From: Daan De Meyer Date: Tue, 13 Jan 2026 19:55:02 +0000 (+0100) Subject: opensuse: Fetch remote keys as well if RepositoryKeyFetch= is enabled X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c367f993dd8873a411e8d7518ddad0736a78af09;p=thirdparty%2Fmkosi.git opensuse: Fetch remote keys as well if RepositoryKeyFetch= is enabled Also improve error handling for if local keys do not exist. --- diff --git a/mkosi/distribution/opensuse.py b/mkosi/distribution/opensuse.py index c23b2ef3f..039398f17 100644 --- a/mkosi/distribution/opensuse.py +++ b/mkosi/distribution/opensuse.py @@ -1,5 +1,6 @@ # SPDX-License-Identifier: LGPL-2.1-or-later +import os import tempfile from collections.abc import Iterable from pathlib import Path @@ -15,7 +16,8 @@ from mkosi.installer.rpm import RpmRepository, find_rpm_gpgkey, setup_rpm from mkosi.installer.zypper import Zypper from mkosi.log import die from mkosi.mounts import finalize_certificate_mounts -from mkosi.run import run +from mkosi.run import run, workdir +from mkosi.util import flatten from mkosi.versioncomp import GenericVersion @@ -54,11 +56,12 @@ class Installer(DistributionInstaller, distribution=Distribution.opensuse): if cls.package_manager(context.config) is Zypper and (gpgkeys := fetch_gpgkeys(context)): run( - ["rpm", "--root=/buildroot", "--import", *gpgkeys], + ["rpm", "--root=/buildroot", "--import", *(workdir(key) for key in gpgkeys)], sandbox=context.sandbox( options=[ *context.rootoptions(), *finalize_certificate_mounts(context.config), + *flatten(["--ro-bind", os.fspath(key), workdir(key)] for key in gpgkeys), ], ), ) 
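Review bot: The added `*flatten(["--ro-bind", os.fspath(key), workdir(key)] for key in gpgkeys)` line in the `rpm --import` call has no comment saying why the key files must be mounted, and the reason is not obvious from the call itself. Going by the `fetch_gpgkeys` hunk later in this patch, the returned paths now live under `context.config.tools()` or `context.workspace / "keys"`, so I would add `# Keys live in the tools tree or the workspace; bind them read-only into the sandbox at the path rpm is given.` above that line. These files become trust anchors in the buildroot's rpm database, so it is worth stating that the mount is deliberately read-only. The enclosing method starts and ends outside the hunk.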
@@ -266,10 +269,21 @@ def fetch_gpgkeys(context: Context) -> list[Path]: keys = value.splitlines() for key in keys: - if not key.startswith("file://"): - continue - - files.add(Path(key.removeprefix("file://"))) + if key.startswith("file://"): + path = key.removeprefix("file://").lstrip("/") + if not (context.config.tools() / path).exists(): + die(f"Local repository GPG key specified ({key}) but not found at /{path}") + + files.add(context.config.tools() / path) + elif key.startswith("https://") and context.config.repository_key_fetch: + (context.workspace / "keys").mkdir(parents=True, exist_ok=True) + curl(context.config, key, output_dir=context.workspace / "keys") + files.add(context.workspace / "keys" / Path(key).name) + else: + die( + f"Remote repository GPG key specified ({key}) but RepositoryKeyFetch= is disabled", + hint="Enable RepositoryKeyFetch= or provide local keys", + ) return sorted(files)
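Review bot: The final `else` in the `for key in keys` loop catches every key that is neither `file://` nor an `https://` URL with fetching enabled, so an `http://` or otherwise unsupported URL dies with "RepositoryKeyFetch= is disabled" even when the setting is on. Refusing non-HTTPS key URLs is the right outcome for something that becomes a package-signing trust anchor, but the message should say so: add `elif not key.startswith("https://"): die(f"Unsupported repository GPG key URL ({key})", hint="Only file:// and https:// keys are supported")` ahead of the `else`. Separately, `Path(key).name` keeps only the last URL component, so two repositories whose key URLs end in the same file name map to one path under `context.workspace / "keys"` and one entry in `files`; presumably the later download replaces the earlier one, which should be confirmed against the `curl` helper. `fetch_gpgkeys` begins outside the hunk.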