Move gpg set-priv setup command to sandbox

diff --git a/mkosi/__init__.py b/mkosi/__init__.py
index f3af47c332d5cac9b6025049417cd794b9c2be04..f491def2ea91bcee8819e0571fbcdb0c57895534 100644 (file)
--- a/mkosi/__init__.py
+++ b/mkosi/__init__.py
@@ -2490,16 +2490,7 @@ def calculate_signature(context: Context) -> None:
     if context.config.output_format == OutputFormat.directory:
         return
 
-    # GPG messes with the user's home directory so we run it as the invoking user.
-
-    cmdline: list[PathString] = [
-        "setpriv",
-        f"--reuid={INVOKING_USER.uid}",
-        f"--regid={INVOKING_USER.gid}",
-        "--clear-groups",
-        "gpg",
-        "--detach-sign",
-    ]
+    cmdline: list[PathString] = ["gpg", "--detach-sign"]
 
     # Need to specify key before file to sign
     if context.config.key is not None:
@@ -2528,7 +2519,17 @@ def calculate_signature(context: Context) -> None:
         open(context.staging / context.config.output_checksum, "rb") as i,
         open(context.staging / context.config.output_signature, "wb") as o,
     ):
-        run(cmdline, env=env, stdin=i, stdout=o, sandbox=context.sandbox(mounts=mounts, options=options))
+        run(
+            cmdline,
+            env=env,
+            stdin=i,
+            stdout=o,
+            # GPG messes with the user's home directory so we run it as the invoking user.
+            sandbox=context.sandbox(
+                mounts=mounts,
+                options=options,
+            ) + ["setpriv", f"--reuid={INVOKING_USER.uid}", f"--regid={INVOKING_USER.gid}", "--clear-groups"]
+        )
 
 
 def dir_size(path: Union[Path, os.DirEntry[str]]) -> int: