From fedc90c76b319a8219fe032748cfb939b57439c8 Mon Sep 17 00:00:00 2001
From: Daan De Meyer <daan.j.demeyer@gmail.com>
Date: Thu, 6 Feb 2025 12:05:05 +0100
Subject: [PATCH] rpm: Fix root locations for GPG searching

We should always look in the tools tree for /usr/share/distribution-gpg-keys,
regardless of the value of ToolsTreeCertificates= since the setting has no
impact on which /usr/share/distribution-gpg-keys directory we end up using.

We should look in the host or tools tree for /etc/pki/rpm-gpg, based on the
value of ToolsTreeCertificates=, not in the sandbox tree, because the /etc/pki
directory from the host or tools tree will always be used and mounted over the
directory from the sandbox tree, so there's no point in looking for rpm gpg keys
in the sandbox tree at all.
---
 mkosi/installer/rpm.py | 15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)

diff --git a/mkosi/installer/rpm.py b/mkosi/installer/rpm.py
index b8dcc5541..c6afd06f8 100644
--- a/mkosi/installer/rpm.py
+++ b/mkosi/installer/rpm.py
@@ -52,15 +52,18 @@ def find_rpm_gpgkey(
     *,
     required: bool = True,
 ) -> Optional[str]:
-    root = context.config.tools() if context.config.tools_tree_certificates else Path("/")
-
     # We assume here that GPG keys will only ever be relative symlinks and never absolute symlinks.
 
-    if gpgpath := next((root / "usr/share/distribution-gpg-keys").rglob(key), None):
-        return (Path("/") / gpgpath.resolve().relative_to(root)).as_uri()
+    if gpgpath := next((context.config.tools() / "usr/share/distribution-gpg-keys").rglob(key), None):
+        return (Path("/") / gpgpath.resolve().relative_to(context.config.tools())).as_uri()
 
-    if gpgpath := next(Path(context.sandbox_tree / "etc/pki/rpm-gpg").rglob(key), None):
-        return (Path("/") / gpgpath.resolve().relative_to(context.sandbox_tree)).as_uri()
+    # ToolsTreeCertificates= only applies to certificates but the rpm gpg keys in /etc are located within the
+    # /etc/pki certificates directory so as a result the option has to apply to the rpm gpg keys in /etc as
+    # well
+    root = context.config.tools() if context.config.tools_tree_certificates else Path("/")
+
+    if gpgpath := next(Path(root / "etc/pki/rpm-gpg").rglob(key), None):
+        return (Path("/") / gpgpath.resolve().relative_to(root)).as_uri()
 
     if fallback and context.config.repository_key_fetch:
         return fallback
-- 
2.47.2