from mkosi.kmod import gen_required_kernel_modules, loaded_modules, process_kernel_modules
from mkosi.log import ARG_DEBUG, complete_step, die, log_notice, log_step
from mkosi.manifest import Manifest
-from mkosi.mounts import finalize_crypto_mounts, finalize_source_mounts, mount_overlay
+from mkosi.mounts import finalize_certificate_mounts, finalize_source_mounts, mount_overlay
from mkosi.pager import page
from mkosi.partition import Partition, finalize_root, finalize_roothash
from mkosi.qemu import (
for script in config.sync_scripts:
options = [
- *finalize_crypto_mounts(config),
+ *finalize_certificate_mounts(config),
"--ro-bind", script, "/work/sync",
"--ro-bind", json, "/work/config.json",
"--dir", "/work/src",
# Ensure /etc exists in the sandbox
(dst / "etc").mkdir(exist_ok=True)
- (dst / "etc/crypto-policies").mkdir(exist_ok=True)
+ if (p := config.tools() / "usr/share/crypto-policies/DEFAULT").exists():
+ Path(dst / "etc/crypto-policies").mkdir(exist_ok=True)
+ copy_tree(p, dst / "etc/crypto-policies/back-ends", sandbox=config.sandbox)
if config.sandbox_trees:
with complete_step("Copying in sandbox trees…"):
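Review bot: `Path(dst / "etc/crypto-policies")` wraps a value that is already a `Path` (the `/` operator on `dst` produces one, as the sibling line `(dst / "etc").mkdir(exist_ok=True)` in this hunk relies on), so the wrapper is noise and the two lines read inconsistently; `(dst / "etc/crypto-policies").mkdir(exist_ok=True)` matches the line above it. The copy also hard-codes the `DEFAULT` policy from the tools tree; if a tools tree can have a different policy selected, the sandbox would presumably diverge from it, which is worth stating in a comment such as `# The sandbox always gets the tools tree's DEFAULT back-ends, regardless of the policy selected in the tools tree itself.` The enclosing function starts outside this hunk.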
if not args.cmdline:
die("Please specify a command to execute in the sandbox")
- mounts = finalize_crypto_mounts(config, relaxed=True)
+ mounts = finalize_certificate_mounts(config, relaxed=True)
+
+ if config.tools() != Path("/") and (config.tools() / "etc/crypto-policies").exists():
+ mounts += ["--ro-bind", config.tools() / "etc/crypto-policies", Path("/etc/crypto-policies")]
# Since we reuse almost every top level directory from the host except /usr, the crypto mountpoints
# have to exist already in these directories or we'll fail with a permission error. Let's check this
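Review bot: The new bind at L29-L30 has no comment explaining why it is skipped when the tools tree is `/`, and the existing comment below it only talks about the mountpoints existing, not about this condition. A reader cannot tell from these lines whether the skip is deliberate; presumably with the host as the tools tree the host's own `/etc/crypto-policies` is already what the sandbox sees, so a line such as `# A tools tree of / means the host's own /etc/crypto-policies is already visible; only a separate tools tree needs its policy bound in.` would record that. The `relaxed=True` argument at L27 is kept although the mounts.py change in this commit drops the only visible use of it; if nothing else reads it, this call can drop the keyword.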
from pathlib import Path
from mkosi.config import Config
-from mkosi.mounts import finalize_crypto_mounts
+from mkosi.mounts import finalize_certificate_mounts
from mkosi.run import run, workdir
],
sandbox=config.sandbox(
network=True,
- options=["--bind", output_dir, workdir(output_dir), *finalize_crypto_mounts(config)],
+ options=["--bind", output_dir, workdir(output_dir), *finalize_certificate_mounts(config)],
),
) # fmt: skip
from mkosi.installer.rpm import RpmRepository, find_rpm_gpgkey, setup_rpm
from mkosi.installer.zypper import Zypper
from mkosi.log import die
-from mkosi.mounts import finalize_crypto_mounts
+from mkosi.mounts import finalize_certificate_mounts
from mkosi.run import run
from mkosi.util import sort_packages
sandbox=context.sandbox(
options=[
"--bind", context.root, "/buildroot",
- *finalize_crypto_mounts(context.config),
+ *finalize_certificate_mounts(context.config),
],
),
) # fmt: skip
from mkosi.config import Config, ConfigFeature, OutputFormat
from mkosi.context import Context
-from mkosi.mounts import finalize_crypto_mounts
+from mkosi.mounts import finalize_certificate_mounts
from mkosi.run import apivfs_options, finalize_interpreter, finalize_passwd_symlinks, find_binary
from mkosi.tree import rmtree
from mkosi.types import PathString
@classmethod
def mounts(cls, context: Context) -> list[PathString]:
mounts = [
- *finalize_crypto_mounts(context.config),
+ *finalize_certificate_mounts(context.config),
"--bind", context.repository, "/repository",
] # fmt: skip
from typing import Literal, Optional, overload
from mkosi.context import Context
+from mkosi.distributions import Distribution
from mkosi.log import die
from mkosi.run import run
from mkosi.types import PathString
for plugin in plugindir.iterdir():
f.write(f"%__transaction_{plugin.stem} %{{nil}}\n")
- # Write an rpm sequoia policy that allows SHA1 as various distribution GPG keys (openSUSE) still use SHA1
- # for various things.
- # TODO: Remove when all rpm distribution GPG keys have stopped using SHA1.
- if not (context.config.tools() / "etc/crypto-policies").exists():
+ if context.config.distribution == Distribution.opensuse or (
+ context.config.distribution.is_centos_variant() and context.config.release == "9"
+ ):
+ # Write an rpm sequoia policy that makes sure "sha1.second_preimage_resistance = always" is
+ # configured and makes sure that a minimal config is in place to make sure builds succeed.
+ # TODO: Remove when distributions GPG keys are accepted by the default rpm-sequoia config everywhere.
+
p = context.sandbox_tree / "etc/crypto-policies/back-ends/rpm-sequoia.config"
p.parent.mkdir(parents=True, exist_ok=True)
- p.write_text(
- textwrap.dedent(
- """
- [hash_algorithms]
- sha1.second_preimage_resistance = "always"
- sha224 = "always"
- sha256 = "always"
- sha384 = "always"
- sha512 = "always"
- default_disposition = "never"
- """
- )
- )
+ prev = p.read_text() if p.exists() else ""
+
+ with p.open("w") as f:
+ for line in prev.splitlines(keepends=True):
+ if line.startswith("sha1.second_preimage_resistance"):
+ f.write('sha1.second_preimage_resistance = "always"\n')
+ else:
+ f.write(line)
+
+ if not any(line.startswith("[hash_algorithms]") for line in prev.splitlines()):
+ f.write(
+ textwrap.dedent(
+ """
+ [hash_algorithms]
+ sha1.second_preimage_resistance = "always"
+ sha224 = "always"
+ sha256 = "always"
+ sha384 = "always"
+ sha512 = "always"
+ default_disposition = "never"
+ """
+ )
+ )
def rpm_cmd() -> list[PathString]:
yield options
-def finalize_crypto_mounts(config: Config, relaxed: bool = False) -> list[PathString]:
+def finalize_certificate_mounts(config: Config, relaxed: bool = False) -> list[PathString]:
mounts = []
root = config.tools() if config.tools_tree_certificates else Path("/")
if (root / subdir).exists() and any(p for p in (root / subdir).rglob("*") if not p.is_dir())
]
- if not relaxed or config.tools() != Path("/"):
- if (config.tools() / "etc/crypto-policies").exists():
- mounts += [(config.tools() / "etc/crypto-policies", Path("/etc/crypto-policies"))]
-
return flatten(("--ro-bind", src, target) for src, target in sorted(set(mounts), key=lambda s: s[1]))
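Review bot: The `relaxed` parameter of `finalize_certificate_mounts` survives the rename at L134, but the only use visible in this hunk was the removed block at L139-L141; if the parts of the body not shown here do not read it either, it is now dead and callers such as the `relaxed=True` site elsewhere in this commit are passing a no-op. The function also still has no docstring although its contract changed (it no longer binds `/etc/crypto-policies`); a short one stating that it returns sorted, deduplicated `--ro-bind` triples for the certificate directories taken from the tools tree when `tools_tree_certificates` is set and from the host otherwise, and what `relaxed` does if anything, would prevent the next caller from expecting the old behaviour. Part of the body between L136 and L137 is not shown in this hunk.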