Open akaher opened 5 years ago
Ahh yep, dnf calls this localpkg_gpgcheck:
$ sudo dnf --setopt=localpkg_gpgcheck=1 --setopt gpgcheck=1 install http://192.168.122.1:8888/foobar-1.0-1.x86_64.rpm
...
Downloading Packages:
Package foobar-1.0-1.x86_64.rpm is not signed
Error: GPG check FAILED
(Though note it's disabled by default.)
Normally, GPG settings come from the repo settings themselves. In this case, we're pointing straight at an RPM. Looking at the dnf source quickly, seems like it's just letting librpm do the GPG verification using its keyring.
Not sure if we want to break backwards compatibility on this, especially if we're matching dnf. Though we could add a CLI switch and an rpm-ostreed.conf knob.
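As an added example (not code from the issue or from the rpm-ostree project), this wrapper reproduces the localpkg_gpgcheck behaviour described above on the client side: fetch the RPM, ask librpm to verify it, and only hand it to rpm-ostree if a signature actually verified. It assumes curl, an rpm >= 4.14 "rpm -K" output format ("digests signatures OK"), and that the signing key is already imported into the rpm keyring; the example URL is a placeholder.

```shell
#!/bin/sh
# Added example: refuse to install an unsigned or badly signed RPM.
# Assumes rpm >= 4.14 ("rpm -K" prints "digests signatures OK" when a
# signature verifies) and that the signing key is in the rpm keyring.
set -eu

# Classify one line of "rpm -K" output. Returns 0 only when rpm reports a
# signature it could verify. "rpm -K" itself exits 0 for an UNSIGNED package
# (there is nothing to fail), so the exit status alone is not enough.
signature_ok() {
    case "$1" in
        *"NOT OK"*)        return 1 ;;  # bad signature or missing key
        *"signatures OK"*) return 0 ;;  # digests and signatures verified
        *)                 return 1 ;;  # "digests OK" only => unsigned
    esac
}

# Download a package URL, check its signature, then install from the local
# file, which is what dnf does with localpkg_gpgcheck=1.
verify_and_install() {
    url=$1
    tmpdir=$(mktemp -d)
    trap 'rm -rf "$tmpdir"' EXIT
    pkg="$tmpdir/${url##*/}"
    curl -fsSL -o "$pkg" "$url"
    result=$(rpm -K "$pkg" 2>&1) || {
        echo "GPG check FAILED: $result" >&2
        return 1
    }
    if ! signature_ok "$result"; then
        echo "Package ${url##*/} is not signed or key not trusted: $result" >&2
        return 1
    fi
    rpm-ostree install "$pkg"
}

# Usage (placeholder URL): ./verify-install.sh http://example.invalid/foobar-1.0-1.x86_64.rpm
if [ "$#" -eq 1 ]; then
    verify_and_install "$1"
fi
```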
@jlebon Thanks for your reply.
So libdnf's dnf_transaction_gpgcheck_package() should be used even for localpkg if "localpkg_gpgcheck=1".
Thinking if we could control this using /lib/dnf/dnf.conf, or directly enable here: https://github.com/rpm-software-management/libdnf/blob/master/libdnf/conf/ConfigMain.cpp#L209
I will check and let you know if above works.
@jlebon just to verify enabled localpkg_gpgcheck here: https://github.com/rpm-software-management/libdnf/blob/master/libdnf/conf/ConfigMain.cpp#L209
But unfortunately this doesn't work for "rpm-ostree install". Before I dig into the libdnf code, I just wanted to ask whether there is any other way to achieve this until we have localpkg_gpgcheck in the rpm-ostree CLI?
I think the issue is that the code to handle this is in dnf, not libdnf:
So the first step would be to lower it down into libdnf (or we could re-implement it in rpm-ostree, but... the hope is really to be able to share this kind of code between stacks). Examples of other functionality in the same boat: https://github.com/rpm-software-management/libdnf/issues/303 and https://github.com/rpm-software-management/libdnf/issues/258.
This is not a bug, please consider this a query.
"rpm-ostree install URL" installs any unverified rpm. Does this command have any option to check the GPG signature before installation and fail to install if the GPG signature is not proper?
Host system details: Photon OS; also observed the same on other OSes.
Expected vs actual behavior: "rpm-ostree install URL" installs any unverified rpm.
Expected: "rpm-ostree install URL" should have some option to check the GPG signature and fail if the GPG signature is not proper.
Steps to reproduce it: rpm-ostree install URL
Would you like to work on the issue? This is not a bug.