From 41a498015f7048145778e53c512bc3a07edb3fac Mon Sep 17 00:00:00 2001 From: Yann Dirson Date: Thu, 5 Oct 2023 12:15:43 +0200 Subject: [PATCH] installFromYum: give more detailed error messages on gpg errors MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Covers: 1. repo_gpgcheck: a. wrong system clock putting gpg key creation in the future, causing a yum crash (nothing special happens if the date of the signature is in the future ¯\_(ツ)_/¯) b. other yum crashes due to uncaught gpg exceptions (if any) c. lack of repomd signature (while repo_gpgcheck is in force) d. signature done by other key than the one in ISO ("repomd.xml signature could not be verified" ¯\_(ツ)_/¯) 2. gpgcheck: a. RPM signed with unknown key b. unsigned RPM referenced by unsigned repomd (no-repo-gpgcheck) c. RPM re-signed with unknown key, unsigned repomd (no-repo-gpgcheck) d. RPM overwritten with another RPM signed with known key (diagnosed through hash but, same diag as 2.c) e. delsigned/resigned/etc RPM, unchanged repomd (same diag as 2.c/d) Does not cover notably: - unsigned RPM referenced by (re)signed repomd In some cases Yum does not give an error, but dies because of an uncaught exception, which makes this check quite brittle, but in the worst case if messages change, we still fallback to the original "Error installing packages" message. Signed-off-by: Yann Dirson --- repository.py | 30 +++++++++++++++++++++++++++++- 1 file changed, 29 insertions(+), 1 deletion(-) diff --git a/repository.py b/repository.py index ba880a59..d0c344a2 100644 --- a/repository.py +++ b/repository.py @@ -844,10 +844,38 @@ def updateInstallProgress(m): total = 0 updateInstallProgress(m) rv = p.wait() + gpg_error_message = None + + if stderr.find(' in import_key_to_pubring') >= 0: + gpg_error_message = "Signature key import failed" + # add any other instance of uncaught GpgmeError before this like + elif stderr.find('gpgme.GpgmeError: ') >= 0: + gpg_error_message = "Cryptography-related yum crash" + + elif re.search("Couldn't open file [^ ]*/repodata/repomd.xml.asc", stderr): + # would otherwise be mistaken for "pubring import" !? + gpg_error_message = "No signature on repository metadata" + elif stderr.find('repomd.xml signature could not be verified') >= 0: + gpg_error_message = "Repository signature verification failure" + + else: + match = re.search("Public key for ([^ ]*.rpm) is not installed", stderr) + if match: + gpg_error_message = "Missing key for %s" % (match.group(1),) + match = re.search("Package ([^ ]*.rpm) is not signed", stderr) + if match: + gpg_error_message = "Package not signed: %s" % (match.group(1),) + match = re.search(r" ([^ ]*): \[Errno [0-9]*\] No more mirrors to try", stderr) + if match: + # rpm not found or corrupted/re-signed/etc + gpg_error_rpm_not_found = match.group(1) + gpg_error_message = "Cannot find valid rpm for %s" % (match.group(1),) if rv: logger.log("DNF exited with %d" % rv) - raise ErrorInstallingPackage("Error installing packages") + if gpg_error_message is None: + gpg_error_message = "Error installing packages" + raise ErrorInstallingPackage(gpg_error_message) shutil.rmtree(os.path.join(mounts['root'], cachedir), ignore_errors=True)