From 74c4068b9da7f2dff16a8ee2605d3350a6a782f6 Mon Sep 17 00:00:00 2001
From: Colin Walters <walters@verbum.org>
Date: Thu, 2 Feb 2017 15:41:29 -0500
Subject: [PATCH] core: Do GPG verification before importing
|
|
|
7d8bc5 |
While reading a recent conversation about GPG checking at treecompose
time, I had a sudden thought - were we actually doing verification
client side? Turned out, we aren't. That happens as part of
`dnf_transaction_commit()` which we don't use.
|
|
|
7d8bc5 |
That function verifies every package at one go, but for us I think it's better
to do it before "importing". We shouldn't have untrusted bits that we've
unpacked (they might have suid binaries, for one thing).
|
|
|
7d8bc5 |
This is an embarrassing problem, but it's worth emphasizing that everyone should
be retrieving repodata at a minimum over TLS, which sets a baseline. On RHEL, we
already do pinned TLS, and there are discussions about extending that elsewhere.
---
libdnf | 2 +-
src/libpriv/rpmostree-core.c | 12 +++++++++++-
tests/common/libvm.sh | 16 ++++++++++++++++
tests/vmcheck/test-layering-gpg.sh | 37 +++++++++++++++++++++++++++++++++++++
4 files changed, 65 insertions(+), 2 deletions(-)
create mode 100755 tests/vmcheck/test-layering-gpg.sh
|
|
|
7d8bc5 |
diff --git a/src/libpriv/rpmostree-core.c b/src/libpriv/rpmostree-core.c
|
|
|
7d8bc5 |
index 2daaa48..0b4a3ab 100644
|
|
|
7d8bc5 |
--- a/src/libpriv/rpmostree-core.c
|
|
|
7d8bc5 |
+++ b/src/libpriv/rpmostree-core.c
|
|
|
7d8bc5 |
@@ -1152,18 +1152,25 @@ import_one_package (RpmOstreeContext *self,
|
|
|
7d8bc5 |
g_autofree char *ostree_commit = NULL;
|
|
|
7d8bc5 |
glnx_unref_object RpmOstreeUnpacker *unpacker = NULL;
|
|
|
7d8bc5 |
g_autofree char *pkg_path;
|
|
|
7d8bc5 |
+ DnfRepo *pkg_repo;
|
|
|
7d8bc5 |
int flags = 0;
|
|
|
7d8bc5 |
|
|
|
7d8bc5 |
+ pkg_repo = dnf_package_get_repo (pkg);
|
|
|
7d8bc5 |
+
|
|
|
7d8bc5 |
if (pkg_is_local (pkg))
|
|
|
7d8bc5 |
pkg_path = g_strdup (dnf_package_get_filename (pkg));
|
|
|
7d8bc5 |
else
|
|
|
7d8bc5 |
{
|
|
|
7d8bc5 |
const char *pkg_location = dnf_package_get_location (pkg);
|
|
|
7d8bc5 |
pkg_path =
|
|
|
7d8bc5 |
- g_build_filename (dnf_repo_get_location (dnf_package_get_repo (pkg)),
|
|
|
7d8bc5 |
+ g_build_filename (dnf_repo_get_location (pkg_repo),
|
|
|
7d8bc5 |
"packages", glnx_basename (pkg_location), NULL);
|
|
|
7d8bc5 |
}
|
|
|
7d8bc5 |
|
|
|
7d8bc5 |
+ /* Verify signatures if enabled */
|
|
|
7d8bc5 |
+ if (!dnf_transaction_gpgcheck_package (dnf_context_get_transaction (hifctx), pkg, error))
|
|
|
7d8bc5 |
+ goto out;
|
|
|
7d8bc5 |
+
|
|
|
7d8bc5 |
flags = RPMOSTREE_UNPACKER_FLAGS_OSTREE_CONVENTION;
|
|
|
7d8bc5 |
if (self->unprivileged)
|
|
|
7d8bc5 |
flags |= RPMOSTREE_UNPACKER_FLAGS_UNPRIVILEGED;
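Review bot: The new `dnf_transaction_gpgcheck_package (..., pkg, error)` call verifies whichever file libdnf associates with `pkg`, while the unpacker a few lines later is handed `pkg_path`, which this function builds itself from `dnf_repo_get_location (pkg_repo)` plus `packages/` and the basename; if those two paths can ever resolve to different files, the bytes that get unpacked are not the bytes that were verified. If they are guaranteed identical, say so next to the check, e.g. `/* gpgcheck operates on the file libdnf resolved for pkg; pkg_path below must name that same file, or verification covers the wrong bytes */`, otherwise verify the file at `pkg_path` directly. Note also that `pkg_repo` is now fetched unconditionally but only consumed in the non-local branch, and that the check is gated on the repo's gpgcheck setting, so a local package or a repo configured with `gpgcheck=0` still reaches the unpacker unverified, which the comment `Verify signatures if enabled` should spell out given the commit's suid-binary rationale. The `out:` label and the remainder of `import_one_package` lie outside this hunk.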
|
|
|
7d8bc5 |
@@ -1220,6 +1227,9 @@ rpmostree_context_import (RpmOstreeContext *self,
|
|
|
7d8bc5 |
|
|
|
7d8bc5 |
g_return_val_if_fail (get_pkgcache_repo (self) != NULL, FALSE);
|
|
|
7d8bc5 |
|
|
|
7d8bc5 |
+ if (!dnf_transaction_import_keys (dnf_context_get_transaction (hifctx), error))
|
|
|
7d8bc5 |
+ goto out;
|
|
|
7d8bc5 |
+
|
|
|
7d8bc5 |
{
|
|
|
7d8bc5 |
glnx_unref_object DnfState *hifstate = dnf_state_new ();
|
|
|
7d8bc5 |
dnf_state_set_number_steps (hifstate, install->packages_to_import->len);
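Review bot: `dnf_transaction_import_keys` is invoked unconditionally before the import loop, so key material is imported for every enabled repo whether or not a package from it is in `packages_to_import`, and a failure to fetch one unrelated repo's `gpgkey` aborts the whole import; whether libdnf scopes this to the transaction's packages is not visible here and is worth confirming. Since the `gpgkey=` source is the trust root for the signature check added to `import_one_package`, a key fetched over an untrusted transport would let a network attacker supply both the key and the package it signs, so the call deserves a comment such as `/* Keys come from each repo's gpgkey= URL, which is the trust root for the per-package gpgcheck; that URL must itself be trusted (file:// or TLS) */`. The signature of `rpmostree_context_import` and its `out:` label are outside this hunk.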
|
|
|
7d8bc5 |
diff --git a/tests/common/libvm.sh b/tests/common/libvm.sh
|
|
|
7d8bc5 |
index 3b7cb35..bbbcba2 100644
|
|
|
7d8bc5 |
--- a/tests/common/libvm.sh
|
|
|
7d8bc5 |
+++ b/tests/common/libvm.sh
|
|
|
7d8bc5 |
@@ -51,6 +51,11 @@ vm_cmd() {
|
|
|
7d8bc5 |
$SSH "$@"
|
|
|
7d8bc5 |
}
|
|
|
7d8bc5 |
|
|
|
7d8bc5 |
+# Delete anything which we might change between runs
|
|
|
7d8bc5 |
+vm_clean_caches() {
|
|
|
7d8bc5 |
+ vm_cmd rm /ostree/repo/extensions/rpmostree/pkgcache/refs/heads/* -rf
|
|
|
7d8bc5 |
+}
|
|
|
7d8bc5 |
+
|
|
|
7d8bc5 |
# run rpm-ostree in vm
|
|
|
7d8bc5 |
# - $@ args
|
|
|
7d8bc5 |
vm_rpmostree() {
|
|
|
7d8bc5 |
@@ -68,6 +73,7 @@ vm_send() {
|
|
|
7d8bc5 |
|
|
|
7d8bc5 |
# copy the test repo to the vm
|
|
|
7d8bc5 |
vm_send_test_repo() {
|
|
|
7d8bc5 |
+ gpgcheck=${1:-0}
|
|
|
7d8bc5 |
vm_cmd rm -rf /tmp/vmcheck
|
|
|
7d8bc5 |
vm_send /tmp/vmcheck ${commondir}/compose/yum/repo
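Review bot: `gpgcheck=${1:-0}` is assigned without `local`, so it leaks out of `vm_send_test_repo` as a global named `gpgcheck` in the calling test shell and can silently collide with a variable of the same name; `local gpgcheck=${1:-0}` keeps it scoped to the helper. The rest of `vm_send_test_repo` continues past this hunk.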
|
|
|
7d8bc5 |
|
|
|
7d8bc5 |
@@ -77,6 +83,16 @@ name=test-repo
|
|
|
7d8bc5 |
baseurl=file:///tmp/vmcheck/repo
|
|
|
7d8bc5 |
EOF
|
|
|
7d8bc5 |
|
|
|
7d8bc5 |
+ if [ $gpgcheck -eq 1 ]; then
|
|
|
7d8bc5 |
+ cat >> vmcheck.repo <
|
|
|
7d8bc5 |
+gpgcheck=1
|
|
|
7d8bc5 |
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-25-primary
|
|
|
7d8bc5 |
+EOF
|
|
|
7d8bc5 |
+ else
|
|
|
7d8bc5 |
+ echo "Enabling vmcheck.repo without GPG"
|
|
|
7d8bc5 |
+ echo 'gpgcheck=0' >> vmcheck.repo
|
|
|
7d8bc5 |
+ fi
|
|
|
7d8bc5 |
+
|
|
|
7d8bc5 |
vm_send /etc/yum.repos.d vmcheck.repo
|
|
|
7d8bc5 |
}
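Review bot: The line shown as `cat >> vmcheck.repo <` is almost certainly a rendering artifact for `cat >> vmcheck.repo <<EOF` (the terminating `EOF` is present two lines later), but as displayed the script would fail to parse, so the committed file should be checked rather than trusted from this view. The numeric test `[ $gpgcheck -eq 1 ]` uses the variable unquoted; `[ "$gpgcheck" -eq 1 ]` avoids a syntax error if the helper is ever called with an empty argument. The GPG branch also hardcodes `RPM-GPG-KEY-fedora-25-primary`, which ties the test to one Fedora release; a short comment saying the key only needs to exist on the guest (the test expects an unsigned package to be rejected, not a signed one to pass) would make that intent clear.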
|
|
|
7d8bc5 |
|
|
|
7d8bc5 |
diff --git a/tests/vmcheck/test-layering-gpg.sh b/tests/vmcheck/test-layering-gpg.sh
|
|
|
7d8bc5 |
new file mode 100755
|
|
|
7d8bc5 |
index 0000000..6b66a79
|
|
|
7d8bc5 |
--- /dev/null
|
|
|
7d8bc5 |
+++ b/tests/vmcheck/test-layering-gpg.sh
|
|
|
7d8bc5 |
@@ -0,0 +1,37 @@
|
|
|
7d8bc5 |
+#!/bin/bash
|
|
|
7d8bc5 |
+#
|
|
|
7d8bc5 |
+# Copyright (C) 2017 Red Hat, Inc.
|
|
|
7d8bc5 |
+#
|
|
|
7d8bc5 |
+# This library is free software; you can redistribute it and/or
|
|
|
7d8bc5 |
+# modify it under the terms of the GNU Lesser General Public
|
|
|
7d8bc5 |
+# License as published by the Free Software Foundation; either
|
|
|
7d8bc5 |
+# version 2 of the License, or (at your option) any later version.
|
|
|
7d8bc5 |
+#
|
|
|
7d8bc5 |
+# This library is distributed in the hope that it will be useful,
|
|
|
7d8bc5 |
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
7d8bc5 |
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
|
|
7d8bc5 |
+# Lesser General Public License for more details.
|
|
|
7d8bc5 |
+#
|
|
|
7d8bc5 |
+# You should have received a copy of the GNU Lesser General Public
|
|
|
7d8bc5 |
+# License along with this library; if not, write to the
|
|
|
7d8bc5 |
+# Free Software Foundation, Inc., 59 Temple Place - Suite 330,
|
|
|
7d8bc5 |
+# Boston, MA 02111-1307, USA.
|
|
|
7d8bc5 |
+
|
|
|
7d8bc5 |
+set -e
|
|
|
7d8bc5 |
+
|
|
|
7d8bc5 |
+. ${commondir}/libtest.sh
|
|
|
7d8bc5 |
+. ${commondir}/libvm.sh
|
|
|
7d8bc5 |
+
|
|
|
7d8bc5 |
+set -x
|
|
|
7d8bc5 |
+
|
|
|
7d8bc5 |
+vm_send_test_repo 1
|
|
|
7d8bc5 |
+vm_clean_caches
|
|
|
7d8bc5 |
+
|
|
|
7d8bc5 |
+# make sure the package is not already layered
|
|
|
7d8bc5 |
+vm_assert_layered_pkg foo absent
|
|
|
7d8bc5 |
+
|
|
|
7d8bc5 |
+if vm_rpmostree pkg-add foo-1.0 2>err.txt; then
|
|
|
7d8bc5 |
+ assert_not_reached "Installed unsigned package"
|
|
|
7d8bc5 |
+fi
|
|
|
7d8bc5 |
+assert_file_has_content err.txt 'package not signed: foo'
|
|
|
7d8bc5 |
+echo "ok failed to install unsigned package"
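Review bot: The test proves only that an unsigned package is rejected; it does not check the commit's stated goal that no untrusted bits were unpacked, nor that a package signed by a key other than the configured `gpgkey` is rejected, nor that a correctly signed package still installs, so a regression that rejects everything would pass unnoticed. At minimum add `vm_assert_layered_pkg foo absent` after the failure assertion, and a check that no pkgcache ref for foo was created under `/ostree/repo/extensions/rpmostree/pkgcache/refs/heads` (the exact ref naming is not visible here, so confirm it against `vm_clean_caches`). `assert_file_has_content err.txt 'package not signed: foo'` pins libdnf's message wording, which is acceptable for a test but will break on a harmless message change, so a comment noting that dependency would help the next person who sees it fail.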
|
|
|
7d8bc5 |
--
|
|
|
7d8bc5 |
2.9.3
|
|
|
7d8bc5 |
|