Log hashes of download packages before installing them

Follow the change in builder-debian f1e2283 "template: log hashes of all downloaded packages before installation". This will allow better verification of template build process. Simplify the process by dropping support for templates without yum/dnf installed. It is always installed by prepare-chroot-base, if not - that's an error. Related: QubesOS/qubes-issues#2023
marmarek · May 15, 2017 · ebbe5f1 · ebbe5f1
1 parent ba2474a
commit ebbe5f1
Show file tree

Hide file tree

Showing 2 changed files with 33 additions and 6 deletions.
diff --git a/prepare-chroot-base b/prepare-chroot-base
@@ -76,6 +76,8 @@ if ! [ -f "${INSTALLDIR}/tmp/.prepared_base" ]; then
             exit 1
         }
     done
+    echo "-> Printing hashes of downloaded packages:"
+    sha256sum "${DOWNLOADDIR}/"*.rpm
     if [ "${VERBOSE:-0}" -ge 2 -o "${DEBUG:-0}" -eq 1 ]; then
         set -x
     fi

diff --git a/template_scripts/distribution.sh b/template_scripts/distribution.sh
@@ -62,10 +62,18 @@ function yumInstall() {
     mount --bind pkgs-for-template ${INSTALLDIR}/tmp/template-builder-repo
     if [ -e "${INSTALLDIR}/usr/bin/$YUM" ]; then
         cp ${SCRIPTSDIR}/template-builder-repo.repo ${INSTALLDIR}/etc/yum.repos.d/
-        chroot_cmd $YUM --setopt=strict=false install ${YUM_OPTS} -y ${files[@]} || exit 1
+        chroot_cmd $YUM --setopt=strict=false --downloadonly install ${YUM_OPTS} -y ${files[@]} || exit 1
+        find ${INSTALLDIR}/var/cache/dnf -name '*.rpm' -print0 | xargs -r0 sha256sum
+        find ${INSTALLDIR}/var/cache/yum -name '*.rpm' -print0 | xargs -r0 sha256sum
+        # set http proxy to invalid one, to prevent any connection in case of
+        # --cacheonly being buggy: better fail the build than install something
+        # else than the logged one
+        chroot_cmd $YUM --setopt=strict=false install ${YUM_OPTS} -y \
+            --cacheonly --setopt=http_proxy=http://127.0.0.1:1/ ${files[@]} || exit 1
         rm -f ${INSTALLDIR}/etc/yum.repos.d/template-builder-repo.repo
     else
-        yum install -c ${SCRIPTSDIR}/../template-yum.conf ${YUM_OPTS} -y --installroot=${INSTALLDIR} ${files[@]} || exit 1
+        echo "$YUM not installed in $INSTALLDIR, exiting!"
+        exit 1
     fi
     umount ${INSTALLDIR}/etc/resolv.conf
     umount ${INSTALLDIR}/tmp/template-builder-repo
@@ -106,11 +114,19 @@ function yumGroupInstall() {
             fi
         fi
         chroot_cmd $YUM clean expire-cache
-        chroot_cmd $YUM group install $optional ${YUM_OPTS} -y ${files[@]} || exit 1
+        chroot_cmd $YUM --downloadonly group install $optional ${YUM_OPTS} -y ${files[@]} || exit 1
+        find ${INSTALLDIR}/var/cache/dnf -name '*.rpm' -print0 | xargs -r0 sha256sum
+        find ${INSTALLDIR}/var/cache/yum -name '*.rpm' -print0 | xargs -r0 sha256sum
+        # set http proxy to invalid one, to prevent any connection in case of
+        # --cacheonly being buggy: better fail the build than install something
+        # else than the logged one
+        chroot_cmd $YUM group install $optional ${YUM_OPTS} -y \
+            --cacheonly --setopt=http_proxy=http://127.0.0.1:1/ ${files[@]} || exit 1
         rm -f ${INSTALLDIR}/etc/yum.repos.d/template-builder-repo.repo
         rm -f ${INSTALLDIR}/etc/yum.repos.d/template-qubes-vm.repo
     else
-        yum install -c ${SCRIPTSDIR}/../template-yum.conf ${YUM_OPTS} -y --installroot=${INSTALLDIR} ${files[@]} || exit 1
+        echo "$YUM not installed in $INSTALLDIR, exiting!"
+        exit 1
     fi
     umount ${INSTALLDIR}/etc/resolv.conf
     umount ${INSTALLDIR}/tmp/template-builder-repo
@@ -129,10 +145,18 @@ function yumUpdate() {
     mount --bind pkgs-for-template ${INSTALLDIR}/tmp/template-builder-repo
     if [ -e "${INSTALLDIR}/usr/bin/$YUM" ]; then
         cp ${SCRIPTSDIR}/template-builder-repo.repo ${INSTALLDIR}/etc/yum.repos.d/
-        chroot_cmd $YUM update ${YUM_OPTS} -y ${files[@]} || exit 1
+        chroot_cmd $YUM --downloadonly update ${YUM_OPTS} -y ${files[@]} || exit 1
+        find ${INSTALLDIR}/var/cache/dnf -name '*.rpm' -print0 | xargs -r0 sha256sum
+        find ${INSTALLDIR}/var/cache/yum -name '*.rpm' -print0 | xargs -r0 sha256sum
+        # set http proxy to invalid one, to prevent any connection in case of
+        # --cacheonly being buggy: better fail the build than install something
+        # else than the logged one
+        chroot_cmd $YUM update ${YUM_OPTS} -y \
+            --cacheonly --setopt=http_proxy=http://127.0.0.1:1/ ${files[@]} || exit 1
         rm -f ${INSTALLDIR}/etc/yum.repos.d/template-builder-repo.repo
     else
-        yum update -c ${SCRIPTSDIR}/../template-yum.conf ${YUM_OPTS} -y --installroot=${INSTALLDIR} ${files[@]} || exit 1
+        echo "$YUM not installed in $INSTALLDIR, exiting!"
+        exit 1
     fi
     umount ${INSTALLDIR}/etc/resolv.conf
     umount ${INSTALLDIR}/tmp/template-builder-repo
@@ -156,6 +180,7 @@ function verifyPackages() {
             exit 1
         }
     done
+    sha256sum "$@"
 
     return 0
 }
-Original file line number
+Diff line change
@@ Expand Up / @@ -76,6 +76,8 @@ if ! [ -f "${INSTALLDIR}/tmp/.prepared_base" ]; then @@
                 exit 1
             }
         done
+        echo "-> Printing hashes of downloaded packages:"
+        sha256sum "${DOWNLOADDIR}/"*.rpm
         if [ "${VERBOSE:-0}" -ge 2 -o "${DEBUG:-0}" -eq 1 ]; then
             set -x
         fi
@@ Expand Down @@