Skip to content

Commit 391e2cd

Browse files
committed
installFromYum: give more detailed error messages on gpg errors
Covers: 1. repo_gpgcheck: a. wrong system clock putting gpg key creation in the future, causing a yum crash (nothing special happens if the date of the signature is in the future ¯\_(ツ)_/¯) b. other yum crashes due to uncaught gpg exceptions (if any) c. lack of repomd signature (while repo_gpgcheck is in force) d. signature done by other key than the one in ISO ("repomd.xml signature could not be verified" ¯\_(ツ)_/¯) 2. gpgcheck: a. RPM signed with unknown key b. unsigned RPM referenced by unsigned repomd (no-repo-gpgcheck) c. RPM re-signed with unknown key, unsigned repomd (no-repo-gpgcheck) d. RPM overwritten with another RPM signed with known key (diagnosed through hash but, same diag as 2.c) e. delsigned/resigned/etc RPM, unchanged repomd (same diag as 2.c/d) Does not cover notably: - unsigned RPM referenced by (re)signed repomd In some cases Yum does not give an error, but dies because of an uncaught exception, which makes this check quite brittle, but in the worst case if messages change, we still fallback to the original "Error installing packages" message. Signed-off-by: Yann Dirson <yann.dirson@vates.fr>
1 parent 3ca3be0 commit 391e2cd

1 file changed

Lines changed: 48 additions & 1 deletion

File tree

repository.py

Lines changed: 48 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -821,12 +821,59 @@ def installFromYum(targets, mounts, progress_callback, cachedir):
821821
rv = p.wait()
822822
stderr.seek(0)
823823
stderr = stderr.read()
824+
gpg_uncaught_error = 0
825+
gpg_error_pubring_import = 0
826+
gpg_error_not_signed = 0
827+
gpg_error_bad_repo_sig = 0
828+
gpg_error_rpm_missing_key = None
829+
gpg_error_rpm_not_signed = None
830+
gpg_error_rpm_not_found = None
824831
if stderr:
825832
logger.log("YUM stderr: %s" % stderr.strip())
826833

834+
if stderr.find(' in import_key_to_pubring') >= 0:
835+
gpg_error_pubring_import = 1
836+
# add any other instance of uncaught GpgmeError before this like
837+
elif stderr.find('gpgme.GpgmeError: ') >= 0:
838+
gpg_uncaught_error = 1
839+
840+
elif re.search("Couldn't open file [^ ]*/repodata/repomd.xml.asc", stderr):
841+
# would otherwise be mistaken for "pubring import" !?
842+
gpg_error_not_signed = 1
843+
elif stderr.find('repomd.xml signature could not be verified') >= 0:
844+
gpg_error_bad_repo_sig = 1
845+
846+
else:
847+
match = re.search("Public key for ([^ ]*.rpm) is not installed", stderr)
848+
if match:
849+
gpg_error_rpm_missing_key = match.group(1)
850+
match = re.search("Package ([^ ]*.rpm) is not signed", stderr)
851+
if match:
852+
gpg_error_rpm_not_signed = match.group(1)
853+
match = re.search(r" ([^ ]*): \[Errno [0-9]*\] No more mirrors to try", stderr)
854+
if match:
855+
gpg_error_rpm_not_found = match.group(1)
856+
827857
if rv:
828858
logger.log("Yum exited with %d" % rv)
829-
raise ErrorInstallingPackage("Error installing packages")
859+
if gpg_error_pubring_import:
860+
errmsg = "Signature key import failed"
861+
elif gpg_uncaught_error:
862+
errmsg = "Cryptography-related yum crash"
863+
elif gpg_error_not_signed:
864+
errmsg = "No signature on repository metadata"
865+
elif gpg_error_bad_repo_sig:
866+
errmsg = "Repository signature verification failure"
867+
elif gpg_error_rpm_missing_key:
868+
errmsg = "Missing key for %s" % (gpg_error_rpm_missing_key,)
869+
elif gpg_error_rpm_not_signed:
870+
errmsg = "Package not signed: %s" % (gpg_error_rpm_not_signed,)
871+
elif gpg_error_rpm_not_found:
872+
# rpm not found or corrupted/re-signed/etc
873+
errmsg = "Cannot find valid rpm for %s" % (gpg_error_rpm_not_found,)
874+
else:
875+
errmsg = "Error installing packages"
876+
raise ErrorInstallingPackage(errmsg)
830877

831878
shutil.rmtree(os.path.join(mounts['root'], cachedir))
832879

0 commit comments

Comments
 (0)