import dnf-plugins-core-4.0.18-3.el8

2021-02-04 06:11:32 +00:00 · 2021-02-04 06:11:32 +00:00 · 80849be5ce
commit 80849be5ce
parent 60a1829ab7
2 changed files with 199 additions and 1 deletions
--- a/SOURCES/0003-reposync-Check-GPG-signatures-of-downloaded-packages-RhBug-1856818.patch
+++ b/SOURCES/0003-reposync-Check-GPG-signatures-of-downloaded-packages-RhBug-1856818.patch
@ -0,0 +1,194 @@
 From a4f21266a6dab9e77913d56c04aba1e579f0e0c1 Mon Sep 17 00:00:00 2001
 From: Marek Blaha <mblaha@redhat.com>
 Date: Fri, 23 Oct 2020 09:06:35 +0200
 Subject: [PATCH 1/2] [reposync] Reorder options alphabetically
 ---
 doc/reposync.rst    | 30 +++++++++++++++---------------
 plugins/reposync.py | 18 +++++++++---------
 2 files changed, 24 insertions(+), 24 deletions(-)
 diff --git a/doc/reposync.rst b/doc/reposync.rst
 index 71a435dc..3b820f33 100644
 --- a/doc/reposync.rst
 +++ b/doc/reposync.rst
@@ -39,36 +39,36 @@ Options
 All general DNF options are accepted. Namely, the ``--repoid`` option can be used to specify the repositories to synchronize. See `Options` in :manpage:`dnf(8)` for details.
 -``-p <download-path>, --download-path=<download-path>``
 -    Root path under which the downloaded repositories are stored, relative to the current working directory. Defaults to the current working directory. Every downloaded repository has a subdirectory named after its ID under this path.
 -    
 -``--norepopath``
 -    Don't add the reponame to the download path. Can only be used when syncing a single repository (default is to add the reponame).
 -
 -``--download-metadata``
 -    Download all repository metadata. Downloaded copy is instantly usable as a repository, no need to run createrepo_c on it.
 -
 ``-a <architecture>, --arch=<architecture>``
     Download only packages of given architectures (default is all architectures). Can be used multiple times.
 -``--source``
 -    Operate on source packages.
 +``--delete``
 +    Delete local packages no longer present in repository.
 +
 +``--download-metadata``
 +    Download all repository metadata. Downloaded copy is instantly usable as a repository, no need to run createrepo_c on it.
 ``-m, --downloadcomps``
     Also download and uncompress comps.xml. Consider using ``--download-metadata`` option which will download all available repository metadata.
 +``--metadata-path``
 +    Root path under which the downloaded metadata are stored. It defaults to ``--download-path`` value if not given.
 +
 ``-n, --newest-only``
     Download only newest packages per-repo.
 -``--delete``
 -    Delete local packages no longer present in repository.
 +``--norepopath``
 +    Don't add the reponame to the download path. Can only be used when syncing a single repository (default is to add the reponame).
 -``--metadata-path``
 -    Root path under which the downloaded metadata are stored. It defaults to ``--download-path`` value if not given.
 +``-p <download-path>, --download-path=<download-path>``
 +    Root path under which the downloaded repositories are stored, relative to the current working directory. Defaults to the current working directory. Every downloaded repository has a subdirectory named after its ID under this path.
 ``--remote-time``
     Try to set the timestamps of the downloaded files to those on the remote side.
 +``--source``
 +    Operate on source packages.
 +
 ``-u, --urls``
     Just print urls of what would be downloaded, don't download.
 diff --git a/plugins/reposync.py b/plugins/reposync.py
 index 7556e7eb..6f572cac 100644
 --- a/plugins/reposync.py
 +++ b/plugins/reposync.py
@@ -63,24 +63,24 @@ def set_argparser(parser):
                             help=_('download only packages for this ARCH'))
         parser.add_argument('--delete', default=False, action='store_true',
                             help=_('delete local packages no longer present in repository'))
 -        parser.add_argument('-m', '--downloadcomps', default=False, action='store_true',
 -                            help=_('also download and uncompress comps.xml'))
         parser.add_argument('--download-metadata', default=False, action='store_true',
                             help=_('download all the metadata.'))
 +        parser.add_argument('-m', '--downloadcomps', default=False, action='store_true',
 +                            help=_('also download and uncompress comps.xml'))
 +        parser.add_argument('--metadata-path',
 +                            help=_('where to store downloaded repository metadata. '
 +                                   'Defaults to the value of --download-path.'))
         parser.add_argument('-n', '--newest-only', default=False, action='store_true',
                             help=_('download only newest packages per-repo'))
 -        parser.add_argument('-p', '--download-path', default='./',
 -                            help=_('where to store downloaded repositories'))
         parser.add_argument('--norepopath', default=False, action='store_true',
                             help=_("Don't add the reponame to the download path."))
 -        parser.add_argument('--metadata-path',
 -                            help=_('where to store downloaded repository metadata. '
 -                                   'Defaults to the value of --download-path.'))
 -        parser.add_argument('--source', default=False, action='store_true',
 -                            help=_('operate on source packages'))
 +        parser.add_argument('-p', '--download-path', default='./',
 +                            help=_('where to store downloaded repositories'))
         parser.add_argument('--remote-time', default=False, action='store_true',
                             help=_('try to set local timestamps of local files by '
                                    'the one on the server'))
 +        parser.add_argument('--source', default=False, action='store_true',
 +                            help=_('operate on source packages'))
         parser.add_argument('-u', '--urls', default=False, action='store_true',
                             help=_("Just list urls of what would be downloaded, "
                                    "don't download"))
 From 978b7f2b1c654fed7b1b4cf45cb607143226804c Mon Sep 17 00:00:00 2001
 From: Marek Blaha <mblaha@redhat.com>
 Date: Fri, 23 Oct 2020 09:14:02 +0200
 Subject: [PATCH 2/2] [reposync] Check GPG signatures of downloaded packages
 (RhBug:1856818)
 YUMv3 reposync used to have --gpgcheck option to remove packages that fail GPG
 signature checking after downloading.
 This patch implements the option for DNF.
 = changelog =
 msg:           Add --gpgcheck option to reposync (RhBug:1856818)
 type:          enhancement
 resolves:      https://bugzilla.redhat.com/show_bug.cgi?id=1856818
 ---
 doc/reposync.rst    |  4 ++++
 plugins/reposync.py | 21 +++++++++++++++++++++
 2 files changed, 25 insertions(+)
 diff --git a/doc/reposync.rst b/doc/reposync.rst
 index 3b820f33..de40957f 100644
 --- a/doc/reposync.rst
 +++ b/doc/reposync.rst
@@ -48,6 +48,10 @@ All general DNF options are accepted. Namely, the ``--repoid`` option can be use
 ``--download-metadata``
     Download all repository metadata. Downloaded copy is instantly usable as a repository, no need to run createrepo_c on it.
 +``-g, --gpgcheck``
 +    Remove packages that fail GPG signature checking after downloading. Exit code is ``1`` if at least one package was removed.
 +    Note that for repositories with ``gpgcheck=0`` set in their configuration the GPG signature is not checked even with this option used.
 +
 ``-m, --downloadcomps``
     Also download and uncompress comps.xml. Consider using ``--download-metadata`` option which will download all available repository metadata.
 diff --git a/plugins/reposync.py b/plugins/reposync.py
 index 6f572cac..c891bfa2 100644
 --- a/plugins/reposync.py
 +++ b/plugins/reposync.py
@@ -24,6 +24,7 @@
 import hawkey
 import os
 import shutil
 +import types
 from dnfpluginscore import _, logger
 from dnf.cli.option_parser import OptionParser
@@ -65,6 +66,9 @@ def set_argparser(parser):
                             help=_('delete local packages no longer present in repository'))
         parser.add_argument('--download-metadata', default=False, action='store_true',
                             help=_('download all the metadata.'))
 +        parser.add_argument('-g', '--gpgcheck', default=False, action='store_true',
 +                            help=_('Remove packages that fail GPG signature checking '
 +                                   'after downloading'))
         parser.add_argument('-m', '--downloadcomps', default=False, action='store_true',
                             help=_('also download and uncompress comps.xml'))
         parser.add_argument('--metadata-path',
@@ -114,6 +118,7 @@ def configure(self):
     def run(self):
         self.base.conf.keepcache = True
 +        gpgcheck_ok = True
         for repo in self.base.repos.iter_enabled():
             if self.opts.remote_time:
                 repo._repo.setPreserveRemoteTime(True)
@@ -150,8 +155,24 @@ def run(self):
                 self.print_urls(pkglist)
             else:
                 self.download_packages(pkglist)
 +                if self.opts.gpgcheck:
 +                    for pkg in pkglist:
 +                        local_path = self.pkg_download_path(pkg)
 +                        # base.package_signature_check uses pkg.localPkg() to determine
 +                        # the location of the package rpm file on the disk.
 +                        # Set it to the correct download path.
 +                        pkg.localPkg  = types.MethodType(
 +                            lambda s, local_path=local_path: local_path, pkg)
 +                        result, error = self.base.package_signature_check(pkg)
 +                        if result != 0:
 +                            logger.warning(_("Removing {}: {}").format(
 +                                os.path.basename(local_path), error))
 +                            os.unlink(local_path)
 +                            gpgcheck_ok = False
             if self.opts.delete:
                 self.delete_old_local_packages(repo, pkglist)
 +        if not gpgcheck_ok:
 +            raise dnf.exceptions.Error(_("GPG signature check failed."))
     def repo_target(self, repo):
         return _pkgdir(self.opts.destdir or self.opts.download_path,
--- a/SPECS/dnf-plugins-core.spec
+++ b/SPECS/dnf-plugins-core.spec
@ -32,13 +32,14 @@
 Name:           dnf-plugins-core
 Version:        4.0.18
-Release:        2%{?dist}
+Release:        3%{?dist}
 Summary:        Core Plugins for DNF
 License:        GPLv2+
 URL:            https://github.com/rpm-software-management/dnf-plugins-core
 Source0:        %{url}/archive/%{version}/%{name}-%{version}.tar.gz
 Patch1:         0001-groups-manager-Re-introduce-yum-groups-manager-funct.patch
 Patch2:         0002-needs-restarting-add-s-to-list-services-RhBug-177293.patch
 Patch3:         0003-reposync-Check-GPG-signatures-of-downloaded-packages-RhBug-1856818.patch
 BuildArch:      noarch
 BuildRequires:  cmake
 BuildRequires:  gettext
@ -760,6 +761,9 @@ PYTHONPATH=./plugins nosetests-%{python3_version} -s tests/
 %endif
 %changelog
 * Fri Jan 15 2021 Nicola Sella <nsella@redhat.com> - 4.0.18-3
 - [reposync] Check GPG signatures of downloaded packages (RhBug:1856818)
 * Tue Dec 8 2020 Marek Blaha <mblaha@redhat.com> - 4.0.18-2
 - Introduce groups-manager plugin (RhBug:1826016)
 - [needs-restarting] add -s to list services (RhBug:1772939)