From: Daan De Meyer Date: Thu, 22 Aug 2024 10:10:50 +0000 (+0200) Subject: fedora: Get rawhide GPG key from github X-Git-Tag: v25~347 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f86e0de5b461da4900d17f1e8362ff251c983cf6;p=thirdparty%2Fmkosi.git fedora: Get rawhide GPG key from github fedora.gpg is always out-of-date when rawhide branches, so let's instead fetch the rawhide key from distribution-gpg-keys on Github which does seem to get updated before rawhide branches.
---
diff --git a/mkosi/curl.py b/mkosi/curl.py
new file mode 100644
index 000000000..900c392e9
--- /dev/null
+++ b/mkosi/curl.py
@@ -0,0 +1,31 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+from pathlib import Path
+
+from mkosi.config import Config
+from mkosi.mounts import finalize_crypto_mounts
+from mkosi.run import run
+
+
+def curl(config: Config, url: str, output_dir: Path) -> None:
+ run(
+ [
+ "curl",
+ "--location",
+ "--output-dir", output_dir,
+ "--remote-name",
+ "--no-progress-meter",
+ "--fail",
+ *(["--proxy", config.proxy_url] if config.proxy_url else []),
+ *(["--noproxy", ",".join(config.proxy_exclude)] if config.proxy_exclude else []),
+ *(["--proxy-capath", "/proxy.cacert"] if config.proxy_peer_certificate else []),
+ *(["--proxy-cert", "/proxy.clientcert"] if config.proxy_client_certificate else []),
+ *(["--proxy-key", "/proxy.clientkey"] if config.proxy_client_key else []),
+ url,
+ ],
+ sandbox=config.sandbox(
+ binary="curl",
+ network=True,
+ options=["--bind", output_dir, output_dir, *finalize_crypto_mounts(config)],
+ ),
+ )
diff --git a/mkosi/distributions/fedora.py b/mkosi/distributions/fedora.py
index 97008311a..356e8b4bd 100644
--- a/mkosi/distributions/fedora.py
+++ b/mkosi/distributions/fedora.py
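Review bot: `--location` is passed with no protocol restriction in the new `curl()` helper, so by default a redirect from an HTTPS URL to plain HTTP is followed, and in this commit the helper is the path that fetches signing-key material and repository metadata. If every caller is expected to use HTTPS, adding `"--proto", "=https",` and `"--proto-redir", "=https",` to the argument list would stop a redirect from downgrading the transfer; if plain-HTTP mirrors must keep working, a comment should say that integrity is not guaranteed by the transport. The function also has no docstring; one such as `"""Download url into output_dir under the URL's last path component (--remote-name), using the configured proxy settings."""` would tell callers which file name to read back.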
@@ -1,11 +1,13 @@ # SPDX-License-Identifier: LGPL-2.1-or-later import re +import tempfile from collections.abc import Iterable, Sequence from pathlib import Path from mkosi.config import Architecture, Config from mkosi.context import Context +from mkosi.curl import curl from mkosi.distributions import ( DistributionInstaller, PackageType, @@ -47,7 +49,22 @@ def find_fedora_rpm_gpgkeys(context: Context) -> Iterable[str]: die("Fedora GPG keys not found in /usr/share/distribution-gpg-keys", hint="Make sure the distribution-gpg-keys package is installed") - yield "https://fedoraproject.org/fedora.gpg" + if context.config.release == "rawhide": + # https://fedoraproject.org/fedora.gpg is always outdated when the rawhide key changes. Instead, let's + # fetch it from distribution-gpg-keys on github, which is generally up-to-date. + keys = "https://raw.githubusercontent.com/rpm-software-management/distribution-gpg-keys/main/keys/fedora" + + # The rawhide key is a symlink and github doesn't redirect those to the actual file for some reason, so we + # fetch the file and read the release it points to ourselves. + with tempfile.TemporaryDirectory() as d: + curl(context.config, f"{keys}/RPM-GPG-KEY-fedora-rawhide-primary", Path(d)) + key = (Path(d) / "RPM-GPG-KEY-fedora-rawhide-primary").read_text() + + keyurl = f"{keys}/{key}" + else: + keyurl = "https://fedoraproject.org/fedora.gpg" + + yield keyurl class Installer(DistributionInstaller): diff --git a/mkosi/distributions/opensuse.py b/mkosi/distributions/opensuse.py index 0b4dc5ba6..98539d38a 100644 --- a/mkosi/distributions/opensuse.py +++ b/mkosi/distributions/opensuse.py @@ -7,6 +7,7 @@ from xml.etree import ElementTree from mkosi.config import Architecture, Config from mkosi.context import Context +from mkosi.curl import curl from mkosi.distributions import DistributionInstaller, PackageType, join_mirror from mkosi.installer import PackageManager from mkosi.installer.dnf import Dnf 
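Review bot: The text downloaded from `RPM-GPG-KEY-fedora-rawhide-primary` is interpolated into `keyurl` unchecked, in the rawhide branch added to `find_fedora_rpm_gpgkeys` (the function starts outside the hunk). That URL is then yielded as a key source, so whatever the remote returns (a trailing newline, a value containing `/` or `..`, or the whole key body if GitHub ever starts resolving the symlink) flows straight into it. Read it with `.read_text().strip()` and reject anything that is not a bare key file name, e.g. `if not re.fullmatch(r"RPM-GPG-KEY-fedora-[0-9]+-primary", key): die(f"Unexpected rawhide key symlink target: {key!r}")`; the exact pattern should be confirmed against the file names in the upstream keys directory. The existing comment could also record that the rawhide trust anchor now comes from the mutable `main` branch of a GitHub repository and is protected only by TLS to that host.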
@@ -239,27 +240,7 @@ def fetch_gpgurls(context: Context, repourl: str) -> tuple[str, ...]: gpgurls = [f"{repourl}/repodata/repomd.xml.key"] with tempfile.TemporaryDirectory() as d: - run( - [ - "curl", - "--location", - "--output-dir", d, - "--remote-name", - "--no-progress-meter", - "--fail", - *(["--proxy", context.config.proxy_url] if context.config.proxy_url else []), - *(["--noproxy", ",".join(context.config.proxy_exclude)] if context.config.proxy_exclude else []), - *(["--proxy-capath", "/proxy.cacert"] if context.config.proxy_peer_certificate else []), - *(["--proxy-cert", "/proxy.clientcert"] if context.config.proxy_client_certificate else []), - *(["--proxy-key", "/proxy.clientkey"] if context.config.proxy_client_key else []), - f"{repourl}/repodata/repomd.xml", - ], - sandbox=context.sandbox( - binary="curl", - network=True, - options=["--bind", d, d, *finalize_crypto_mounts(context.config)], - ), - ) + curl(context.config, f"{repourl}/repodata/repomd.xml", Path(d)) xml = (Path(d) / "repomd.xml").read_text() root = ElementTree.fromstring(xml)
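Review bot: The removed inline call ran curl under `context.sandbox(...)`, while the `curl()` helper that replaces it builds its sandbox from `config.sandbox(...)`, so this line changes the sandbox as well as deduplicating code. If `Context.sandbox` adds mounts or options that the download relied on, they are silently dropped here; that is not visible from this hunk and should be confirmed. A short comment on the call, or a sentence in the commit message, would record that the switch is intentional. `fetch_gpgurls` starts outside the hunk.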