[reposync] Check GPG signatures of downloaded packages (RhBug:1856818)

YUMv3 reposync used to have --gpgcheck option to remove packages that fail GPG signature checking after downloading. This patch implements the option for DNF. = changelog = msg: Add --gpgcheck option to reposync (RhBug:1856818) type: enhancement resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1856818
rpm-software-management · Dec 1, 2020 · 2d427e6 · 2d427e6
1 parent c98558a
commit 2d427e6
Show file tree

Hide file tree

Showing 2 changed files with 25 additions and 0 deletions.
diff --git a/doc/reposync.rst b/doc/reposync.rst
@@ -48,6 +48,10 @@ All general DNF options are accepted. Namely, the ``--repoid`` option can be use
 ``--download-metadata``
     Download all repository metadata. Downloaded copy is instantly usable as a repository, no need to run createrepo_c on it.
 
+``-g, --gpgcheck``
+    Remove packages that fail GPG signature checking after downloading. Exit code is ``1`` if at least one package was removed.
+    Note that for repositories with ``gpgcheck=0`` set in their configuration the GPG signature is not checked even with this option used.
+
 ``-m, --downloadcomps``
     Also download and uncompress comps.xml. Consider using ``--download-metadata`` option which will download all available repository metadata.
 

diff --git a/plugins/reposync.py b/plugins/reposync.py
@@ -24,6 +24,7 @@
 import hawkey
 import os
 import shutil
+import types
 
 from dnfpluginscore import _, logger
 from dnf.cli.option_parser import OptionParser
@@ -65,6 +66,9 @@ def set_argparser(parser):
                             help=_('delete local packages no longer present in repository'))
         parser.add_argument('--download-metadata', default=False, action='store_true',
                             help=_('download all the metadata.'))
+        parser.add_argument('-g', '--gpgcheck', default=False, action='store_true',
+                            help=_('Remove packages that fail GPG signature checking '
+                                   'after downloading'))
         parser.add_argument('-m', '--downloadcomps', default=False, action='store_true',
                             help=_('also download and uncompress comps.xml'))
         parser.add_argument('--metadata-path',
@@ -114,6 +118,7 @@ def configure(self):
 
     def run(self):
         self.base.conf.keepcache = True
+        gpgcheck_ok = True
         for repo in self.base.repos.iter_enabled():
             if self.opts.remote_time:
                 repo._repo.setPreserveRemoteTime(True)
@@ -150,8 +155,24 @@ def run(self):
                 self.print_urls(pkglist)
             else:
                 self.download_packages(pkglist)
+                if self.opts.gpgcheck:
+                    for pkg in pkglist:
+                        local_path = self.pkg_download_path(pkg)
+                        # base.package_signature_check uses pkg.localPkg() to determine
+                        # the location of the package rpm file on the disk.
+                        # Set it to the correct download path.
+                        pkg.localPkg  = types.MethodType(
+                            lambda s, local_path=local_path: local_path, pkg)
+                        result, error = self.base.package_signature_check(pkg)
+                        if result != 0:
+                            logger.warning(_("Removing {}: {}").format(
+                                os.path.basename(local_path), error))
+                            os.unlink(local_path)
+                            gpgcheck_ok = False
             if self.opts.delete:
                 self.delete_old_local_packages(repo, pkglist)
+        if not gpgcheck_ok:
+            raise dnf.exceptions.Error(_("GPG signature check failed."))
 
     def repo_target(self, repo):
         return _pkgdir(self.opts.destdir or self.opts.download_path,