Add --repository-key-check, enabled by default
authorLuca Boccassi <bluca@debian.org>
Sun, 21 Aug 2022 11:23:14 +0000 (12:23 +0100)
committerLuca Boccassi <bluca@debian.org>
Mon, 29 Aug 2022 20:34:58 +0000 (21:34 +0100)
Allows disabling repository key/signatures checks when
building with offline mirrors

mkosi.md
mkosi/__init__.py
mkosi/backend.py
tests/test_config_parser.py

index bdfcb55f60e8b32580f4ecde2b3413717ee5c0b6..63eb092794bec4205e02038a6de904d0afb97ce3 100644 (file)
--- a/mkosi.md
+++ b/mkosi.md
@@ -325,6 +325,12 @@ a boolean argument: either "1", "yes", or "true" to enable, or "0",
   `--mirror=` (or the default repository) will be configured inside the final
   image instead.
 
+`RepositoryKeyCheck=`, `--repository-key-check=`
+
+: Controls signature/key checks when using repositories, enabled by default.
+  Useful to disable checks when combined with `--local-mirror=` and using only
+  a repository from a local filesystem. Not used for DNF-based distros yet.
+
 `Repositories=`, `--repositories=`
 
 : Additional package repositories to use during installation. Expects
index 871bc7ec893ade1298c078924580059ef77a0a1f..58610d4ce5c86ae6e91c4fb0e9eb3478e0ae8832 100644 (file)
@@ -2519,6 +2519,9 @@ def install_debian_or_ubuntu(args: MkosiArgs, root: Path, *, do_run_build_script
         if debootstrap_knows_arg("--no-check-valid-until"):
             cmdline += ["--no-check-valid-until"]
 
+        if not args.repository_key_check:
+            cmdline += ["--no-check-gpg"]
+
         mirror = args.local_mirror or args.mirror
         assert mirror is not None
         cmdline += [args.release, root, mirror]
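Review bot: `--no-check-gpg` is added whenever `args.repository_key_check` is false, but the very next line still falls back to `args.mirror`, so the same setting also strips verification from a network mirror. The documentation in this commit presents the option as useful together with `--local-mirror=`, yet nothing visible here ties the two together. The `sig_level = "Never"` branch in install_arch and the `--no-gpg-checks` branch in install_opensuse have the same gap. I would guard it where the arguments are validated, for example `if not args.repository_key_check and args.local_mirror is None:` followed by a warning or a hard error, so that an unauthenticated build from a remote repository is never silent. install_debian_or_ubuntu's body continues outside the hunk.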
@@ -2699,6 +2702,12 @@ def install_arch(args: MkosiArgs, root: Path, do_run_build_script: bool) -> None
             path.chmod(permissions)
 
     pacman_conf = workspace(root) / "pacman.conf"
+    if args.repository_key_check:
+        sig_level = "Required DatabaseOptional"
+    else:
+        # If we are using a single local mirror built on the fly there
+        # will be no signatures
+        sig_level = "Never"
     with pacman_conf.open("w") as f:
         f.write(
             dedent(
@@ -2713,7 +2722,7 @@ def install_arch(args: MkosiArgs, root: Path, do_run_build_script: bool) -> None
                 Architecture = auto
                 Color
                 CheckSpace
-                SigLevel = Required DatabaseOptional
+                SigLevel = {sig_level}
                 ParallelDownloads = 5
 
                 [core]
@@ -2875,7 +2884,7 @@ def install_opensuse(args: MkosiArgs, root: Path, do_run_build_script: bool) ->
     cmdline += [
         "--root",
         root,
-        "--gpg-auto-import-keys",
+        "--gpg-auto-import-keys" if args.repository_key_check else "--no-gpg-checks",
         "install",
         "-y",
         "--no-recommends",
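Review bot: The two sides of this conditional are not simply "checks on" and "checks off": `--gpg-auto-import-keys` trusts and imports whatever signing key the repository presents, while `--no-gpg-checks` skips verification altogether. A comment above the entry would make that explicit, e.g. `# auto-import trusts the repo's own key on first use; --no-gpg-checks disables verification entirely`. For readability I would also compute the flag into a named local before the list instead of embedding the conditional expression among the string literals. install_opensuse's body continues outside the hunk.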
@@ -5032,6 +5041,13 @@ def create_parser() -> ArgumentParserMkosi:
     group.add_argument("-m", "--mirror", help="Distribution mirror to use")
     group.add_argument("--local-mirror", help="Use a single local, flat and plain mirror to build the image",
     )
+    group.add_argument(
+        "--repository-key-check",
+        metavar="BOOL",
+        action=BooleanAction,
+        help="Controls signature and key checks on repositories",
+        default=True,
+    )
 
     group.add_argument(
         "--repositories",
@@ -6765,6 +6781,7 @@ def print_summary(args: MkosiArgs) -> None:
         MkosiPrinter.info("                    Mirror: " + args.mirror)
     if args.local_mirror is not None:
         MkosiPrinter.info("      Local Mirror (build): " + args.local_mirror)
+    MkosiPrinter.info(f"  Repo Signature/Key check: {yes_no(args.repository_key_check)}")
     if args.repositories is not None and len(args.repositories) > 0:
         MkosiPrinter.info("              Repositories: " + ",".join(args.repositories))
     MkosiPrinter.info("     Use Host Repositories: " + yes_no(args.use_host_repositories))
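Review bot: The new summary line prints the option's value unconditionally, but mkosi.md in this same commit says the option is not used for DNF-based distros yet, so on those a `no` here would misreport what the build actually does. Presumably checks stay enabled there, which is the safe direction, but the summary should not claim otherwise; print the line only for distributions that honour the option, or mark it as not applicable. When the value is false I would also raise it from `MkosiPrinter.info` to a warning-level message so that a build with verification disabled stands out in the log. print_summary's body continues outside the hunk.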
index da5ceb8899827d51df93f1e5b313d899d0ebaad1..9b0fa8cd3a1772a67a2962b7472d14627bf24a2c 100644 (file)
@@ -461,6 +461,7 @@ class MkosiArgs:
     release: str
     mirror: Optional[str]
     local_mirror: Optional[str]
+    repository_key_check: bool
     repositories: List[str]
     use_host_repositories: bool
     repos_dir: Optional[str]
index 49968050a946c20d26c69f5c11718740ddcc4ab6..35028d8425044396edf08adba56c63ba041989ce 100644 (file)
@@ -84,6 +84,7 @@ class MkosiConfig:
             "local_mirror": None,
             "manifest_format": None,
             "mirror": None,
+            "repository_key_check": True,
             "mksquashfs_tool": [],
             "no_chown": False,
             "nspawn_settings": None,