From: Daan De Meyer <daan.j.demeyer@gmail.com>
Date: Thu, 4 Apr 2024 18:28:58 +0000 (+0200)
Subject: Move gpg set-priv setup command to sandbox
X-Git-Tag: v23~29^2~1
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=3779dcafa18faf02cacbe11c7cdba5a722e55ccc;p=thirdparty%2Fmkosi.git

Move gpg set-priv setup command to sandbox
---

diff --git a/mkosi/__init__.py b/mkosi/__init__.py
index f3af47c33..f491def2e 100644
--- a/mkosi/__init__.py
+++ b/mkosi/__init__.py
@@ -2490,16 +2490,7 @@ def calculate_signature(context: Context) -> None:
     if context.config.output_format == OutputFormat.directory:
         return
 
-    # GPG messes with the user's home directory so we run it as the invoking user.
-
-    cmdline: list[PathString] = [
-        "setpriv",
-        f"--reuid={INVOKING_USER.uid}",
-        f"--regid={INVOKING_USER.gid}",
-        "--clear-groups",
-        "gpg",
-        "--detach-sign",
-    ]
+    cmdline: list[PathString] = ["gpg", "--detach-sign"]
 
     # Need to specify key before file to sign
     if context.config.key is not None:
@@ -2528,7 +2519,17 @@ def calculate_signature(context: Context) -> None:
         open(context.staging / context.config.output_checksum, "rb") as i,
         open(context.staging / context.config.output_signature, "wb") as o,
     ):
-        run(cmdline, env=env, stdin=i, stdout=o, sandbox=context.sandbox(mounts=mounts, options=options))
+        run(
+            cmdline,
+            env=env,
+            stdin=i,
+            stdout=o,
+            # GPG messes with the user's home directory so we run it as the invoking user.
+            sandbox=context.sandbox(
+                mounts=mounts,
+                options=options,
+            ) + ["setpriv", f"--reuid={INVOKING_USER.uid}", f"--regid={INVOKING_USER.gid}", "--clear-groups"]
+        )
 
 
 def dir_size(path: Union[Path, os.DirEntry[str]]) -> int: