[1/2] lib/oe/package_manager.py (rpm): Signature check is enabled by default

Submitted by Otavio Salvador on Sept. 30, 2017, 6:06 p.m. | Patch ID: 144618

Details

Message ID 20170930180655.25134-1-otavio@ossystems.com.br
State New

Commit Message

Otavio Salvador Sept. 30, 2017, 6:06 p.m.
The dnf has GPG signature check enabled by default. It has been confirmed using:

,----
| root@qemux86-64:~# grep gpgcheck /etc/dnf/dnf.conf
| gpgcheck=1
`----

Signed-off-by: Otavio Salvador <otavio@ossystems.com.br>
---

 meta/lib/oe/package_manager.py | 1 -
 1 file changed, 1 deletion(-)


diff --git a/meta/lib/oe/package_manager.py b/meta/lib/oe/package_manager.py
index 658c964277..1501291657 100644
--- a/meta/lib/oe/package_manager.py
+++ b/meta/lib/oe/package_manager.py
@@ -549,7 +549,6 @@  class RpmPM(PackageManager):
             return
 
         if self.d.getVar('PACKAGE_FEED_SIGN') == '1':
-            gpg_opts = 'repo_gpgcheck=1\n'
             gpg_opts += 'gpgkey=file://%s/pki/packagefeed-gpg/PACKAGEFEED-GPG-KEY-%s-%s\n' % (self.d.getVar('sysconfdir'), self.d.getVar('DISTRO'), self.d.getVar('DISTRO_CODENAME'))
         else:
             gpg_opts = ''
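Review bot: Removing only the `gpg_opts = 'repo_gpgcheck=1\n'` line leaves `gpg_opts += 'gpgkey=...'` on the next line as the first use of `gpg_opts` in this branch, and nothing in the visible context assigns it earlier, so the `PACKAGE_FEED_SIGN == '1'` path would now raise UnboundLocalError instead of writing the gpgkey line. Separately, the commit message justifies the removal with `gpgcheck=1` from dnf.conf, but the line being dropped sets `repo_gpgcheck`, which is a different option (repository metadata verification rather than per-package verification), so the stated justification does not cover the option actually removed. Suggest keeping `gpg_opts = 'repo_gpgcheck=1\n'` (or at minimum initialising `gpg_opts = ''` before the `+=`), and stating in the commit message which of the two dnf options is meant.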

Comments

Alexander Kanavin Oct. 1, 2017, 7:36 a.m.
On 09/30/2017 09:06 PM, Otavio Salvador wrote:
> The dnf has GPG signature check enabled by default. It has been confirmed using:
> 
> ,----
> | root@qemux86-64:~# grep gpgcheck /etc/dnf/dnf.conf
> | gpgcheck=1
...
>           if self.d.getVar('PACKAGE_FEED_SIGN') == '1':
> -            gpg_opts = 'repo_gpgcheck=1\n'
>               gpg_opts += 'gpgkey=file://%s/pki/packagefeed-gpg/PACKAGEFEED-GPG-KEY-%s-%s\n' % (self.d.getVar('sysconfdir'), self.d.getVar('DISTRO'), self.d.getVar('DISTRO_CODENAME'))


NAK both patches, I'm afraid. gpgcheck and repo_gpgcheck are two 
different options, which control different things, and you thoroughly 
confused them here.

Alex
Otavio Salvador Oct. 1, 2017, 10 p.m.
On Sun, Oct 1, 2017 at 4:36 AM, Alexander Kanavin
<alexander.kanavin@linux.intel.com> wrote:
> On 09/30/2017 09:06 PM, Otavio Salvador wrote:
>>
>> The dnf has GPG signature check enabled by default. It has been confirmed
>> using:
>>
>> ,----
>> | root@qemux86-64:~# grep gpgcheck /etc/dnf/dnf.conf
>> | gpgcheck=1
>
> ...
>>
>>           if self.d.getVar('PACKAGE_FEED_SIGN') == '1':
>> -            gpg_opts = 'repo_gpgcheck=1\n'
>>               gpg_opts +=
>> 'gpgkey=file://%s/pki/packagefeed-gpg/PACKAGEFEED-GPG-KEY-%s-%s\n' %
>> (self.d.getVar('sysconfdir'), self.d.getVar('DISTRO'),
>> self.d.getVar('DISTRO_CODENAME'))
>
>
>
> NAK both patches, I'm afraid. gpgcheck and repo_gpgcheck are two different
> options, which control different things, and you thoroughly confused them
> here.

I did test both patches and this is not what I figured. Did you test it?
Alexander Kanavin Oct. 2, 2017, 11:01 a.m.
On 10/02/2017 01:00 AM, Otavio Salvador wrote:

>> NAK both patches, I'm afraid. gpgcheck and repo_gpgcheck are two different
>> options, which control different things, and you thoroughly confused them
>> here.
> 
> I did test both patches and this is not what I figured. Did you test it?

>> Again, 'gpcheck' option has nothing to do with verifying signed package
>> feeds. NAK.
> 
> Oh really? so tell me why it fixed my error?
> 
> Without this patch I need to use:
> 
> dnf install --nogpgcheck <pkg>
> 
> and it is sub-optimal as I did not enable signed support.


Oe-core has support for two different things:

1. Signing and verifying individual package files. This feature is 
controlled by RPM_SIGN_PACKAGES option in build configuration and dnf's 
gpgcheck config file option at runtime.

2. Signing and verifying repository metadata. This feature is controlled 
by PACKAGE_FEED_SIGN option and repo_gpgcheck config file option 
respectively.

The above two things are completely orthogonal, and can be enabled and 
disabled independently of each other. Now please look at your patches 
keeping this in mind.

I assure you, both of the patches are incorrect. Exactly why is left as 
an exercise for the reader.

Alex
Otavio Salvador Oct. 2, 2017, 1:09 p.m.
Alexander,

On Mon, Oct 2, 2017 at 8:01 AM, Alexander Kanavin
<alexander.kanavin@linux.intel.com> wrote:
> On 10/02/2017 01:00 AM, Otavio Salvador wrote:
>
>>> NAK both patches, I'm afraid. gpgcheck and repo_gpgcheck are two
>>> different
>>> options, which control different things, and you thoroughly confused them
>>> here.
>>
>>
>> I did test both patches and this is not what I figured. Did you test it?
>
>
>>> Again, 'gpcheck' option has nothing to do with verifying signed package
>>> feeds. NAK.
>>
>>
>> Oh really? so tell me why it fixed my error?
>>
>> Without this patch I need to use:
>>
>> dnf install --nogpgcheck <pkg>
>>
>> and it is sub-optimal as I did not enable signed support.
>
> Oe-core has support for two different things:
>
> 1. Signing and verifying individual package files. This feature is
> controlled by RPM_SIGN_PACKAGES option in build configuration and dnf's
> gpgcheck config file option at runtime.
>
> 2. Signing and verifying repository metadata. This feature is controlled by
> PACKAGE_FEED_SIGN option and repo_gpgcheck config file option respectively.
>
> The above two things are completely orthogonal, and can be enabled and
> disabled independently of each other. Now please look at your patches
> keeping this in mind.
>
> I assure you, both of the patches are incorrect. Exactly why is left as an
> exercise for the reader.

I assure you I did test both patches. I leave as an exercise to you to
show me what it breaks.

Also, keeping "exercises" for contributors is not something which
helps to gather more contributions. It solved the dnf install
requirement for my test and seems to be the right thing to do. I may
be missing something but please point it out or give me a test case.
Alexander Kanavin Oct. 2, 2017, 1:56 p.m.
On 10/02/2017 04:09 PM, Otavio Salvador wrote:

> I assure you I did test both patches. I leave as an exercise to you to
> show me what it breaks.
> 
> Also, keeping "exercises" for contributors is not something which
> helps to gather more contributions. It solved the dnf install
> requirement for my test and seems to be the right thing to do. I may
> be missing something but please point it out or give me a test case.

The first patch is removing the addition of 'repo_gpgcheck=1' option to 
dnf config file when repo feed signing/verification is enabled. Dnf does 
not enable that feature by default, and so the option must be present in 
dnf config file when repo feed signature verification is in use.

The second patch adds 'gpgcheck=0' when repo feed signing is disabled, 
which will also disable package verification at runtime, ignoring the 
altogether different build setting controlling that. As I've already 
explained to you, package signing and feed signing are two different 
things, with their own sets of options.

Test case 1:

- enable feed signing, check that resulting dnf.conf file has feed 
verification (repo_gpgcheck option) enabled

Test case 2:

- enable package signing, disable package feed signing, check that the 
resulting dnf.conf file has package verification enabled.

Both test cases will fail with your patches.

Alex
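The distinction Alex draws above (package signing via RPM_SIGN_PACKAGES and dnf's `gpgcheck`, feed signing via PACKAGE_FEED_SIGN and `repo_gpgcheck`, the two being independent) and the two test cases he lists can be turned into a small executable model. The following is an added example and is not oe-core's code; the function names, the config layout, the default values and the way the two patches' defects are modelled (dropping the `repo_gpgcheck=1` line, and tying `gpgcheck` to the feed-signing setting) are assumptions made for illustration.

```python
"""Added example, not oe-core's code: a small model of the two independent
signing controls described in the thread (RPM_SIGN_PACKAGES -> dnf 'gpgcheck',
PACKAGE_FEED_SIGN -> dnf 'repo_gpgcheck') plus the two test cases.
Function names, the config layout and the default values are assumptions."""


def build_gpg_opts(rpm_sign_packages, package_feed_sign,
                   sysconfdir="/etc", distro="example-distro",
                   codename="example-codename",
                   emit_repo_gpgcheck=True, tie_gpgcheck_to_feed=False):
    """Return the gpg-related lines of a dnf repo configuration.

    rpm_sign_packages -> per-package verification (dnf 'gpgcheck')
    package_feed_sign -> repository metadata verification (dnf 'repo_gpgcheck')

    The two extra knobs reproduce the defects discussed in the thread
    (modelled semantically; an assumption): emit_repo_gpgcheck=False drops
    the 'repo_gpgcheck=1' line like the patch under review, and
    tie_gpgcheck_to_feed=True writes 'gpgcheck=0' whenever feed signing is
    off, like the second patch.
    """
    gpgcheck_on = bool(rpm_sign_packages)
    if tie_gpgcheck_to_feed and not package_feed_sign:
        gpgcheck_on = False  # package check wrongly coupled to feed signing
    lines = ["gpgcheck=%d" % (1 if gpgcheck_on else 0)]
    if package_feed_sign:
        if emit_repo_gpgcheck:
            lines.append("repo_gpgcheck=1")
        # key path layout taken from the hunk on this page
        lines.append("gpgkey=file://%s/pki/packagefeed-gpg/PACKAGEFEED-GPG-KEY-%s-%s"
                     % (sysconfdir, distro, codename))
    return "\n".join(lines) + "\n"


def parse_conf(text):
    """Parse 'key=value' lines (blank lines and '#' comments ignored) into a dict."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def run_test_cases(**knobs):
    """The two test cases from the thread; returns {name: passed}.

    knobs are forwarded to build_gpg_opts so the defective variants can be
    checked with the same code."""
    # Test case 1: feed signing enabled -> repo_gpgcheck must be present and on.
    conf1 = parse_conf(build_gpg_opts(rpm_sign_packages=True,
                                      package_feed_sign=True, **knobs))
    tc1 = conf1.get("repo_gpgcheck") == "1"
    # Test case 2: package signing on, feed signing off -> gpgcheck must stay
    # on, and no repo_gpgcheck line may be written.
    conf2 = parse_conf(build_gpg_opts(rpm_sign_packages=True,
                                      package_feed_sign=False, **knobs))
    tc2 = conf2.get("gpgcheck") == "1" and "repo_gpgcheck" not in conf2
    return {"feed_signing_writes_repo_gpgcheck": tc1,
            "package_check_independent_of_feed": tc2}


if __name__ == "__main__":
    variants = [
        ("correct", {}),
        ("patch 1 (repo_gpgcheck dropped)", {"emit_repo_gpgcheck": False}),
        ("patch 2 (gpgcheck tied to feed)", {"tie_gpgcheck_to_feed": True}),
    ]
    for label, knobs in variants:
        print(label, run_test_cases(**knobs))
```

Run stand-alone, the correct variant passes both cases, the variant that drops `repo_gpgcheck=1` fails test case 1, and the variant that couples `gpgcheck` to feed signing fails test case 2, which is the outcome Alex predicts for the two patches.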
Otavio Salvador Oct. 2, 2017, 2:19 p.m.
On Mon, Oct 2, 2017 at 10:56 AM, Alexander Kanavin
<alexander.kanavin@linux.intel.com> wrote:
> On 10/02/2017 04:09 PM, Otavio Salvador wrote:
>
>> I assure you I did test both patches. I leave as an exercise to you to
>> show me what it breaks.
>>
>> Also, keeping "exercises" for contributors is not something which
>> helps to gather more contributions. It solved the dnf install
>> requirement for my test and seems to be the right thing to do. I may
>> be missing something but please point it or give me a case test.
>
>
> The first patch is removing the addition of 'repo_gpgcheck=1' option to dnf
> config file when repo feed signing/verification is enabled. Dnf does not
> enable that feature by default, and so the option must be present in dnf
> config file when repo feed signature verification is in use.
>
> The second patch adds 'gpgcheck=0' when repo feed signing is disabled, which
> will also disable package verification at runtime, ignoring the altogether
> different build setting controlling that. As I've already explained to you,
> package signing and feed signing are two different things, with their own
> sets of options.
>
> Test case 1:
>
> - enable feed signing, check that resulting dnf.conf file has feed
> verification (repo_gpgcheck option) enabled
>
> Test case 2:
>
> - enable package signing, disable package feed signing, check that the
> resulting dnf.conf file has package verification enabled.
>
> Both test cases will fail with your patches.

I sent a v2 making it clear it disabled package signature check. It
works for my test case. I dropped the repo_gpgcheck removal patch.