hash signing: Use keyring of running user for non-root builds 1516/head
authorMichael A Cassaniti <michael@cassaniti.id.au>
Wed, 26 Apr 2023 04:32:12 +0000 (14:32 +1000)
committerMichael A Cassaniti <michael@cassaniti.id.au>
Wed, 26 Apr 2023 08:02:43 +0000 (18:02 +1000)
`gpg` will attempt to use the root user keyring when running as a non-root
user instead of using the keyring of the user that is executing `mkosi`.
This change will attempt to use the keyring given by `GNUPGHOME` and
fall back to using `~/.gnupg`.

mkosi/__init__.py

index 6cddc2dc419299015852f3b2f7a0f7841f5a81a1..9f644207420d25e9ca75f9c3c557e835e449b099 100644 (file)
@@ -848,7 +848,21 @@ def calculate_signature(state: MkosiState) -> None:
             state.staging / state.config.output_checksum.name,
         ]
 
-        run(cmdline)
+        run(
+            cmdline,
+            # Do not output warnings about keyring permissions
+            stderr=subprocess.DEVNULL,
+            env={
+                # Set the path of the keyring to use based on the environment
+                # if possible and fallback to the default path. Without this the
+                # keyring for the root user will instead be used which will fail
+                # for a non-root build.
+                'GNUPGHOME': os.environ.get(
+                    'GNUPGHOME',
+                    Path(os.environ['HOME']).joinpath('.gnupg')
+                )
+            }
+        )
 
 
 def acl_toggle_remove(config: MkosiConfig, root: Path, uid: int, *, allow: bool) -> None:
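Review bot: `stderr=subprocess.DEVNULL` discards everything gpg writes to stderr, not only the keyring permission warning named in the comment, so a failed signing run (missing secret key, agent or pinentry failure) leaves no diagnostic, and the unsafe-permissions warning on the GnuPG home directory is itself worth seeing when that directory holds a signing key. I would drop that argument and, if only that one warning has to go, add gpg's `--no-permission-warning` to `cmdline`, which is built above this hunk in the part of `calculate_signature` not shown. Separately, the default passed to `os.environ.get` is evaluated eagerly, so `os.environ['HOME']` raises `KeyError` when `HOME` is unset even if `GNUPGHOME` is set; `os.environ.get('GNUPGHOME') or os.fspath(Path.home() / '.gnupg')` avoids that. Whether `env=` replaces or extends the inherited environment depends on the `run` wrapper, which is not visible here; if it replaces it, variables such as `PATH` and `GPG_TTY` would no longer reach gpg.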