- # Make sure the cpio archive is covered by a valid signature
- # before we use it. Since dnf-download-signed currently doesn't
- # check that the package is the one we asked for, this only
- # ensures that the cpio archive is safe to extract. Then we
- # check the digest on each needed file before using it. We're
- # still correct if an attacker substitutes a different signed
- # package in which the files we need have the same content.
- # ~ Matt 2019-05-18
- #
- # Ideally, we'd only require a signature if the package came
- # from a repository with gpgcheck=1. Right now, I use no
- # unsigned packages. If I build my own packages again, I can
- # either sign them or just fix them manually if they reach this
- # code.
- # ~ Matt 2017-11-11
- subprocess.check_call(['dnf-download-signed'] + list(needPackages), cwd=packages_tmpdir)
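Review bot: The `subprocess.check_call(['dnf-download-signed'] + list(needPackages), ...)` line removed at the end of this hunk is the only visible step that enforces a valid signature before the cpio archive is extracted, and nothing visible here replaces it. Whatever now fetches `needPackages` should still verify the signature before extraction and still abort on failure, as `check_call` did by raising on a non-zero exit. The deleted comments also record two limits that should stay next to the replacement code. First, the download step does not check that the package is the one requested, so the per-file digest check is what actually guarantees the content. Second, a signature is required unconditionally rather than only for repositories with `gpgcheck=1`.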