
Commit 202b10b

Harden repo verification and live installer privileges
1 parent 8f1ce06 commit 202b10b

10 files changed

Lines changed: 191 additions & 31 deletions

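--- a/docs/profesyonel-installer-ana-plani.md
+++ b/docs/profesyonel-installer-ana-plani.md
@@ -101,9 +101,10 @@ Hedef:
 
 Plan:
 
-- Repo GPG anahtari uretilecek ve paket imzalama akisi belgelenecek.
-- `.repo` dosyasi `gpgcheck=1` ve `repo_gpgcheck=1` hedefiyle guncellenecek.
-- Live ISO sudo/polkit politikasi `NOPASSWD: ALL` yerine yalniz installer komut seti veya pkexec policy ile sinirlanacak.
+- Ro `.repo` dosyalari `gpgcheck=1`, `repo_gpgcheck=1` ve `RPM-GPG-KEY-ro-asd` ile guncellendi.
+- COPR depolari RPM imzasi (`gpgcheck=1`) ile kaliyor; COPR metadata imzasi yayinlanmadigi icin `repo_gpgcheck=0` istisnasi belgelendi.
+- Live ISO `NOPASSWD: ALL` kullanmiyor; otomatik baslatma installer launcher + liveuser ile sinirli polkit kuralina tasindi.
+- Hala gereken dis is: 2026-06-15 kontrolunde Ro-Repo tarafinda `RPM-GPG-KEY-ro-asd` ve imzali `repodata/repomd.xml.asc` dosyalari 404 donuyor; bunlar yayinlanmali.
 
 ## Storage Plani
 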

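--- a/docs/sonraki-adim-notu.md
+++ b/docs/sonraki-adim-notu.md
@@ -1,11 +1,14 @@
 # Sonraki Adim Notu
 
-Git temizligi ve GitHub senkronizasyonu bittikten sonra teknik siralama:
+Git temizligi ve GitHub senkronizasyonu sonrasi teknik siralama:
 
-1. Repo GPG ve live sudo/polkit sertlestirmesi.
-- `gpgcheck=0` ve `repo_gpgcheck=0` stable blocker olarak kalacak.
-- Live ISO icindeki `NOPASSWD: ALL` daraltilacak.
-2. LUKS stage uygulamasi.
+1. Tamamlandi: Repo GPG ve live sudo/polkit sertlestirmesi.
+- Ro GitHub repo dosyalari `gpgcheck=1`, `repo_gpgcheck=1` ve `RPM-GPG-KEY-ro-asd` ile yaziliyor.
+- COPR depolarinda RPM imzasi (`gpgcheck=1`) zorunlu; COPR metadata imzasi yayinlamadigi icin `repo_gpgcheck=0` pratik istisna olarak kaliyor.
+- Live ISO icindeki `NOPASSWD: ALL` kaldirildi; otomatik baslatma dar polkit kuralindan `pkexec` launcher'a gidiyor.
+- Kurulu sistem dogrulamasi, live polkit/sudoers/installer kalintisi sizarsa kurulumu basarisiz sayiyor.
+- Dis blocker: 2026-06-15 kontrolunde `RPM-GPG-KEY-ro-asd`, `x86_64/repodata/repomd.xml.asc` ve `noarch/repodata/repomd.xml.asc` GitHub Pages uzerinde 404 donuyor. Bu dosyalar Ro-Repo tarafinda yayinlanmadan yeni guvenli repo ayari bilincli olarak build/install akisini durdurur.
+2. Siradaki is: LUKS stage uygulamasi.
 - `InstallProfile` encryption semasi hazir, ama `enabled=true` profiller stage destegi tamamlanana kadar bilincli olarak reddediliyor.
 - Ilk hedef: gelismis kurulumda opsiyonel LUKS2 root.
 3. QEMU stable matrisi.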

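--- a/lib/services/install_stages/chroot_config_stage.dart
+++ b/lib/services/install_stages/chroot_config_stage.dart
@@ -24,15 +24,19 @@ cat > /etc/yum.repos.d/ro-repo.repo <<'EOF'
 name=Acik Kaynak Gelistirme Toplulugu Repo
 baseurl=https://project-ro-asd.github.io/Ro-Repo/$basearch/
 enabled=1
-gpgcheck=0
+gpgcheck=1
+gpgkey=https://project-ro-asd.github.io/Ro-Repo/RPM-GPG-KEY-ro-asd
+repo_gpgcheck=1
 EOF
 
 cat > /etc/yum.repos.d/ro-repo-noarch.repo <<'EOF'
 [ro-repo-noarch]
 name=Acik Kaynak Gelistirme Toplulugu Repo - Noarch
 baseurl=https://project-ro-asd.github.io/Ro-Repo/noarch/
 enabled=1
-gpgcheck=0
+gpgcheck=1
+gpgkey=https://project-ro-asd.github.io/Ro-Repo/RPM-GPG-KEY-ro-asd
+repo_gpgcheck=1
 EOF
 
 cat > /etc/yum.repos.d/ro-kernel-stable-copr.repo <<'EOF'
@@ -558,6 +562,7 @@ EOF
 rm -rf /usr/lib/ro-installer /usr/lib64/ro-installer 2>/dev/null || true
 rm -f /usr/libexec/ro-installer-launcher.sh 2>/dev/null || true
 rm -f /usr/share/polkit-1/actions/org.roasd.installer.policy 2>/dev/null || true
+rm -f /etc/polkit-1/rules.d/49-ro-installer-live.rules 2>/dev/null || true
 ''',
 ],
 'Kurulu sistemden eski autostart girdisi temizlenemedi.',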
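Review bot: The new `gpgkey=https://project-ro-asd.github.io/Ro-Repo/RPM-GPG-KEY-ro-asd` lines in both heredocs fetch the signing key from the same GitHub Pages origin that serves the packages and metadata, so anyone able to publish to that site can replace the key together with the content, and `gpgcheck=1`/`repo_gpgcheck=1` would still pass on first import. Shipping the public key inside the image and pointing at it, for example `gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-ro-asd`, would anchor trust in the ISO rather than in the download host. The same applies to `write_ro_repos` in scripts/02-build-iso.sh and to the matching `grep` checks in both validation scripts. The shell script these heredocs belong to starts and ends outside the hunks.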

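--- a/lib/services/install_stages/post_install_validation_stage.dart
+++ b/lib/services/install_stages/post_install_validation_stage.dart
@@ -37,8 +37,18 @@ test -f /etc/yum.repos.d/ro-kernel-stable-copr.repo
 test -f /etc/yum.repos.d/ro-kernel-experimental-copr.repo
 grep -q 'https://project-ro-asd.github.io/Ro-Repo/$basearch/' /etc/yum.repos.d/ro-repo.repo
 grep -q 'https://project-ro-asd.github.io/Ro-Repo/noarch/' /etc/yum.repos.d/ro-repo-noarch.repo
+grep -q '^gpgcheck=1$' /etc/yum.repos.d/ro-repo.repo
+grep -q '^repo_gpgcheck=1$' /etc/yum.repos.d/ro-repo.repo
+grep -q '^gpgkey=https://project-ro-asd.github.io/Ro-Repo/RPM-GPG-KEY-ro-asd$' /etc/yum.repos.d/ro-repo.repo
+grep -q '^gpgcheck=1$' /etc/yum.repos.d/ro-repo-noarch.repo
+grep -q '^repo_gpgcheck=1$' /etc/yum.repos.d/ro-repo-noarch.repo
+grep -q '^gpgkey=https://project-ro-asd.github.io/Ro-Repo/RPM-GPG-KEY-ro-asd$' /etc/yum.repos.d/ro-repo-noarch.repo
 grep -q 'hynkzz/ro-kernel-stable' /etc/yum.repos.d/ro-kernel-stable-copr.repo
+grep -q '^gpgcheck=1$' /etc/yum.repos.d/ro-kernel-stable-copr.repo
+grep -q '^gpgkey=https://download.copr.fedorainfracloud.org/results/hynkzz/ro-kernel-stable/pubkey.gpg$' /etc/yum.repos.d/ro-kernel-stable-copr.repo
 grep -q 'hynkzz/ro-Kernel-Experimental' /etc/yum.repos.d/ro-kernel-experimental-copr.repo
+grep -q '^gpgcheck=1$' /etc/yum.repos.d/ro-kernel-experimental-copr.repo
+grep -q '^gpgkey=https://download.copr.fedorainfracloud.org/results/hynkzz/ro-Kernel-Experimental/pubkey.gpg$' /etc/yum.repos.d/ro-kernel-experimental-copr.repo
 ''';
 
 const postInstallRoDesktopAppsValidationScript = r'''
@@ -354,6 +364,34 @@ class PostInstallValidationStage {
 ], 'ro_installer kurulu sistemde kalmış görünüyor.');
 if (failure != null) return failure;
 
+failure = await _requireCommand(ctx, 'test', [
+'!',
+'-e',
+'/mnt/usr/libexec/ro-installer-launcher.sh',
+], 'ro-installer launcher kurulu sistemde kalmış görünüyor.');
+if (failure != null) return failure;
+
+failure = await _requireCommand(ctx, 'test', [
+'!',
+'-e',
+'/mnt/usr/share/polkit-1/actions/org.roasd.installer.policy',
+], 'ro-installer polkit policy kurulu sistemde kalmış görünüyor.');
+if (failure != null) return failure;
+
+failure = await _requireCommand(ctx, 'test', [
+'!',
+'-e',
+'/mnt/etc/polkit-1/rules.d/49-ro-installer-live.rules',
+], 'Canlı oturum polkit kuralı hedef sisteme sızmış görünüyor.');
+if (failure != null) return failure;
+
+failure = await _requireCommand(ctx, 'test', [
+'!',
+'-e',
+'/mnt/etc/sudoers.d/ro-installer-live',
+], 'Canlı oturum sudoers kuralı hedef sisteme sızmış görünüyor.');
+if (failure != null) return failure;
+
 failure = await _requireCommand(ctx, 'chroot', [
 '/mnt',
 'sh',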
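Review bot: The added `grep -q '^gpgcheck=1$'` and `grep -q '^repo_gpgcheck=1$'` checks in the first hunk only prove that such a line exists somewhere in each .repo file; a file that also carries a `gpgcheck=0` line, or a second section with verification switched off, would still pass validation. Assuming the script is meant to stop at the first failing command, a negative check closes that gap, e.g. `if grep -Eq '^(repo_)?gpgcheck=0$' /etc/yum.repos.d/ro-repo.repo; then exit 1; fi` for the two Ro files and the plain `gpgcheck=0` form for the COPR files. In the second hunk the four `test ! -e` blocks differ only in path and message, so iterating over a list of (path, message) pairs would keep the leak list easier to extend. Both the validation script and the enclosing method continue outside the hunks.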

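--- a/linux/org.roasd.installer.policy
+++ b/linux/org.roasd.installer.policy
@@ -13,7 +13,6 @@
 <message xml:lang="tr">Ro-ASD Yükleyici yönetici izni gerektirmektedir.</message>
 <icon_name>drive-harddisk</icon_name>
 <defaults>
-<!-- Live ISO ortamında şifresiz yetki yükseltme -->
 <allow_any>auth_admin_keep</allow_any>
 <allow_inactive>auth_admin_keep</allow_inactive>
 <allow_active>auth_admin_keep</allow_active>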

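--- a/linux/ro-installer.desktop
+++ b/linux/ro-installer.desktop
@@ -7,9 +7,9 @@ Name[tr]=Ro-ASD Yükleyici
 Comment=Ro-ASD işletim sistemini bilgisayarınıza kurun
 Comment[en]=Install Ro-ASD Operating System to your computer
 Comment[tr]=Ro-ASD işletim sistemini bilgisayarınıza kurun
-# Exec: /usr/bin/ro-installer symlink'i paketleme asamasinda olusturulur.
-# Uygulama root degilse main.dart icinden pkexec ile kendini tekrar baslatir.
-Exec=/usr/bin/ro-installer
+# Launcher paketleme asamasinda /usr/libexec altina kurulur.
+# Uygulama root degilse launcher pkexec ile kendini tekrar baslatir.
+Exec=/usr/libexec/ro-installer-launcher.sh
 Icon=drive-harddisk
 Terminal=false
 Categories=System;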

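--- a/scripts/02-build-iso.sh
+++ b/scripts/02-build-iso.sh
@@ -569,15 +569,19 @@ write_ro_repos() {
 name=Acik Kaynak Gelistirme Toplulugu Repo
 baseurl=https://project-ro-asd.github.io/Ro-Repo/$basearch/
 enabled=1
-gpgcheck=0
+gpgcheck=1
+gpgkey=https://project-ro-asd.github.io/Ro-Repo/RPM-GPG-KEY-ro-asd
+repo_gpgcheck=1
 EOF
 
 cat > /etc/yum.repos.d/ro-repo-noarch.repo <<'EOF'
 [ro-repo-noarch]
 name=Acik Kaynak Gelistirme Toplulugu Repo - Noarch
 baseurl=https://project-ro-asd.github.io/Ro-Repo/noarch/
 enabled=1
-gpgcheck=0
+gpgcheck=1
+gpgkey=https://project-ro-asd.github.io/Ro-Repo/RPM-GPG-KEY-ro-asd
+repo_gpgcheck=1
 EOF
 
 cat > /etc/yum.repos.d/ro-kernel-stable-copr.repo <<'EOF'
@@ -1105,6 +1109,16 @@ test -f /etc/yum.repos.d/ro-repo.repo
 test -f /etc/yum.repos.d/ro-repo-noarch.repo
 test -f /etc/yum.repos.d/ro-kernel-stable-copr.repo
 test -f /etc/yum.repos.d/ro-kernel-experimental-copr.repo
+grep -q '^gpgcheck=1$' /etc/yum.repos.d/ro-repo.repo
+grep -q '^repo_gpgcheck=1$' /etc/yum.repos.d/ro-repo.repo
+grep -q '^gpgkey=https://project-ro-asd.github.io/Ro-Repo/RPM-GPG-KEY-ro-asd$' /etc/yum.repos.d/ro-repo.repo
+grep -q '^gpgcheck=1$' /etc/yum.repos.d/ro-repo-noarch.repo
+grep -q '^repo_gpgcheck=1$' /etc/yum.repos.d/ro-repo-noarch.repo
+grep -q '^gpgkey=https://project-ro-asd.github.io/Ro-Repo/RPM-GPG-KEY-ro-asd$' /etc/yum.repos.d/ro-repo-noarch.repo
+grep -q '^gpgcheck=1$' /etc/yum.repos.d/ro-kernel-stable-copr.repo
+grep -q '^gpgkey=https://download.copr.fedorainfracloud.org/results/hynkzz/ro-kernel-stable/pubkey.gpg$' /etc/yum.repos.d/ro-kernel-stable-copr.repo
+grep -q '^gpgcheck=1$' /etc/yum.repos.d/ro-kernel-experimental-copr.repo
+grep -q '^gpgkey=https://download.copr.fedorainfracloud.org/results/hynkzz/ro-Kernel-Experimental/pubkey.gpg$' /etc/yum.repos.d/ro-kernel-experimental-copr.repo
 install_pkgs=(
 "${installer_rpm}"
 gdisk
@@ -1187,29 +1201,42 @@ rm -f \
 
 log "Live ISO boot kernel/initrd replaced with ro-kernel-stable artifacts."
 
-log "Creating live autostart and passwordless sudo policy for installer..."
+log "Creating live autostart and polkit rule for installer..."
 install -d "${TARGET_ROOT_DIR}/etc/xdg/autostart"
 cat > "${TARGET_ROOT_DIR}/etc/xdg/autostart/ro-Installer.desktop" <<'EOF'
 [Desktop Entry]
 Type=Application
 Version=1.0
 Name=Ro-ASD Installer Live AutoStart
 Comment=Starts Ro-ASD installer in the live session
-Exec=/usr/bin/env RO_INSTALLER_LIVE_SESSION=1 RO_INSTALLER_COMMAND_SUDO=1 /usr/bin/ro-installer
-TryExec=/usr/bin/ro-installer
+Exec=/usr/bin/env RO_INSTALLER_LIVE_SESSION=1 /usr/libexec/ro-installer-launcher.sh
+TryExec=/usr/libexec/ro-installer-launcher.sh
 Terminal=false
 NoDisplay=true
 X-GNOME-Autostart-enabled=true
 X-KDE-autostart-after=panel
 EOF
 
-install -d "${TARGET_ROOT_DIR}/etc/sudoers.d"
-cat > "${TARGET_ROOT_DIR}/etc/sudoers.d/ro-installer-live" <<'EOF'
-Defaults:liveuser !requiretty
-liveuser ALL=(ALL) NOPASSWD: ALL
-%wheel ALL=(ALL) NOPASSWD: ALL
+install -d "${TARGET_ROOT_DIR}/etc/polkit-1/rules.d"
+cat > "${TARGET_ROOT_DIR}/etc/polkit-1/rules.d/49-ro-installer-live.rules" <<'EOF'
+polkit.addRule(function(action, subject) {
+if (subject.user != "liveuser" || !subject.active) {
+return polkit.Result.NOT_HANDLED;
+}
+
+if (action.id == "org.roasd.installer.run") {
+return polkit.Result.YES;
+}
+
+if (action.id == "org.freedesktop.policykit.exec" &&
+action.lookup("program") == "/usr/bin/ro-installer") {
+return polkit.Result.YES;
+}
+
+return polkit.Result.NOT_HANDLED;
+});
 EOF
-chmod 0440 "${TARGET_ROOT_DIR}/etc/sudoers.d/ro-installer-live"
+chmod 0644 "${TARGET_ROOT_DIR}/etc/polkit-1/rules.d/49-ro-installer-live.rules"
 
 rewrite_os_release() {
 local file="$1"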
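Review bot: The live polkit rule in the last hunk gates only on `subject.user` and `subject.active`, so any active session of liveuser, including a non-local one, receives `polkit.Result.YES` for running the installer as root without a prompt. Adding the locality check tightens it to the console session: `if (subject.user != "liveuser" || !subject.local || !subject.active) {`. The `org.freedesktop.policykit.exec` branch matches on the program path alone, so it is worth confirming that `/usr/bin/ro-installer` cannot be steered through its arguments into running arbitrary commands, because that would make the rule equivalent to the removed `NOPASSWD: ALL` entries. A short comment inside the rules file stating that it is live-session only and must never reach the installed system would also help whoever edits it next.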

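--- a/scripts/check-stable.sh
+++ b/scripts/check-stable.sh
@@ -86,10 +86,25 @@ forbid_pattern \
 lib scripts
 
 forbid_pattern \
-"repo GPG kontrolleri kapali degil" \
-'(^|[[:space:]])(gpgcheck=0|repo_gpgcheck=0)($|[[:space:]])' \
+"RPM GPG kontrolleri kapali degil" \
+'(^|[[:space:]])gpgcheck=0($|[[:space:]])' \
 lib scripts ro-installer.spec
 
+require_ro_repo_metadata_gpg() {
+local file
+local key_count
+local metadata_count
+for file in lib/services/install_stages/chroot_config_stage.dart scripts/02-build-iso.sh; do
+rg -n 'project-ro-asd.github.io/Ro-Repo' "${file}" >/dev/null
+metadata_count="$(rg -c '^repo_gpgcheck=1$' "${file}" || true)"
+key_count="$(rg -c '^gpgkey=https://project-ro-asd.github.io/Ro-Repo/RPM-GPG-KEY-ro-asd$' "${file}" || true)"
+[[ "${metadata_count}" -ge 2 ]]
+[[ "${key_count}" -ge 2 ]]
+done
+}
+
+run_check "Ro repo metadata GPG zorunlu" require_ro_repo_metadata_gpg
+
 forbid_pattern \
 "live sudo politikasi NOPASSWD ALL degil" \
 'NOPASSWD:[[:space:]]*ALL' \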
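Review bot: Inside `require_ro_repo_metadata_gpg` the `rg -n … >/dev/null` probe and the two `[[ … -ge 2 ]]` tests are bare statements in a loop, so unless errexit is in effect the function's status is just that of the last test for the last file. If `run_check` (not visible here) invokes the function in a conditional context, errexit is suppressed inside it, and a failure for chroot_config_stage.dart would be masked by a pass for 02-build-iso.sh. Making each check explicit removes that dependency: `rg -q 'project-ro-asd.github.io/Ro-Repo' "${file}" || return 1`, `[[ "${metadata_count}" -ge 2 ]] || return 1`, `[[ "${key_count}" -ge 2 ]] || return 1`. This matters more now that the `forbid_pattern` above no longer rejects `repo_gpgcheck=0`, leaving this function as the only guard for Ro repo metadata signing.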

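--- a/test/services/install_stages/chroot_config_stage_test.dart
+++ b/test/services/install_stages/chroot_config_stage_test.dart
@@ -264,12 +264,15 @@ void main() {
 (cmd) =>
 cmd.command == 'chroot' &&
 cmd.args.join(' ').contains('/etc/yum.repos.d/ro-repo.repo') &&
-cmd.args
-.join(' ')
-.contains('https://project-ro-asd.github.io/Ro-Repo'),
+cmd.args.join(' ').contains(
+'https://project-ro-asd.github.io/Ro-Repo',
+) &&
+cmd.args.join(' ').contains('gpgcheck=1') &&
+cmd.args.join(' ').contains('repo_gpgcheck=1') &&
+cmd.args.join(' ').contains('RPM-GPG-KEY-ro-asd'),
 ),
 true,
-reason: 'Ro GitHub repo dosyasi hedef sisteme yazilmadi',
+reason: 'Ro GitHub repo dosyasi imza dogrulamayla yazilmadi',
 );
 expect(
 fake.commandLog.any(
@@ -599,6 +602,11 @@ void main() {
 cleanupScripts,
 contains('/var/lib/AccountsService/users/liveuser'),
 );
+expect(
+cleanupScripts,
+contains('/etc/polkit-1/rules.d/49-ro-installer-live.rules'),
+);
+expect(cleanupScripts, contains('/etc/sudoers.d/ro-installer-live'));
 expect(cleanupScripts, contains('userdel -r liveuser'));
 },
 );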
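Review bot: The added `contains('gpgcheck=1')` assertion in the first hunk is also satisfied by the substring inside `repo_gpgcheck=1`, so the test would still pass if the repo file were written with `gpgcheck=0` and `repo_gpgcheck=1`. Matching the whole line pins RPM signature checking, e.g. `cmd.args.join(' ').contains('\ngpgcheck=1\n')`, assuming the heredoc lines stay at column 0 in the generated script. Joining the arguments once into a local and reusing it would also remove the five repeated `cmd.args.join(' ')` calls. The second hunk now expects `/etc/sudoers.d/ro-installer-live` in the cleanup scripts, while the chroot_config_stage.dart hunk in this commit only adds the polkit rule removal, so that removal presumably already exists outside the visible hunks.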

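--- a/test/services/install_stages/post_install_validation_stage_test.dart
+++ b/test/services/install_stages/post_install_validation_stage_test.dart
@@ -227,6 +227,26 @@ void main() {
 void addInstallerRemovalResponses(FakeCommandRunner fake) {
 fake.addResponse('test', ['!', '-e', '/mnt/usr/bin/ro-installer']);
 fake.addResponse('test', ['!', '-e', '/mnt/usr/bin/ro_installer']);
+fake.addResponse('test', [
+'!',
+'-e',
+'/mnt/usr/libexec/ro-installer-launcher.sh',
+]);
+fake.addResponse('test', [
+'!',
+'-e',
+'/mnt/usr/share/polkit-1/actions/org.roasd.installer.policy',
+]);
+fake.addResponse('test', [
+'!',
+'-e',
+'/mnt/etc/polkit-1/rules.d/49-ro-installer-live.rules',
+]);
+fake.addResponse('test', [
+'!',
+'-e',
+'/mnt/etc/sudoers.d/ro-installer-live',
+]);
 }
 
 void addLiveUserCleanupResponses(
@@ -486,6 +506,50 @@ void main() {
 );
 });
 
+test('canlı polkit kuralı sızmışsa doğrulama düşer', () async {
+final fake = FakeCommandRunner(defaultSuccess: false);
+fake.addResponse('test', ['-f', '/mnt/etc/fstab']);
+fake.addResponse('test', ['-f', '/mnt/etc/kernel/cmdline']);
+addLocalizationResponses(fake);
+addBrandingResponse(fake);
+fake.addResponse('sh', [
+'-c',
+'ls /mnt/boot/loader/entries/*.conf >/dev/null 2>&1',
+]);
+addNoFedoraKernelResponse(fake);
+addStableKernelResponse(fake);
+addRoRepoResponses(fake);
+addRoDesktopAppsResponses(fake);
+addRoThemeResponses(fake);
+fake.addResponse('test', ['!', '-e', '/mnt/usr/bin/ro-installer']);
+fake.addResponse('test', ['!', '-e', '/mnt/usr/bin/ro_installer']);
+fake.addResponse('test', [
+'!',
+'-e',
+'/mnt/usr/libexec/ro-installer-launcher.sh',
+]);
+fake.addResponse('test', [
+'!',
+'-e',
+'/mnt/usr/share/polkit-1/actions/org.roasd.installer.policy',
+]);
+fake.addResponse('test', [
+'!',
+'-e',
+'/mnt/etc/polkit-1/rules.d/49-ro-installer-live.rules',
+], exitCode: 1);
+
+final ctx = makeContext({
+'fileSystem': 'ext4',
+'partitionMethod': 'full',
+}, fake);
+
+final result = await const PostInstallValidationStage().execute(ctx);
+
+expect(result.success, false);
+expect(result.message, contains('Canlı oturum polkit kuralı'));
+});
+
 test('Fedora stock kernel kalırsa stage düşer', () async {
 final fake = FakeCommandRunner(defaultSuccess: false);
 fake.addResponse('test', ['-f', '/mnt/etc/fstab']);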
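Review bot: Only the polkit-rule leak has a failing-path test; the launcher, the polkit action policy and the `/mnt/etc/sudoers.d/ro-installer-live` checks are exercised only on the success path through `addInstallerRemovalResponses`. The sudoers file is the one that previously granted `NOPASSWD: ALL`, so a sibling test that answers that `test ! -e` call with `exitCode: 1` and expects the message to contain `Canlı oturum sudoers kuralı` would be the most valuable addition. The new test also repeats the first five responses of `addInstallerRemovalResponses` by hand; giving the helper an optional parameter naming the path that should fail would keep the two lists from drifting apart.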
