Add gpgkey and check_repogpg support to dnf-json

This allows verification of repository metadata signatures. The gpgkeys field is a list of key urls, or the gpg key itself, starting with '-----BEGIN PGP PUBLIC KEY BLOCK-----'. These will be written to a temporary file, and that file:// url will be passed to dnf.
2023-01-19 11:00:36 -08:00 · 2023-01-19 11:00:36 -08:00 · c2577eaea8
commit c2577eaea8
parent d12447408b
2 changed files with 27 additions and 0 deletions
--- a/23
+++ b/23
@ -82,6 +82,29 @@ class Solver():
        if "sslclientcert" in desc:
            repo.sslclientcert = desc["sslclientcert"]

+        if "check_gpg" in desc:
+            repo.gpgcheck = desc["check_gpg"]
+        if "check_repogpg" in desc:
+            repo.repo_gpgcheck = desc["check_repogpg"]
+        if "gpgkey" in desc:
+            repo.gpgkey = [desc["gpgkey"]]
+        if "gpgkeys" in desc:
+            # gpgkeys can contain a full key, or it can be a URL
+            # dnf expects urls, so write the key to a temporary location and add the file://
+            # path to repo.gpgkey
+            keydir = os.path.join(parent_conf.persistdir, "gpgkeys")
+            if not os.path.exists(keydir):
+                os.makedirs(keydir, mode=0o700, exist_ok=True)
+
+            for key in desc["gpgkeys"]:
+                if key.startswith("-----BEGIN PGP PUBLIC KEY BLOCK-----"):
+                    keyfile = tempfile.NamedTemporaryFile(dir=keydir, delete=False)
+                    keyfile.write(key.encode("utf-8"))
+                    repo.gpgkey.append(f"file://{keyfile.name}")
+                    keyfile.close()
+                else:
+                    repo.gpgkey.append(key)
+
        # In dnf, the default metadata expiration time is 48 hours. However,
        # some repositories never expire the metadata, and others expire it much
        # sooner than that. We therefore allow this to be configured. If nothing
--- a/internal/dnfjson/dnfjson.go
+++ b/internal/dnfjson/dnfjson.go
@ -248,6 +248,8 @@ func (s *Solver) reposFromRPMMD(rpmRepos []rpmmd.RepoConfig) ([]repoConfig, erro
 			Metalink:       rr.Metalink,
 			MirrorList:     rr.MirrorList,
 			GPGKeys:        rr.GPGKeys,
+			CheckGPG:       rr.CheckGPG,
+			CheckRepoGPG:   rr.CheckRepoGPG,
 			IgnoreSSL:      rr.IgnoreSSL,
 			MetadataExpire: rr.MetadataExpire,
 		}
@ -277,6 +279,8 @@ type repoConfig struct {
 	Metalink       string   `json:"metalink,omitempty"`
 	MirrorList     string   `json:"mirrorlist,omitempty"`
 	GPGKeys        []string `json:"gpgkeys,omitempty"`
+	CheckGPG       bool     `json:"gpgcheck"`
+	CheckRepoGPG   bool     `json:"check_repogpg"`
 	IgnoreSSL      bool     `json:"ignoressl"`
 	SSLCACert      string   `json:"sslcacert,omitempty"`
 	SSLClientKey   string   `json:"sslclientkey,omitempty"`