Implicitly trust file-local sources managed by landscape (LP: #173657…

…6) (#31)
canonical · Feb 6, 2018 · d640643 · d640643
1 parent 7da9a78
commit d640643
Show file tree

Hide file tree

Showing 3 changed files with 179 additions and 67 deletions.
diff --git a/debian/landscape-client.postinst b/debian/landscape-client.postinst
@@ -106,6 +106,14 @@ END
         USER_UPDATE_FLAG_FILE="$DATA_PATH/user-update-flag"
         install --owner=landscape /dev/null $USER_UPDATE_FLAG_FILE
         echo "This file indicates that the Landscape client needs to send updated user information to the server." >> $USER_UPDATE_FLAG_FILE
+
+        # To work around bug #1735100 we rewrite file-local landscape sources
+        # with the trusted flag, as they have no release file, thus are
+        # unsigned repositories. It exists while package profile is applying.
+        LANDSCAPE_INTERNAL_SOURCES=/etc/apt/sources.list.d/_landscape-internal-facade.list
+        if grep -q -e "^deb file:" $LANDSCAPE_INTERNAL_SOURCES; then
+            sed -i 's/^deb file:/deb [ trusted=yes ] file:/' $LANDSCAPE_INTERNAL_SOURCES
+        fi
     ;;
 
     abort-upgrade|abort-remove|abort-deconfigure)

diff --git a/landscape/lib/apt/package/facade.py b/landscape/lib/apt/package/facade.py
@@ -269,15 +269,21 @@ def _get_internal_sources_list(self):
         sources_dir = apt_pkg.config.find_dir("Dir::Etc::sourceparts")
         return os.path.join(sources_dir, "_landscape-internal-facade.list")
 
-    def add_channel_apt_deb(self, url, codename, components=None):
+    def add_channel_apt_deb(self, url, codename, components=None,
+                            trusted=None):
         """Add a deb URL which points to a repository.
 
         @param url: The base URL of the repository.
         @param codename: The dist in the repository.
         @param components: The components to be included.
+        @param trusted: Whether validation should be skipped (if local).
         """
         sources_file_path = self._get_internal_sources_list()
-        sources_line = "deb %s %s" % (url, codename)
+        source_options = ""
+        if trusted is not None and url.startswith("file:"):
+            trusted_val = "yes" if trusted else "no"
+            source_options = "[ trusted={} ] ".format(trusted_val)
+        sources_line = "deb {}{} {}".format(source_options, url, codename)
         if components:
             sources_line += " %s" % " ".join(components)
         if os.path.exists(sources_file_path):
@@ -296,7 +302,9 @@ def add_channel_deb_dir(self, path):
         about the deb files.
         """
         self._create_packages_file(path)
-        self.add_channel_apt_deb("file://%s" % path, "./", None)
+        # yakkety+ validate even file repository by default. deb dirs don't
+        # have a signed Release file but are local so they should be trusted.
+        self.add_channel_apt_deb("file://%s" % path, "./", None, trusted=True)
 
     def clear_channels(self):
         """Clear the channels that have been added through the facade.