[Yum-devel] [PATCH 3/4] when importing a gpgkey - write out a -ro version of the gpgdir for non-root users to use also setup the difficult-to-grok gpgoptions necessary to make a readonly GNUPGHOME work with a simple key validation

tim.lauridsen at gmail.com tim.lauridsen at gmail.com
Mon Dec 27 17:56:53 UTC 2010


On Thu, Dec 23, 2010 at 8:51 PM, Seth Vidal <skvidal at fedoraproject.org>wrote:

> change setCacheDir() so it can take an alternative prefix and so we don't
> set
> a prefix then assume something else entirely
> ---
>  yum/misc.py |   37 ++++++++++++++++++++++++++++++++-----
>  1 files changed, 32 insertions(+), 5 deletions(-)
>
> diff --git a/yum/misc.py b/yum/misc.py
> index e539c27..4ac419e 100644
> --- a/yum/misc.py
> +++ b/yum/misc.py
> @@ -20,6 +20,7 @@ import pwd
>  import fnmatch
>  import bz2
>  import gzip
> +import shutil
>  _available_compression = ['gz', 'bz2']
>  try:
>     import lzma
> @@ -496,7 +497,7 @@ def keyInstalled(ts, keyid, timestamp):
>
>     return -1
>
> -def import_key_to_pubring(rawkey, keyid, cachedir=None, gpgdir=None):
> +def import_key_to_pubring(rawkey, keyid, cachedir=None, gpgdir=None,
> make_ro_copy=True):
>     # FIXME - cachedir can be removed from this method when we break api
>     if gpgme is None:
>         return False
> @@ -519,6 +520,30 @@ def import_key_to_pubring(rawkey, keyid,
> cachedir=None, gpgdir=None):
>     # ultimately trust the key or pygpgme is definitionally stupid
>     k = ctx.get_key(keyid)
>     gpgme.editutil.edit_trust(ctx, k, gpgme.VALIDITY_ULTIMATE)
> +
> +    if make_ro_copy:
> +
> +        rodir = gpgdir + '-ro'
> +        if not os.path.exists(rodir):
> +            os.makedirs(rodir, mode=0755)
> +            for f in glob.glob(gpgdir + '/*'):
> +                basename = os.path.basename(f)
> +                ro_f = rodir + '/' + basename
> +                shutil.copy(f, ro_f)
> +                os.chmod(ro_f, 0755)
> +            fp = open(rodir + '/gpg.conf', 'w', 0755)
> +            # yes it is this stupid, why do you ask?
> +            opts="""lock-never
> +no-auto-check-trustdb
> +trust-model direct
> +no-expensive-trust-checks
> +no-permission-warning
> +preserve-permissions
> +"""
> +            fp.write(opts)
> +            fp.close()
> +
> +
>     return True
>
>  def return_keyids_from_pubring(gpgdir):
> @@ -541,7 +566,9 @@ def valid_detached_sig(sig_file, signed_file,
> gpghome=None):
>     if gpgme is None:
>         return False
>
> -    if gpghome and os.path.exists(gpghome):
> +    if gpghome:
> +        if not os.path.exists(gpghome):
> +            return False
>         os.environ['GNUPGHOME'] = gpghome
>
>     if hasattr(sig_file, 'read'):
> @@ -573,7 +600,7 @@ def valid_detached_sig(sig_file, signed_file,
> gpghome=None):
>
>     return False
>
> -def getCacheDir(tmpdir='/var/tmp', reuse=True):
> +def getCacheDir(tmpdir='/var/tmp', reuse=True, prefix='yum-'):
>     """return a path to a valid and safe cachedir - only used when not
> running
>        as root or when --tempcache is set"""
>
> @@ -584,11 +611,11 @@ def getCacheDir(tmpdir='/var/tmp', reuse=True):
>     except KeyError:
>         return None # if it returns None then, well, it's bollocksed
>
> -    prefix = 'yum-'
> +    prefix = prefix
>
>     if reuse:
>         # check for /var/tmp/yum-username-* -
> -        prefix = 'yum-%s-' % username
> +        prefix = '%s%s-' % (prefix, username)
>         dirpath = '%s/%s*' % (tmpdir, prefix)
>         cachedirs = sorted(glob.glob(dirpath))
>         for thisdir in cachedirs:
> --
> 1.7.2.3
>
> _______________________________________________
> Yum-devel mailing list
> Yum-devel at lists.baseurl.org
> http://lists.baseurl.org/mailman/listinfo/yum-devel
>

ACK
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.baseurl.org/pipermail/yum-devel/attachments/20101227/3aabac77/attachment.html>


More information about the Yum-devel mailing list