From 391e2cd7bdcdb578335d442c0ff656ff389c311d Mon Sep 17 00:00:00 2001
From: Yann Dirson
Date: Thu, 5 Oct 2023 12:15:43 +0200
Subject: [PATCH] installFromYum: give more detailed error messages on gpg errors
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Covers:
1. repo_gpgcheck:
a. wrong system clock putting gpg key creation in the future, causing a yum crash (nothing special happens if the date of the signature is in the future ¯\_(ツ)_/¯)
b. other yum crashes due to uncaught gpg exceptions (if any)
c. lack of repomd signature (while repo_gpgcheck is in force)
d. signature done by other key than the one in ISO ("repomd.xml signature could not be verified" ¯\_(ツ)_/¯)
2. gpgcheck:
a. RPM signed with unknown key
b. unsigned RPM referenced by unsigned repomd (no-repo-gpgcheck)
c. RPM re-signed with unknown key, unsigned repomd (no-repo-gpgcheck)
d. RPM overwritten with another RPM signed with known key (diagnosed through hash but, same diag as 2.c)
e. delsigned/resigned/etc RPM, unchanged repomd (same diag as 2.c/d)
Does not cover notably:
- unsigned RPM referenced by (re)signed repomd
In some cases Yum does not give an error, but dies because of an uncaught exception, which makes this check quite brittle, but in the worst case if messages change, we still fallback to the original "Error installing packages" message.
Signed-off-by: Yann Dirson
---
 repository.py | 49 ++++++++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 48 insertions(+), 1 deletion(-)

diff --git a/repository.py b/repository.py
index 98194052..ae5450ce 100644
--- a/repository.py
+++ b/repository.py
@@ -821,12 +821,59 @@ def installFromYum(targets, mounts, progress_callback, cachedir):
     rv = p.wait()
     stderr.seek(0)
     stderr = stderr.read()
+    gpg_uncaught_error = 0
+    gpg_error_pubring_import = 0
+    gpg_error_not_signed = 0
+    gpg_error_bad_repo_sig = 0
+    gpg_error_rpm_missing_key = None
+    gpg_error_rpm_not_signed = None
+    gpg_error_rpm_not_found = None
     if stderr:
         logger.log("YUM stderr: %s" % stderr.strip())
+        if stderr.find(' in import_key_to_pubring') >= 0:
+            gpg_error_pubring_import = 1
+        # add any other instance of uncaught GpgmeError before this like
+        elif stderr.find('gpgme.GpgmeError: ') >= 0:
+            gpg_uncaught_error = 1
+
+        elif re.search("Couldn't open file [^ ]*/repodata/repomd.xml.asc", stderr):
+            # would otherwise be mistaken for "pubring import" !?
+            gpg_error_not_signed = 1
+        elif stderr.find('repomd.xml signature could not be verified') >= 0:
+            gpg_error_bad_repo_sig = 1
+
+        else:
+            match = re.search("Public key for ([^ ]*.rpm) is not installed", stderr)
+            if match:
+                gpg_error_rpm_missing_key = match.group(1)
+            match = re.search("Package ([^ ]*.rpm) is not signed", stderr)
+            if match:
+                gpg_error_rpm_not_signed = match.group(1)
+            match = re.search(r" ([^ ]*): \[Errno [0-9]*\] No more mirrors to try", stderr)
+            if match:
+                gpg_error_rpm_not_found = match.group(1)
+
     if rv:
         logger.log("Yum exited with %d" % rv)
-        raise ErrorInstallingPackage("Error installing packages")
+        if gpg_error_pubring_import:
+            errmsg = "Signature key import failed"
+        elif gpg_uncaught_error:
+            errmsg = "Cryptography-related yum crash"
+        elif gpg_error_not_signed:
+            errmsg = "No signature on repository metadata"
+        elif gpg_error_bad_repo_sig:
+            errmsg = "Repository signature verification failure"
+        elif gpg_error_rpm_missing_key:
+            errmsg = "Missing key for %s" % (gpg_error_rpm_missing_key,)
+        elif gpg_error_rpm_not_signed:
+            errmsg = "Package not signed: %s" % (gpg_error_rpm_not_signed,)
+        elif gpg_error_rpm_not_found:
+            # rpm not found or corrupted/re-signed/etc
+            errmsg = "Cannot find valid rpm for %s" % (gpg_error_rpm_not_found,)
+        else:
+            errmsg = "Error installing packages"
+        raise ErrorInstallingPackage(errmsg)
     shutil.rmtree(os.path.join(mounts['root'], cachedir))
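Review bot: The package-name patterns in the new `else:` branch leave the dot of `.rpm` unescaped (as does `repomd.xml.asc` in the `elif` above), so a literal is matched as any character; since the third pattern already uses a raw string, write them as `re.search(r"Public key for ([^ ]*\.rpm) is not installed", stderr)` and `re.search(r"Package ([^ ]*\.rpm) is not signed", stderr)`. `No more mirrors to try` is yum's generic retrieval failure rather than a signature verdict, so the name `gpg_error_rpm_not_found` and its `# rpm not found or corrupted/re-signed/etc` comment overstate what the match establishes; a comment such as `# generic fetch failure (missing, unreadable or re-signed rpm); not itself a gpg verdict` would keep the diagnosis honest. The flags are set with `0`/`1` and tested via `stderr.find(...) >= 0`, where `False`/`True` and `'...' in stderr` are the idiomatic forms. The comment `before this like` presumably means `before this line`. installFromYum begins before the hunk.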