Currently, the Arch keyring from the host or tools tree is always
used directly without any option to modify it (except by modifying
it directly on the host or in the tools tree). We also don't support
RepositoryKeyFetch= for the Arch Linux keyring and it's one of the
sources of annoying mounts outside of /usr which complicates
"mkosi sandbox".

Let's improve the situation by switching to our own pacman keyring
instead of using the one from the tools tree or host. Instead, we'll
only use /usr/share/pacman/keyrings from the host or tools tree to
populate the keyring we maintain ourselves. Users can extend the
keyring created by mkosi with their own keys via sandbox trees. If
RepositoryKeyFetch= is enabled, we'll download the archlinux-keyring
package and extract the keyring from there into the sandbox.

The keyring cache is maintained together with the repository metadata
cache. The only difference is that sync_repository_metadata() will
update the global package cache whereas the keyring directory is always
maintained per cache directory instead of globally.

We take the opportunity to stop using Michel's kernel-utils ppa with a
more recent archlinux-keyring package in favor of enabling
RepositoryKeyFetch= by default for Arch builds on Ubuntu.