From: DaanDeMeyer <daan.j.demeyer@gmail.com>
Date: Tue, 30 Dec 2025 21:56:51 +0000 (+0100)
Subject: opensuse: Import GPG keys for all repositories
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=6bfeb4ac86f10487baab81e7ccadcdba723f1a47;p=thirdparty%2Fmkosi.git

opensuse: Import GPG keys for all repositories

Let's not just import GPG keys for our own repositories, but for
all repositories.
---

diff --git a/mkosi/distribution/opensuse.py b/mkosi/distribution/opensuse.py
index e0b2d5ff5..c23b2ef3f 100644
--- a/mkosi/distribution/opensuse.py
+++ b/mkosi/distribution/opensuse.py
@@ -6,7 +6,7 @@ from pathlib import Path
 from typing import Union
 from xml.etree import ElementTree
 
-from mkosi.config import Architecture, Config
+from mkosi.config import Architecture, Config, parse_ini
 from mkosi.context import Context
 from mkosi.curl import curl
 from mkosi.distribution import Distribution, DistributionInstaller, PackageType, join_mirror
@@ -52,6 +52,17 @@ class Installer(DistributionInstaller, distribution=Distribution.opensuse):
         setup_rpm(context, dbbackend="ndb")
         cls.package_manager(context.config).setup(context, list(cls.repositories(context)))
 
+        if cls.package_manager(context.config) is Zypper and (gpgkeys := fetch_gpgkeys(context)):
+            run(
+                ["rpm", "--root=/buildroot", "--import", *gpgkeys],
+                sandbox=context.sandbox(
+                    options=[
+                        *context.rootoptions(),
+                        *finalize_certificate_mounts(context.config),
+                    ],
+                ),
+            )
+
     @classmethod
     def install(cls, context: Context) -> None:
         packages = ["filesystem"]
@@ -87,22 +98,6 @@ class Installer(DistributionInstaller, distribution=Distribution.opensuse):
                     hint="Make sure the distribution-gpg-keys package is installed",
                 )
 
-            if zypper and gpgkeys:
-                run(
-                    [
-                        "rpm",
-                        "--root=/buildroot",
-                        "--import",
-                        *(key.removeprefix("file://") for key in gpgkeys),
-                    ],
-                    sandbox=context.sandbox(
-                        options=[
-                            *context.rootoptions(),
-                            *finalize_certificate_mounts(context.config),
-                        ],
-                    ),
-                )  # fmt: skip
-
             if context.config.snapshot:
                 if context.config.architecture != Architecture.x86_64:
                     die(f"Snapshot= is only supported for x86-64 on {cls.pretty_name()}")
@@ -261,6 +256,24 @@ class Installer(DistributionInstaller, distribution=Distribution.opensuse):
         return package in ("kernel-default", "kernel-kvmsmall")
 
 
+def fetch_gpgkeys(context: Context) -> list[Path]:
+    files = set()
+
+    for p in (context.sandbox_tree / "etc/zypp/repos.d").iterdir():
+        for _, name, value in parse_ini(p):
+            if name != "gpgkey":
+                continue
+
+            keys = value.splitlines()
+            for key in keys:
+                if not key.startswith("file://"):
+                    continue
+
+                files.add(Path(key.removeprefix("file://")))
+
+    return sorted(files)
+
+
 def fetch_gpgurls(context: Context, repourl: str) -> tuple[str, ...]:
     gpgurls = [f"{repourl}/repodata/repomd.xml.key"]