Merge pull request #2 from xcp-ng/yann/gpgcheck

Global and per-source gpgcheck flags

answerfile.py

@@ -92,6 +92,8 @@ def processAnswerfile(self):
             else:
                 raise AnswerfileException("Unknown mode, %s" % install_type)
 
+            results['repo-gpgcheck'] = getBoolAttribute(self.top_node, ['repo-gpgcheck'], default=True)
+            results['gpgcheck'] = getBoolAttribute(self.top_node, ['gpgcheck'], default=True)
             results.update(self.parseCommon())
         elif self.operation == 'restore':
             results = self.parseRestore()
@@ -267,7 +269,21 @@ def parseSource(self):
             if rtype == 'url':
                 address = util.URL(address)
 
-            results['sources'].append({'media': rtype, 'address': address})
+            # workaround getBoolAttribute() not allowing "None" as
+            # default, by using a getStrAttribute() call first to
+            # handle the default situation where the attribute is not
+            # specified
+            repo_gpgcheck = (None if getStrAttribute(i, ['repo-gpgcheck'], default=None) is None
+                             else getBoolAttribute(i, ['repo-gpgcheck']))
+            gpgcheck = (None if getStrAttribute(i, ['gpgcheck'], default=None) is None
+                        else getBoolAttribute(i, ['gpgcheck']))
+
+            results['sources'].append({
+                'media': rtype, 'address': address,
+                'repo_gpgcheck': repo_gpgcheck,
+                'gpgcheck': gpgcheck,
+            })
+            logger.log("parsed source %s" % results['sources'][-1])
 
         return results
 

backend.py

@@ -380,7 +380,7 @@ def handleRepos(repos, ans):
     main_repositories = []
     update_repositories = []
 
-    def add_repos(main_repositories, update_repositories, repos):
+    def add_repos(main_repositories, update_repositories, repos, repo_gpgcheck, gpgcheck):
         """Add repositories to the appropriate list, ensuring no duplicates,
         that the main repository is at the beginning, and that the order of the
         rest is maintained."""
@@ -397,20 +397,28 @@ def add_repos(main_repositories, update_repositories, repos):
                 else:
                     repo_list.append(repo)
 
+                if repo_list is main_repositories: # i.e., if repo is a "main repository"
+                    repo.setRepoGpgCheck(repo_gpgcheck)
+                    repo.setGpgCheck(gpgcheck)
+
+    default_repo_gpgcheck = answers.get('repo-gpgcheck', True)
+    default_gpgcheck = answers.get('gpgcheck', True)
     # A list of sources coming from the answerfile
     if 'sources' in answers_pristine:
         for i in answers_pristine['sources']:
             repos = repository.repositoriesFromDefinition(i['media'], i['address'])
-            add_repos(main_repositories, update_repositories, repos)
+            repo_gpgcheck = default_repo_gpgcheck if i['repo_gpgcheck'] is None else i['repo_gpgcheck']
+            gpgcheck = default_gpgcheck if i['gpgcheck'] is None else i['gpgcheck']
+            add_repos(main_repositories, update_repositories, repos, repo_gpgcheck, gpgcheck)
 
     # A single source coming from an interactive install
     if 'source-media' in answers_pristine and 'source-address' in answers_pristine:
         repos = repository.repositoriesFromDefinition(answers_pristine['source-media'], answers_pristine['source-address'])
-        add_repos(main_repositories, update_repositories, repos)
+        add_repos(main_repositories, update_repositories, repos, default_repo_gpgcheck, default_gpgcheck)
 
     for media, address in answers_pristine['extra-repos']:
         repos = repository.repositoriesFromDefinition(media, address)
-        add_repos(main_repositories, update_repositories, repos)
+        add_repos(main_repositories, update_repositories, repos, default_repo_gpgcheck, default_gpgcheck)
 
     if not main_repositories or main_repositories[0].identifier() != MAIN_REPOSITORY_NAME:
         raise RuntimeError("No main repository found")

doc/answerfile.txt

@@ -34,6 +34,29 @@ Restore:
   ...
 </restore>
 
+
+Common Attributes
+-----------------
+
+  repo-gpgcheck="false"
+
+    Disable check of repodata signature (`repo_gpgcheck=0` in
+    `yum.conf`), for all yum repositories that are not Supplemental
+    Packs (none of which are checked). Don't use this for a network
+    install of a production server, and make sure to verify the
+    authenticity of your install media through other means.
+
+    Validity: any <installation> operation.
+
+  gpgcheck="false"
+
+    Disable check of rpm signature (`gpgcheck=0` in `yum.conf`), for
+    all yum repositories that are not Supplemental Packs (none of
+    which are checked). Don't use this for a production server.
+
+    Validity: any <installation> operation.
+
+
 Elements common to all answerfiles, both 'installation' and 'restore'
 ---------------------------------------------------------------------
 
@@ -100,6 +123,15 @@ Elements for 'installation' modes
     The location of the installation repository or a Supplemental
     Pack. There may be multiple 'source' elements.
 
+    Optional attributes for <source> only:
+
+      repo-gpgcheck=bool
+      gpgcheck=bool
+
+        Override the global yum gpgcheck setting, respectively for
+        repodata and RPMs, for this source only.  Only applies to
+        repositories that are not Supplemental Packs (none of which
+        are checked).
 
   <bootloader location="mbr|partition">grub2|extlinux[D]|grub[D]</bootloader>?
 

doc/parameters.txt

@@ -220,3 +220,13 @@ Installer
   --cc-preparations
 
     Prepare configuration for common criteria security.
+
+
+  --no-repo-gpgcheck
+
+    Disable check of repodata signature, for all yum repositories.
+
+
+  --no-gpgcheck
+
+    Disable check of rpm signature, for all yum repositories.

install.py

@@ -136,6 +136,12 @@ def go(ui, args, answerfile_address, answerfile_script):
         elif opt == "--netinstall":
             results['netinstall'] = True
             logger.log("This is a netinstall.")
+        elif opt == "--no-repo-gpgcheck":
+            results['repo-gpgcheck'] = False
+            logger.log("Yum gpg check of repository disabled on command-line")
+        elif opt == "--no-gpgcheck":
+            results['gpgcheck'] = False
+            logger.log("Yum gpg check of RPMs disabled on command-line")
 
     if boot_console and not serial_console:
         serial_console = boot_console

repository.py

@@ -244,6 +244,8 @@ def __init__(self, accessor):
         super(MainYumRepository, self).__init__(accessor)
         self._identifier = MAIN_REPOSITORY_NAME
         self.keyfiles = []
+        self._repo_gpg_check = True
+        self._gpg_check = True
 
         def get_name_version(config_parser, section, name_key, vesion_key):
             name, version = None, None
@@ -314,10 +316,10 @@ def _repo_config(self):
                 outfh = open(key_path, "w")
                 outfh.write(infh.read())
                 return """
-gpgcheck=1
-repo_gpgcheck=1
+gpgcheck=%s
+repo_gpgcheck=%s
 gpgkey=file://%s
-""" % (key_path)
+""" % (int(self._gpg_check), int(self._repo_gpg_check), key_path)
             finally:
                 if infh:
                     infh.close()
@@ -353,6 +355,13 @@ def getBranding(self, branding):
             branding['product-build'] = self._build_number
         return branding
 
+    def setRepoGpgCheck(self, value):
+        logger.log("%s: setRepoGpgCheck(%s)" % (self, value))
+        self._repo_gpg_check = value
+
+    def setGpgCheck(self, value):
+        logger.log("%s: setGpgCheck(%s)" % (self, value))
+        self._gpg_check = value
 
 class UpdateYumRepository(YumRepositoryWithInfo):
     """Represents a Yum repository containing packages and associated meta data for an update."""