Blob Blame History Raw
diff -up yum-3.4.3/docs/yum.conf.5.orig yum-3.4.3/docs/yum.conf.5
--- yum-3.4.3/docs/yum.conf.5.orig	2017-03-23 13:48:19.700471026 +0100
+++ yum-3.4.3/docs/yum.conf.5	2017-03-23 13:48:21.455461060 +0100
@@ -105,6 +105,31 @@ signature check on the repodata. When th
 default for all repositories. The default is `0'.
 
 .IP
+\fBpayload_gpgcheck\fR
+Either `1' or `0'. This tells yum whether or not it should also perform a GPG
+signature check on the payload (part of a package holding the actual files that
+comprise the package).
+
+By default, yum only performs GPG signature checks on package headers.
+Thus, if the payload data has been tampered with or corrupted, yum will fail in
+the middle of the transaction due to an RPM unpacking error, after some
+unverified scriptlets might have already run, and possibly leave the package in
+question partly installed.
+
+To prevent all of that, you can enable this option to extend the signature
+check to also include the payload, so that yum can avoid running the
+transaction in case of payload corruption.
+This slightly improves security, however at the expense of significantly
+increased transaction time, so you may want to only use this option when
+package corruption is a concern.
+
+For this option to have effect, make sure to also enable gpgcheck (or
+localpkg_gpgcheck for local packages).
+
+When this option is set in the [main] section it sets the default for all
+repositories. The default is `0'.
+
+.IP
 \fBskip_broken\fR
 Either `1' or `0'. Resolve depsolve problems by removing packages that
 are causing problems from the transaction.
diff -up yum-3.4.3/rpmUtils/miscutils.py.orig yum-3.4.3/rpmUtils/miscutils.py
--- yum-3.4.3/rpmUtils/miscutils.py.orig	2011-06-28 22:27:22.000000000 +0200
+++ yum-3.4.3/rpmUtils/miscutils.py	2017-03-23 13:48:21.455461060 +0100
@@ -58,11 +58,16 @@ def compareVerOnly(v1, v2):
     """compare version strings only using rpm vercmp"""
     return compareEVR(('', v1, ''), ('', v2, ''))
     
-def checkSig(ts, package):
-    """Takes a transaction set and a package, check it's sigs, 
+def checkSig(ts, package, payload=False):
+    """Takes a transaction set and a package, check it's sigs.
+
+    By default, only RPMv4 sigs (header-only) will be verified (faster).  By
+    setting payload to True, RPMv3 sigs (header+payload) will also be verified
+    (slower).
+
     return 0 if they are all fine
     return 1 if the gpg key can't be found
-    return 2 if the header is in someway damaged
+    return 2 if the header or payload is in someway damaged
     return 3 if the key is not trusted 
     return 4 if the pkg is not gpg or pgp signed"""
     
@@ -89,6 +94,24 @@ def checkSig(ts, package):
         else:
             del hdr
 
+    # Don't perform the payload check if the header check failed, otherwise we
+    # could mask the reason stored in "value" (we only return one integer from
+    # this function and shouldn't change that).
+    if payload and value == 0:
+        os.lseek(fdno, 0, 0)
+        # We don't want the OK message to pollute the output but we do want the
+        # BAD message (verbose version) in case of a failure, which is only
+        # possible by running _verifySigs() twice (temporary hack until we have
+        # the proper API for payload verification in RPM).
+        rpm.setVerbosity(rpm.RPMLOG_WARNING)
+        valid = ts._verifySigs(fdno, package)
+        if not valid:
+            value = 2
+            os.lseek(fdno, 0, 0)
+            rpm.setVerbosity(rpm.RPMLOG_INFO)
+            ts._verifySigs(fdno, package)
+        rpm.setVerbosity(rpm.RPMLOG_NOTICE)
+
     try:
         os.close(fdno)
     except OSError, e: # if we're not opened, don't scream about it
diff -up yum-3.4.3/rpmUtils/transaction.py.orig yum-3.4.3/rpmUtils/transaction.py
--- yum-3.4.3/rpmUtils/transaction.py.orig	2017-03-23 13:48:19.441472497 +0100
+++ yum-3.4.3/rpmUtils/transaction.py	2017-03-23 13:48:21.455461060 +0100
@@ -35,7 +35,8 @@ class TransactionWrapper:
                          'setProbFilter',
                          'hdrFromFdno',
                          'next',
-                         'clean']
+                         'clean',
+                         '_verifySigs']
         self.tsflags = []
         self.open = True
 
diff -up yum-3.4.3/yum/config.py.orig yum-3.4.3/yum/config.py
--- yum-3.4.3/yum/config.py.orig	2017-03-23 13:48:19.701471020 +0100
+++ yum-3.4.3/yum/config.py	2017-03-23 13:48:21.456461055 +0100
@@ -46,6 +46,7 @@ from misc import get_uuid, read_in_items
 # Alter/patch these to change the default checking...
 __pkgs_gpgcheck_default__ = False
 __repo_gpgcheck_default__ = False
+__payload_gpgcheck_default__ = False
 __main_multilib_policy_default__ = 'all'
 __main_failovermethod_default__ = 'roundrobin'
 __main_installonly_limit_default__ = 0
@@ -786,6 +787,7 @@ class YumConf(StartupConf):
     gpgcheck = BoolOption(__pkgs_gpgcheck_default__)
     repo_gpgcheck = BoolOption(__repo_gpgcheck_default__)
     localpkg_gpgcheck = BoolOption(__pkgs_gpgcheck_default__)
+    payload_gpgcheck = BoolOption(__payload_gpgcheck_default__)
     obsoletes = BoolOption(True)
     showdupesfromrepos = BoolOption(False)
     enabled = BoolOption(True)
diff -up yum-3.4.3/yum/__init__.py.orig yum-3.4.3/yum/__init__.py
--- yum-3.4.3/yum/__init__.py.orig	2017-03-23 13:48:19.731470850 +0100
+++ yum-3.4.3/yum/__init__.py	2017-03-23 13:48:21.456461055 +0100
@@ -2755,7 +2755,9 @@ much more problems).
         
         if check:
             ts = self.rpmdb.readOnlyTS()
-            sigresult = rpmUtils.miscutils.checkSig(ts, po.localPkg())
+            sigresult = rpmUtils.miscutils.checkSig(
+                ts, po.localPkg(), payload=self.conf.payload_gpgcheck,
+            )
             localfn = os.path.basename(po.localPkg())
             
             if sigresult == 0: