From: Luca Boccassi Date: Sun, 21 Aug 2022 11:23:14 +0000 (+0100) Subject: Add --repository-key-check, enabled by default X-Git-Tag: v14~56^2~2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d014f8fcf348b881debcec686d72e63feccbb52b;p=thirdparty%2Fmkosi.git Add --repository-key-check, enabled by default Allows disabling repository key/signatures checks when building with offline mirrors --- diff --git a/mkosi.md b/mkosi.md index bdfcb55f6..63eb09279 100644 --- a/mkosi.md +++ b/mkosi.md @@ -325,6 +325,12 @@ a boolean argument: either "1", "yes", or "true" to enable, or "0", `--mirror=` (or the default repository) will be configured inside the final image instead. +`RepositoryKeyCheck=`, `--repository-key-check=` + +: Controls signature/key checks when using repositories, enabled by default. + Useful to disable checks when combined with `--local-mirror=` and using only + a repository from a local filesystem. Not used for DNF-based distros yet. + `Repositories=`, `--repositories=` : Additional package repositories to use during installation. Expects diff --git a/mkosi/__init__.py b/mkosi/__init__.py index 871bc7ec8..58610d4ce 100644 --- a/mkosi/__init__.py +++ b/mkosi/__init__.py @@ -2519,6 +2519,9 @@ def install_debian_or_ubuntu(args: MkosiArgs, root: Path, *, do_run_build_script if debootstrap_knows_arg("--no-check-valid-until"): cmdline += ["--no-check-valid-until"] + if not args.repository_key_check: + cmdline += ["--no-check-gpg"] + mirror = args.local_mirror or args.mirror assert mirror is not None cmdline += [args.release, root, mirror] 
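Review bot: In the install_debian_or_ubuntu hunk, `--no-check-gpg` is appended whenever `args.repository_key_check` is false, yet the next context line sets `mirror = args.local_mirror or args.mirror`, so the unverified bootstrap also runs against a remote `--mirror`, not only the offline mirror the commit message describes. The same unconditional switch appears in the install_arch hunks (`SigLevel = Never`) and the install_opensuse hunk (`--no-gpg-checks`). Consider a guard during argument validation such as `if not args.repository_key_check and args.local_mirror is None:` that warns or refuses, so a network mirror is never used without verification by accident. The function starts and ends outside this hunk, so whether later package-manager steps still verify signatures cannot be judged from here.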
@@ -2699,6 +2702,12 @@ def install_arch(args: MkosiArgs, root: Path, do_run_build_script: bool) -> None path.chmod(permissions) pacman_conf = workspace(root) / "pacman.conf" + if args.repository_key_check: + sig_level = "Required DatabaseOptional" + else: + # If we are using a single local mirror built on the fly there + # will be no signatures + sig_level = "Never" with pacman_conf.open("w") as f: f.write( dedent( @@ -2713,7 +2722,7 @@ def install_arch(args: MkosiArgs, root: Path, do_run_build_script: bool) -> None Architecture = auto Color CheckSpace - SigLevel = Required DatabaseOptional + SigLevel = {sig_level} ParallelDownloads = 5 [core] @@ -2875,7 +2884,7 @@ def install_opensuse(args: MkosiArgs, root: Path, do_run_build_script: bool) -> cmdline += [ "--root", root, - "--gpg-auto-import-keys", + "--gpg-auto-import-keys" if args.repository_key_check else "--no-gpg-checks", "install", "-y", "--no-recommends", @@ -5032,6 +5041,13 @@ def create_parser() -> ArgumentParserMkosi: group.add_argument("-m", "--mirror", help="Distribution mirror to use") group.add_argument("--local-mirror", help="Use a single local, flat and plain mirror to build the image", ) + group.add_argument( + "--repository-key-check", + metavar="BOOL", + action=BooleanAction, + help="Controls signature and key checks on repositories", + default=True, + ) group.add_argument( "--repositories", @@ -6765,6 +6781,7 @@ def print_summary(args: MkosiArgs) -> None: MkosiPrinter.info(" Mirror: " + args.mirror) if args.local_mirror is not None: MkosiPrinter.info(" Local Mirror (build): " + args.local_mirror) + MkosiPrinter.info(f" Repo Signature/Key check: {yes_no(args.repository_key_check)}") if args.repositories is not None and len(args.repositories) > 0: MkosiPrinter.info(" Repositories: " + ",".join(args.repositories)) MkosiPrinter.info(" Use Host Repositories: " + yes_no(args.use_host_repositories)) diff --git a/mkosi/backend.py b/mkosi/backend.py index da5ceb889..9b0fa8cd3 100644 
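Review bot: In install_arch, `SigLevel = {sig_level}` is written among the global directives (`Architecture`, `CheckSpace`, `ParallelDownloads`) ahead of `[core]`, so `Never` turns verification off for every repository section that follows, not only for the local mirror the new comment talks about. The comment states a precondition ("a single local mirror built on the fly") that the `else` branch never tests. If the rest of the template allows it, keep the global value at `Required DatabaseOptional` and put `SigLevel = Never` only in the section that points at the local mirror. The opening of the string literal lies outside the hunk, so also confirm it is an f-string, otherwise `{sig_level}` is written out literally.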
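Review bot: In the install_opensuse hunk, `--gpg-auto-import-keys` becomes the "check enabled" side of the new conditional, but that zypper flag automatically trusts and imports whatever signing key a repository presents. With `repository_key_check` left at its default the summary reports the key check as on, while the key's origin is still not verified on this path. A comment at the call site would make that explicit, for example `# --gpg-auto-import-keys verifies signatures but trusts any key the repo offers (trust on first use)`. As a matter of style, choosing the flag in a named local before `cmdline += [` would read more clearly than a conditional expression inside the list literal.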
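Review bot: The `help=` string in the create_parser hunk ("Controls signature and key checks on repositories") does not say what the default is, what disabling gives up, or that the switch is ignored on DNF-based distributions, although the mkosi.md hunk states all three. Something like `help="Verify repository signatures/keys (default: yes); disable only with a trusted --local-mirror; not applied on DNF-based distros"` would carry that to `--help` readers. For the same reason the new print_summary line can show "no" on a DNF-based build where, per the documentation hunk, the checks are still performed.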
--- a/mkosi/backend.py +++ b/mkosi/backend.py @@ -461,6 +461,7 @@ class MkosiArgs: release: str mirror: Optional[str] local_mirror: Optional[str] + repository_key_check: bool repositories: List[str] use_host_repositories: bool repos_dir: Optional[str] diff --git a/tests/test_config_parser.py b/tests/test_config_parser.py index 49968050a..35028d842 100644 --- a/tests/test_config_parser.py +++ b/tests/test_config_parser.py @@ -84,6 +84,7 @@ class MkosiConfig: "local_mirror": None, "manifest_format": None, "mirror": None, + "repository_key_check": True, "mksquashfs_tool": [], "no_chown": False, "nspawn_settings": None,
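Review bot: The tests/test_config_parser.py hunk only adds the default `"repository_key_check": True` to the expected reference config, so nothing visible here pins how a disabling value is parsed. Since this switch turns off signature verification, a case that sets `RepositoryKeyCheck=no` (and the `--repository-key-check=0` form) and asserts `repository_key_check` is `False` would guard against the boolean parsing regressing in either direction. The rest of the test class is outside the hunk, so such a case may already exist elsewhere in the file.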