Only pick up /etc/pki/tls and /etc/pki/ca-trust as certificate dirs

Extra rpm GPG keys can be configured in /etc/pki/rpm-gpg. Let's not
assume /etc/pki consists solely of certificates but instead, let's pick
out the two directories out of there that do concern themselves with
certificates.

This allows copying extra rpm gpg keys to /etc/pki/rpm-gpg with
SandboxTrees= without these getting overridden by the /etc/pki bind
mount we used to have before.

Fixes #3687

diff --git a/action.yaml b/action.yaml
index e5823195cac4d5bb541de20fe2d91bbd3e35f83c..ced80781b21f6edf94ff61cde908f8ed410e9902 100644 (file)
--- a/action.yaml
+++ b/action.yaml
@@ -62,7 +62,7 @@ runs:
     - name: Create missing mountpoints
       shell: bash
       run: |
-        for p in /etc/pki /etc/ssl /etc/ca-certificates /var/lib/ca-certificates /etc/crypto-policies; do
+        for p in /etc/pki/ca-trust /etc/pki/tls /etc/ssl /etc/ca-certificates /var/lib/ca-certificates /etc/crypto-policies; do
           if [[ ! -e "$p" ]]; then
             sudo mkdir -p "$p"
           fi

diff --git a/mkosi/__init__.py b/mkosi/__init__.py
index 5f97fa64214388f064545eb7d7bfeb64a5c800d7..9c84510724a58f6511fd57c2cdcf2b4b98e2a4b3 100644 (file)
--- a/mkosi/__init__.py
+++ b/mkosi/__init__.py
@@ -1202,7 +1202,8 @@ def install_sandbox_trees(config: Config, dst: Path) -> None:
     # Create various mountpoints in /etc as /etc from the sandbox tree is mounted read-only into the sandbox.
 
     for d in (
-        "etc/pki",
+        "etc/pki/ca-trust",
+        "etc/pki/tls",
         "etc/ssl",
         "etc/ca-certificates",
         "etc/pacman.d/gnupg",

diff --git a/mkosi/mounts.py b/mkosi/mounts.py
index 8efefb6795bb991496c0dabbd2a1a456876ea845..863316965d7880ce25c5d462b8b81aa975c96763 100644 (file)
--- a/mkosi/mounts.py
+++ b/mkosi/mounts.py
@@ -141,7 +141,8 @@ def finalize_certificate_mounts(config: Config, relaxed: bool = False) -> list[P
         mounts += [
             (root / subdir, Path("/") / subdir)
             for subdir in (
-                Path("etc/pki"),
+                Path("etc/pki/ca-trust"),
+                Path("etc/pki/tls"),
                 Path("etc/ssl"),
                 Path("etc/ca-certificates"),
                 Path("var/lib/ca-certificates"),

diff --git a/mkosi/resources/man/mkosi.1.md b/mkosi/resources/man/mkosi.1.md
index 5a8612210f469d08d2c1c0cda1e5874aaa5e1ce0..429c9c9e018fb1aa0d720125e3acbd82d7050e6a 100644 (file)
--- a/mkosi/resources/man/mkosi.1.md
+++ b/mkosi/resources/man/mkosi.1.md
@@ -1447,10 +1447,10 @@ boolean argument: either `1`, `yes`, or `true` to enable, or `0`, `no`,
 
 `ToolsTreeCertificates=`, `--tools-tree-certificates=`
 :   Specify whether to use certificates and keys from the tools tree.
-    Enabled by default. If enabled, `/etc/pki`, `/etc/ssl`,
-    `/etc/ca-certificates`, and `/var/lib/ca-certificates` from the
-    tools tree are used. Otherwise, these directories are picked up from
-    the host.
+    Enabled by default. If enabled, `/etc/pki/ca-trust`, `/etc/pki/tls`,
+    `/etc/ssl`, `/etc/ca-certificates`, and `/var/lib/ca-certificates`
+    from the tools tree are used. Otherwise, these directories are
+    picked up from the host.
 
 `ExtraSearchPaths=`, `--extra-search-path=`
 :   List of colon-separated paths to look for tools in, before using the