From: Daan De Meyer
Date: Thu, 12 Oct 2023 10:12:47 +0000 (+0200)
Subject: Beef up GPG key handling
X-Git-Tag: v19~84
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=eaf9b8bc5f6140b3543f2f09f25dc593f496b95e;p=thirdparty%2Fmkosi.git
Beef up GPG key handling
Let's look for GPG keys in a few more places. Let's also introduce a function find_rpm_gpgkey() to avoid duplication.
---
diff --git a/mkosi/distributions/alma.py b/mkosi/distributions/alma.py
index 6d2f3296a..ff90c23bf 100644
--- a/mkosi/distributions/alma.py
+++ b/mkosi/distributions/alma.py
@@ -1,9 +1,7 @@
 # SPDX-License-Identifier: LGPL-2.1+
-from pathlib import Path
-
 from mkosi.distributions import centos
-from mkosi.installer.dnf import Repo
+from mkosi.installer.dnf import Repo, find_rpm_gpgkey
 from mkosi.state import MkosiState
@@ -14,11 +12,13 @@ class Installer(centos.Installer):
 @staticmethod
 def gpgurls(state: MkosiState) -> tuple[str, ...]:
- gpgpath = Path(f"/usr/share/distribution-gpg-keys/alma/RPM-GPG-KEY-AlmaLinux-{state.config.release}")
- if gpgpath.exists():
- return (f"file://{gpgpath}",)
- else:
- return ("https://repo.almalinux.org/almalinux/RPM-GPG-KEY-AlmaLinux-$releasever",)
+ return (
+ find_rpm_gpgkey(
+ state,
+ f"RPM-GPG-KEY-AlmaLinux-{state.config.release}",
+ f"https://repo.almalinux.org/almalinux/RPM-GPG-KEY-AlmaLinux-{state.config.release}",
+ ),
+ )
 @classmethod
 def repository_variants(cls, state: MkosiState, repo: str) -> list[Repo]:
diff --git a/mkosi/distributions/centos.py b/mkosi/distributions/centos.py
index 9f91e546c..34121c108 100644
--- a/mkosi/distributions/centos.py
+++ b/mkosi/distributions/centos.py
@@ -8,7 +8,7 @@ from pathlib import Path
 from mkosi.architecture import Architecture
 from mkosi.distributions import Distribution, DistributionInstaller, PackageType
-from mkosi.installer.dnf import Repo, invoke_dnf, setup_dnf
+from mkosi.installer.dnf import Repo, find_rpm_gpgkey, invoke_dnf, setup_dnf
 from mkosi.log import complete_step, die
 from mkosi.state import MkosiState
 from mkosi.tree import rmtree
@@ -135,16 +135,8 @@ class Installer(DistributionInstaller):
 @staticmethod
 def gpgurls(state: MkosiState) -> tuple[str, ...]:
- gpgurls = []
-
- for key in ("CentOS-Official", "CentOS-SIG-Extras"):
- gpgpath = Path(f"/usr/share/distribution-gpg-keys/centos/RPM-GPG-KEY-{key}")
- if gpgpath.exists():
- gpgurls += [f"file://{gpgpath}"]
- else:
- gpgurls += [f"https://www.centos.org/keys/RPM-GPG-KEY-{key}"]
-
- return tuple(gpgurls)
+ keys = ("RPM-GPG-KEY-CentOS-Official", "RPM-GPG-KEY-CentOS-SIG-Extras")
+ return tuple(find_rpm_gpgkey(state, key, f"https://www.centos.org/keys/{key}") for key in keys)
 @classmethod
 def repository_variants(cls, state: MkosiState, repo: str) -> Iterable[Repo]:
@@ -276,11 +268,13 @@ class Installer(DistributionInstaller):
 @classmethod
 def epel_repositories(cls, state: MkosiState) -> Iterable[Repo]:
- gpgpath = Path(f"/usr/share/distribution-gpg-keys/centos/RPM-GPG-KEY-EPEL-{state.config.release}")
- if gpgpath.exists():
- gpgurls = (f"file://{gpgpath}",)
- else:
- gpgurls = (f"https://dl.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-{state.config.release}",)
+ gpgurls = (
+ find_rpm_gpgkey(
+ state,
+ f"RPM-GPG-KEY-EPEL-{state.config.release}",
+ f"https://dl.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-{state.config.release}",
+ ),
+ )
 if state.config.local_mirror:
 return
@@ -343,20 +337,12 @@ class Installer(DistributionInstaller):
 (
 "hyperscale",
 (f"packages-{c}" for c in ("main", "experimental", "facebook", "hotfixes", "spin", "intel")),
- ("CentOS-SIG-HyperScale",),
+ ("RPM-GPG-KEY-CentOS-SIG-HyperScale",),
 ),
 )
 for sig, components, keys in sigs:
- gpgurls = []
- for key in keys:
- gpgpath = Path(f"/usr/share/distribution-gpg-keys/centos/RPM-GPG-KEY-{key}")
- if gpgpath.exists():
- gpgurls += [f"file://{gpgpath}"]
- else:
- gpgurls += [f"https://www.centos.org/keys/RPM-GPG-KEY-{key}"]
-
- gpgurls = tuple(gpgurls)
+ gpgurls = tuple(find_rpm_gpgkey(state, key, f"https://www.centos.org/keys/{key}") for key in keys)
 for c in components:
 if state.config.mirror:
diff --git a/mkosi/distributions/fedora.py b/mkosi/distributions/fedora.py
index d9bfe19e2..568fb6c4b 100644
--- a/mkosi/distributions/fedora.py
+++ b/mkosi/distributions/fedora.py
@@ -2,11 +2,10 @@
 import urllib.parse
 from collections.abc import Sequence
-from pathlib import Path
 from mkosi.architecture import Architecture
 from mkosi.distributions import Distribution, DistributionInstaller, PackageType
-from mkosi.installer.dnf import Repo, invoke_dnf, setup_dnf
+from mkosi.installer.dnf import Repo, find_rpm_gpgkey, invoke_dnf, setup_dnf
 from mkosi.log import die
 from mkosi.state import MkosiState
@@ -78,12 +77,14 @@ class Installer(DistributionInstaller):
 @classmethod
 def setup(cls, state: MkosiState) -> None:
- gpgpath = Path(f"/usr/share/distribution-gpg-keys/fedora/RPM-GPG-KEY-fedora-{state.config.release}-primary")
- if gpgpath.exists():
- gpgurls = (f"file://{gpgpath}",)
- else:
- # See: https://fedoraproject.org/security/
- gpgurls = ("https://fedoraproject.org/fedora.gpg",)
+ gpgurls = (
+ find_rpm_gpgkey(
+ state,
+ key=f"RPM-GPG-KEY-fedora-{state.config.release}-primary",
+ url="https://fedoraproject.org/fedora.gpg",
+ ),
+ )
+
 repos = []
 if state.config.local_mirror:
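Review bot: The provenance comment for the fallback key is lost in `setup()` in fedora.py: the removed `else` branch carried `# See: https://fedoraproject.org/security/`, and the new `url="https://fedoraproject.org/fedora.gpg"` argument has nothing beside it saying where that URL is documented. I would keep it as a comment directly above the `url=` line, `# See: https://fedoraproject.org/security/`, because this URL is what package signature verification ends up trusting whenever no local key file is found. setup() continues past the end of the hunk.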
diff --git a/mkosi/distributions/rhel.py b/mkosi/distributions/rhel.py
index a128be12a..36665048f 100644
--- a/mkosi/distributions/rhel.py
+++ b/mkosi/distributions/rhel.py
@@ -5,7 +5,7 @@ from pathlib import Path
 from typing import Any, Optional
 from mkosi.distributions import centos
-from mkosi.installer.dnf import Repo
+from mkosi.installer.dnf import Repo, find_rpm_gpgkey
 from mkosi.log import die
 from mkosi.state import MkosiState
@@ -17,7 +17,15 @@ class Installer(centos.Installer):
 @staticmethod
 def gpgurls(state: MkosiState) -> tuple[str, ...]:
- return ("https://access.redhat.com/security/data/fd431d51.txt",)
+ major = int(float(state.config.release))
+
+ return (
+ find_rpm_gpgkey(
+ state,
+ f"RPM-GPG-KEY-redhat{major}-release",
+ "https://access.redhat.com/security/data/fd431d51.txt",
+ ),
+ )
 @staticmethod
 def sslcacert(state: MkosiState) -> Optional[Path]:
diff --git a/mkosi/distributions/rhel_ubi.py b/mkosi/distributions/rhel_ubi.py
index 2f1d070a9..bd2218ff9 100644
--- a/mkosi/distributions/rhel_ubi.py
+++ b/mkosi/distributions/rhel_ubi.py
@@ -3,7 +3,7 @@
 from collections.abc import Iterable
 from mkosi.distributions import centos
-from mkosi.installer.dnf import Repo
+from mkosi.installer.dnf import Repo, find_rpm_gpgkey
 from mkosi.state import MkosiState
@@ -14,7 +14,15 @@ class Installer(centos.Installer):
 @staticmethod
 def gpgurls(state: MkosiState) -> tuple[str, ...]:
- return ("https://access.redhat.com/security/data/fd431d51.txt",)
+ major = int(float(state.config.release))
+
+ return (
+ find_rpm_gpgkey(
+ state,
+ f"RPM-GPG-KEY-redhat{major}-release",
+ "https://access.redhat.com/security/data/fd431d51.txt",
+ ),
+ )
 @classmethod
 def repository_variants(cls, state: MkosiState, repo: str) -> Iterable[Repo]:
diff --git a/mkosi/distributions/rocky.py b/mkosi/distributions/rocky.py
index 3db9e930f..e09bf03df 100644
--- a/mkosi/distributions/rocky.py
+++ b/mkosi/distributions/rocky.py
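Review bot: `major = int(float(state.config.release))` in rhel.py `gpgurls()` raises an uncaught ValueError when the configured release is not a plain number, unless the release is validated somewhere outside this diff; the rhel_ubi.py `gpgurls()` hunk repeats the same line. Only the leading component is needed to build the key file name, so `major = state.config.release.partition(".")[0]` does the job without the float round-trip and simply falls through to the URL when no file matches. If a non-numeric release should be rejected instead, a `die()` with a clear message reads better than a traceback, and rhel.py already imports `die`.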
@@ -1,9 +1,7 @@
 # SPDX-License-Identifier: LGPL-2.1+
-from pathlib import Path
-
 from mkosi.distributions import centos
-from mkosi.installer.dnf import Repo
+from mkosi.installer.dnf import Repo, find_rpm_gpgkey
 from mkosi.state import MkosiState
@@ -14,11 +12,13 @@ class Installer(centos.Installer):
 @staticmethod
 def gpgurls(state: MkosiState) -> tuple[str, ...]:
- gpgpath = Path(f"/usr/share/distribution-gpg-keys/rocky/RPM-GPG-KEY-Rocky-{state.config.release}")
- if gpgpath.exists():
- return (f"file://{gpgpath}",)
- else:
- return ("https://download.rockylinux.org/pub/rocky/RPM-GPG-KEY-Rocky-$releasever",)
+ return (
+ find_rpm_gpgkey(
+ state,
+ f"RPM-GPG-KEY-Rocky-{state.config.release}",
+ f"https://download.rockylinux.org/pub/rocky/RPM-GPG-KEY-Rocky-{state.config.release}",
+ ),
+ )
 @classmethod
 def repository_variants(cls, state: MkosiState, repo: str) -> list[Repo]:
diff --git a/mkosi/installer/dnf.py b/mkosi/installer/dnf.py
index 963e21775..ca302842d 100644
--- a/mkosi/installer/dnf.py
+++ b/mkosi/installer/dnf.py
@@ -23,6 +23,16 @@ class Repo(NamedTuple):
 sslclientcert: Optional[Path] = None
+def find_rpm_gpgkey(state: MkosiState, key: str, url: str) -> str:
+ for gpgdir in ("usr/share/distribution-gpg-keys", "etc/pki/rpm-gpg"):
+ for root in (state.pkgmngr, state.root, Path("/")):
+ gpgpath = next((root / Path(gpgdir)).rglob(key), None)
+ if gpgpath:
+ return f"file://{gpgpath}"
+
+ return url
+
+
 def dnf_executable(state: MkosiState) -> str:
 # dnf5 does not support building for foreign architectures yet (missing --forcearch)
 dnf = shutil.which("dnf5") if state.config.architecture.is_native() else None
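Review bot: `find_rpm_gpgkey()` in dnf.py returns the first path that `rglob(key)` yields under `state.pkgmngr`, `state.root` and then `/`, so the key dnf will trust is selected by file name alone from whichever tree holds a match, with no check that it is a regular file. Since `state.root` is the image tree being built, a key file that reaches it from a base or skeleton tree (if the root is populated before this runs) would win over the host's copy; a docstring should state the intended precedence, and it is worth considering whether the image root belongs in the search at all. `rglob` order depends on the filesystem, so `gpgpath = next((p for p in sorted((root / gpgdir).rglob(key)) if p.is_file()), None)` would make the choice deterministic. The callers changed in alma.py, centos.py, fedora.py, rhel.py, rhel_ubi.py and rocky.py all inherit this, and logging whether a local file or the fallback URL was chosen would make the selected trust anchor auditable.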