initrd: Copy Arch Linux keyring from host when running as root
authorDaan De Meyer <daan.j.demeyer@gmail.com>
Tue, 1 Apr 2025 08:49:44 +0000 (10:49 +0200)
committerDaan De Meyer <daan.j.demeyer@gmail.com>
Tue, 1 Apr 2025 10:28:00 +0000 (12:28 +0200)
When running as root, we run with --cache-only=metadata, which means
we won't try to sync the keyring, so let's reuse the one from the host
to make sure that a keyring is available.

Fixes #3635

mkosi/initrd.py

index f0f2aaad1f0c93677c2993f63b01ca2ad5e5fe77..5948b7117cfc2d24b6c952231036bc6b4a322e68 100644 (file)
@@ -365,7 +365,11 @@ def main() -> None:
                 shutil.copytree(
                     Path("/etc") / p,
                     Path(sandbox_tree) / "etc" / p,
-                    ignore=shutil.ignore_patterns("gnupg"),
+                    # If we're running as root, use the keyring from the host, but make sure we don't try to
+                    # copy any gpg-agent sockets that might be in /etc/pacman.d/gnupg. If we're not running
+                    # as root, we might not have the necessary permissions to access the keyring so don't try
+                    # to copy the keyring in that case.
+                    ignore=shutil.ignore_patterns("S.*" if os.getuid() == 0 else "gnupg"),
                     dirs_exist_ok=True,
                 )
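Review bot: When running as root, the new `ignore=` line copies everything in the host's `/etc/pacman.d/gnupg` except socket-named entries, which would include the keyring's secret-key directory (`private-keys-v1.d`) if the host keyring was initialised the usual way. Package signature verification should only need the public keyring and trust database, so unless something in the sandbox signs keys locally, I would exclude the secret material too: `ignore=shutil.ignore_patterns(*(("S.*", "private-keys-v1.d") if os.getuid() == 0 else ("gnupg",))),`. The permission argument in the comment depends on the effective UID, so `os.geteuid()` would match the stated intent more closely than `os.getuid()`. How `sandbox_tree` is created and who can read it is not visible here, since `main()` starts and ends outside the hunk, so the exposure is inferred rather than shown.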