rpm: New API to check PGP signature of RPM file

include/libdnf5/rpm/rpm_signature.hpp

@@ -96,6 +96,9 @@ class LIBDNF_API RpmSignature {
     RpmSignature & operator=(RpmSignature && src) noexcept;
 
     /// Check signature of the `package` using public keys stored in rpm database.
+    /// The method respects the repository's pkg_gpgcheck option (or
+    /// localpkg_gpgcheck for packages originating from the command line) and
+    /// skips the check if these options are set to `false`.
     /// @param package: package to check.
     /// @return CheckResult::OK - the check passed
     ///         CheckResult::SKIPPED - the check was skipped
@@ -105,6 +108,16 @@ class LIBDNF_API RpmSignature {
     ///         CheckResult::FAILED - check failed for another reason
     CheckResult check_package_signature(const Package & pkg) const;
 
+    /// Check signature of rpm file in `path` location using public keys stored in
+    /// rpm database.
+    /// @param package: package to check.
+    /// @return CheckResult::OK - the check passed
+    ///         CheckResult::FAILED_KEY_MISSING - no corresponding key found in rpmdb
+    ///         CheckResult::FAILED_NOT_TRUSTED - signature is valid but the key is not trusted
+    ///         CheckResult::FAILED_NOT_SIGNED - package is not signed but signature is required
+    ///         CheckResult::FAILED - check failed for another reason
+    CheckResult check_package_signature(const std::string & path) const;
+
     /// Import public key into rpm database.
     /// @param key: GPG key to be imported into rpm database.
     bool import_key(const KeyInfo & key) const;

libdnf5/rpm/rpm_signature.cpp

@@ -183,20 +183,7 @@ RpmSignature & RpmSignature::operator=(const RpmSignature & src) {
 RpmSignature & RpmSignature::operator=(RpmSignature && src) noexcept = default;
 
 
-RpmSignature::CheckResult RpmSignature::check_package_signature(const rpm::Package & pkg) const {
-    // is package gpg check even required?
-    auto repo = pkg.get_repo();
-    if (repo->get_type() == libdnf5::repo::Repo::Type::COMMANDLINE) {
-        if (!p_impl->base->get_config().get_localpkg_gpgcheck_option().get_value()) {
-            return CheckResult::SKIPPED;
-        }
-    } else {
-        auto & repo_config = repo->get_config();
-        if (!repo_config.get_pkg_gpgcheck_option().get_value()) {
-            return CheckResult::SKIPPED;
-        }
-    }
-
+RpmSignature::CheckResult RpmSignature::check_package_signature(const std::string & path) const {
     // rpmcliVerifySignatures is the only API rpm provides for signature verification.
     // Unfortunately to distinguish key_missing/not_signed/verification_failed cases
     // we need to temporarily increase log level to RPMLOG_INFO, collect the log
@@ -212,8 +199,8 @@ RpmSignature::CheckResult RpmSignature::check_package_signature(const rpm::Packa
     auto oldmask = rpmlogSetMask(RPMLOG_UPTO(RPMLOG_PRI(RPMLOG_INFO)));
 
     rpmtsSetVfyLevel(ts_ptr.get(), RPMSIG_SIGNATURE_TYPE);
-    std::string path = pkg.get_package_path();
-    char * const path_array[2] = {&path[0], NULL};
+    std::string path_non_const{path};
+    char * const path_array[2] = {&path_non_const[0], NULL};
     auto rc = rpmcliVerifySignatures(ts_ptr.get(), path_array);
 
     rpmlogSetMask(oldmask);
@@ -265,6 +252,23 @@ RpmSignature::CheckResult RpmSignature::check_package_signature(const rpm::Packa
     return CheckResult::FAILED;
 }
 
+RpmSignature::CheckResult RpmSignature::check_package_signature(const rpm::Package & pkg) const {
+    // is package gpg check even required?
+    auto repo = pkg.get_repo();
+    if (repo->get_type() == libdnf5::repo::Repo::Type::COMMANDLINE) {
+        if (!p_impl->base->get_config().get_localpkg_gpgcheck_option().get_value()) {
+            return CheckResult::SKIPPED;
+        }
+    } else {
+        auto & repo_config = repo->get_config();
+        if (!repo_config.get_pkg_gpgcheck_option().get_value()) {
+            return CheckResult::SKIPPED;
+        }
+    }
+
+    return check_package_signature(pkg.get_package_path());
+}
+
 bool RpmSignature::key_present(const KeyInfo & key) const {
     libdnf5::rpm::RpmLogGuard rpm_log_guard{p_impl->base};
     auto ts_ptr = create_transaction(p_impl->base);