From: Daan De Meyer Date: Thu, 6 Feb 2025 09:54:45 +0000 (+0100) Subject: fedora: Try to load N+1 key from distribution-gpg-keys as well X-Git-Tag: v26~413^2~3 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=39baac21e25232da491deb775cfda7a2eebd6c45;p=thirdparty%2Fmkosi.git fedora: Try to load N+1 key from distribution-gpg-keys as well Fetching the rawhide keys from the distribution-gpg-keys github repository faces the same problem that we have when using the locally installed distribution-gpg-keys, the rawhide symlink might not have been updated yet at branching time, so apply the same solution and try to load the N+1 key as well. --- diff --git a/mkosi/curl.py b/mkosi/curl.py index eb8caadea..6560bf987 100644 --- a/mkosi/curl.py +++ b/mkosi/curl.py @@ -7,7 +7,7 @@ from mkosi.mounts import finalize_certificate_mounts from mkosi.run import run, workdir -def curl(config: Config, url: str, output_dir: Path) -> None: +def curl(config: Config, url: str, output_dir: Path, log: bool = True) -> None: run( [ "curl", @@ -16,6 +16,7 @@ def curl(config: Config, url: str, output_dir: Path) -> None: "--remote-name", "--no-progress-meter", "--fail", + *(["--silent"] if not log else []), *(["--proxy", config.proxy_url] if config.proxy_url else []), *(["--noproxy", ",".join(config.proxy_exclude)] if config.proxy_exclude else []), *(["--proxy-capath", "/proxy.cacert"] if config.proxy_peer_certificate else []), @@ -27,4 +28,5 @@ def curl(config: Config, url: str, output_dir: Path) -> None: network=True, options=["--bind", output_dir, workdir(output_dir), *finalize_certificate_mounts(config)], ), + log=log, ) # fmt: skip diff --git a/mkosi/distributions/fedora.py b/mkosi/distributions/fedora.py index 749baa40b..d7dacd5cc 100644 --- a/mkosi/distributions/fedora.py +++ b/mkosi/distributions/fedora.py 
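Review bot: The new `log` parameter in the `curl()` signature (first curl.py hunk) is an undocumented positional boolean that controls two things at once. In the second hunk it adds `--silent`, which also suppresses curl's own error text, and in the third it is forwarded as `log=log` to `run()`, presumably to stop the failure being reported there as well. Making it keyword-only, `def curl(config: Config, url: str, output_dir: Path, *, log: bool = True) -> None:`, keeps call sites readable. A short docstring should also say that with `log=False` the exit status is the only failure signal left, so a caller passing it has to inspect the `CalledProcessError` itself. The body of `curl()` continues outside these hunks.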
@@ -1,6 +1,7 @@ # SPDX-License-Identifier: LGPL-2.1-or-later import re +import subprocess import tempfile from collections.abc import Iterable, Sequence from pathlib import Path @@ -29,13 +30,15 @@ def find_fedora_rpm_gpgkeys(context: Context) -> Iterable[str]: context, key=f"RPM-GPG-KEY-fedora-{context.config.release}-secondary", required=False ) + versionre = re.compile(r"RPM-GPG-KEY-fedora-(\d+)-(primary|secondary)") + if key1: # During branching, there is always a kerfuffle with the key transition. # For Rawhide, try to load the N+1 key, just in case our local configuration # still indicates that Rawhide==N, but really Rawhide==N+1. if context.config.release == "rawhide" and (rhs := startswith(key1, "file://")): path = Path(rhs).resolve() - if m := re.match(r"RPM-GPG-KEY-fedora-(\d+)-(primary|secondary)", path.name): + if m := versionre.match(path.name): version = int(m.group(1)) if key3 := find_rpm_gpgkey(context, key=f"RPM-GPG-KEY-fedora-{version + 1}-primary"): # We yield the resolved path for key1, to make it clear that it's 
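Review bot: `versionre` is applied with `match`, which anchors only the start of the string, and the last hunk of this file reuses it on `key`, which is text read from a downloaded file rather than a local file name. That same `key` is interpolated unchanged into `f"{keys}/{key}"`, so anything following a well-formed prefix would still end up in the key URL. Checking `versionre.fullmatch(key.strip())` before either URL is yielded, and using `fullmatch` on `path.name` in this hunk, would accept only an exact key name. Whether the fetched text carries a trailing newline is not visible in the diff and should be confirmed. `find_fedora_rpm_gpgkeys` starts and ends outside this hunk.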
@@ -66,11 +69,27 @@ def find_fedora_rpm_gpgkeys(context: Context) -> Iterable[str]: curl(context.config, f"{keys}/RPM-GPG-KEY-fedora-rawhide-primary", Path(d)) key = (Path(d) / "RPM-GPG-KEY-fedora-rawhide-primary").read_text() - keyurl = f"{keys}/{key}" - else: - keyurl = "https://fedoraproject.org/fedora.gpg" + yield f"{keys}/{key}" - yield keyurl + # Same as above, the symlink in distribution-gpg-keys might not have been updated yet to point to + # the new rawhide key when branching happens, so try to load the N+1 key as well. + if m := versionre.match(key): + version = int(m.group(1)) + + try: + with tempfile.TemporaryDirectory() as d: + curl( + context.config, + f"{keys}/RPM-GPG-KEY-fedora-{version + 1}-primary", + Path(d), + log=False, + ) + + yield f"{keys}/RPM-GPG-KEY-fedora-{version + 1}-primary" + except subprocess.CalledProcessError: + pass + else: + yield "https://fedoraproject.org/fedora.gpg" class Installer(DistributionInstaller):
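Review bot: The `except subprocess.CalledProcessError: pass` around the N+1 probe discards every curl failure, not only the expected case where the next release's key does not exist yet. With `--fail`, an HTTP error response surfaces as curl exit status 22, whereas DNS, proxy and TLS certificate failures use other codes. Because the call also passes `log=False`, those are dropped without a trace and the key is silently left out of the list used for package signature checks. Consider `except subprocess.CalledProcessError as e:` followed by `if e.returncode != 22: raise`, or at minimum a debug log of the return code, plus a comment that the download is only an existence check, since the file in the temporary directory is thrown away. `find_fedora_rpm_gpgkeys` starts outside the hunk.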