org.osbuild.rpm: make rpm --install check signatures

It turns out that rpm will happily check signatures on `--install`, that's just not the default behavior, because of Historical Reasons. This commit enables RPM's signature checking and drops our manual check, which will probably speed up the RPM stage a little bit. Fun! Oh, also there's two bonus code cleanups: one to use f-strings harder, and one to make sure we ignore whitespace in package checksum strings.
runcom · Nov 13, 2019 · 9d4b526 · 9d4b526
1 parent d6ce127
commit 9d4b526
Showing 1 changed file with 5 additions and 8 deletions.
diff --git a/stages/org.osbuild.rpm b/stages/org.osbuild.rpm
@@ -31,9 +31,9 @@ def download_package(pkg):
             filename = curl.stdout.strip()
             break
     else:
-        raise RuntimeError("Error downloading " + pkg["url"])
+        raise RuntimeError(f"Error downloading {pkg['url']}")
 
-    algorithm, checksum = pkg["checksum"].split(":", 1)
+    algorithm, checksum = pkg["checksum"].strip().split(":", 1)
     if algorithm not in ("md5", "sha1", "sha256", "sha384", "sha512"):
         raise RuntimeError(f"Unsupported checksum algorithm: {algorithm}")
 
@@ -45,12 +45,6 @@ def download_package(pkg):
         encoding="utf-8",
         check=True)
 
-    # check signature, because `rpm --install` doesn't
-    subprocess.run(
-        ["rpmkeys", "--checksig", filename],
-        cwd=RPM_CACHE_DIR,
-        stdout=subprocess.DEVNULL,
-        check=True)
 
     return filename
 
@@ -93,6 +87,9 @@ def main(tree, options):
         subprocess.run([
             "rpm",
             "--root", tree,
+            # Make rpm require valid signatures & digests on packages.
+            # (see /usr/lib/rpm/macros for more info)
+            "--define", "_pkgverify_level all",
             "--install", manifest.name
         ], cwd=RPM_CACHE_DIR, check=True)