From: Daan De Meyer Date: Tue, 3 Oct 2023 12:42:50 +0000 (+0200) Subject: Use local GPG keys from distribution-gpg-keys if available X-Git-Tag: v18~16 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d104f9753610903e4f90f6ad50f5e2e999fb473f;p=thirdparty%2Fmkosi.git Use local GPG keys from distribution-gpg-keys if available Let's prefer using local keys from the distribution-gpg-keys package if available. --- diff --git a/mkosi/distributions/alma.py b/mkosi/distributions/alma.py index ef58c4a3d..cb510d55f 100644 --- a/mkosi/distributions/alma.py +++ b/mkosi/distributions/alma.py @@ -1,5 +1,7 @@ # SPDX-License-Identifier: LGPL-2.1+ +from pathlib import Path + from mkosi.config import MkosiConfig from mkosi.distributions import centos from mkosi.installer.dnf import Repo @@ -11,8 +13,12 @@ class Installer(centos.Installer): return "AlmaLinux" @staticmethod - def gpgurls() -> tuple[str, ...]: - return ("https://repo.almalinux.org/almalinux/RPM-GPG-KEY-AlmaLinux-$releasever",) + def gpgurls(config: MkosiConfig) -> tuple[str, ...]: + gpgpath = Path(f"/usr/share/distribution-gpg-keys/alma/RPM-GPG-KEY-AlmaLinux-{config.release}") + if gpgpath.exists(): + return (f"file://{gpgpath}",) + else: + return ("https://repo.almalinux.org/almalinux/RPM-GPG-KEY-AlmaLinux-$releasever",) @classmethod def repository_variants(cls, config: MkosiConfig, repo: str) -> list[Repo]: @@ -21,7 +27,7 @@ class Installer(centos.Installer): else: url = f"mirrorlist=https://mirrors.almalinux.org/mirrorlist/$releasever/{repo.lower()}" - return [Repo(repo, url, cls.gpgurls())] + return [Repo(repo, url, cls.gpgurls(config))] @classmethod def sig_repositories(cls, config: MkosiConfig) -> list[Repo]: diff --git a/mkosi/distributions/centos.py b/mkosi/distributions/centos.py index 248a062ca..59665cbba 100644 --- a/mkosi/distributions/centos.py +++ b/mkosi/distributions/centos.py 
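Review bot: The choice between the packaged key and the network download in `gpgurls` is made silently by a bare `gpgpath.exists()`, so a mistyped path, or a directory at that location, cannot be told apart from the package simply not being installed. The same inline check is repeated in centos.py (`gpgurls`, `epel_repositories` and the `sigs` loop), fedora.py (`setup`) and rocky.py (`gpgurls`). One helper that takes the key's relative path and the fallback URL, tests with `is_file()`, and reports which source it picked would keep the trust anchor visible in build output. The excerpt sketches that helper and the AlmaLinux call site; the helper name and its home module are suggestions only.

```python
def gpgkey_url(relpath: str, fallback: str) -> str:
    """Return a file:// URL for a key shipped by distribution-gpg-keys, else the fallback URL."""
    gpgpath = Path("/usr/share/distribution-gpg-keys") / relpath
    if gpgpath.is_file():
        return f"file://{gpgpath}"
    # Not installed locally: the key is fetched at build time, so trust rests on the download.
    return fallback


    @staticmethod
    def gpgurls(config: MkosiConfig) -> tuple[str, ...]:
        return (
            gpgkey_url(
                f"alma/RPM-GPG-KEY-AlmaLinux-{config.release}",
                "https://repo.almalinux.org/almalinux/RPM-GPG-KEY-AlmaLinux-$releasever",
            ),
        )
```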
@@ -70,6 +70,7 @@ class Installer(DistributionInstaller): "cpio", "curl", "debian-keyring", + "distribution-gpg-keys", "dnf", "dosfstools", "e2fsprogs", @@ -137,34 +138,40 @@ class Installer(DistributionInstaller): return a @staticmethod - def gpgurls() -> tuple[str, ...]: - return ( - "https://www.centos.org/keys/RPM-GPG-KEY-CentOS-Official", - "https://www.centos.org/keys/RPM-GPG-KEY-CentOS-SIG-Extras", - ) + def gpgurls(config: MkosiConfig) -> tuple[str, ...]: + gpgurls = [] + + for key in ("CentOS-Official", "CentOS-SIG-Extras"): + gpgpath = Path(f"/usr/share/distribution-gpg-keys/centos/RPM-GPG-KEY-{key}") + if gpgpath.exists(): + gpgurls += [f"file://{gpgpath}"] + else: + gpgurls += [f"https://www.centos.org/keys/RPM-GPG-KEY-{key}"] + + return tuple(gpgurls) @classmethod def repository_variants(cls, config: MkosiConfig, repo: str) -> Iterable[Repo]: if config.local_mirror: - yield Repo(repo, f"baseurl={config.local_mirror}", cls.gpgurls()) + yield Repo(repo, f"baseurl={config.local_mirror}", cls.gpgurls(config)) elif config.mirror: if int(config.release) <= 8: yield Repo( repo.lower(), f"baseurl={join_mirror(config, f'centos/$stream/{repo}/$basearch/os')}", - cls.gpgurls(), + cls.gpgurls(config), ) yield Repo( f"{repo.lower()}-debuginfo", f"baseurl={join_mirror(config, 'centos-debuginfo/$stream/$basearch')}", - cls.gpgurls(), + cls.gpgurls(config), enabled=False, ) yield Repo( f"{repo.lower()}-source", f"baseurl={join_mirror(config, f'centos/$stream/{repo}/Source')}", - cls.gpgurls(), + cls.gpgurls(config), enabled=False, ) else: @@ -172,12 +179,12 @@ class Installer(DistributionInstaller): yield Repo( repo.lower(), f"baseurl={join_mirror(config, f'SIGs/$stream/{repo}/$basearch/extras-common')}", - cls.gpgurls(), + cls.gpgurls(config), ) yield Repo( f"{repo.lower()}-source", f"baseurl={join_mirror(config, f'SIGs/$stream/{repo}/source/extras-common')}", - cls.gpgurls(), + cls.gpgurls(config), enabled=False, ) 
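Review bot: Adding `distribution-gpg-keys` to this package list only helps if the `Path(...).exists()` checks introduced elsewhere in the commit look inside the tools tree. They test the absolute path `/usr/share/distribution-gpg-keys/...` as seen by the mkosi process. If the tools tree is only mounted for child commands (not visible in this diff, so confirm), the check reflects the host while dnf resolves the `file://` URL in the tools tree, and the two can disagree in either direction. Resolving the path against the tools tree root before testing it would close that gap. The same applies to the identical list entries added in fedora.py and opensuse.py.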
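Review bot: `cls.gpgurls(config)` now stats the filesystem on every call, and `repository_variants` calls it once per `Repo` it yields (also in the hunks at -172, -185, -205 and -227). Binding it once at the top, `gpgurls = cls.gpgurls(config)`, keeps every repo in one run on the same key source and shortens the call sites. Separately, no centos.py hunk adds `from pathlib import Path` the way alma.py, fedora.py and rocky.py do; presumably the module already imports it, but that is worth confirming. `repository_variants` continues outside the hunk.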
@@ -185,18 +192,18 @@ class Installer(DistributionInstaller): yield Repo( repo.lower(), f"baseurl={join_mirror(config, f'$stream/{repo}/$basearch/os')}", - cls.gpgurls(), + cls.gpgurls(config), ) yield Repo( f"{repo.lower()}-debuginfo", f"baseurl={join_mirror(config, f'$stream/{repo}/$basearch/debug/tree')}", - cls.gpgurls(), + cls.gpgurls(config), enabled=False, ) yield Repo( f"{repo.lower()}-source", f"baseurl={join_mirror(config, f'$stream/{repo}/source/tree')}", - cls.gpgurls(), + cls.gpgurls(config), enabled=False, ) @@ -205,19 +212,19 @@ class Installer(DistributionInstaller): yield Repo( repo.lower(), f"mirrorlist=http://mirrorlist.centos.org/?release=$stream&arch=$basearch&repo={repo}", - cls.gpgurls(), + cls.gpgurls(config), ) # These can't be retrieved from the mirrorlist. yield Repo( f"{repo.lower()}-debuginfo", "baseurl=http://debuginfo.centos.org/$stream/$basearch", - cls.gpgurls(), + cls.gpgurls(config), enabled=False, ) yield Repo( f"{repo.lower()}-source", f"baseurl=https://vault.centos.org/centos/$stream/{repo}/Source", - cls.gpgurls(), + cls.gpgurls(config), enabled=False, ) else: @@ -227,30 +234,30 @@ class Installer(DistributionInstaller): yield Repo( repo.lower(), f"{url}?arch=$basearch&repo=centos-extras-sig-extras-common-$stream", - cls.gpgurls(), + cls.gpgurls(config), ) yield Repo( f"{repo.lower()}-source", f"{url}?arch=source&repo=centos-extras-sig-extras-common-source-$stream", - cls.gpgurls(), + cls.gpgurls(config), enabled=False, ) else: yield Repo( repo.lower(), f"{url}?arch=$basearch&repo=centos-{repo.lower()}-$stream", - cls.gpgurls(), + cls.gpgurls(config), ) yield Repo( f"{repo.lower()}-debuginfo", f"{url}?arch=$basearch&repo=centos-{repo.lower()}-debug-$stream", - cls.gpgurls(), + cls.gpgurls(config), enabled=False, ) yield Repo( f"{repo.lower()}-source", f"{url}?arch=source&repo=centos-{repo.lower()}-source-$stream", - cls.gpgurls(), + cls.gpgurls(config), enabled=False, ) 
@@ -273,7 +280,11 @@ class Installer(DistributionInstaller): @classmethod def epel_repositories(cls, config: MkosiConfig) -> Iterable[Repo]: - gpgurls = ("https://dl.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-$releasever",) + gpgpath = Path(f"/usr/share/distribution-gpg-keys/centos/RPM-GPG-KEY-EPEL-{config.release}") + if gpgpath.exists(): + gpgurls = (f"file://{gpgpath}",) + else: + gpgurls = (f"https://dl.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-{config.release}",) if config.local_mirror: return @@ -336,11 +347,17 @@ class Installer(DistributionInstaller): ( "hyperscale", (f"packages-{c}" for c in ("main", "experimental", "facebook", "hotfixes", "spin", "intel")), - ("https://www.centos.org/keys/RPM-GPG-KEY-CentOS-SIG-HyperScale",), + ("CentOS-SIG-HyperScale",), ), ) - for sig, components, gpgurls in sigs: + for sig, components, key in sigs: + gpgpath = Path(f"/usr/share/distribution-gpg-keys/centos/RPM-GPG-KEY-{key}") + if gpgpath.exists(): + gpgurls = (f"file://{gpgpath}",) + else: + gpgurls = (f"https://www.centos.org/keys/RPM-GPG-KEY-{key}",) + for c in components: if config.mirror: if int(config.release) <= 8: diff --git a/mkosi/distributions/fedora.py b/mkosi/distributions/fedora.py index 6c06a5aa1..bcd24b6c8 100644 --- a/mkosi/distributions/fedora.py +++ b/mkosi/distributions/fedora.py @@ -2,6 +2,7 @@ import urllib.parse from collections.abc import Sequence +from pathlib import Path from mkosi.architecture import Architecture from mkosi.distributions import Distribution, DistributionInstaller, PackageType @@ -44,6 +45,7 @@ class Installer(DistributionInstaller): "cpio", "curl-minimal", "debian-keyring", + "distribution-gpg-keys", "dnf5", "dosfstools", "e2fsprogs", 
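Review bot: The EPEL lookup searches under `centos/`, and the fallback URL switches from dnf's `$releasever` to `{config.release}`, unlike the AlmaLinux and Rocky fallbacks, which keep `$releasever`. distribution-gpg-keys appears to ship EPEL keys in its own `epel/` directory (verify against the installed package). If so, the local branch never matches and the build silently downloads the key, which would call for `Path(f"/usr/share/distribution-gpg-keys/epel/RPM-GPG-KEY-EPEL-{config.release}")`. If `config.release` can differ from what dnf expands `$releasever` to, the fallback URL also changes meaning, so either keep `$releasever` there or note why it was replaced.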
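Review bot: `key` is still a one-element tuple in the `hyperscale` entry (`("CentOS-SIG-HyperScale",)`), so `RPM-GPG-KEY-{key}` interpolates the tuple's repr rather than the key name. The local path therefore never exists, and the fallback becomes a malformed centos.org URL, leaving the HyperScale repos without a usable key. Store the bare string, `"CentOS-SIG-HyperScale",`, and convert any other `sigs` entries above the hunk the same way. The enclosing method starts and continues outside the hunk.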
@@ -76,8 +78,12 @@ class Installer(DistributionInstaller): @classmethod def setup(cls, state: MkosiState) -> None: - # See: https://fedoraproject.org/security/ - gpgurls = ("https://fedoraproject.org/fedora.gpg",) + gpgpath = Path(f"/usr/share/distribution-gpg-keys/fedora/RPM-GPG-KEY-fedora-{state.config.release}-primary") + if gpgpath.exists(): + gpgurls = (f"file://{gpgpath}",) + else: + # See: https://fedoraproject.org/security/ + gpgurls = ("https://fedoraproject.org/fedora.gpg",) repos = [] if state.config.local_mirror: diff --git a/mkosi/distributions/opensuse.py b/mkosi/distributions/opensuse.py index 7e46ade11..639d9a20e 100644 --- a/mkosi/distributions/opensuse.py +++ b/mkosi/distributions/opensuse.py @@ -44,6 +44,7 @@ class Installer(DistributionInstaller): "coreutils", "cpio", "curl", + "distribution-gpg-keys", "dnf", "dosfstools", "e2fsprogs", diff --git a/mkosi/distributions/rhel_ubi.py b/mkosi/distributions/rhel_ubi.py index 32c84dbcd..4751fe244 100644 --- a/mkosi/distributions/rhel_ubi.py +++ b/mkosi/distributions/rhel_ubi.py 
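Review bot: The two branches in `setup` do not trust the same set of keys, and nothing in the code says so: the local path is the single `RPM-GPG-KEY-fedora-{release}-primary` key, while the fallback `fedora.gpg` is Fedora's combined keyring. The narrower local key is arguably the tighter choice, but someone debugging a signature failure that only occurs with distribution-gpg-keys installed needs to know about the difference. A comment above `gpgpath` such as `# Local key covers only this release; the fallback URL is the keyring for all current releases.` would document it. `setup` continues past the hunk.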
@@ -13,37 +13,37 @@ class Installer(centos.Installer): return "RHEL UBI" @staticmethod - def gpgurls() -> tuple[str, ...]: + def gpgurls(config: MkosiConfig) -> tuple[str, ...]: return ("https://access.redhat.com/security/data/fd431d51.txt",) @classmethod def repository_variants(cls, config: MkosiConfig, repo: str) -> Iterable[Repo]: if config.local_mirror: - yield Repo(repo, f"baseurl={config.local_mirror}", cls.gpgurls()) + yield Repo(repo, f"baseurl={config.local_mirror}", cls.gpgurls(config)) else: v = config.release yield Repo( f"ubi-{v}-{repo}-rpms", f"baseurl={centos.join_mirror(config, f'ubi{v}/{v}/$basearch/{repo}/os')}", - cls.gpgurls(), + cls.gpgurls(config), ) yield Repo( f"ubi-{v}-{repo}-debug-rpms", f"baseurl={centos.join_mirror(config, f'ubi{v}/{v}/$basearch/{repo}/debug')}", - cls.gpgurls(), + cls.gpgurls(config), enabled=False, ) yield Repo( f"ubi-{v}-{repo}-source", f"baseurl={centos.join_mirror(config, f'ubi{v}/{v}/$basearch/{repo}/source')}", - cls.gpgurls(), + cls.gpgurls(config), enabled=False, ) if repo == "codeready-builder": yield Repo( f"ubi-{v}-{repo}", f"baseurl={centos.join_mirror(config, f'ubi{v}/{v}/$basearch/{repo}/os')}", - cls.gpgurls(), + cls.gpgurls(config), enabled=False, ) diff --git a/mkosi/distributions/rocky.py b/mkosi/distributions/rocky.py index b57cbc5d3..6f4e87cc2 100644 --- a/mkosi/distributions/rocky.py +++ b/mkosi/distributions/rocky.py @@ -1,5 +1,7 @@ # SPDX-License-Identifier: LGPL-2.1+ +from pathlib import Path + from mkosi.config import MkosiConfig from mkosi.distributions import centos from mkosi.installer.dnf import Repo 
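Review bot: `gpgurls` now accepts `config` but still returns only the `access.redhat.com` URL, so RHEL UBI is the one `gpgurls` override in this commit that never uses a local key. If distribution-gpg-keys ships the Red Hat release key (not checked here), the same local-first lookup would apply. If the omission is deliberate, a short comment such as `# config is unused; accepted only to match centos.Installer.gpgurls` would keep a later reader from assuming the lookup was forgotten.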
@@ -11,8 +13,12 @@ class Installer(centos.Installer): return "Rocky Linux" @staticmethod - def gpgurls() -> tuple[str, ...]: - return ("https://download.rockylinux.org/pub/rocky/RPM-GPG-KEY-Rocky-$releasever",) + def gpgurls(config: MkosiConfig) -> tuple[str, ...]: + gpgpath = Path(f"/usr/share/distribution-gpg-keys/rocky/RPM-GPG-KEY-Rocky-{config.release}") + if gpgpath.exists(): + return (f"file://{gpgpath}",) + else: + return ("https://download.rockylinux.org/pub/rocky/RPM-GPG-KEY-Rocky-$releasever",) @classmethod def repository_variants(cls, config: MkosiConfig, repo: str) -> list[Repo]: @@ -21,7 +27,7 @@ class Installer(centos.Installer): else: url = f"mirrorlist=https://mirrors.rockylinux.org/mirrorlist?arch=$basearch&repo={repo}-$releasever" - return [Repo(repo, url, cls.gpgurls())] + return [Repo(repo, url, cls.gpgurls(config))] @classmethod def sig_repositories(cls, config: MkosiConfig) -> list[Repo]: diff --git a/mkosi/resources/mkosi.md b/mkosi/resources/mkosi.md index 259ff6b13..504f54ec3 100644 --- a/mkosi/resources/mkosi.md +++ b/mkosi/resources/mkosi.md 
@@ -1173,43 +1173,44 @@ boolean argument: either `1`, `yes`, or `true` to enable, or `0`, `no`, which distributions default tools tree packages are defined and which packages are included in those default tools trees: - | | Fedora | CentOS | Debian | Arch | openSUSE | - |---------------------|--------|--------|--------|------|----------| - | `apt` | X | X | X | X | | - | `archlinux-keyring` | X | | X | X | | - | `bash` | X | X | X | X | X | - | `btrfs-progs` | X | | X | X | X | - | `bubblewrap` | X | X | X | X | X | - | `ca-certificates` | X | X | X | X | X | - | `coreutils` | X | X | X | X | X | - | `cpio` | X | X | X | X | X | - | `curl` | X | X | X | X | X | - | `debian-keyring` | X | X | X | X | | - | `dnf` | X | X | X | X | X | - | `dosfstools` | X | X | X | X | X | - | `e2fsprogs` | X | X | X | X | X | - | `edk2-ovmf` | X | X | X | X | X | - | `erofs-utils` | X | | X | X | X | - | `mtools` | X | X | X | X | X | - | `openssh` | X | X | X | X | X | - | `openssl` | X | X | X | X | X | - | `pacman` | X | | X | X | | - | `pesign` | X | X | X | X | X | - | `qemu` | X | X | X | X | X | - | `sbsigntools` | X | | X | X | X | - | `socat` | X | X | X | X | X | - | `squashfs-tools` | X | X | X | X | X | - | `strace` | X | X | X | X | X | - | `swtpm` | X | X | X | X | X | - | `systemd` | X | X | X | X | X | - | `ukify` | X | | X | X | X | - | `tar` | X | X | X | X | X | - | `util-linux` | X | X | X | X | X | - | `virtiofsd` | X | X | | X | X | - | `xfsprogs` | X | X | X | X | X | - | `xz` | X | X | X | X | X | - | `zstd` | X | X | X | X | X | - | `zypper` | X | | X | X | | + | | Fedora | CentOS | Debian | Arch | openSUSE | + |-------------------------|--------|--------|--------|------|----------| + | `apt` | X | X | X | X | | + | `archlinux-keyring` | X | | X | X | | + | `bash` | X | X | X | X | X | + | `btrfs-progs` | X | | X | X | X | + | `bubblewrap` | X | X | X | X | X | + | `ca-certificates` | X | X | X | X | X | + | `coreutils` | X | X | X | X | X | + | `cpio` | X | 
X | X | X | X | + | `curl` | X | X | X | X | X | + | `debian-keyring` | X | X | X | X | | + | `distribution-gpg-keys` | X | X | | | X | + | `dnf` | X | X | X | X | X | + | `dosfstools` | X | X | X | X | X | + | `e2fsprogs` | X | X | X | X | X | + | `edk2-ovmf` | X | X | X | X | X | + | `erofs-utils` | X | | X | X | X | + | `mtools` | X | X | X | X | X | + | `openssh` | X | X | X | X | X | + | `openssl` | X | X | X | X | X | + | `pacman` | X | | X | X | | + | `pesign` | X | X | X | X | X | + | `qemu` | X | X | X | X | X | + | `sbsigntools` | X | | X | X | X | + | `socat` | X | X | X | X | X | + | `squashfs-tools` | X | X | X | X | X | + | `strace` | X | X | X | X | X | + | `swtpm` | X | X | X | X | X | + | `systemd` | X | X | X | X | X | + | `ukify` | X | | X | X | X | + | `tar` | X | X | X | X | X | + | `util-linux` | X | X | X | X | X | + | `virtiofsd` | X | X | | X | X | + | `xfsprogs` | X | X | X | X | X | + | `xz` | X | X | X | X | X | + | `zstd` | X | X | X | X | X | + | `zypper` | X | | X | X | | `ToolsTreeDistribution=`, `--tools-tree-distribution=`