stages/dnf: verify repository checksum

Require "checksum" option for each repository, which contains the
checksum of the `repodata/repomd.xml` file. This file (indirectly)
contains checksums for all packages.

Verify that the metadata dnf downloaded to install packages matches that
checksum. This way, this stage will give an error when a repository
changed between putting together the pipeline and running it.

Lars Karlitski 2019-09-24 00:57:02 +02:00 committed by Tom Gundersen
parent e23b5a32a2
commit 57c82a00d0
9 changed files with 54 additions and 10 deletions
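
The check the commit message describes, as an added Python example that is not osbuild's own code: it compares `repomd.xml` against a pinned `algorithm:hexdigest` value before parsing it, then goes one step further and checks the metadata files that `repomd.xml` lists. The function names, the `ALLOWED` set and the sample repository data are assumptions made for this sketch.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

NS = {"repo": "http://linux.duke.edu/metadata/repo"}
ALLOWED = {"sha256", "sha512"}  # assumption: algorithms accepted in this sketch


def digest_matches(data: bytes, pinned: str) -> bool:
    """Compare data against a pinned 'algorithm:hexdigest' string."""
    algorithm, _, expected = pinned.partition(":")
    if algorithm not in ALLOWED or not expected:
        raise ValueError(f"unsupported or malformed checksum: {pinned!r}")
    actual = hashlib.new(algorithm, data).hexdigest()
    return hmac.compare_digest(actual, expected.lower())


def verify_repo_metadata(repomd: bytes, pinned: str, files: dict) -> list:
    """Return the hrefs that verified; raise if any link in the chain fails."""
    # Check the pinned value before parsing, so unverified XML is never parsed.
    if not digest_matches(repomd, pinned):
        raise ValueError("repomd.xml does not match the pinned checksum")
    verified = []
    for data in ET.fromstring(repomd).findall("repo:data", NS):
        href = data.find("repo:location", NS).get("href")
        checksum = data.find("repo:checksum", NS)
        listed = f"{checksum.get('type')}:{checksum.text.strip()}"
        if href not in files or not digest_matches(files[href], listed):
            raise ValueError(f"{href} is missing or does not match repomd.xml")
        verified.append(href)
    return verified


# Constructed sample data, not a real repository.
PRIMARY = b"<metadata><package><name>httpd</name></package></metadata>"
REPOMD = (
    '<repomd xmlns="http://linux.duke.edu/metadata/repo">'
    '<data type="primary">'
    f'<checksum type="sha256">{hashlib.sha256(PRIMARY).hexdigest()}</checksum>'
    '<location href="repodata/primary.xml"/>'
    "</data></repomd>"
).encode()
PINNED = "sha256:" + hashlib.sha256(REPOMD).hexdigest()

if __name__ == "__main__":
    print(verify_repo_metadata(REPOMD, PINNED, {"repodata/primary.xml": PRIMARY}))
```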

@ -22,7 +22,8 @@ assembles it into an image. Pipelines are defined as JSON files like this one:
"repos": {
"fedora": {
"metalink": "https://mirrors.fedoraproject.org/metalink?repo=fedora-$releasever&arch=$basearch",
"gpgkey": "F1D8 EC98 F241 AAF2 0DF6 9420 EF3C 111F CFC6 59B9"
"gpgkey": "F1D8 EC98 F241 AAF2 0DF6 9420 EF3C 111F CFC6 59B9",
"checksum": "sha256:9f596e18f585bee30ac41c11fb11a83ed6b11d5b341c1cb56ca4015d7717cb97"
}
},
"packages": [ "@Core", "grub2-pc", "httpd" ]
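
Review bot: the new `"checksum"` line in this README example is not explained anywhere in the hunk, so a reader cannot tell what the value is a digest of or how to produce it. Add a sentence next to the example saying that it is the checksum of the repository's `repodata/repomd.xml`, that the `sha256:` prefix names the algorithm, and that the stage fails when the downloaded metadata does not match. Since the example pairs the pinned value with a metalink to a live repository, it would also help to say that the value has to be updated whenever that repository's metadata changes.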