stages/dnf: verify repository checksum

Require "checksum" option for each repository, which contains the checksum of the `repodata/repomd.xml` file. This file (indirectly) contains checksums for all packages. Verify that the metadata dnf downloaded to install packages matches that checksum. This way, this stage will give an error when a reposiory changed between putting together the pipeline and running it.
2019-09-24 00:57:02 +02:00 · 2019-09-24 00:57:02 +02:00 · 57c82a00d0
commit 57c82a00d0
parent e23b5a32a2
9 changed files with 54 additions and 10 deletions
--- a/samples/base.json
+++ b/samples/base.json
@ -9,7 +9,8 @@
        "repos": {
          "fedora": {
            "metalink": "https://mirrors.fedoraproject.org/metalink?repo=fedora-$releasever&arch=$basearch",
-            "gpgkey": "F1D8 EC98 F241 AAF2 0DF6  9420 EF3C 111F CFC6 59B9"
+            "gpgkey": "F1D8 EC98 F241 AAF2 0DF6  9420 EF3C 111F CFC6 59B9",
+            "checksum": "sha256:9f596e18f585bee30ac41c11fb11a83ed6b11d5b341c1cb56ca4015d7717cb97"
          }
        },
        "packages": [