Harden DNF config

This uses a postinstall script for DNF5 and a configuration file otherwise.
QubesOS · Nov 4, 2024 · 19f62c4 · 19f62c4
1 parent a324b82
commit 19f62c4
Show file tree

Hide file tree

Showing 3 changed files with 11 additions and 0 deletions.
diff --git a/package-managers/Makefile b/package-managers/Makefile
@@ -94,6 +94,8 @@ endif
 install-dnf5: install-rpm
 	install -D -m 0644 qubes-post-update.actions \
 		$(DESTDIR)$(SYSCONFDIR)/dnf/libdnf5-plugins/actions.d/qubes-post-update.actions
+	install -D -m 0644 dnf-harden.conf \
+		$(DESTDIR)$(SYSCONFDIR)/dnf/libdnf5.conf.d/10-qubes.conf
 
 install-yum: install-rpm
 	install -d $(DESTDIR)$(LIBDIR)/yum-plugins

diff --git a/package-managers/dnf-harden.conf b/package-managers/dnf-harden.conf
@@ -0,0 +1,4 @@
+[main]
+deltarpm=0
+zchunk=0
+gpgcheck=1
diff --git a/rpm_spec/core-agent.spec.in b/rpm_spec/core-agent.spec.in
@@ -582,6 +582,10 @@ if [ -L /usr/local ]; then
     mount /usr/local || :
 fi
 
+%if 0%{?fedora} < 41
+dnf config-manager --setopt=gpgcheck=1 --setopt=zchunk=0 --setopt=deltarpm=0 --save
+%endif
+
 # workaround for Fedora's systemd package bug
 # https://bugzilla.redhat.com/1559286
 if [ -d /var/lib/private ]; then
@@ -963,6 +967,7 @@ rm -f %{name}-%{version}
 %config(noreplace) /etc/yum.repos.d/qubes-r4.repo
 %if 0%{?fedora} >= 41
 /etc/dnf/libdnf5-plugins/actions.d/qubes-post-update.actions
+/etc/dnf/libdnf5.conf.d/10-qubes.conf
 %else
 %if 0%{?rhel} == 7
 /etc/yum/pluginconf.d/yum-qubes-hooks.conf