Bug 1448164

Summary: [RFE] shift gpg sig check code into shared library
Product: [Fedora] Fedora Reporter: Pat Riehecky <riehecky>
Component: dnfAssignee: Jaroslav Rohel <jrohel>
Status: CLOSED CURRENTRELEASE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: low Docs Contact:
Priority: medium    
Version: rawhideCC: chuck.wilson, mail, marmarek, mkolman, ngompa13, packaging-team-maint, pmatilai, rpm-software-management, vmukhame, vponcova
Target Milestone: ---Keywords: Triaged
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2023-07-18 14:28:37 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1665453, 1339617    

Description Pat Riehecky 2017-05-04 16:25:32 UTC 
Description of problem:
I'm looking for an elegant solution to [1] where Anaconda uses the DNF libraries to download RPMs and validate their signatures.  It already uses DNF for download, dependencies, and installation of packages.

Today DNF only has the GPG code in the cli section.  If it were shifted into a central library and called from the cli, then anaconda could also utilize DNFs signature checking.

Version-Release number of selected component (if applicable):dnf-2.4.0-2.fc26


How reproducible:100%


Steps to Reproduce:
1.Try to utilize DNF as a library to validate GPG signatures of repos
2.
3.

Actual results:
Code only exists in cli.py

Expected results:
GPG checking in perhaps package.py or repo.py ?


Additional info:

[1] https://github.com/rhinstaller/anaconda/pull/375
Comment 1 Daniel Mach 2017-05-10 11:22:00 UTC 
Thanks for the report, I'll follow up with Anaconda team.
Comment 2 Neal Gompa 2017-05-28 23:37:59 UTC 
This would also be great for livecd-tools and appliance-tools, as I'd definitely prefer to be able to validate signatures if the user wanted to.
Comment 3 Neal Gompa 2017-05-28 23:38:51 UTC 
There's also a PR for this waiting on DNF and pykickstart: https://github.com/livecd-tools/livecd-tools/pull/14
Comment 4 Vendula Poncova 2017-09-14 12:58:54 UTC 
Hi, could you estimate when this bug will be fixed, please? We are considering to use the workaround in Anaconda for now.
Comment 5 kushaldas@gmail.com 2017-12-14 00:45:51 UTC 
Hi, is there any update on this?
Comment 6 Pat Riehecky 2018-02-22 16:33:10 UTC 
Hi, is there any update on this?
Comment 7 Daniel Mach 2018-05-29 15:12:07 UTC 
We don't have any estimate, but we definitely want to implement this during libdnf consolidation.
Comment 8 Neal Gompa 2018-10-28 03:33:39 UTC 
Any progress on this? It's been nearly half a year since the last request on this, and I *still* would like to resolve this such that we can have GPG checking in livecd-tools, Anaconda, and Lorax.
Comment 9 Daniel Mach 2018-12-07 15:20:25 UTC 
The GPG code is one of the libdnf parts we haven't touched yet during libdnf refactoring.

The next item on the critical path is the Sack, because it's inconsistently used in libdnf (context) and dnf (Base) and is preventing us from sharing code and further progress in general. The GPG improvements will probably follow.
Comment 10 Daniel Mach 2019-03-18 09:06:06 UTC 
We have prioritized this work into our current backlog.
New code will be written in libdnf, exported via SWIG to Python and provided in DNF as a public API.
Comment 11 Panu Matilainen 2019-03-18 09:35:06 UTC 
dmach, jrohel, please keep me & ffesti in loop when starting working on this, it's the perfect opportunity to sanitize things. The existing code in dnf is inherited from yum and dates back to rhel-5 and rpm 4.4, lots of things have changed on rpm side since then.
Comment 12 Martin Kolman 2019-09-04 14:56:43 UTC 
Any rough timeline when this functionality might be available in DNF shipped in Fedora ?

There are already at least two PRs blocked by this & it would be good to see them move them forward
or at least be able to put some timeline on them getting unblocked. :)

The PRs in question:
https://github.com/rhinstaller/anaconda/pull/375
https://github.com/livecd-tools/livecd-tools/pull/14
Comment 13 Jaroslav Mracek 2023-07-18 14:28:37 UTC 
The functionality was already implemented see: base.package_signature_check(self, pkg): and package_import_key(pkg, askcb=None, fullaskcb=None). Methods were introduce in dnf-4.16.1.