SSL auth and user GPG key support for user templates repos

Guiiix · Guiiix · commit 13cffb3b0c7f · 2025-04-25T16:50:00.000+02:00
This commit adds the support of user defined GPG keys and SSL
authentication for user templates repositories.
GPG keys and SSL cert/key must be configured in DNF
repositories files using the well-known options
(gpgkey, sslclientcert, sslclientkey).
If the keys are stored in /etc/qubes/repo-templates/keys/,
they will be added to the payload sent to proxy in base64
and will be written to the Proxy VM before DNF command execution
diff --git a/qubesadmin/tools/qvm_template.py b/qubesadmin/tools/qvm_template.py
@@ -20,6 +20,7 @@
 """Tool for managing VM templates."""
 
 import argparse
+import base64
 import collections
 import configparser
 import datetime
@@ -59,6 +60,8 @@
 LOCK_FILE = '/var/tmp/qvm-template.lck'
 DATE_FMT = '%Y-%m-%d %H:%M:%S'
 TAR_HEADER_BYTES = 512
+WRAPPER_PAYLOAD_BEGIN = "###!Q!BEGIN-QUBES-WRAPPER!Q!###"
+WRAPPER_PAYLOAD_END = "###!Q!END-QUBES-WRAPPER!Q!###"
 
 UPDATEVM = str('global UpdateVM')
 
@@ -502,9 +505,48 @@ def check_newline(string, name):
     check_newline(spec, 'template name')
     payload += spec + '\n'
     payload += '---\n'
+
+    repo_config = ""
     for path in args.repo_files:
         with open(path, 'r', encoding='utf-8') as fd:
-            payload += fd.read() + '\n'
+            repo_config += fd.read() + '\n'
+    payload += repo_config
+
+    # Add base64 encoded files to payload if needed
+    def encode_key(path):
+        if path.startswith("file://"):
+            path = path[7:]
+
+        if not path.startswith(
+                "/etc/qubes/repo-templates/keys/") or not os.path.isfile(path):
+            return ""
+
+        encoded_key = "#" + path + "\n"
+        with open(path, "rb") as key:
+            encoded_key += f"#{base64.b64encode(key.read()).decode('ascii')}\n"
+        return encoded_key
+
+    def append_keys(payload):
+        config = configparser.ConfigParser()
+        try:
+            config.read_string(payload)
+        except RuntimeError:
+            return ""
+
+        file_list = set()
+        for section in config.sections():
+            for option in ["gpgkey", "sslclientcert", "sslclientkey"]:
+                if config.has_option(section, option):
+                    file_list.add(config.get(section, option))
+
+        encoded_keys = "".join(encode_key(file_path) for file_path in file_list)
+        if not encoded_keys:
+            return ""
+
+        return f"\n{WRAPPER_PAYLOAD_BEGIN}\n{encoded_keys}{WRAPPER_PAYLOAD_END}"
+
+    payload += append_keys(repo_config)
+
     return payload
 
 
