fedora: Try to load N+1 key from distribution-gpg-keys as well
authorDaan De Meyer <daan.j.demeyer@gmail.com>
Thu, 6 Feb 2025 09:54:45 +0000 (10:54 +0100)
committerDaan De Meyer <daan.j.demeyer@gmail.com>
Thu, 6 Feb 2025 11:40:15 +0000 (12:40 +0100)
Fetching the rawhide keys from the distribution-gpg-keys GitHub
repository faces the same problem that we have when using the locally
installed distribution-gpg-keys: the rawhide symlink might not have
been updated yet at branching time. Apply the same solution and
try to load the N+1 key as well.

mkosi/curl.py
mkosi/distributions/fedora.py

index eb8caadea2f1d82700de82a0a718a89599f650fe..6560bf987605ee10949e0db286757fd2bc14880b 100644 (file)
@@ -7,7 +7,7 @@ from mkosi.mounts import finalize_certificate_mounts
 from mkosi.run import run, workdir
 
 
-def curl(config: Config, url: str, output_dir: Path) -> None:
+def curl(config: Config, url: str, output_dir: Path, log: bool = True) -> None:
     run(
         [
             "curl",
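Review bot: The new `log` parameter on `curl()` is undocumented, and its effect is wider than the name suggests: the later hunks in this file use it both to add `--silent` to the curl command line and to forward `log=log` to `run()`. Since `--no-progress-meter` is already passed, `--silent` mainly suppresses curl's own error messages, so a caller passing `log=False` gets no diagnostic for certificate, proxy or DNS failures either. I would add a docstring such as `"""Download url into output_dir; log=False suppresses curl's error output and is passed through to run(), so use it only for optional probes."""`. The body of `curl()` continues outside this hunk.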
@@ -16,6 +16,7 @@ def curl(config: Config, url: str, output_dir: Path) -> None:
             "--remote-name",
             "--no-progress-meter",
             "--fail",
+            *(["--silent"] if not log else []),
             *(["--proxy", config.proxy_url] if config.proxy_url else []),
             *(["--noproxy", ",".join(config.proxy_exclude)] if config.proxy_exclude else []),
             *(["--proxy-capath", "/proxy.cacert"] if config.proxy_peer_certificate else []),
@@ -27,4 +28,5 @@ def curl(config: Config, url: str, output_dir: Path) -> None:
             network=True,
             options=["--bind", output_dir, workdir(output_dir), *finalize_certificate_mounts(config)],
         ),
+        log=log,
     )  # fmt: skip
index 749baa40bc292efbcf149b7ac65fec3db30cac64..d7dacd5cc6fab66ecc8b6f697a188475ede5e210 100644 (file)
@@ -1,6 +1,7 @@
 # SPDX-License-Identifier: LGPL-2.1-or-later
 
 import re
+import subprocess
 import tempfile
 from collections.abc import Iterable, Sequence
 from pathlib import Path
@@ -29,13 +30,15 @@ def find_fedora_rpm_gpgkeys(context: Context) -> Iterable[str]:
         context, key=f"RPM-GPG-KEY-fedora-{context.config.release}-secondary", required=False
     )
 
+    versionre = re.compile(r"RPM-GPG-KEY-fedora-(\d+)-(primary|secondary)")
+
     if key1:
         # During branching, there is always a kerfuffle with the key transition.
         # For Rawhide, try to load the N+1 key, just in case our local configuration
         # still indicates that Rawhide==N, but really Rawhide==N+1.
         if context.config.release == "rawhide" and (rhs := startswith(key1, "file://")):
             path = Path(rhs).resolve()
-            if m := re.match(r"RPM-GPG-KEY-fedora-(\d+)-(primary|secondary)", path.name):
+            if m := versionre.match(path.name):
                 version = int(m.group(1))
                 if key3 := find_rpm_gpgkey(context, key=f"RPM-GPG-KEY-fedora-{version + 1}-primary"):
                     # We yield the resolved path for key1, to make it clear that it's
@@ -66,11 +69,27 @@ def find_fedora_rpm_gpgkeys(context: Context) -> Iterable[str]:
                 curl(context.config, f"{keys}/RPM-GPG-KEY-fedora-rawhide-primary", Path(d))
                 key = (Path(d) / "RPM-GPG-KEY-fedora-rawhide-primary").read_text()
 
-            keyurl = f"{keys}/{key}"
-        else:
-            keyurl = "https://fedoraproject.org/fedora.gpg"
+            yield f"{keys}/{key}"
 
-        yield keyurl
+            # Same as above, the symlink in distribution-gpg-keys might not have been updated yet to point to
+            # the new rawhide key when branching happens, so try to load the N+1 key as well.
+            if m := versionre.match(key):
+                version = int(m.group(1))
+
+                try:
+                    with tempfile.TemporaryDirectory() as d:
+                        curl(
+                            context.config,
+                            f"{keys}/RPM-GPG-KEY-fedora-{version + 1}-primary",
+                            Path(d),
+                            log=False,
+                        )
+
+                    yield f"{keys}/RPM-GPG-KEY-fedora-{version + 1}-primary"
+                except subprocess.CalledProcessError:
+                    pass
+        else:
+            yield "https://fedoraproject.org/fedora.gpg"
 
 
 class Installer(DistributionInstaller):
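Review bot: The `except subprocess.CalledProcessError: pass` around the N+1 probe swallows every curl failure, not only the expected "key does not exist yet" case, and because the call passes `log=False` nothing is reported. A TLS verification error, proxy failure or timeout is then indistinguishable from a 404, and the N+1 key is silently left out of the keys this function yields. With `--fail`, curl exits with status 22 on an HTTP error response, so the handler could be narrowed to `except subprocess.CalledProcessError as e:` followed by `if e.returncode != 22: raise`, assuming `run()` propagates curl's exit status unchanged through the sandbox. The `yield` could also move out of the `try` body into an `else:` clause so that only the curl call is guarded. `find_fedora_rpm_gpgkeys` starts outside this hunk.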