

Check no new unexpected keys were installed during the upgrade
Signed-off-by: Jakub Jelen <[email protected]>
Jakuje committed Oct 25, 2023
1 parent a010f7f commit a6f3154
Showing 2 changed files with 91 additions and 0 deletions.
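--- /dev/null
+++ b/repos/system_upgrade/common/actors/gpgpubkeycheck/actor.py
@@ -0,0 +1,23 @@
+from leapp.actors import Actor
+from leapp.libraries.actor import gpgpubkeycheck
+from leapp.models import TrustedGpgKeys
+from leapp.reporting import Report
+from leapp.tags import ApplicationsPhaseTag, IPUWorkflowTag
+
+
+class GpgPubkeyCheck(Actor):
+    """
+    Checks no unexpected GPG keys were installed during the upgrade.
+    This should be mostly sanity check and this should not happen
+    unless something went very wrong, regardless the gpgcheck was
+    used (default) or not (with --no-gpgcheck option).
+    """
+
+    name = 'gpg_pubkey_check'
+    consumes = (TrustedGpgKeys,)
+    produces = (Report,)
+    tags = (IPUWorkflowTag, ApplicationsPhaseTag,)
+
+    def process(self):
+        gpgpubkeycheck.process()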
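Review bot: The class docstring names the option `--no-gpgcheck`, while the library hunk in the second file logs `--nogpgcheck` in its warning and calls a helper named `the_nogpgcheck_option_used`; the two files should agree on one spelling, and the helper name suggests `--nogpgcheck` is the real CLI option (verify against the upgrade command's argument parser). The sentence `regardless the gpgcheck was used (default) or not` also reads awkwardly; suggested: `regardless of whether gpgcheck was used (the default) or disabled with --nogpgcheck.` The library's docstring in the second file carries the same `--no-gpgcheck` spelling and would need the same fix.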
@@ -0,0 +1,68 @@
from leapp import reporting
from leapp.exceptions import StopActorExecutionError
from leapp.libraries.common.gpg import get_path_to_gpg_certs, the_nogpgcheck_option_used
from leapp.libraries.common.rpms import get_installed_rpms
from leapp.libraries.stdlib import api
from leapp.models import TrustedGpgKeys

FMT_LIST_SEPARATOR = '\n - '


def process():
"""
Verify the system does not have any unexpected gpg keys installed
If the --no-gpgcheck option is used, this is skipped as we can not
guarantee that what was installed came from trusted source
"""

if the_nogpgcheck_option_used():
api.current_logger().warning('The --nogpgcheck option is used: Checking keys does not make sense.')
return

try:
trusted_gpg_keys = next(api.consume(TrustedGpgKeys))
except StopIteration:
raise StopActorExecutionError(
'Could not check for valid GPG keys', details={'details': 'No TrustedGpgKeys facts'}
)

trusted_fps = [key.fingerprint for key in trusted_gpg_keys.items]
unexpected_fps = list()

rpms = get_installed_rpms()
for rpm in rpms:
rpm = rpm.strip()
if not rpm:
continue
name, version, _, _, packager, _, _ = rpm.split('|')
if name != 'gpg-pubkey':
continue
fp = version
if fp not in trusted_fps:
unexpected_fps.append('{fp}: {packager}'.format(fp=fp, packager=packager))

if unexpected_fps:
summary = (
'The system contains unexpected GPG keys after upgrade. This can be caused by some manual intervention'
' or by malicious attempt to hijack the installation process. The unexpected keys are the following:'
' {sep}{key_list}'
.format(
sep=FMT_LIST_SEPARATOR,
key_list=FMT_LIST_SEPARATOR.join(unexpected_fps)
)
)
hint = (
'Verify the installed keys are expected. If so, make sure they are included in {} directory.'
.format(get_path_to_gpg_certs())
)
groups = [reporting.Groups.REPOSITORY, reporting.Groups.SECURITY]
reporting.create_report(
[
reporting.Title('Unexpected GPG keys found after installation'),
reporting.Summary(summary),
reporting.Severity(reporting.Severity.HIGH),
reporting.Groups(groups),
reporting.Remediation(hint=hint),
]
)
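Review bot: The membership test `if fp not in trusted_fps` compares the gpg-pubkey package's rpm version string with `key.fingerprint` from the TrustedGpgKeys model, and nothing in the hunk pins both to the same representation; for gpg-pubkey packages the version is conventionally the lower-case short key id, and whether `fingerprint` is that same short id, a full fingerprint, or upper-case hex is not visible here. If they differ in case or length, every installed key is reported as unexpected, which would make the HIGH-severity report fire on clean systems; normalizing makes the intent explicit: `trusted_fps = {key.fingerprint.lower() for key in trusted_gpg_keys.items}` and `if fp.lower() not in trusted_fps:`, with a comment stating which form TrustedGpgKeys stores. The seven-name unpack at `rpm.split('|')` raises ValueError on any line that does not have exactly seven fields, so a comment naming the expected layout from get_installed_rpms (or a length check that skips and logs malformed lines) would help the next reader. Minor: `unexpected_fps = list()` is conventionally written `unexpected_fps = []`.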
