Honor per-repo pgp_gpgcheck=0 even in rpm's enforcing signature mode

Back in the day, it was decided [1] that yum/dnf should honor rpm's global
enforcing signature check policy, the noble idea being that this would be
akin to something like FIPS mode where you can't pick and choose whether you
like it or not case by case. But reality isn't so black and white.

There are all sorts of situations, such as inside buildsystems, where the
global switch would only hurt security instead of increasing it: the freshly
built packages in a "closed" buildsystem are equally secure whether signed
or not, and trying to arrange signing and keys imported for verification etc
in those situations is just helluva lot of trouble for exactly zero gains,
and globally disabling signatures to allow installing those known good
unsigned packages is just terrible.

If available, use the new per-element verification level API in rpm to
disable signature checking per the originating repository setting. The
ts_change_callback() seems to be the easiest place to do this because
it avoids having to hunt for the newly added element manually.

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1614351

Fixes: #2229

CMakeLists.txt

@@ -68,6 +68,7 @@ endif()
 
 # includes
 include(GNUInstallDirs)
+include(CheckLibraryExists)
 
 
 # common dependencies

libdnf5/CMakeLists.txt

@@ -99,6 +99,7 @@ pkg_check_modules(RPM REQUIRED rpm>=4.17.0)
 list(APPEND LIBDNF5_PC_REQUIRES "${RPM_MODULE_NAME}")
 target_link_libraries(libdnf5 PRIVATE ${RPM_LIBRARIES})
 target_link_libraries(libdnf5_iface INTERFACE ${RPM_LIBRARIES})
+check_library_exists(rpm rpmteSetVfyLevel "" HAVE_RPMTE_SETVFYLEVEL)
 
 if(WITH_COMPS)
     pkg_check_modules(LIBXML2 REQUIRED libxml-2.0)

libdnf5/config.h.in

@@ -23,5 +23,6 @@ along with libdnf.  If not, see <https://www.gnu.org/licenses/>.
 #define LIBDNF5_DISTRIBUTION_CONFIG_DIR "@CMAKE_INSTALL_PREFIX@/share/dnf5/libdnf.conf.d/"
 #define LIBDNF5_REPOS_DISTRIBUTION_OVERRIDE_DIR "@CMAKE_INSTALL_PREFIX@/share/dnf5/repos.override.d"
 #define DEFAULT_LIBDNF5_PLUGINS_LIB_DIR "@CMAKE_INSTALL_FULL_LIBDIR@/libdnf5/plugins/"
+#cmakedefine HAVE_RPMTE_SETVFYLEVEL @HAVE_RPMTE_SETVFYLEVEL@
 
 #endif // _LIBDNF5_CONFIG_H_

libdnf5/rpm/transaction.cpp

@@ -20,6 +20,8 @@ along with libdnf.  If not, see <https://www.gnu.org/licenses/>.
 
 #include "transaction.hpp"
 
+#include "conf/config.h"
+
 #include "libdnf5/base/transaction.hpp"
 #include "libdnf5/common/exception.hpp"
 #include "libdnf5/rpm/package_query.hpp"
@@ -409,6 +411,14 @@ int Transaction::ts_change_callback(int event, rpmte te, rpmte other, void * dat
         // explicit action caused by last_added_item
         rpmteSetUserdata(te, transaction->last_added_item);
         transaction->last_item_added_ts_element = true;
+#if defined(HAVE_RPMTE_SETVFYLEVEL)
+        // honor per-repo pkg_gpgcheck=0 in rpm's enforcing signature mode
+        auto pkg = transaction->last_added_item->get_package();
+        auto gpgcheck = pkg.get_repo()->get_config().get_pkg_gpgcheck_option();
+        if (gpgcheck.get_value() == false) {
+            rpmteSetVfyLevel(te, RPMSIG_DIGEST_TYPE);
+        }
+#endif
     } else {
         // action caused by librpm itself
         auto trigger_nevra = transaction->last_added_item->get_package().get_full_nevra();