From b5e94997dea324c12357186c3e04ac0aea77d34d Mon Sep 17 00:00:00 2001
From: Marek Marczykowski-Górecki
Date: Sep 29 2015 12:11:31 +0000
Subject: Verify downloaded packages

Signed-off-by: Marek Marczykowski-Górecki
---
diff --git a/pungi/gather.py b/pungi/gather.py
index a5c9df9..66212d2 100644
--- a/pungi/gather.py
+++ b/pungi/gather.py
@@ -1103,6 +1103,20 @@ class Pungi(PungiBase):
 sys.exit(1)
 for po in polist:
+ # before doing anything with the package, verify its signature
+ result, errmsg = self.ayum.sigCheckPkg(po)
+ if result == 0:
+ # Verified ok, or verify not req'd
+ pass
+ elif result == 1:
+ # keys are provided through kickstart, so treat this as consent
+ # for importing them
+ self.ayum.getKeyForPackage(po, lambda x, y, z: True)
+ else:
+ # Fatal error
+ self.logger.error(errmsg)
+ sys.exit(1)
+
 basename = os.path.basename(po.relativepath)
 local = po.localPkg()
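Review bot: The `result == 0` branch also covers the "verify not req'd" case named in its own comment, so a package from a repo configured without signature checking passes this loop unverified and nothing in the log says so. If a compose is meant to contain only verified packages, that case needs at least a comment such as `# NOTE: 0 is also returned when the repo does not require a signature check; such packages are NOT verified here`, and ideally a warning logged once per repo. In the `result == 1` branch the callback `lambda x, y, z: True` accepts every key offered by the kickstart-configured key locations and discards the arguments it is given; a named callback that logs those arguments before returning True would record which keys were trusted for a compose. `getKeyForPackage` presumably signals failure by raising rather than by a return value, which would skip the `self.logger.error(errmsg)` / `sys.exit(1)` handling used in the `else` branch, so it is worth confirming and wrapping the call. The enclosing method starts and ends outside the hunk.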