OSInside / kiwi

KIWI - Appliance Builder Next Generation
https://osinside.github.io/kiwi
GNU General Public License v3.0

Gpg checks in zypper repo config disabled by default #2273

Open Zinurist opened 1 year ago

Zinurist commented 1 year ago

Problem description

As per the documentation here and here, you can set repository_gpgcheck and package_gpgcheck, and if they are omitted, the package manager's default is used instead. The second link also mentions: "If not set, no value is appended into the repository configuration file."

The code for zypper, though, does set these values to 0 if they are omitted. I'm not familiar with the codebase, but these lines look to be the reason: https://github.com/OSInside/kiwi/blob/53f1c72f9f1514c990ab668d8d8efe4ec46470e4/kiwi/repository/zypper.py#L326

I end up with these lines in the repo files in /etc/zypp/repos.d/... in the created image:

repo_gpgcheck = 0
pkg_gpgcheck = 0

If I do zypper lr in the built image, it still shows it as having repo GPG checks enabled though, which I don't really understand, but those 2 lines in the repo config definitely look wrong.

Side note: package_gpgcheck is missing from the image description documentation.

Expected behaviour

That kiwi-ng doesn't add any extra lines to the repo files.

Steps to reproduce the behaviour

I tried to make a minimal setup for this, here's the config.xml:

<?xml version="1.0" encoding="utf-8"?>
<image schemaversion="7.4" name="test">
    <description type="system"><author>test</author><contact>test</contact><specification>test</specification></description>
    <preferences><version>1</version><packagemanager>zypper</packagemanager><type image="kis"/></preferences>
    <repository type="rpm-md" alias="leap153" imageinclude="true"><source path="http://download.opensuse.org/distribution/leap/15.3/repo/oss/"/></repository>
    <packages type="bootstrap"><package name="openSUSE-release"/></packages>
    <packages type="image"><package name="dracut"/><package name="kernel-default"/></packages>
</image>

And then using kiwi-ng:

$ kiwi-ng system build --description tmp/ --target-dir tmp2
$ cat tmp2/build/image-root/etc/zypp/repos.d/leap153.repo

OS and Software information

Conan-Kudo commented 1 year ago

You're effectively describing a Zypper bug. If the repo files disable gpg check, Zypper should respect that.

Zinurist commented 1 year ago

The zypper behavior is correct after all: setting them to 0 won't turn off the checks, it will just allow unsigned repos/packages without asking (mentioned somewhere here).
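
An added example, not part of the thread and not kiwi's own code: a small audit that reads the .repo files under an image root's /etc/zypp/repos.d and reports, per repository, whether repo_gpgcheck and pkg_gpgcheck are explicitly relaxed, explicitly enabled, or absent. The sample repo text is constructed from the lines quoted in the issue; the function names, the second repository and the treatment of "no"/"false"/"off" as equivalent to 0 are assumptions.

```python
import configparser
from pathlib import Path

# Keys kiwi writes into the .repo file, as quoted in the issue above.
GPG_KEYS = ("repo_gpgcheck", "pkg_gpgcheck")

# Constructed sample modelled on the two lines reported in the issue;
# the first baseurl is the one from the reporter's config.xml.
SAMPLE_REPO = """\
[leap153]
baseurl = http://download.opensuse.org/distribution/leap/15.3/repo/oss/
repo_gpgcheck = 0
pkg_gpgcheck = 0

[other]
baseurl = https://example.invalid/repo/
pkg_gpgcheck = 1
"""


def audit_repo_text(text, source="<string>"):
    """Return one finding per (repo section, key): 'off', 'on' or 'unset'."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(text, source=source)
    findings = []
    for section in parser.sections():
        for key in GPG_KEYS:
            raw = parser.get(section, key, fallback=None)
            if raw is None:
                state = "unset"  # nothing written: package manager default applies
            elif raw.strip().lower() in ("0", "no", "false", "off"):
                state = "off"    # explicitly relaxed (spellings other than 0 assumed)
            else:
                state = "on"
            findings.append((source, section, key, state))
    return findings


def audit_image_root(root):
    """Audit every .repo file under <root>/etc/zypp/repos.d."""
    findings = []
    for path in sorted(Path(root, "etc/zypp/repos.d").glob("*.repo")):
        findings += audit_repo_text(path.read_text(), source=str(path))
    return findings


if __name__ == "__main__":
    for source, section, key, state in audit_repo_text(SAMPLE_REPO):
        print(f"{source} [{section}] {key}: {state}")
```

Pointing audit_image_root at the build's image root (tmp2/build/image-root in the reproduction above) lists any repository whose file carries an explicit 0, which separates "kiwi wrote a value" from "no value was appended".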