particle-os/debian-forge
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

stages/dnf: verify repository checksum

Browse source 
Require "checksum" option for each repository, which contains the
checksum of the `repodata/repomd.xml` file. This file (indirectly)
contains checksums for all packages.

Verify that the metadata dnf downloaded to install packages matches that
checksum. This way, this stage will give an error when a reposiory
changed between putting together the pipeline and running it.
This commit is contained in:
Lars Karlitski 2019-09-24 00:57:02 +02:00 committed by Tom Gundersen
parent e23b5a32a2
commit 57c82a00d0
9 changed files with 54 additions and 10 deletions
Download patch file Download diff file Expand all files Collapse all files

3
README.md
View file

@ -22,7 +22,8 @@ assembles it into an image. Pipelines are defined as JSON files like this one:
"repos": { "repos": {
"fedora": { "fedora": {
"metalink": "https://mirrors.fedoraproject.org/metalink?repo=fedora-$releasever&arch=$basearch", "metalink": "https://mirrors.fedoraproject.org/metalink?repo=fedora-$releasever&arch=$basearch",
"gpgkey": "F1D8 EC98 F241 AAF2 0DF6 9420 EF3C 111F CFC6 59B9" "gpgkey": "F1D8 EC98 F241 AAF2 0DF6 9420 EF3C 111F CFC6 59B9",
"checksum": "sha256:9f596e18f585bee30ac41c11fb11a83ed6b11d5b341c1cb56ca4015d7717cb97"
} }
}, },
"packages": [ "@Core", "grub2-pc", "httpd" ] "packages": [ "@Core", "grub2-pc", "httpd" ]

3
samples/base-from-yum.json
View file

@ -32,7 +32,8 @@
"repos": { "repos": {
"fedora": { "fedora": {
"metalink": "https://mirrors.fedoraproject.org/metalink?repo=fedora-$releasever&arch=$basearch", "metalink": "https://mirrors.fedoraproject.org/metalink?repo=fedora-$releasever&arch=$basearch",
"gpgkey": "F1D8 EC98 F241 AAF2 0DF6 9420 EF3C 111F CFC6 59B9" "gpgkey": "F1D8 EC98 F241 AAF2 0DF6 9420 EF3C 111F CFC6 59B9",
"checksum": "sha256:9f596e18f585bee30ac41c11fb11a83ed6b11d5b341c1cb56ca4015d7717cb97"
} }
}, },
"packages": [ "packages": [

3
samples/base-qcow2.json
View file

@ -10,7 +10,8 @@
"repos": { "repos": {
"fedora": { "fedora": {
"metalink": "https://mirrors.fedoraproject.org/metalink?repo=fedora-$releasever&arch=$basearch", "metalink": "https://mirrors.fedoraproject.org/metalink?repo=fedora-$releasever&arch=$basearch",
"gpgkey": "F1D8 EC98 F241 AAF2 0DF6 9420 EF3C 111F CFC6 59B9" "gpgkey": "F1D8 EC98 F241 AAF2 0DF6 9420 EF3C 111F CFC6 59B9",
"checksum": "sha256:9f596e18f585bee30ac41c11fb11a83ed6b11d5b341c1cb56ca4015d7717cb97"
} }
}, },
"packages": [ "packages": [

3
samples/base.json
View file

@ -9,7 +9,8 @@
"repos": { "repos": {
"fedora": { "fedora": {
"metalink": "https://mirrors.fedoraproject.org/metalink?repo=fedora-$releasever&arch=$basearch", "metalink": "https://mirrors.fedoraproject.org/metalink?repo=fedora-$releasever&arch=$basearch",
"gpgkey": "F1D8 EC98 F241 AAF2 0DF6 9420 EF3C 111F CFC6 59B9" "gpgkey": "F1D8 EC98 F241 AAF2 0DF6 9420 EF3C 111F CFC6 59B9",
"checksum": "sha256:9f596e18f585bee30ac41c11fb11a83ed6b11d5b341c1cb56ca4015d7717cb97"
} }
}, },
"packages": [ "packages": [

37
stages/org.osbuild.dnf
View file

@ -1,5 +1,6 @@
#!/usr/bin/python3 #!/usr/bin/python3
import hashlib
import json import json
import subprocess import subprocess
import sys import sys
@ -27,6 +28,29 @@ def write_repofile(f, repoid, repo):
write_option("gpgkey", f"file://{keyfile}") write_option("gpgkey", f"file://{keyfile}")
def dnf_cachedir(repoid, repo, releasever, basearch):
"""Return the relative cache directory for a repository.
Using the same algorithm as libdnf:
https://github.com/rpm-software-management/libdnf/blob/master/libdnf/repo/Repo.cpp#L1288
"""
if "metalink" in repo:
url = repo["metalink"]
elif "mirrorlist" in repo:
url = repo["mirrorlist"]
elif "baseurl" in repo:
url = repo["baseurl"]
else:
raise RuntimeError(f"one of metalink, mirrorlist, or baseurl must be given for repository '{repoid}'")
url = url.replace("$basearch", basearch).replace("$releasever", releasever)
digest = hashlib.sha256(url.encode()).hexdigest()[:16]
return f"{repoid}-{digest}"
def main(tree, options): def main(tree, options):
repos = options["repos"] repos = options["repos"]
packages = options["packages"] packages = options["packages"]
@ -65,7 +89,18 @@ def main(tree, options):
] + packages ] + packages
print(" ".join(cmd), flush=True) print(" ".join(cmd), flush=True)
return subprocess.run(cmd).returncode subprocess.run(cmd, check=True)
# verify metadata checksum
for repoid, repo in repos.items():
algorithm, checksum = repo["checksum"].split(":")
assert algorithm == "sha256"
cachedir = dnf_cachedir(repoid, repo, releasever, basearch)
with open(f"{tree}/var/cache/dnf/{cachedir}/repodata/repomd.xml", "rb") as f:
repomd = f.read()
assert hashlib.sha256(repomd).hexdigest() == checksum
return 0
if __name__ == '__main__': if __name__ == '__main__':

6
test/pipelines/f30-boot.json
View file

@ -12,7 +12,8 @@
"repos": { "repos": {
"fedora": { "fedora": {
"metalink": "https://mirrors.fedoraproject.org/metalink?repo=fedora-$releasever&arch=$basearch", "metalink": "https://mirrors.fedoraproject.org/metalink?repo=fedora-$releasever&arch=$basearch",
"gpgkey": "F1D8 EC98 F241 AAF2 0DF6 9420 EF3C 111F CFC6 59B9" "gpgkey": "F1D8 EC98 F241 AAF2 0DF6 9420 EF3C 111F CFC6 59B9",
"checksum": "sha256:9f596e18f585bee30ac41c11fb11a83ed6b11d5b341c1cb56ca4015d7717cb97"
} }
}, },
"packages": [ "packages": [
@ -36,7 +37,8 @@
"repos": { "repos": {
"fedora": { "fedora": {
"metalink": "https://mirrors.fedoraproject.org/metalink?repo=fedora-$releasever&arch=$basearch", "metalink": "https://mirrors.fedoraproject.org/metalink?repo=fedora-$releasever&arch=$basearch",
"gpgkey": "F1D8 EC98 F241 AAF2 0DF6 9420 EF3C 111F CFC6 59B9" "gpgkey": "F1D8 EC98 F241 AAF2 0DF6 9420 EF3C 111F CFC6 59B9",
"checksum": "sha256:9f596e18f585bee30ac41c11fb11a83ed6b11d5b341c1cb56ca4015d7717cb97"
} }
}, },
"packages": [ "packages": [

3
test/pipelines/firewall.json
View file

@ -9,7 +9,8 @@
"repos": { "repos": {
"fedora": { "fedora": {
"metalink": "https://mirrors.fedoraproject.org/metalink?repo=fedora-$releasever&arch=$basearch", "metalink": "https://mirrors.fedoraproject.org/metalink?repo=fedora-$releasever&arch=$basearch",
"gpgkey": "F1D8 EC98 F241 AAF2 0DF6 9420 EF3C 111F CFC6 59B9" "gpgkey": "F1D8 EC98 F241 AAF2 0DF6 9420 EF3C 111F CFC6 59B9",
"checksum": "sha256:9f596e18f585bee30ac41c11fb11a83ed6b11d5b341c1cb56ca4015d7717cb97"
} }
}, },
"packages": ["@Core", "firewalld"] "packages": ["@Core", "firewalld"]

3
test/pipelines/locale.json
View file

@ -9,7 +9,8 @@
"repos": { "repos": {
"fedora": { "fedora": {
"metalink": "https://mirrors.fedoraproject.org/metalink?repo=fedora-$releasever&arch=$basearch", "metalink": "https://mirrors.fedoraproject.org/metalink?repo=fedora-$releasever&arch=$basearch",
"gpgkey": "F1D8 EC98 F241 AAF2 0DF6 9420 EF3C 111F CFC6 59B9" "gpgkey": "F1D8 EC98 F241 AAF2 0DF6 9420 EF3C 111F CFC6 59B9",
"checksum": "sha256:9f596e18f585bee30ac41c11fb11a83ed6b11d5b341c1cb56ca4015d7717cb97"
} }
}, },
"packages": ["@Core"] "packages": ["@Core"]

3
test/pipelines/timezone.json
View file

@ -9,7 +9,8 @@
"repos": { "repos": {
"fedora": { "fedora": {
"metalink": "https://mirrors.fedoraproject.org/metalink?repo=fedora-$releasever&arch=$basearch", "metalink": "https://mirrors.fedoraproject.org/metalink?repo=fedora-$releasever&arch=$basearch",
"gpgkey": "F1D8 EC98 F241 AAF2 0DF6 9420 EF3C 111F CFC6 59B9" "gpgkey": "F1D8 EC98 F241 AAF2 0DF6 9420 EF3C 111F CFC6 59B9",
"checksum": "sha256:9f596e18f585bee30ac41c11fb11a83ed6b11d5b341c1cb56ca4015d7717cb97"
} }
}, },
"packages": ["@Core"] "packages": ["@Core"]