Generalize check of the third party RPMs #1327

Generalize check of the third party RPMs
This is an initial draft to generalize the current check of installed
third party RPMs that are not part of the installed system
distribution.

The original actor has been written only for RHEL systems and expected
that the only vendor as such is Red Hat. However, in the case of other
distributions it's not true. So such a report could be confusing for
users and could set wrong expectations.

List of changes:
 * Rename and move redhatsignedrpmcheck actor to <NEW_NAME>
 * Update docstrings
 * Update the report, respecting name of the installed system
 * ...
pirat89 committed Jan 12, 2025

Verified

This commit was created on GitHub.com and signed with GitHub’s verified signature.
commit 1fa8d24f33d77e62f0fd36b4f3444b44f497af2f
@@ -0,0 +1,36 @@
from leapp.actors import Actor
from leapp.libraries.actor.distributionsignedrpmcheck import check_unsigned_packages
from leapp.models import InstalledUnsignedRPM
from leapp.reporting import Report
from leapp.tags import ChecksPhaseTag, IPUWorkflowTag


class DistributionSignedRpmCheck(Actor):
"""
Check if there are any packages that are not signed by distribution GPG keys.

We are recognizing two (three) types of packages:
* RPMs that are part of the system distribution (RHEL, Centos Stream,
Fedora, ...) - which are recognized based on the signature by known GPG
keys for the particular distribution.
* RPMs that are not signed by such GPG keys - including RPMs not signed
at all. Such RPMs are considered in general as third party content.
(
* some packages are known to not be signed as they are created by
delivered product (which can be part of the distribution). This includes
e.g. katello RPMs created in a Satellite server. We do not report
such packages known to us.
)

If any such non-distribution installed RPMs are detected, report it
to inform that user needs to take care about them before/during/after
the upgrade.
"""

name = 'distribution_signed_rpm_check'
consumes = (InstalledUnsignedRPM,)
produces = (Report,)
tags = (IPUWorkflowTag, ChecksPhaseTag)

def process(self):
check_unsigned_packages()
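Review bot: The docstring's "two (three) types" wording, with the bare "(" and ")" lines around the third bullet, leaves it unclear whether the known-unsigned product packages (e.g. katello RPMs) are a separate category or a subset of the second one. List them as a plain third bullet and state that they are excluded from the report. Also, the class is now named for distribution signatures but still consumes InstalledUnsignedRPM and calls check_unsigned_packages(); the docstring should say explicitly that "unsigned" here means "not signed by the known GPG keys of the installed distribution", since per the second bullet that set also covers RPMs that carry a signature from another vendor.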
@@ -1,5 +1,5 @@
from leapp import reporting
from leapp.libraries.actor import redhatsignedrpmcheck
from leapp.libraries.actor import distributionsignedrpmcheck
from leapp.libraries.common.testutils import create_report_mocked, produce_mocked
from leapp.libraries.stdlib import api
from leapp.models import InstalledUnsignedRPM, RPM
@@ -16,9 +16,9 @@ def consume_unsigned_message_mocked(*models):
monkeypatch.setattr(api, "show_message", lambda x: True)
monkeypatch.setattr(reporting, "create_report", create_report_mocked())

packages = redhatsignedrpmcheck.get_unsigned_packages()
packages = distributionsignedrpmcheck.get_unsigned_packages()
assert not packages
redhatsignedrpmcheck.generate_report(packages)
distributionsignedrpmcheck.generate_report(packages)
assert reporting.create_report.called == 0


@@ -40,8 +40,8 @@ def consume_unsigned_message_mocked(*models):
monkeypatch.setattr(api, "show_message", lambda x: True)
monkeypatch.setattr(reporting, "create_report", create_report_mocked())

packages = redhatsignedrpmcheck.get_unsigned_packages()
packages = distributionsignedrpmcheck.get_unsigned_packages()
assert len(packages) == 4
redhatsignedrpmcheck.generate_report(packages)
distributionsignedrpmcheck.generate_report(packages)
assert reporting.create_report.called == 1
assert 'Packages not signed by Red Hat found' in reporting.create_report.report_fields['title']
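Review bot: The last assertion in this hunk still expects the title 'Packages not signed by Red Hat found', which contradicts the commit message item "Update the report, respecting name of the installed system". When generate_report starts deriving the title from the installed distribution, this assertion should check the distribution-specific title, and a second case for a non-RHEL distribution would confirm that the report no longer names Red Hat as the only vendor.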
22 changes: 0 additions & 22 deletions repos/system_upgrade/common/actors/redhatsignedrpmcheck/actor.py

This file was deleted.