From: Michael A Cassaniti Date: Wed, 26 Apr 2023 04:32:12 +0000 (+1000) Subject: hash signing: Use keyring of running user for non-root builds X-Git-Tag: v15~193^2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F1516%2Fhead;p=thirdparty%2Fmkosi.git hash signing: Use keyring of running user for non-root builds `gpg` will attempt to use the root user keyring When running as a non-root user instead of using the keyring of the user that is executing `mkosi`. This change will attempt to use the keyring given by `GNUPGHOME` and fallback to using `~/.gnupg`.
---
diff --git a/mkosi/__init__.py b/mkosi/__init__.py
index 6cddc2dc4..9f6442074 100644
--- a/mkosi/__init__.py
+++ b/mkosi/__init__.py
@@ -848,7 +848,21 @@ def calculate_signature(state: MkosiState) -> None:
 state.staging / state.config.output_checksum.name,
 ]
- run(cmdline)
+ run(
+ cmdline,
+ # Do not output warnings about keyring permissions
+ stderr=subprocess.DEVNULL,
+ env={
+ # Set the path of the keyring to use based on the environment
+ # if possible and fallback to the default path. Without this the
+ # keyring for the root user will instead be used which will fail
+ # for a non-root build.
+ 'GNUPGHOME': os.environ.get(
+ 'GNUPGHOME',
+ Path(os.environ['HOME']).joinpath('.gnupg')
+ )
+ }
+ )
 def acl_toggle_remove(config: MkosiConfig, root: Path, uid: int, *, allow: bool) -> None:
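Review bot: `stderr=subprocess.DEVNULL` on the new `run(...)` call discards everything gpg writes to stderr, not only the keyring-permission warning named in the comment, so a signing failure (missing or expired key, agent or pinentry error) would be reported, if at all, without its diagnostic. That warning is gpg saying the directory holding the private keys is not safely owned or restricted, which is worth seeing in a signing step; if it must be silenced, gpg's `--no-permission-warning` option suppresses it alone and leaves real errors visible. Separately, `Path(os.environ['HOME']).joinpath('.gnupg')` is evaluated before `os.environ.get` is called, so an unset `HOME` raises `KeyError` even when `GNUPGHOME` is set; `os.environ.get('GNUPGHOME') or Path.home() / '.gnupg'` avoids that. Whether `run` merges `env` into the inherited environment or replaces it is not visible in this hunk and should be confirmed, since gpg still needs `PATH`. The body of `calculate_signature` starts above the hunk.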