From afdbe029b9ea253972c79e8090f58576fb5fb6c9 Mon Sep 17 00:00:00 2001
From: Yann Dirson
Date: Tue, 18 Oct 2022 15:58:23 +0200
Subject: [PATCH] Add support for globally disabling gpgcheck
Similar to no-repo-gpgcheck but for RPM sigs.
Signed-off-by: Yann Dirson
---
 answerfile.py | 1 +
 backend.py | 2 ++
 doc/answerfile.txt | 8 ++++++++
 doc/parameters.txt | 5 +++++
 install.py | 3 +++
 repository.py | 9 +++++++--
 6 files changed, 26 insertions(+), 2 deletions(-)
diff --git a/answerfile.py b/answerfile.py
index 62b0615c..370b928e 100644
--- a/answerfile.py
+++ b/answerfile.py
@@ -93,6 +93,7 @@ def processAnswerfile(self):
 raise AnswerfileException("Unknown mode, %s" % install_type)
 results['repo-gpgcheck'] = getBoolAttribute(self.top_node, ['repo-gpgcheck'], default=True)
+ results['gpgcheck'] = getBoolAttribute(self.top_node, ['gpgcheck'], default=True)
 results.update(self.parseCommon())
 elif self.operation == 'restore':
 results = self.parseRestore()
diff --git a/backend.py b/backend.py
index 0132885e..4d886ccb 100644
--- a/backend.py
+++ b/backend.py
@@ -396,9 +396,11 @@ def add_repos(main_repositories, update_repositories, repos):
 repos = repository.repositoriesFromDefinition(i['media'], i['address'])
 add_repos(main_repositories, update_repositories, repos)
 repo_gpgcheck = answers.get('repo-gpgcheck', True)
+ gpgcheck = answers.get('gpgcheck', True)
 for repo in repos:
 if repo in main_repositories:
 repo.setRepoGpgCheck(repo_gpgcheck)
+ repo.setGpgCheck(gpgcheck)
 # A single source coming from an interactive install
 if 'source-media' in answers_pristine and 'source-address' in answers_pristine:
diff --git a/doc/answerfile.txt b/doc/answerfile.txt
index 8309ef71..23a7a8d1 100644
--- a/doc/answerfile.txt
+++ b/doc/answerfile.txt
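Review bot: The new `gpgcheck` attribute read in `processAnswerfile` lets the answerfile itself switch off RPM signature verification, and nothing in this hunk records that the downgrade came from the answerfile. The command-line path in install.py logs an explicit message; the same belongs here, e.g. `if not results['gpgcheck']: logger.log("Yum gpg check of RPMs disabled by answerfile")` (assuming `logger` is available in this module, which the hunk does not show). If answerfiles can arrive over an unauthenticated transport (the `answerfile_address` parameter of `go` in install.py hints at remote retrieval, but that code is not visible), the documentation should state that `gpgcheck="false"` is only to be honoured from a trusted source. The attribute is parsed only in this install branch while doc/answerfile.txt says "Validity: any operation"; the function body continues outside the hunk.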
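Review bot: `repo.setGpgCheck(gpgcheck)` follows `repo.setRepoGpgCheck(repo_gpgcheck)` under `if repo in main_repositories:` (indentation is not recoverable on this page, so the nesting is inferred from the adjacent line), which would mean only main repositories receive the setting. doc/parameters.txt describes `--no-gpgcheck` as covering "all yum repositories", so update repositories keeping `gpgcheck=1` is the safe direction but is not what the documentation promises. The single-source interactive path that starts right after this loop is untouched by the hunk, so whether the option reaches repositories created there cannot be confirmed from here. If the narrower scope is intended, a comment such as `# signature checks are only relaxed for main repositories; update repositories stay verified` would make it explicit.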
@@ -48,6 +48,14 @@ Common Attributes
 Validity: any operation.
+ gpgcheck="false"
+
+ Disable check of rpm signature (`gpgcheck=0` in `yum.conf`), for
+ all yum repositories that are not Supplemental Packs (none of
+ which are checked). Don't use this for a production server.
+
+ Validity: any operation.
+
 Elements common to all answerfiles, both 'installation' and 'restore'
 ---------------------------------------------------------------------
diff --git a/doc/parameters.txt b/doc/parameters.txt
index 5a2294ca..3f5f3ed3 100644
--- a/doc/parameters.txt
+++ b/doc/parameters.txt
@@ -225,3 +225,8 @@ Installer
 --no-repo-gpgcheck
 Disable check of repodata signature, for all yum repositories.
+
+
+ --no-gpgcheck
+
+ Disable check of rpm signature, for all yum repositories.
diff --git a/install.py b/install.py
index e090ea48..5afb9c8f 100755
--- a/install.py
+++ b/install.py
@@ -131,6 +131,9 @@ def go(ui, args, answerfile_address, answerfile_script):
 elif opt == "--no-repo-gpgcheck":
 results['repo-gpgcheck'] = False
 logger.log("Yum gpg check of repository disabled on command-line")
+ elif opt == "--no-gpgcheck":
+ results['gpgcheck'] = False
+ logger.log("Yum gpg check of RPMs disabled on command-line")
 if boot_console and not serial_console:
 serial_console = boot_console
diff --git a/repository.py b/repository.py
index 10e8e5a7..13a20818 100644
--- a/repository.py
+++ b/repository.py
@@ -243,6 +243,7 @@ def __init__(self, accessor):
 self._identifier = MAIN_REPOSITORY_NAME
 self.keyfiles = []
 self._repo_gpg_check = True
+ self._gpg_check = True
 def get_name_version(config_parser, section, name_key, vesion_key):
 name, version = None, None
@@ -313,10 +314,10 @@ def _repo_config(self):
 outfh = open(key_path, "w")
 outfh.write(infh.read())
 return """
-gpgcheck=1
+gpgcheck=%s
 repo_gpgcheck=%s
 gpgkey=file://%s
-""" % (int(self._repo_gpg_check), key_path)
+""" % (int(self._gpg_check), int(self._repo_gpg_check), key_path)
 finally:
 if infh:
 infh.close()
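Review bot: The `--no-gpgcheck` branch records the downgrade with the same plain `logger.log` line used for any informational message, and doc/parameters.txt lacks the production caveat that doc/answerfile.txt carries. When `--no-repo-gpgcheck` is given as well, neither repodata nor packages are signature-checked, so the log should say what is lost, e.g. `logger.log("WARNING: RPM signature verification disabled on command-line; packages will be installed unverified")`. A distinct message when both `results['gpgcheck']` and `results['repo-gpgcheck']` end up False would give anyone auditing the install log one line to search for. The option loop in `go` starts and ends outside the hunk.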
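Review bot: The template in `_repo_config` now emits `gpgcheck=0` whenever `_gpg_check` is falsy, but nothing beside the format string states what protection remains. A comment above the `return` would help, along the lines of `# gpgcheck=0 skips per-RPM signature checks; with repo_gpgcheck=1 packages are still tied to signed repodata by checksum, with both 0 nothing is authenticated` (worth confirming against the yum version in use). `int(self._gpg_check)` also assumes a bool or int was stored; a `None` or string passed to `setGpgCheck` (added in the last hunk of this file) would raise here during config generation, so the setter should store `bool(value)`. `_repo_config` starts and ends outside the hunk.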
@@ -356,6 +357,10 @@ def setRepoGpgCheck(self, value):
 logger.log("%s: setRepoGpgCheck(%s)" % (self, value))
 self._repo_gpg_check = value
+ def setGpgCheck(self, value):
+ logger.log("%s: setGpgCheck(%s)" % (self, value))
+ self._gpg_check = value
+
 class UpdateYumRepository(YumRepositoryWithInfo):
 """Represents a Yum repository containing packages and associated meta data for an update."""
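Review bot: `setGpgCheck` has no docstring, and its name differs from `setRepoGpgCheck` by a single word although the two control different security properties. Suggest `"""Enable or disable RPM package signature verification (yum gpgcheck) for this repository."""` on the new method, with a matching line on `setRepoGpgCheck` naming repodata signatures. The log line `"%s: setGpgCheck(%s)"` is the only trace of the change for a repository, so it would read better in an audit if it said which check was switched and to what state, e.g. `logger.log("%s: RPM signature check %s" % (self, "enabled" if value else "DISABLED"))`.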