diff --git a/.gitignore b/.gitignore
index 3a3bab3..e610ed6 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,2 @@
SOURCES/bubblewrap-0.1.7.tar.xz
-SOURCES/rpm-ostree-2017.1.tar.xz
+SOURCES/rpm-ostree-2017.3.tar.xz
diff --git a/.rpm-ostree.metadata b/.rpm-ostree.metadata
index 03b2608..71dec28 100644
--- a/.rpm-ostree.metadata
+++ b/.rpm-ostree.metadata
@@ -1,2 +1,2 @@
a0058efeff906bc72cb5880d37b2553d8c5430d1 SOURCES/bubblewrap-0.1.7.tar.xz
-116c5e7da5bd8476fb0abb6243e42ba8da45bbb0 SOURCES/rpm-ostree-2017.1.tar.xz
+9a5b2d0dff6c2a7265a0c061dc94a72fcb5a8c37 SOURCES/rpm-ostree-2017.3.tar.xz
diff --git a/SOURCES/0001-core-Do-GPG-verification-before-importing.patch b/SOURCES/0001-core-Do-GPG-verification-before-importing.patch
deleted file mode 100644
index a89cee8..0000000
--- a/SOURCES/0001-core-Do-GPG-verification-before-importing.patch
+++ /dev/null
@@ -1,153 +0,0 @@
-From 74c4068b9da7f2dff16a8ee2605d3350a6a782f6 Mon Sep 17 00:00:00 2001
-From: Colin Walters <walters@verbum.org>
-Date: Thu, 2 Feb 2017 15:41:29 -0500
-Subject: [PATCH] core: Do GPG verification before importing
-
-While reading a recent conversation about GPG checking at treecompose
-time, I had a sudden thought - were we actually doing verification
-client side? Turned out, we aren't. That happens as part of
-`dnf_transaction_commit()` which we don't use.
-
-That function verifies every package at one go, but for us I think it's better
-to do it before "importing". We shouldn't have untrusted bits that we've
-unpacked (they might have suid binaries, for one thing).
-
-This is an embarassing problem, but it's worth emphasizing that everyone should
-be retrieving repodata at a minimum over TLS, which sets a baseline. On RHEL, we
-already do pinned TLS, and there are discussions about extending that elsewhere.
----
- libdnf | 2 +-
- src/libpriv/rpmostree-core.c | 12 +++++++++++-
- tests/common/libvm.sh | 16 ++++++++++++++++
- tests/vmcheck/test-layering-gpg.sh | 37 +++++++++++++++++++++++++++++++++++++
- 4 files changed, 65 insertions(+), 2 deletions(-)
- create mode 100755 tests/vmcheck/test-layering-gpg.sh
-
-diff --git a/src/libpriv/rpmostree-core.c b/src/libpriv/rpmostree-core.c
-index 2daaa48..0b4a3ab 100644
---- a/src/libpriv/rpmostree-core.c
-+++ b/src/libpriv/rpmostree-core.c
-@@ -1152,18 +1152,25 @@ import_one_package (RpmOstreeContext *self,
- g_autofree char *ostree_commit = NULL;
- glnx_unref_object RpmOstreeUnpacker *unpacker = NULL;
- g_autofree char *pkg_path;
-+ DnfRepo *pkg_repo;
- int flags = 0;
-
-+ pkg_repo = dnf_package_get_repo (pkg);
-+
- if (pkg_is_local (pkg))
- pkg_path = g_strdup (dnf_package_get_filename (pkg));
- else
- {
- const char *pkg_location = dnf_package_get_location (pkg);
- pkg_path =
-- g_build_filename (dnf_repo_get_location (dnf_package_get_repo (pkg)),
-+ g_build_filename (dnf_repo_get_location (pkg_repo),
- "packages", glnx_basename (pkg_location), NULL);
- }
-
-+ /* Verify signatures if enabled */
-+ if (!dnf_transaction_gpgcheck_package (dnf_context_get_transaction (hifctx), pkg, error))
-+ goto out;
-+
- flags = RPMOSTREE_UNPACKER_FLAGS_OSTREE_CONVENTION;
- if (self->unprivileged)
- flags |= RPMOSTREE_UNPACKER_FLAGS_UNPRIVILEGED;
-@@ -1220,6 +1227,9 @@ rpmostree_context_import (RpmOstreeContext *self,
-
- g_return_val_if_fail (get_pkgcache_repo (self) != NULL, FALSE);
-
-+ if (!dnf_transaction_import_keys (dnf_context_get_transaction (hifctx), error))
-+ goto out;
-+
- {
- glnx_unref_object DnfState *hifstate = dnf_state_new ();
- dnf_state_set_number_steps (hifstate, install->packages_to_import->len);
-diff --git a/tests/common/libvm.sh b/tests/common/libvm.sh
-index 3b7cb35..bbbcba2 100644
---- a/tests/common/libvm.sh
-+++ b/tests/common/libvm.sh
-@@ -51,6 +51,11 @@ vm_cmd() {
- $SSH "$@"
- }
-
-+# Delete anything which we might change between runs
-+vm_clean_caches() {
-+ vm_cmd rm /ostree/repo/extensions/rpmostree/pkgcache/refs/heads/* -rf
-+}
-+
- # run rpm-ostree in vm
- # - $@ args
- vm_rpmostree() {
-@@ -68,6 +73,7 @@ vm_send() {
-
- # copy the test repo to the vm
- vm_send_test_repo() {
-+ gpgcheck=${1:-0}
- vm_cmd rm -rf /tmp/vmcheck
- vm_send /tmp/vmcheck ${commondir}/compose/yum/repo
-
-@@ -77,6 +83,16 @@ name=test-repo
- baseurl=file:///tmp/vmcheck/repo
- EOF
-
-+ if [ $gpgcheck -eq 1 ]; then
-+ cat >> vmcheck.repo <<EOF
-+gpgcheck=1
-+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-25-primary
-+EOF
-+ else
-+ echo "Enabling vmcheck.repo without GPG"
-+ echo 'gpgcheck=0' >> vmcheck.repo
-+ fi
-+
- vm_send /etc/yum.repos.d vmcheck.repo
- }
-
-diff --git a/tests/vmcheck/test-layering-gpg.sh b/tests/vmcheck/test-layering-gpg.sh
-new file mode 100755
-index 0000000..6b66a79
---- /dev/null
-+++ b/tests/vmcheck/test-layering-gpg.sh
-@@ -0,0 +1,37 @@
-+#!/bin/bash
-+#
-+# Copyright (C) 2017 Red Hat, Inc.
-+#
-+# This library is free software; you can redistribute it and/or
-+# modify it under the terms of the GNU Lesser General Public
-+# License as published by the Free Software Foundation; either
-+# version 2 of the License, or (at your option) any later version.
-+#
-+# This library is distributed in the hope that it will be useful,
-+# but WITHOUT ANY WARRANTY; without even the implied warranty of
-+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-+# Lesser General Public License for more details.
-+#
-+# You should have received a copy of the GNU Lesser General Public
-+# License along with this library; if not, write to the
-+# Free Software Foundation, Inc., 59 Temple Place - Suite 330,
-+# Boston, MA 02111-1307, USA.
-+
-+set -e
-+
-+. ${commondir}/libtest.sh
-+. ${commondir}/libvm.sh
-+
-+set -x
-+
-+vm_send_test_repo 1
-+vm_clean_caches
-+
-+# make sure the package is not already layered
-+vm_assert_layered_pkg foo absent
-+
-+if vm_rpmostree pkg-add foo-1.0 2>err.txt; then
-+ assert_not_reached "Installed unsigned package"
-+fi
-+assert_file_has_content err.txt 'package not signed: foo'
-+echo "ok failed to install unsigned package"
---
-2.9.3
-
diff --git a/SOURCES/0001-daemon-Avoid-erroring-out-on-startup-status-with-ori.patch b/SOURCES/0001-daemon-Avoid-erroring-out-on-startup-status-with-ori.patch
deleted file mode 100644
index 7eb621d..0000000
--- a/SOURCES/0001-daemon-Avoid-erroring-out-on-startup-status-with-ori.patch
+++ /dev/null
@@ -1,109 +0,0 @@
-From c48a889da09af0c2cc9d540fa5f3868d6f239e3e Mon Sep 17 00:00:00 2001
-From: Colin Walters <walters@verbum.org>
-Date: Mon, 13 Feb 2017 21:01:31 -0500
-Subject: [PATCH] daemon: Avoid erroring out on startup/status with origin
- unconfigured-state
-
-As part of an earlier cleanup of origin parsing, we started checking
-the origin `unconfigured-state` even just starting the daemon, which
-is kind of bad.
-
-It's tempting to flip the default for the parser so that we *only* check
-unconfigured state if we go to upgrade, but let's not do that in this patch.
-
-Closes: #626
-Approved by: jlebon
----
- src/daemon/rpmostree-sysroot-upgrader.c | 3 ++-
- src/daemon/rpmostreed-deployment-utils.c | 6 ++++--
- src/daemon/rpmostreed-os.c | 3 ++-
- tests/check/test-basic.sh | 14 +++++++++++++-
- 4 files changed, 21 insertions(+), 5 deletions(-)
-
-diff --git a/src/daemon/rpmostree-sysroot-upgrader.c b/src/daemon/rpmostree-sysroot-upgrader.c
-index edadde0..cdb90d4 100644
---- a/src/daemon/rpmostree-sysroot-upgrader.c
-+++ b/src/daemon/rpmostree-sysroot-upgrader.c
-@@ -1321,7 +1321,8 @@ clean_pkgcache_orphans (RpmOstreeSysrootUpgrader *self,
- OstreeDeployment *deployment = deployments->pdata[i];
- g_autoptr(RpmOstreeOrigin) origin = NULL;
-
-- origin = rpmostree_origin_parse_deployment (deployment, error);
-+ origin = rpmostree_origin_parse_deployment_ex (deployment, RPMOSTREE_ORIGIN_PARSE_FLAGS_IGNORE_UNCONFIGURED,
-+ error);
- if (!origin)
- return FALSE;
-
-diff --git a/src/daemon/rpmostreed-deployment-utils.c b/src/daemon/rpmostreed-deployment-utils.c
-index 9b2fb9a..43c814f 100644
---- a/src/daemon/rpmostreed-deployment-utils.c
-+++ b/src/daemon/rpmostreed-deployment-utils.c
-@@ -185,7 +185,8 @@ rpmostreed_deployment_generate_variant (OstreeDeployment *deployment,
-
- id = rpmostreed_deployment_generate_id (deployment);
-
-- origin = rpmostree_origin_parse_deployment (deployment, error);
-+ origin = rpmostree_origin_parse_deployment_ex (deployment, RPMOSTREE_ORIGIN_PARSE_FLAGS_IGNORE_UNCONFIGURED,
-+ error);
- if (!origin)
- return NULL;
-
-@@ -254,7 +255,8 @@ rpmostreed_commit_generate_cached_details_variant (OstreeDeployment *deployment,
- {
- g_autoptr(RpmOstreeOrigin) origin = NULL;
-
-- origin = rpmostree_origin_parse_deployment (deployment, error);
-+ origin = rpmostree_origin_parse_deployment_ex (deployment, RPMOSTREE_ORIGIN_PARSE_FLAGS_IGNORE_UNCONFIGURED,
-+ error);
- if (!origin)
- return NULL;
- origin_refspec = g_strdup (rpmostree_origin_get_refspec (origin));
-diff --git a/src/daemon/rpmostreed-os.c b/src/daemon/rpmostreed-os.c
-index ded637d..3fde7da 100644
---- a/src/daemon/rpmostreed-os.c
-+++ b/src/daemon/rpmostreed-os.c
-@@ -1166,7 +1166,8 @@ rpmostreed_os_load_internals (RpmostreedOS *self, GError **error)
- g_autoptr(RpmOstreeOrigin) origin = NULL;
-
- /* Don't fail here for unknown origin types */
-- origin = rpmostree_origin_parse_deployment (merge_deployment, NULL);
-+ origin = rpmostree_origin_parse_deployment_ex (merge_deployment, RPMOSTREE_ORIGIN_PARSE_FLAGS_IGNORE_UNCONFIGURED,
-+ NULL);
- if (origin)
- {
- cached_update = rpmostreed_commit_generate_cached_details_variant (merge_deployment,
-diff --git a/tests/check/test-basic.sh b/tests/check/test-basic.sh
-index 8b7baa6..670a668 100755
---- a/tests/check/test-basic.sh
-+++ b/tests/check/test-basic.sh
-@@ -24,7 +24,7 @@ export RPMOSTREE_SUPPRESS_REQUIRES_ROOT_CHECK=yes
-
- ensure_dbus
-
--echo "1..14"
-+echo "1..15"
-
- setup_os_repository "archive-z2" "syslinux"
-
-@@ -145,6 +145,18 @@ $OSTREE remote add secureos file://$(pwd)/testos-repo
- rpm-ostree rebase --os=testos secureos:$branch gpg-signed
- echo "ok deploy from remote with unsigned and signed commits"
-
-+originpath=$(ostree admin --sysroot=sysroot --print-current-dir).origin
-+echo "unconfigured-state=Access to TestOS requires ONE BILLION DOLLARS" >> ${originpath}
-+pid=$(pgrep -u $(id -u) -f 'rpm-ostree.*daemon')
-+test -n "${pid}" || assert_not_reached "failed to find rpm-ostree pid"
-+kill -9 ${pid}
-+rpm-ostree status
-+if rpm-ostree upgrade --os=testos 2>err.txt; then
-+ assert_not_reached "Upgraded from unconfigured-state"
-+fi
-+assert_file_has_content err.txt 'ONE BILLION DOLLARS'
-+echo "ok unconfigured status"
-+
- # Ensure it returns an error when passing a wrong option.
- rpm-ostree --help | awk '/^$/ {in_commands=0} {if(in_commands==1){print $0}} /^Builtin Commands:/ {in_commands=1}' > commands
- while read command; do
---
-2.9.3
-
diff --git a/SOURCES/0001-unpacker-support-root-owned-var-run-files.patch b/SOURCES/0001-unpacker-support-root-owned-var-run-files.patch
deleted file mode 100644
index 8c7c248..0000000
--- a/SOURCES/0001-unpacker-support-root-owned-var-run-files.patch
+++ /dev/null
@@ -1,86 +0,0 @@
-From 8cf071127e670671065d041f2cb678cdc303b9c1 Mon Sep 17 00:00:00 2001
-From: Jonathan Lebon <jlebon@redhat.com>
-Date: Mon, 13 Feb 2017 11:32:19 -0500
-Subject: [PATCH 1/2] unpacker: support root-owned /var & /run files
-
-I'm not sure why we weren't doing this before, but we need to also
-support files in /var and /run that are owned by root.
-
-Related: RHBZ#1421781
-
-Closes: #622
-Approved by: cgwalters
----
- src/libpriv/rpmostree-unpacker.c | 9 +++++----
- tests/common/compose/yum/nonrootcap.spec | 4 ++++
- tests/vmcheck/test-layering-non-root-caps.sh | 6 +++++-
- 3 files changed, 14 insertions(+), 5 deletions(-)
-
-diff --git a/src/libpriv/rpmostree-unpacker.c b/src/libpriv/rpmostree-unpacker.c
-index 34e133a..98586d9 100644
---- a/src/libpriv/rpmostree-unpacker.c
-+++ b/src/libpriv/rpmostree-unpacker.c
-@@ -594,11 +594,12 @@ compose_filter_cb (OstreeRepo *repo,
-
- get_rpmfi_override (self, path, &user, &group, NULL);
-
-- /* First, look for non-root paths in /run and /var */
-- if ((user != NULL || group != NULL) &&
-- (g_str_has_prefix (path, "/run/") || g_str_has_prefix (path, "/var/")))
-+ /* convert /run and /var entries to tmpfiles.d */
-+ if (g_str_has_prefix (path, "/run/") ||
-+ g_str_has_prefix (path, "/var/"))
- {
-- append_tmpfiles_d (self, path, file_info, user, group);
-+ append_tmpfiles_d (self, path, file_info,
-+ user ?: "root", group ?: "root");
- return OSTREE_REPO_COMMIT_FILTER_SKIP;
- }
- else if (!error_was_set)
-diff --git a/tests/common/compose/yum/nonrootcap.spec b/tests/common/compose/yum/nonrootcap.spec
-index 8f9dead..be5959d 100644
---- a/tests/common/compose/yum/nonrootcap.spec
-+++ b/tests/common/compose/yum/nonrootcap.spec
-@@ -38,6 +38,8 @@ mkdir -p %{buildroot}/usr/bin
- install *.sh %{buildroot}/usr/bin
- mkdir -p %{buildroot}/var/lib/nonrootcap
- mkdir -p %{buildroot}/run/nonrootcap
-+mkdir -p %{buildroot}/var/lib/nonrootcap-rootowned
-+mkdir -p %{buildroot}/run/nonrootcap-rootowned
-
- %clean
- rm -rf %{buildroot}
-@@ -53,6 +55,8 @@ rm -rf %{buildroot}
- %attr(4775, nrcuser, nrcgroup) %caps(cap_net_bind_service=ep) /usr/bin/nrc-usergroupcaps-setuid.sh
- %attr(-, nrcuser, nrcgroup) /var/lib/nonrootcap
- %attr(-, nrcuser, nrcgroup) /run/nonrootcap
-+/var/lib/nonrootcap-rootowned
-+/run/nonrootcap-rootowned
-
- %changelog
- * Wed Jan 05 2017 Jonathan Lebon <jlebon@redhat.com> 1.0-1
-diff --git a/tests/vmcheck/test-layering-non-root-caps.sh b/tests/vmcheck/test-layering-non-root-caps.sh
-index aa9991c..6cba6e2 100755
---- a/tests/vmcheck/test-layering-non-root-caps.sh
-+++ b/tests/vmcheck/test-layering-non-root-caps.sh
-@@ -51,7 +51,9 @@ if ! vm_has_files /usr/bin/nrc-none.sh \
- /usr/bin/nrc-usergroup.sh \
- /usr/bin/nrc-usergroupcaps.sh \
- /var/lib/nonrootcap \
-- /run/nonrootcap; then
-+ /run/nonrootcap \
-+ /var/lib/nonrootcap-rootowned \
-+ /run/nonrootcap-rootowned; then
- assert_not_reached "not all files were layered"
- fi
- echo "ok all files layered"
-@@ -96,4 +98,6 @@ check_file /usr/bin/nrc-usergroupcaps-setuid.sh nrcuser nrcgroup "cap_net_bind_s
- vm_cmd test -u /usr/bin/nrc-usergroupcaps-setuid.sh
- check_file /var/lib/nonrootcap nrcuser nrcgroup
- check_file /run/nonrootcap nrcuser nrcgroup
-+check_file /var/lib/nonrootcap-rootowned root root
-+check_file /run/nonrootcap-rootowned root root
- echo "ok correct user/group and fcaps"
---
-2.10.2
-
diff --git a/SOURCES/libdnf-gpg.patch b/SOURCES/libdnf-gpg.patch
deleted file mode 100644
index 4b9bac4..0000000
--- a/SOURCES/libdnf-gpg.patch
+++ /dev/null
@@ -1,318 +0,0 @@
-From b2ded5a4da58940159f5d337e9e29c5de5cc0f7a Mon Sep 17 00:00:00 2001
-From: Colin Walters <walters@verbum.org>
-Date: Thu, 2 Feb 2017 10:00:06 -0500
-Subject: [PATCH 1/2] repo: Enable GPG by default
-
-This increases compatibility with dnf/yum. It was very surprising to me that we
-didn't do this. Most repos do seem to use `gpgcheck=1`, but I'm fairly certain
-I've seen repo configs in the wild that actually depend on it, though after
-looking at a few (ceph, postgres), I can't find one yet.
-
-Still, I think it's worth making this change. I suspect very few people will
-edit `/etc/yum/yum.conf` to globally disable GPG checking, versus disabling it
-per repository.
----
- libdnf/dnf-repo.c | 11 ++++++++++-
- 1 file changed, 10 insertions(+), 1 deletion(-)
-
-diff --git a/libdnf/dnf-repo.c b/libdnf/dnf-repo.c
-index 08e0d8b..017c82d 100644
---- a/libdnf/libdnf/dnf-repo.c
-+++ b/libdnf/libdnf/dnf-repo.c
-@@ -858,7 +858,16 @@ dnf_repo_set_keyfile_data(DnfRepo *repo, GError **error)
- /* gpgkey is optional for gpgcheck=1, but required for repo_gpgcheck=1 */
- g_free(priv->gpgkey);
- priv->gpgkey = g_key_file_get_string(priv->keyfile, priv->id, "gpgkey", NULL);
-- priv->gpgcheck_pkgs = dnf_repo_get_boolean(priv->keyfile, priv->id, "gpgcheck", NULL);
-+ /* Currently, we don't have a global configuration file. The way this worked in yum
-+ * is that the yum package enabled gpgcheck=1 by default in /etc/yum.conf. Basically,
-+ * I don't think many people changed that. It's just saner to disable it in the individual
-+ * repo files as required. To claim compatibility with yum repository files, I think
-+ * we need to basically hard code the yum.conf defaults here.
-+ */
-+ if (!g_key_file_has_key (priv->keyfile, priv->id, "gpgcheck", NULL))
-+ priv->gpgcheck_pkgs = TRUE;
-+ else
-+ priv->gpgcheck_pkgs = dnf_repo_get_boolean(priv->keyfile, priv->id, "gpgcheck", NULL);
- priv->gpgcheck_md = dnf_repo_get_boolean(priv->keyfile, priv->id, "repo_gpgcheck", NULL);
- if (priv->gpgcheck_md && priv->gpgkey == NULL) {
- g_set_error_literal(error,
---
-2.9.3
-
-
-From 0d68ebac7d39a9278ebb5259c4912efa55c080da Mon Sep 17 00:00:00 2001
-From: Colin Walters <walters@verbum.org>
-Date: Tue, 31 Jan 2017 17:14:37 -0500
-Subject: [PATCH 2/2] transaction: Export parts of the GPG functionality
-
-rpm-ostree doesn't use `dnf_transaction_commit()`, because it uses libostree to
-store the RPMs, and bubblewrap to run `%post`s. However, we do need the GPG
-functionality.
----
- libdnf/libdnf/dnf-transaction.c | 193 ++++++++++++++++++++++++++++-------------------
- libdnf/libdnf/dnf-transaction.h | 11 +++
- 2 files changed, 127 insertions(+), 77 deletions(-)
-
-diff --git a/libdnf/libdnf/dnf-transaction.c b/libdnf/libdnf/dnf-transaction.c
-index 62fcc51..dd73245 100644
---- a/libdnf/libdnf/dnf-transaction.c
-+++ b/libdnf/libdnf/dnf-transaction.c
-@@ -328,17 +328,88 @@ dnf_transaction_ensure_repo_list(DnfTransaction *transaction,
- return TRUE;
- }
-
-+gboolean
-+dnf_transaction_gpgcheck_package (DnfTransaction *transaction,
-+ DnfPackage *pkg,
-+ GError **error)
-+{
-+ DnfTransactionPrivate *priv = GET_PRIVATE(transaction);
-+ GError *error_local = NULL;
-+ DnfRepo *repo;
-+ const gchar *fn;
-+
-+ /* ensure the filename is set */
-+ if (!dnf_transaction_ensure_repo(transaction, pkg, error)) {
-+ g_prefix_error(error, "Failed to check untrusted: ");
-+ return FALSE;
-+ }
-+
-+ /* find the location of the local file */
-+ fn = dnf_package_get_filename(pkg);
-+ if (fn == NULL) {
-+ g_set_error(error,
-+ DNF_ERROR,
-+ DNF_ERROR_FILE_NOT_FOUND,
-+ "Downloaded file for %s not found",
-+ dnf_package_get_name(pkg));
-+ return FALSE;
-+ }
-+
-+ /* check file */
-+ if (!dnf_keyring_check_untrusted_file(priv->keyring, fn, &error_local)) {
-+
-+ /* probably an i/o error */
-+ if (!g_error_matches(error_local,
-+ DNF_ERROR,
-+ DNF_ERROR_GPG_SIGNATURE_INVALID)) {
-+ g_propagate_error(error, error_local);
-+ return FALSE;
-+ }
-+
-+ /* if the repo is signed this is ALWAYS an error */
-+ repo = dnf_package_get_repo(pkg);
-+ if (repo != NULL && dnf_repo_get_gpgcheck(repo)) {
-+ g_set_error(error,
-+ DNF_ERROR,
-+ DNF_ERROR_FILE_INVALID,
-+ "package %s cannot be verified "
-+ "and repo %s is GPG enabled: %s",
-+ dnf_package_get_nevra(pkg),
-+ dnf_repo_get_id(repo),
-+ error_local->message);
-+ g_error_free(error_local);
-+ return FALSE;
-+ }
-+
-+ /* we can only install signed packages in this mode */
-+ if ((priv->flags & DNF_TRANSACTION_FLAG_ONLY_TRUSTED) > 0) {
-+ g_propagate_error(error, error_local);
-+ return FALSE;
-+ }
-+
-+ /* we can install unsigned packages */
-+ g_warning("ignoring as allow-untrusted: %s",
-+ error_local->message);
-+ g_clear_error(&error_local);
-+ }
-+
-+ return TRUE;
-+}
-+
- /**
- * dnf_transaction_check_untrusted:
-+ * @transaction: Transaction
-+ * @goal: Target goal
-+ * @error: Error
-+ *
-+ * Verify GPG signatures for all pending packages to be changed as part
-+ * of @goal.
- */
--static gboolean
-+gboolean
- dnf_transaction_check_untrusted(DnfTransaction *transaction,
- HyGoal goal,
- GError **error)
- {
-- DnfTransactionPrivate *priv = GET_PRIVATE(transaction);
-- DnfPackage *pkg;
-- const gchar *fn;
- guint i;
- g_autoptr(GPtrArray) install = NULL;
-
-@@ -354,64 +425,10 @@ dnf_transaction_check_untrusted(DnfTransaction *transaction,
-
- /* find any packages in untrusted repos */
- for (i = 0; i < install->len; i++) {
-- GError *error_local = NULL;
-- DnfRepo *repo;
-- pkg = g_ptr_array_index(install, i);
-+ DnfPackage *pkg = g_ptr_array_index(install, i);
-
-- /* ensure the filename is set */
-- if (!dnf_transaction_ensure_repo(transaction, pkg, error)) {
-- g_prefix_error(error, "Failed to check untrusted: ");
-+ if (!dnf_transaction_gpgcheck_package (transaction, pkg, error))
- return FALSE;
-- }
--
-- /* find the location of the local file */
-- fn = dnf_package_get_filename(pkg);
-- if (fn == NULL) {
-- g_set_error(error,
-- DNF_ERROR,
-- DNF_ERROR_FILE_NOT_FOUND,
-- "Downloaded file for %s not found",
-- dnf_package_get_name(pkg));
-- return FALSE;
-- }
--
-- /* check file */
-- if (!dnf_keyring_check_untrusted_file(priv->keyring, fn, &error_local)) {
--
-- /* probably an i/o error */
-- if (!g_error_matches(error_local,
-- DNF_ERROR,
-- DNF_ERROR_GPG_SIGNATURE_INVALID)) {
-- g_propagate_error(error, error_local);
-- return FALSE;
-- }
--
-- /* if the repo is signed this is ALWAYS an error */
-- repo = dnf_package_get_repo(pkg);
-- if (repo != NULL && dnf_repo_get_gpgcheck(repo)) {
-- g_set_error(error,
-- DNF_ERROR,
-- DNF_ERROR_FILE_INVALID,
-- "package %s cannot be verified "
-- "and repo %s is GPG enabled: %s",
-- dnf_package_get_nevra(pkg),
-- dnf_repo_get_id(repo),
-- error_local->message);
-- g_error_free(error_local);
-- return FALSE;
-- }
--
-- /* we can only install signed packages in this mode */
-- if ((priv->flags & DNF_TRANSACTION_FLAG_ONLY_TRUSTED) > 0) {
-- g_propagate_error(error, error_local);
-- return FALSE;
-- }
--
-- /* we can install unsigned packages */
-- g_debug("ignoring as allow-untrusted: %s",
-- error_local->message);
-- g_clear_error(&error_local);
-- }
- }
- return TRUE;
- }
-@@ -1167,6 +1184,44 @@ dnf_transaction_reset(DnfTransaction *transaction)
- }
-
- /**
-+ * dnf_transaction_import_keys:
-+ * @transaction: a #DnfTransaction instance.
-+ * @error: A #GError or %NULL
-+ *
-+ * Imports all keys from /etc/pki/rpm-gpg as well as any
-+ * downloaded per-repo keys. Note this is called automatically
-+ * by dnf_transaction_commit().
-+ **/
-+gboolean
-+dnf_transaction_import_keys(DnfTransaction *transaction,
-+ GError **error)
-+{
-+ guint i;
-+
-+ DnfTransactionPrivate *priv = GET_PRIVATE(transaction);
-+ /* import all system wide GPG keys */
-+ if (!dnf_keyring_add_public_keys(priv->keyring, error))
-+ return FALSE;
-+
-+ /* import downloaded repo GPG keys */
-+ for (i = 0; i < priv->repos->len; i++) {
-+ DnfRepo *repo = g_ptr_array_index(priv->repos, i);
-+ const gchar *pubkey;
-+
-+ /* does this file actually exist */
-+ pubkey = dnf_repo_get_public_key(repo);
-+ if (g_file_test(pubkey, G_FILE_TEST_EXISTS)) {
-+ /* import */
-+ if (!dnf_keyring_add_public_key(priv->keyring, pubkey, error))
-+ return FALSE;
-+ }
-+ }
-+
-+ return TRUE;
-+}
-+
-+
-+/**
- * dnf_transaction_commit:
- * @transaction: a #DnfTransaction instance.
- * @goal: A #HyGoal
-@@ -1237,26 +1292,10 @@ dnf_transaction_commit(DnfTransaction *transaction,
- if (!ret)
- goto out;
-
-- /* import all system wide GPG keys */
-- ret = dnf_keyring_add_public_keys(priv->keyring, error);
-+ ret = dnf_transaction_import_keys(transaction, error);
- if (!ret)
- goto out;
-
-- /* import downloaded repo GPG keys */
-- for (i = 0; i < priv->repos->len; i++) {
-- DnfRepo *repo = g_ptr_array_index(priv->repos, i);
-- const gchar *pubkey;
--
-- /* does this file actually exist */
-- pubkey = dnf_repo_get_public_key(repo);
-- if (g_file_test(pubkey, G_FILE_TEST_EXISTS)) {
-- /* import */
-- ret = dnf_keyring_add_public_key(priv->keyring, pubkey, error);
-- if (!ret)
-- goto out;
-- }
-- }
--
- /* find any packages without valid GPG signatures */
- ret = dnf_transaction_check_untrusted(transaction, goal, error);
- if (!ret)
-diff --git a/libdnf/libdnf/dnf-transaction.h b/libdnf/libdnf/dnf-transaction.h
-index 6131374..84d1365 100644
---- a/libdnf/libdnf/dnf-transaction.h
-+++ b/libdnf/libdnf/dnf-transaction.h
-@@ -95,6 +95,17 @@ gboolean dnf_transaction_depsolve (DnfTransaction *transac
- gboolean dnf_transaction_download (DnfTransaction *transaction,
- DnfState *state,
- GError **error);
-+
-+gboolean dnf_transaction_import_keys (DnfTransaction *transaction,
-+ GError **error);
-+
-+gboolean dnf_transaction_gpgcheck_package (DnfTransaction *transaction,
-+ DnfPackage *pkg,
-+ GError **error);
-+gboolean dnf_transaction_check_untrusted (DnfTransaction *transaction,
-+ HyGoal goal,
-+ GError **error);
-+
- gboolean dnf_transaction_commit (DnfTransaction *transaction,
- HyGoal goal,
- DnfState *state,
---
-2.9.3
-
diff --git a/SPECS/rpm-ostree.spec b/SPECS/rpm-ostree.spec
index b4c8b37..5b48d8f 100644
--- a/SPECS/rpm-ostree.spec
+++ b/SPECS/rpm-ostree.spec
@@ -1,8 +1,8 @@
%global bubblewrap_version 0.1.7
Summary: Client side upgrade program and server side compose tool
Name: rpm-ostree
-Version: 2017.1
-Release: 5.atomic%{?dist}
+Version: 2017.3
+Release: 2.atomic%{?dist}
#VCS: https://github.com/cgwalters/rpm-ostree
# This tarball is generated via "make -f Makefile.dist-packaging dist-snapshot"
# because github doesn't support placing submodules in tarballs and RPM
@@ -13,10 +13,6 @@ URL: https://github.com/projectatomic/rpm-ostree
Source1: https://github.com/projectatomic/bubblewrap/releases/download/v%{bubblewrap_version}/bubblewrap-%{bubblewrap_version}.tar.xz
Patch1: 0001-Revert-selector-prefer-obsoletes-Related-RhBug-10965.patch
-Patch2: 0001-unpacker-support-root-owned-var-run-files.patch
-Patch3: 0001-daemon-Avoid-erroring-out-on-startup-status-with-ori.patch
-Patch4: libdnf-gpg.patch
-Patch5: 0001-core-Do-GPG-verification-before-importing.patch
Requires: ostree-fuse
@@ -26,10 +22,9 @@ BuildRequires: autoconf automake libtool git
BuildRequires: chrpath
BuildRequires: gtk-doc
BuildRequires: gnome-common
-BuildRequires: gobject-introspection
+BuildRequires: gobject-introspection-devel
# Core requirements
-BuildRequires: pkgconfig(ostree-1) >= 2015.1
-BuildRequires: pkgconfig(libgsystem)
+BuildRequires: pkgconfig(ostree-1) >= 2017.2
BuildRequires: pkgconfig(json-glib-1.0)
BuildRequires: pkgconfig(rpm)
BuildRequires: pkgconfig(libarchive)
@@ -42,7 +37,7 @@ BuildRequires: libattr-devel
BuildRequires: pkgconfig(librepo)
# We're using RPATH to pick up our bundled version
-%global __requires_exclude ^libhif[.]so[.].*$
+%global __requires_exclude ^libdnf[.]so[.].*$
BuildRequires: cmake
BuildRequires: pkgconfig(expat)
@@ -136,6 +131,13 @@ python autofiles.py > files.devel \
%files devel -f files.devel
%changelog
+* Tue Mar 21 2017 Jonathan Lebon <jlebon@redhat.com> - 2017.3-2.atomic
+- Add BR on gobject-introspection-devel.
+
+* Fri Mar 17 2017 Jonathan Lebon <jlebon@redhat.com> - 2017.3-1.atomic
+- New upstream release
+- Resolves: #1433392
+
* Tue Feb 14 2017 Colin Walters <walters@verbum.org> - 2017.1-5.atomic
- Add patch to do GPG checking before importing/installing RPMs
- Resolves: #1422157