From 06a6a838f2467944df37f57b3302617fc523097a Mon Sep 17 00:00:00 2001
From: Marek Marczykowski-Górecki
Date: Sep 29 2015 12:11:31 +0000
Subject: [PATCH 1/2] Set repository gpgkey option
Handle "repo --gpgkey" in kickstart to verify downloaded packages
Especially important for lorax - packages will not verified there in any way without setting yum options here.
Signed-off-by: Marek Marczykowski-Górecki
---
diff --git a/pungi/gather.py b/pungi/gather.py
index bcc2861..a5c9df9 100644
--- a/pungi/gather.py
+++ b/pungi/gather.py
@@ -281,7 +281,7 @@ class Pungi(PungiBase):
 def _add_yum_repo(self, name, url, mirrorlist=False, groups=True, cost=1000, includepkgs=None, excludepkgs=None,
- proxy=None):
+ proxy=None, gpgkey=None):
 """This function adds a repo to the yum object.
 name: Name of the repo
 url: Full url to the repo
@@ -318,6 +318,10 @@ class Pungi(PungiBase):
 thisrepo.exclude = excludepkgs
 thisrepo.includepkgs = includepkgs
 thisrepo.cost = cost
+ if gpgkey:
+ thisrepo.gpgcheck = True
+ thisrepo.gpgkey = yum.parser.varReplace(gpgkey,
+ self.ayum.conf.yumvar)
 # Yum doesn't like proxy being None
 if proxy:
 thisrepo.proxy = proxy
@@ -349,6 +353,7 @@ class Pungi(PungiBase):
 yumconf.installroot = os.path.join(self.workdir, 'yumroot')
 yumconf.uid = os.geteuid()
 yumconf.cache = 0
+ yumconf.assumeyes = True
 yumconf.failovermethod = 'priority'
 yumconf.deltarpm = 0
 yumvars = yum.config._getEnvVar()
@@ -379,7 +384,8 @@ class Pungi(PungiBase):
 cost=repo.cost,
 includepkgs=repo.includepkgs,
 excludepkgs=repo.excludepkgs,
- proxy=repo.proxy)
+ proxy=repo.proxy,
+ gpgkey=repo.gpgkey)
 else:
 self._add_yum_repo(repo.name, repo.baseurl, mirrorlist=False,
@@ -387,7 +393,8 @@ class Pungi(PungiBase):
 cost=repo.cost,
 includepkgs=repo.includepkgs,
 excludepkgs=repo.excludepkgs,
- proxy=repo.proxy)
+ proxy=repo.proxy,
+ gpgkey=repo.gpgkey)
 self.logger.info('Getting sacks for arches %s' % self.valid_arches)
 self.ayum._getSacks(archlist=self.valid_arches)
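Review bot: The new `gpgkey` parameter is not described in the docstring whose first lines form this hunk's trailing context (`name:`, `url:`), so a caller cannot tell whether it takes a URL, a local path or a list, nor that supplying it switches signature checking on for the repo. Add a line in the same style, e.g. `gpgkey: URL of the GPG key used to verify packages from this repo; when set, gpgcheck is enabled for the repo`. The docstring and the body of _add_yum_repo continue outside the hunk.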
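Review bot: Because `if gpgkey:` guards both `thisrepo.gpgcheck = True` and the key assignment, a kickstart repo that omits `--gpgkey` is still added with signature checking left at yum's default, which is the unverified state the commit message itself warns about, and nothing in the log says so. Add an `else` branch that makes the gap visible, e.g. `self.logger.warning('repo %s: no gpgkey given, packages will not be signature checked' % name)`. A why-comment on the `varReplace` call would also help a later reader, e.g. `# expand yum variables ($basearch, $releasever) in the key URL`.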
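Review bot: `yumconf.assumeyes = True` carries no comment and the commit message covers only the gpgkey option, so a later reader cannot tell whether this line is required by the new key handling or is an unrelated change of behaviour. Add a why-comment, e.g. `# compose runs unattended: never block on a yum confirmation prompt`. If assumeyes also makes yum accept GPG key imports without consulting the callback given to getKeyForPackage (that depends on yum internals not visible here — confirm), document which of the two actually drives key acceptance, since it widens what is auto-accepted beyond the keys named in the kickstart.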
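Review bot: `gpgkey=repo.gpgkey` assumes every kickstart repo object exposes a `gpgkey` attribute, but that attribute only exists for pykickstart handler versions whose `repo` command accepts `--gpgkey` (which version introduced it is not visible here), so an older kickstart version line would fail with AttributeError at this call rather than simply run without verification. `gpgkey=getattr(repo, 'gpgkey', None)` keeps the previous behaviour for such kickstarts and still passes the key when it is present; the same applies to the second call site in the following hunk. Both calls sit in a method that starts and ends outside these hunks.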
From b5e94997dea324c12357186c3e04ac0aea77d34d Mon Sep 17 00:00:00 2001
From: Marek Marczykowski-Górecki
Date: Sep 29 2015 12:11:31 +0000
Subject: [PATCH 2/2] Verify downloaded packages
Signed-off-by: Marek Marczykowski-Górecki
---
diff --git a/pungi/gather.py b/pungi/gather.py
index a5c9df9..66212d2 100644
--- a/pungi/gather.py
+++ b/pungi/gather.py
@@ -1103,6 +1103,20 @@ class Pungi(PungiBase):
 sys.exit(1)
 for po in polist:
+ # before doing anything with the package, verify its signature
+ result, errmsg = self.ayum.sigCheckPkg(po)
+ if result == 0:
+ # Verified ok, or verify not req'd
+ pass
+ elif result == 1:
+ # keys are provided through kickstart, so treat this as consent
+ # for importing them
+ self.ayum.getKeyForPackage(po, lambda x, y, z: True)
+ else:
+ # Fatal error
+ self.logger.error(errmsg)
+ sys.exit(1)
+
 basename = os.path.basename(po.relativepath)
 local = po.localPkg()
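Review bot: After the `result == 1` branch imports a key through `getKeyForPackage`, the loop goes on to use the package without calling `sigCheckPkg` again, so unless yum's import routine re-verifies the package itself (not visible here — confirm), a package whose signature the imported key does not match is still processed; and an exception raised by the import is not caught, so a bad or unreachable key URL ends in a traceback instead of the clean `sys.exit(1)` the other branch uses. Re-check the signature once the key is in place and treat any non-zero result as fatal, as in the rewrite below. The "verify not req'd" case of `result == 0` also means packages from a repo added without `--gpgkey` pass this loop untouched; a warning logged there would make that visible in the compose log. The enclosing method starts and ends outside the hunk.
```python
for po in polist:
    # before doing anything with the package, verify its signature
    result, errmsg = self.ayum.sigCheckPkg(po)
    if result == 1:
        # keys are provided through kickstart, so treat this as consent
        # for importing them, then re-check once the key is imported
        try:
            self.ayum.getKeyForPackage(po, lambda x, y, z: True)
        except yum.Errors.YumBaseError as e:
            self.logger.error('GPG key import for %s failed: %s' % (po, e))
            sys.exit(1)
        result, errmsg = self.ayum.sigCheckPkg(po)
    if result != 0:
        # Fatal error: unsigned, bad signature, or still no usable key
        self.logger.error(errmsg)
        sys.exit(1)

    # … unchanged: basename / localPkg handling …
```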