diff --git a/answerfile.py b/answerfile.py
index bdd4da76..f46f77c5 100644
--- a/answerfile.py
+++ b/answerfile.py
@@ -92,6 +92,8 @@ def processAnswerfile(self):
 else:
 raise AnswerfileException("Unknown mode, %s" % install_type)
+ results['repo-gpgcheck'] = getBoolAttribute(self.top_node, ['repo-gpgcheck'], default=True)
+ results['gpgcheck'] = getBoolAttribute(self.top_node, ['gpgcheck'], default=True)
 results.update(self.parseCommon())
 elif self.operation == 'restore':
 results = self.parseRestore()
@@ -267,7 +269,21 @@ def parseSource(self):
 if rtype == 'url':
 address = util.URL(address)
- results['sources'].append({'media': rtype, 'address': address})
+ # workaround getBoolAttribute() not allowing "None" as
+ # default, by using a getStrAttribute() call first to
+ # handle the default situation where the attribute is not
+ # specified
+ repo_gpgcheck = (None if getStrAttribute(i, ['repo-gpgcheck'], default=None) is None
+ else getBoolAttribute(i, ['repo-gpgcheck']))
+ gpgcheck = (None if getStrAttribute(i, ['gpgcheck'], default=None) is None
+ else getBoolAttribute(i, ['gpgcheck']))
+
+ results['sources'].append({
+ 'media': rtype, 'address': address,
+ 'repo_gpgcheck': repo_gpgcheck,
+ 'gpgcheck': gpgcheck,
+ })
+ logger.log("parsed source %s" % results['sources'][-1])
 return results
diff --git a/backend.py b/backend.py
index df985389..c7789920 100644
--- a/backend.py
+++ b/backend.py
@@ -380,7 +380,7 @@ def handleRepos(repos, ans):
 main_repositories = []
 update_repositories = []
- def add_repos(main_repositories, update_repositories, repos):
+ def add_repos(main_repositories, update_repositories, repos, repo_gpgcheck, gpgcheck):
 """Add repositories to the appropriate list, ensuring no duplicates, that the main repository is at the beginning, and that the order of the rest is maintained."""
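Review bot: The two new `results['repo-gpgcheck']` / `results['gpgcheck']` lines sit on the installation branch only, just before `results.update(self.parseCommon())`, while the `restore` branch below takes `results = self.parseRestore()` and never reads them — yet doc/answerfile.txt in this same commit documents both attributes as "Validity: any operation". Unless parseRestore() reads them too (not visible here), a restore answerfile that sets `gpgcheck="false"` is silently ignored, which is the worse direction for an operator who then assumes the setting took effect. Either move the two `getBoolAttribute(self.top_node, [...], default=True)` calls into parseCommon() so both branches share them, or change the doc to "Validity: installation". processAnswerfile continues outside this hunk.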
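Review bot: `logger.log("parsed source %s" % results['sources'][-1])` writes the whole source dict, including `address`, to the installer log; for `rtype == 'url'` that is the `util.URL` built two lines above, and if its string form keeps the userinfo part of a URL, any credentials embedded in the answerfile end up in the log. Confirm that util.URL masks them, or log only what is new here, e.g. `logger.log("parsed source: media=%s repo_gpgcheck=%s gpgcheck=%s" % (rtype, repo_gpgcheck, gpgcheck))`. Separately, each attribute is read twice (getStrAttribute then getBoolAttribute) under a four-line workaround comment; a small module-level helper such as `_optional_bool(node, name)` returning None when the attribute is absent would replace both expressions and the comment. parseSource starts and ends outside this hunk.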
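Review bot: The docstring of the inner add_repos still describes only the list-placement behaviour, although the signature now takes `repo_gpgcheck, gpgcheck` and the body (next hunk) calls `repo.setRepoGpgCheck()` / `repo.setGpgCheck()` with them. Add a sentence such as `repo_gpgcheck and gpgcheck are booleans applied only to repositories that land in main_repositories; update repositories are left untouched.` so a reader of the signature does not assume they affect every repository. add_repos continues past the end of this hunk.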
@@ -397,20 +397,28 @@ def add_repos(main_repositories, update_repositories, repos):
 else:
 repo_list.append(repo)
+ if repo_list is main_repositories: # i.e., if repo is a "main repository"
+ repo.setRepoGpgCheck(repo_gpgcheck)
+ repo.setGpgCheck(gpgcheck)
+
+ default_repo_gpgcheck = answers.get('repo-gpgcheck', True)
+ default_gpgcheck = answers.get('gpgcheck', True)
 # A list of sources coming from the answerfile
 if 'sources' in answers_pristine:
 for i in answers_pristine['sources']:
 repos = repository.repositoriesFromDefinition(i['media'], i['address'])
- add_repos(main_repositories, update_repositories, repos)
+ repo_gpgcheck = default_repo_gpgcheck if i['repo_gpgcheck'] is None else i['repo_gpgcheck']
+ gpgcheck = default_gpgcheck if i['gpgcheck'] is None else i['gpgcheck']
+ add_repos(main_repositories, update_repositories, repos, repo_gpgcheck, gpgcheck)
 # A single source coming from an interactive install
 if 'source-media' in answers_pristine and 'source-address' in answers_pristine:
 repos = repository.repositoriesFromDefinition(answers_pristine['source-media'], answers_pristine['source-address'])
- add_repos(main_repositories, update_repositories, repos)
+ add_repos(main_repositories, update_repositories, repos, default_repo_gpgcheck, default_gpgcheck)
 for media, address in answers_pristine['extra-repos']:
 repos = repository.repositoriesFromDefinition(media, address)
- add_repos(main_repositories, update_repositories, repos)
+ add_repos(main_repositories, update_repositories, repos, default_repo_gpgcheck, default_gpgcheck)
 if not main_repositories or main_repositories[0].identifier() != MAIN_REPOSITORY_NAME:
 raise RuntimeError("No main repository found")
diff --git a/doc/answerfile.txt b/doc/answerfile.txt
index 3879662b..79541adc 100644
--- a/doc/answerfile.txt
+++ b/doc/answerfile.txt
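Review bot: `i['repo_gpgcheck']` and `i['gpgcheck']` in the `for i in answers_pristine['sources']` loop raise KeyError for any sources entry that lacks those keys; only parseSource in answerfile.py is shown adding them, so any other producer of `sources` (if one exists, not visible here) would now abort the install. `.get()` keeps the intended None-means-default fallback and tolerates the older dict shape: `repo_gpgcheck = i.get('repo_gpgcheck')` followed by `if repo_gpgcheck is None: repo_gpgcheck = default_repo_gpgcheck`, and likewise for gpgcheck. Note also that the setters run only under `if repo_list is main_repositories`, so update repositories keep whatever their own config does, whereas doc/parameters.txt in this commit says the flags apply "for all yum repositories" — one of the two should change. Since a disabled check is the security-relevant outcome, one summary line when either default is False (e.g. `logger.log("WARNING: yum signature checking disabled: repo_gpgcheck=%s gpgcheck=%s" % (default_repo_gpgcheck, default_gpgcheck))`) would make it visible in the log without reading every per-repository setter message. handleRepos starts before and continues after this hunk.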
@@ -34,6 +34,29 @@ Restore: ...
+
+Common Attributes
+-----------------
+
+ repo-gpgcheck="false"
+
+ Disable check of repodata signature (`repo_gpgcheck=0` in
+ `yum.conf`), for all yum repositories that are not Supplemental
+ Packs (none of which are checked). Don't use this for a network
+ install of a production server, and make sure to verify the
+ authenticity of your install media through other means.
+
+ Validity: any operation.
+
+ gpgcheck="false"
+
+ Disable check of rpm signature (`gpgcheck=0` in `yum.conf`), for
+ all yum repositories that are not Supplemental Packs (none of
+ which are checked). Don't use this for a production server.
+
+ Validity: any operation.
+
+
 Elements common to all answerfiles, both 'installation' and 'restore'
 ---------------------------------------------------------------------
@@ -100,6 +123,15 @@ Elements for 'installation' modes The location of the installation repository or a Supplemental Pack. There may be multiple 'source' elements.
+ Optional attributes for only:
+
+ repo-gpgcheck=bool
+ gpgcheck=bool
+
+ Override the global yum gpgcheck setting, respectively for
+ repodata and RPMs, for this source only. Only applies to
+ repositories that are not Supplemental Packs (none of which
+ are checked).
 grub2|extlinux[D]|grub[D]?
diff --git a/doc/parameters.txt b/doc/parameters.txt
index c0f78819..3f5f3ed3 100644
--- a/doc/parameters.txt
+++ b/doc/parameters.txt
@@ -220,3 +220,13 @@ Installer
 --cc-preparations
 Prepare configuration for common criteria security.
+
+
+ --no-repo-gpgcheck
+
+ Disable check of repodata signature, for all yum repositories.
+
+
+ --no-gpgcheck
+
+ Disable check of rpm signature, for all yum repositories.
diff --git a/install.py b/install.py
index 3f6c1e56..cc7085c4 100755
--- a/install.py
+++ b/install.py
@@ -136,6 +136,12 @@ def go(ui, args, answerfile_address, answerfile_script):
 elif opt == "--netinstall":
 results['netinstall'] = True
 logger.log("This is a netinstall.")
+ elif opt == "--no-repo-gpgcheck":
+ results['repo-gpgcheck'] = False
+ logger.log("Yum gpg check of repository disabled on command-line")
+ elif opt == "--no-gpgcheck":
+ results['gpgcheck'] = False
+ logger.log("Yum gpg check of RPMs disabled on command-line")
 if boot_console and not serial_console:
 serial_console = boot_console
diff --git a/repository.py b/repository.py
index 77ef243e..d72e2f01 100644
--- a/repository.py
+++ b/repository.py
@@ -244,6 +244,8 @@ def __init__(self, accessor):
 super(MainYumRepository, self).__init__(accessor)
 self._identifier = MAIN_REPOSITORY_NAME
 self.keyfiles = []
+ self._repo_gpg_check = True
+ self._gpg_check = True
 def get_name_version(config_parser, section, name_key, vesion_key):
 name, version = None, None
@@ -314,10 +316,10 @@ def _repo_config(self):
 outfh = open(key_path, "w")
 outfh.write(infh.read())
 return """
-gpgcheck=1
-repo_gpgcheck=1
+gpgcheck=%s
+repo_gpgcheck=%s
 gpgkey=file://%s
-""" % (key_path)
+""" % (int(self._gpg_check), int(self._repo_gpg_check), key_path)
 finally:
 if infh:
 infh.close()
@@ -353,6 +355,13 @@ def getBranding(self, branding):
 branding['product-build'] = self._build_number
 return branding
+ def setRepoGpgCheck(self, value):
+ logger.log("%s: setRepoGpgCheck(%s)" % (self, value))
+ self._repo_gpg_check = value
+
+ def setGpgCheck(self, value):
+ logger.log("%s: setGpgCheck(%s)" % (self, value))
+ self._gpg_check = value
 class UpdateYumRepository(YumRepositoryWithInfo):
 """Represents a Yum repository containing packages and associated meta data for an update."""
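Review bot: The log line for `--no-repo-gpgcheck`, "Yum gpg check of repository disabled on command-line", is hard to tell apart from the RPM one when reading an installer log after the fact, since both checks concern "the repository"; the option and doc/parameters.txt call this the repodata signature, and the log should use the same term, e.g. `logger.log("Yum gpg check of repository metadata (repo_gpgcheck) disabled on command-line")`. The answerfile parser in this commit writes the same `results['repo-gpgcheck']` / `results['gpgcheck']` keys; which of the two wins when both are given is decided outside this hunk and is worth a comment at whichever site merges them. go() starts and ends outside this hunk.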
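Review bot: The new setRepoGpgCheck/setGpgCheck store `value` unchecked, and `_repo_config` (previous hunk) later does `int(self._gpg_check)`, so a non-bool such as a string "false" fails with a ValueError far from the caller while None fails with TypeError; the setters are the right place to reject that: `if not isinstance(value, bool): raise TypeError("expected bool, got %r" % (value,))`. Both methods also lack a docstring; a one-liner such as `"""Set whether yum verifies repodata signatures (repo_gpgcheck) for this repository; value must be a bool."""` on each would document the security-relevant contract. Finally, `self._gpg_check = value` is immediately followed by `class UpdateYumRepository(...)` with no separating blank line, because the insertion consumed the blank that preceded the class; PEP 8 wants two blank lines there. MainYumRepository starts outside this hunk.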