feat(pgp): Use crypto.py during Egg and Collection verification #4131
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
All Pull Requests:
Check all that apply:
Complete Description of Additions/Changes:
This patch adds a self-contained and isolated GPG verification
environment. It runs GPG in an isolated environment where only selected
PGP keys are allowed to check the file signature matches its file.
GPG creates a directory
$HOME/.gnupg/
every time it performs someoperation. When run under root, but not manually (e.g. via
subscription-manager Cockpit plugin), it tries to create and write to
this directory, which pollutes user directories and/or causes SELinux
denials.
This patch utilizes the
--homedir
argument GPG supports in order tomove the GPG home directory to a temporary directory for the time of the
transaction. After the GPG action is performed, the directory is cleaned
up.
This PR is an improvement over previously reverted #3930