check the signature of downloaded RPM files

2025-04-17 10:10:20 +00:00 · 2016-05-24 11:01:55 +01:00 · 2016-05-24 11:01:55 +01:00 · 8a21b9149e
commit 8a21b9149e
parent c8b4f338d8
2 changed files with 36 additions and 0 deletions
--- a/salt/modules/rpm.py
+++ b/salt/modules/rpm.py
@ -602,3 +602,37 @@ def version_cmp(ver1, ver2):
        log.warning("Failed to compare version '{0}' to '{1}' using RPM: {2}".format(ver1, ver2, exc))

    return salt.utils.version_cmp(ver1, ver2)
+
+
+def check_sig(*paths):
+    '''
+    Return if the signature of a RPM file is valid.
+
+    CLI Example:
+
+    .. code-block:: bash
+
+        salt '*' lowpkg.check_sig /path/to/package1.rpm
+        salt '*' lowpkg.check_sig /path/to/package1.rpm /path/to/package2.rpm
+    '''
+    ret = {}
+
+    if not paths:
+        raise CommandExecutionError("No RPM files has been specified.")
+
+    for package_file in paths:
+        ret[package_file] = False
+
+        if not __salt__['file.file_exists'](package_file):
+            continue
+
+        check_cmd = ["rpm", "-K", "--quiet", package_file]
+        check_args = {
+            'ignore_retcode': True,
+            'output_loglevel': 'trace',
+            'python_shell': False,
+        }
+        if __salt__['cmd.retcode'](check_cmd, **check_args) == 0:
+            ret[package_file] = True
+
+    return ret
--- a/salt/modules/zypper.py
+++ b/salt/modules/zypper.py
@ -1534,6 +1534,8 @@ def download(*packages, **kwargs):
            'repository-alias': repo.getAttribute("alias"),
            'path': dld_result.getElementsByTagName("localfile")[0].getAttribute("path"),
        }
+        if not __salt__['lowpkg.check_sig'](pkg_info['path']):
+            continue
        pkg_ret[_get_first_aggregate_text(dld_result.getElementsByTagName("name"))] = pkg_info

    if pkg_ret: