From 7f6d223078599c3a6a2f26bf89ba8a91afd4cb88 Mon Sep 17 00:00:00 2001
From: Michal Domonkos <mdomonko@redhat.com>
Date: Mon, 17 Dec 2018 14:38:22 +0100
Subject: [PATCH] Add basic integration with %_pkgverify_level

RPM 4.14.2 introduced a new low-level security policy for package
verification configured with the %_pkgverify_level macro:

http://rpm.org/wiki/Releases/4.14.2

In DNF, signature verification is done via RPM but in a separate step
that precedes the transaction itself (BaseCli.gpgsigcheck()).  We can
make use of that to catch signature errors and/or import public keys the
same way as if gpgcheck was enabled from the start.  To that end, this
commit forces the gpgcheck and localpkg_gpgcheck options to True if the
policy would result in signature verification anyway.

Resolves RHEL-8 bug:
https://bugzilla.redhat.com/show_bug.cgi?id=1614351
---
 dnf/cli/cli.py           | 18 ++++++++++++++++++
 dnf/cli/option_parser.py |  2 +-
 doc/command_ref.rst      |  2 +-
 doc/conf_ref.rst         | 12 ++++++++++--
 4 files changed, 30 insertions(+), 4 deletions(-)

diff --git a/dnf/cli/cli.py b/dnf/cli/cli.py
index ea328702f4..522a2ad936 100644
--- a/dnf/cli/cli.py
+++ b/dnf/cli/cli.py
@@ -972,6 +972,24 @@ def configure(self, args, option_parser=None):
         if self.base.conf.color != 'auto':
             self.base.output.term.reinit(color=self.base.conf.color)
 
+        if rpm.expandMacro('%_pkgverify_level') in ('signature', 'all'):
+            forcing = False
+            for repo in self.base.repos.iter_enabled():
+                if repo.gpgcheck:
+                    continue
+                repo.gpgcheck = True
+                forcing = True
+            if not self.base.conf.localpkg_gpgcheck:
+                self.base.conf.localpkg_gpgcheck = True
+                forcing = True
+            if forcing:
+                logger.warning(
+                    _("Warning: Enforcing GPG signature check globally "
+                      "as per active RPM security policy (see 'gpgcheck' in "
+                      "dnf.conf(5) for how to squelch this message)"
+                      )
+                )
+
     def _read_conf_file(self, releasever=None):
         timer = dnf.logging.Timer('config')
         conf = self.base.conf
diff --git a/dnf/cli/option_parser.py b/dnf/cli/option_parser.py
index e60179cfac..ba5a316c79 100644
--- a/dnf/cli/option_parser.py
+++ b/dnf/cli/option_parser.py
@@ -274,7 +274,7 @@ def _main_parser(self):
                                  help=_("disable removal of dependencies that are no longer used"))
         main_parser.add_argument("--nogpgcheck", action="store_false",
                                  default=None, dest='gpgcheck',
-                                 help=_("disable gpg signature checking"))
+                                 help=_("disable gpg signature checking (if RPM policy allows)"))
         main_parser.add_argument("--color", dest="color", default=None,
                                  help=_("control whether color is used"))
         main_parser.add_argument("--refresh", dest="freshest_metadata",
diff --git a/doc/command_ref.rst b/doc/command_ref.rst
index 6ba31ff9be..70659e6560 100644
--- a/doc/command_ref.rst
+++ b/doc/command_ref.rst
@@ -275,7 +275,7 @@ Options
     do not install documentation by using rpm flag 'RPMTRANS_FLAG_NODOCS'
 
 ``--nogpgcheck``
-    skip checking GPG signatures on packages
+    skip checking GPG signatures on packages (if RPM policy allows)
 
 ``--noplugins``
     Disable all plugins.
diff --git a/doc/conf_ref.rst b/doc/conf_ref.rst
index 979e2d18c6..6bbcbda9c0 100644
--- a/doc/conf_ref.rst
+++ b/doc/conf_ref.rst
@@ -452,7 +452,11 @@ configuration.
 ``gpgcheck``
     :ref:`boolean <boolean-label>`
 
-    Whether to perform GPG signature check on packages found in this repository. The default is False.
+    Whether to perform GPG signature check on packages found in this repository.
+    The default is False.
+    This option can only be used to strengthen the active RPM security policy set with the `%_pkgverify_level` macro (see /usr/lib/rpm/macros for details).
+    That means, if the macro is set to `signature` or `all` and this option is False, it will be overridden to True when DNF runs and a warning will be printed.
+    To squelch the warning, make sure this option is True on every enabled repository and also enable :ref:`localpkg_gpgcheck <localpkg_gpgcheck-label>`.
 
 .. _include-label:
 
@@ -470,10 +474,14 @@ configuration.
 
     Determines how DNF resolves host names. Set this to '4'/'IPv4' or '6'/'IPv6' to resolve to IPv4 or IPv6 addresses only. By default, DNF resolves to either addresses.
 
+.. _localpkg_gpgcheck-label:
+
 ``localpkg_gpgcheck``
     :ref:`boolean <boolean-label>`
 
-    Whether to perform a GPG signature check on local packages (packages in a file, not in a repositoy). The default is False.
+    Whether to perform a GPG signature check on local packages (packages in a file, not in a repository).
+    The default is False.
+    This option is subject to the active RPM security policy (see :ref:`gpgcheck <gpgcheck-label>` for more details).
 
 ``max_parallel_downloads``
     :ref:`integer <integer-label>`