core: Filter locked packages by checksums before depsolving

Don't just filter down packages by NEVRA, but also filter out those that don't match the checksum too. We were enforcing checksum matches already before this, but only *after* depsolving and simply erroring out if they didn't match. However, because of how RPM signing is implemented in Fedora, it is possible to have the same NEVRA in two different repos, each with two different hashes. E.g. right now for example, `efivar-libs` wasn't rebuilt for f31, and so f31 is just shipping the f30 RPM, but signed with the f31 key. And of course, we also had the f30 version in the pool. This patch allows us to transition over to the f31 version with everything else by not getting thrown off by the f30 version already in the pool. (Still need to investigate how the pool will deal with this.)
coreos · Oct 16, 2019 · 9ff9d43 · 9ff9d43
1 parent 11ee20c
commit 9ff9d43
Showing 1 changed file with 18 additions and 3 deletions.
diff --git a/src/libpriv/rpmostree-core.c b/src/libpriv/rpmostree-core.c
@@ -1994,15 +1994,30 @@ rpmostree_context_prepare (RpmOstreeContext *self,
       g_assert_cmpuint (g_strv_length (cached_replace_pkgs), ==, 0);
       g_assert_cmpuint (g_strv_length (removed_base_pkgnames), ==, 0);
 
-      GLNX_HASH_TABLE_FOREACH (self->vlockmap, const char*, nevra)
+      GLNX_HASH_TABLE_FOREACH_KV (self->vlockmap, const char*, nevra, const char*, chksum)
         {
           g_autofree char *name = NULL;
           if (!rpmostree_decompose_nevra (nevra, &name, NULL, NULL, NULL, NULL, error))
             return FALSE;
           hy_autoquery HyQuery query = hy_query_create (sack);
           hy_query_filter (query, HY_PKG_NAME, HY_EQ, name);
-          hy_query_filter (query, HY_PKG_NEVRA, HY_NEQ, nevra);
-          DnfPackageSet *pset = hy_query_run_set (query);
+          g_autoptr(GPtrArray) pkglist = hy_query_run (query);
+          DnfPackageSet *pset = dnf_packageset_new (sack);
+          for (guint i = 0; i < pkglist->len; i++)
+            {
+              DnfPackage *pkg = pkglist->pdata[i];
+              const char *pkg_nevra = dnf_package_get_nevra (pkg);
+              if (!g_str_equal (pkg_nevra, nevra))
+                dnf_packageset_add (pset, pkg);
+              else if (chksum && *chksum)
+                {
+                  g_autofree char *pkg_chksum = NULL;
+                  if (!rpmostree_get_repodata_chksum_repr (pkg, &pkg_chksum, error))
+                    return FALSE;
+                  if (!g_str_equal (chksum, pkg_chksum))
+                    dnf_packageset_add (pset, pkg);
+                }
+            }
           dnf_sack_add_excludes (sack, pset);
           dnf_packageset_free (pset);
         }