From 0a5d87b7bbafab1af37dd8ba5869f5f8b112de3d Mon Sep 17 00:00:00 2001
From: Daan De Meyer
Date: Mon, 26 May 2025 15:09:43 +0200
Subject: [PATCH] Only pick up /etc/pki/tls and /etc/pki/ca-trust as certificate dirs

Extra rpm GPG keys can be configured in /etc/pki/rpm-gpg. Let's not assume /etc/pki consists solely of certificates but instead, let's pick out the two directories out of there that do concern themselves with certificates.

This allows copying extra rpm gpg keys to /etc/pki/rpm-gpg with SandboxTrees= without these getting overridden by the /etc/pki bind mount we used to have before.

Fixes #3687
---
 action.yaml | 2 +-
 mkosi/__init__.py | 3 ++-
 mkosi/mounts.py | 3 ++-
 mkosi/resources/man/mkosi.1.md | 8 ++++----
 4 files changed, 9 insertions(+), 7 deletions(-)

diff --git a/action.yaml b/action.yaml
index e5823195c..ced80781b 100644
--- a/action.yaml
+++ b/action.yaml
@@ -62,7 +62,7 @@ runs:
 - name: Create missing mountpoints
 shell: bash
 run: |
- for p in /etc/pki /etc/ssl /etc/ca-certificates /var/lib/ca-certificates /etc/crypto-policies; do
+ for p in /etc/pki/ca-trust /etc/pki/tls /etc/ssl /etc/ca-certificates /var/lib/ca-certificates /etc/crypto-policies; do
 if [[ ! -e "$p" ]]; then
 sudo mkdir -p "$p"
 fi
diff --git a/mkosi/__init__.py b/mkosi/__init__.py
index 5f97fa642..9c8451072 100644
--- a/mkosi/__init__.py
+++ b/mkosi/__init__.py
@@ -1202,7 +1202,8 @@ def install_sandbox_trees(config: Config, dst: Path) -> None:
 # Create various mountpoints in /etc as /etc from the sandbox tree is mounted read-only into the sandbox.
 for d in (
- "etc/pki",
+ "etc/pki/ca-trust",
+ "etc/pki/tls",
 "etc/ssl",
 "etc/ca-certificates",
 "etc/pacman.d/gnupg",
diff --git a/mkosi/mounts.py b/mkosi/mounts.py
index 8efefb679..863316965 100644
--- a/mkosi/mounts.py
+++ b/mkosi/mounts.py
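Review bot: The directory list on the new `for p in` line must now match, entry for entry, the tuples in install_sandbox_trees (the mkosi/__init__.py hunk) and finalize_certificate_mounts (the mkosi/mounts.py hunk), and nothing in the workflow records that coupling; this commit had to touch all three copies, and the next addition is easy to miss in one of them. A comment above the `run:` block, e.g. `# Must list the same certificate directories as finalize_certificate_mounts() in mkosi/mounts.py`, would at least point the next editor at the other copies, and the two Python tuples could share a single module-level constant so only the workflow remains a hand-maintained copy. The shell loop's `done` and the rest of the step lie outside the hunk.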
@@ -141,7 +141,8 @@ def finalize_certificate_mounts(config: Config, relaxed: bool = False) -> list[P
 mounts += [
 (root / subdir, Path("/") / subdir)
 for subdir in (
- Path("etc/pki"),
+ Path("etc/pki/ca-trust"),
+ Path("etc/pki/tls"),
 Path("etc/ssl"),
 Path("etc/ca-certificates"),
 Path("var/lib/ca-certificates"),
diff --git a/mkosi/resources/man/mkosi.1.md b/mkosi/resources/man/mkosi.1.md
index 5a8612210..429c9c9e0 100644
--- a/mkosi/resources/man/mkosi.1.md
+++ b/mkosi/resources/man/mkosi.1.md
@@ -1447,10 +1447,10 @@ boolean argument: either `1`, `yes`, or `true` to enable, or `0`, `no`,
 `ToolsTreeCertificates=`, `--tools-tree-certificates=`
 : Specify whether to use certificates and keys from the tools tree.
- Enabled by default. If enabled, `/etc/pki`, `/etc/ssl`,
- `/etc/ca-certificates`, and `/var/lib/ca-certificates` from the
- tools tree are used. Otherwise, these directories are picked up from
- the host.
+ Enabled by default. If enabled, `/etc/pki/ca-trust`, `/etc/pki/tls`,
+ `/etc/ssl`, `/etc/ca-certificates`, and `/var/lib/ca-certificates`
+ from the tools tree are used. Otherwise, these directories are
+ picked up from the host.
 `ExtraSearchPaths=`, `--extra-search-path=`
 : List of colon-separated paths to look for tools in, before using the
-- 
2.47.2
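Review bot: The reason `Path("etc/pki")` is replaced by only its two certificate subdirectories lives solely in the commit message, so the next reader of finalize_certificate_mounts will see a mount list narrower than the name suggests and may widen it back to /etc/pki, which would again shadow keys placed in /etc/pki/rpm-gpg through SandboxTrees=. A comment above the tuple, e.g. `# Only the certificate-bearing parts of /etc/pki: binding all of /etc/pki would shadow extra rpm GPG keys in /etc/pki/rpm-gpg supplied via SandboxTrees= (#3687).`, keeps that invariant next to the code; the same comment belongs on the mountpoint tuple in install_sandbox_trees in the mkosi/__init__.py hunk. Whether a tools tree that has /etc/ssl but neither /etc/pki/ca-trust nor /etc/pki/tls yields a missing bind-mount source, or is filtered before mounting, is decided outside this hunk and worth confirming; finalize_certificate_mounts both starts and ends beyond the hunk.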