Beef up GPG key handling
authorDaan De Meyer <daan.j.demeyer@gmail.com>
Thu, 12 Oct 2023 10:12:47 +0000 (12:12 +0200)
committerJörg Behrmann <behrmann@physik.fu-berlin.de>
Thu, 12 Oct 2023 12:40:13 +0000 (14:40 +0200)
Let's look for GPG keys in a few more places. Let's also introduce
a function find_rpm_gpgkey() to avoid duplication.

mkosi/distributions/alma.py
mkosi/distributions/centos.py
mkosi/distributions/fedora.py
mkosi/distributions/rhel.py
mkosi/distributions/rhel_ubi.py
mkosi/distributions/rocky.py
mkosi/installer/dnf.py

index 6d2f3296af44e3304c973dca15cd9b2a98a44d1b..ff90c23bf3f081edb3bb5b156dd693ca56bcaeb5 100644 (file)
@@ -1,9 +1,7 @@
 # SPDX-License-Identifier: LGPL-2.1+
 
-from pathlib import Path
-
 from mkosi.distributions import centos
-from mkosi.installer.dnf import Repo
+from mkosi.installer.dnf import Repo, find_rpm_gpgkey
 from mkosi.state import MkosiState
 
 
@@ -14,11 +12,13 @@ class Installer(centos.Installer):
 
     @staticmethod
     def gpgurls(state: MkosiState) -> tuple[str, ...]:
-        gpgpath = Path(f"/usr/share/distribution-gpg-keys/alma/RPM-GPG-KEY-AlmaLinux-{state.config.release}")
-        if gpgpath.exists():
-            return (f"file://{gpgpath}",)
-        else:
-            return ("https://repo.almalinux.org/almalinux/RPM-GPG-KEY-AlmaLinux-$releasever",)
+        return (
+            find_rpm_gpgkey(
+                state,
+                f"RPM-GPG-KEY-AlmaLinux-{state.config.release}",
+                f"https://repo.almalinux.org/almalinux/RPM-GPG-KEY-AlmaLinux-{state.config.release}",
+            ),
+        )
 
     @classmethod
     def repository_variants(cls, state: MkosiState, repo: str) -> list[Repo]:
index 9f91e546c2336901427e5f8270123222d1d923bc..34121c1085c8206a772864c1d3376956e518d584 100644 (file)
@@ -8,7 +8,7 @@ from pathlib import Path
 
 from mkosi.architecture import Architecture
 from mkosi.distributions import Distribution, DistributionInstaller, PackageType
-from mkosi.installer.dnf import Repo, invoke_dnf, setup_dnf
+from mkosi.installer.dnf import Repo, find_rpm_gpgkey, invoke_dnf, setup_dnf
 from mkosi.log import complete_step, die
 from mkosi.state import MkosiState
 from mkosi.tree import rmtree
@@ -135,16 +135,8 @@ class Installer(DistributionInstaller):
 
     @staticmethod
     def gpgurls(state: MkosiState) -> tuple[str, ...]:
-        gpgurls = []
-
-        for key in ("CentOS-Official", "CentOS-SIG-Extras"):
-            gpgpath = Path(f"/usr/share/distribution-gpg-keys/centos/RPM-GPG-KEY-{key}")
-            if gpgpath.exists():
-                gpgurls += [f"file://{gpgpath}"]
-            else:
-                gpgurls += [f"https://www.centos.org/keys/RPM-GPG-KEY-{key}"]
-
-        return tuple(gpgurls)
+        keys = ("RPM-GPG-KEY-CentOS-Official", "RPM-GPG-KEY-CentOS-SIG-Extras")
+        return tuple(find_rpm_gpgkey(state, key, f"https://www.centos.org/keys/{key}") for key in keys)
 
     @classmethod
     def repository_variants(cls, state: MkosiState, repo: str) -> Iterable[Repo]:
@@ -276,11 +268,13 @@ class Installer(DistributionInstaller):
 
     @classmethod
     def epel_repositories(cls, state: MkosiState) -> Iterable[Repo]:
-        gpgpath = Path(f"/usr/share/distribution-gpg-keys/centos/RPM-GPG-KEY-EPEL-{state.config.release}")
-        if gpgpath.exists():
-            gpgurls = (f"file://{gpgpath}",)
-        else:
-            gpgurls = (f"https://dl.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-{state.config.release}",)
+        gpgurls = (
+            find_rpm_gpgkey(
+                state,
+                f"RPM-GPG-KEY-EPEL-{state.config.release}",
+                f"https://dl.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-{state.config.release}",
+            ),
+        )
 
         if state.config.local_mirror:
             return
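Review bot: The `gpgurls = (find_rpm_gpgkey(...),)` assignment at the top of `epel_repositories` runs before the `if state.config.local_mirror: return` guard, so its result is discarded on that path. The lookup used to be a single `exists()` call, but the helper added in mkosi/installer/dnf.py now walks several directory trees, so I would move the assignment below the guard. The rest of the function is outside the hunk.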
@@ -343,20 +337,12 @@ class Installer(DistributionInstaller):
             (
                 "hyperscale",
                 (f"packages-{c}" for c in ("main", "experimental", "facebook", "hotfixes", "spin", "intel")),
-                ("CentOS-SIG-HyperScale",),
+                ("RPM-GPG-KEY-CentOS-SIG-HyperScale",),
             ),
         )
 
         for sig, components, keys in sigs:
-            gpgurls = []
-            for key in keys:
-                gpgpath = Path(f"/usr/share/distribution-gpg-keys/centos/RPM-GPG-KEY-{key}")
-                if gpgpath.exists():
-                    gpgurls += [f"file://{gpgpath}"]
-                else:
-                    gpgurls += [f"https://www.centos.org/keys/RPM-GPG-KEY-{key}"]
-
-            gpgurls = tuple(gpgurls)
+            gpgurls = tuple(find_rpm_gpgkey(state, key, f"https://www.centos.org/keys/{key}") for key in keys)
 
             for c in components:
                 if state.config.mirror:
index d9bfe19e2c91cbd432c3ee83cee5ce65e9065266..568fb6c4bc2619f54bb3e3eb33f989696677b700 100644 (file)
@@ -2,11 +2,10 @@
 
 import urllib.parse
 from collections.abc import Sequence
-from pathlib import Path
 
 from mkosi.architecture import Architecture
 from mkosi.distributions import Distribution, DistributionInstaller, PackageType
-from mkosi.installer.dnf import Repo, invoke_dnf, setup_dnf
+from mkosi.installer.dnf import Repo, find_rpm_gpgkey, invoke_dnf, setup_dnf
 from mkosi.log import die
 from mkosi.state import MkosiState
 
@@ -78,12 +77,14 @@ class Installer(DistributionInstaller):
 
     @classmethod
     def setup(cls, state: MkosiState) -> None:
-        gpgpath = Path(f"/usr/share/distribution-gpg-keys/fedora/RPM-GPG-KEY-fedora-{state.config.release}-primary")
-        if gpgpath.exists():
-            gpgurls = (f"file://{gpgpath}",)
-        else:
-            # See: https://fedoraproject.org/security/
-            gpgurls = ("https://fedoraproject.org/fedora.gpg",)
+        gpgurls = (
+            find_rpm_gpgkey(
+                state,
+                key=f"RPM-GPG-KEY-fedora-{state.config.release}-primary",
+                url="https://fedoraproject.org/fedora.gpg",
+            ),
+        )
+
         repos = []
 
         if state.config.local_mirror:
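Review bot: The `# See: https://fedoraproject.org/security/` comment that said where the fallback key URL comes from is removed together with the old `else` branch, and nothing replaces it. This URL is what ends up trusted for signature checking when no local key file is found, so I would keep the pointer next to the `url=` argument, for example `# Fallback key, see: https://fedoraproject.org/security/`. This call also passes `key=` and `url=` by keyword while the other call sites in this commit pass them positionally; one form throughout would read more consistently. The body of `setup` continues outside the hunk.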
index a128be12ad9c7ec8a6e8f3e29f151533a1742be6..36665048fc53153665a0e377826c1b0cdef448ff 100644 (file)
@@ -5,7 +5,7 @@ from pathlib import Path
 from typing import Any, Optional
 
 from mkosi.distributions import centos
-from mkosi.installer.dnf import Repo
+from mkosi.installer.dnf import Repo, find_rpm_gpgkey
 from mkosi.log import die
 from mkosi.state import MkosiState
 
@@ -17,7 +17,15 @@ class Installer(centos.Installer):
 
     @staticmethod
     def gpgurls(state: MkosiState) -> tuple[str, ...]:
-        return ("https://access.redhat.com/security/data/fd431d51.txt",)
+        major = int(float(state.config.release))
+
+        return (
+            find_rpm_gpgkey(
+                state,
+                f"RPM-GPG-KEY-redhat{major}-release",
+                "https://access.redhat.com/security/data/fd431d51.txt",
+            ),
+        )
 
     @staticmethod
     def sslcacert(state: MkosiState) -> Optional[Path]:
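Review bot: `major = int(float(state.config.release))` raises an unhandled `ValueError` when the configured release is not a plain number, and it goes through a float only to drop the minor part. `major = state.config.release.partition(".")[0]` gives the same key name for releases such as `9` or `9.2` without the conversion. A non-numeric release then simply matches no local key file and falls back to the URL. The same line is added in the `gpgurls` hunk that follows, which by the file list should be mkosi/distributions/rhel_ubi.py, and the same change applies there.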
index 2f1d070a942a7a7e41b258555a28381a2f8ff185..bd2218ff9e12b6e2178edaa6334f808c29cef746 100644 (file)
@@ -3,7 +3,7 @@
 from collections.abc import Iterable
 
 from mkosi.distributions import centos
-from mkosi.installer.dnf import Repo
+from mkosi.installer.dnf import Repo, find_rpm_gpgkey
 from mkosi.state import MkosiState
 
 
@@ -14,7 +14,15 @@ class Installer(centos.Installer):
 
     @staticmethod
     def gpgurls(state: MkosiState) -> tuple[str, ...]:
-        return ("https://access.redhat.com/security/data/fd431d51.txt",)
+        major = int(float(state.config.release))
+
+        return (
+            find_rpm_gpgkey(
+                state,
+                f"RPM-GPG-KEY-redhat{major}-release",
+                "https://access.redhat.com/security/data/fd431d51.txt",
+            ),
+        )
 
     @classmethod
     def repository_variants(cls, state: MkosiState, repo: str) -> Iterable[Repo]:
index 3db9e930f6adff87c57a57a95ac745817d29bec5..e09bf03df9ac7fb9ee593d82317995f865c57765 100644 (file)
@@ -1,9 +1,7 @@
 # SPDX-License-Identifier: LGPL-2.1+
 
-from pathlib import Path
-
 from mkosi.distributions import centos
-from mkosi.installer.dnf import Repo
+from mkosi.installer.dnf import Repo, find_rpm_gpgkey
 from mkosi.state import MkosiState
 
 
@@ -14,11 +12,13 @@ class Installer(centos.Installer):
 
     @staticmethod
     def gpgurls(state: MkosiState) -> tuple[str, ...]:
-        gpgpath = Path(f"/usr/share/distribution-gpg-keys/rocky/RPM-GPG-KEY-Rocky-{state.config.release}")
-        if gpgpath.exists():
-            return (f"file://{gpgpath}",)
-        else:
-            return ("https://download.rockylinux.org/pub/rocky/RPM-GPG-KEY-Rocky-$releasever",)
+        return (
+            find_rpm_gpgkey(
+                state,
+                f"RPM-GPG-KEY-Rocky-{state.config.release}",
+                f"https://download.rockylinux.org/pub/rocky/RPM-GPG-KEY-Rocky-{state.config.release}",
+            ),
+        )
 
     @classmethod
     def repository_variants(cls, state: MkosiState, repo: str) -> list[Repo]:
index 963e2177564bafbf118657e1c5ef11f2dd97acba..ca302842d937edc0b2bd8544bf525bf4020a280c 100644 (file)
@@ -23,6 +23,16 @@ class Repo(NamedTuple):
     sslclientcert: Optional[Path] = None
 
 
+def find_rpm_gpgkey(state: MkosiState, key: str, url: str) -> str:
+    for gpgdir in ("usr/share/distribution-gpg-keys", "etc/pki/rpm-gpg"):
+        for root in (state.pkgmngr, state.root, Path("/")):
+            gpgpath = next((root / Path(gpgdir)).rglob(key), None)
+            if gpgpath:
+                return f"file://{gpgpath}"
+
+    return url
+
+
 def dnf_executable(state: MkosiState) -> str:
     # dnf5 does not support building for foreign architectures yet (missing --forcearch)
     dnf = shutil.which("dnf5") if state.config.architecture.is_native() else None
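Review bot: `find_rpm_gpgkey` accepts the first file whose name matches `key` anywhere below the two key directories, and for each directory it looks in `state.pkgmngr` and `state.root` before the host's `/`. The key used to verify packages can therefore come from the tree being built rather than from the host's key packages. The function has no docstring saying that this precedence is intended, so I would add one that names the search order and states that matching is by file name only, with no check of the key's fingerprint. `rglob` also gives no guaranteed order, so with two matching files the choice may differ between runs; `gpgpath = next(iter(sorted((root / gpgdir).rglob(key))), None)` makes it stable. `dnf_executable` below continues outside the hunk.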