Merge pull request #2931 from DaanDeMeyer/debian

 Introduce RepositoryKeyFetch=

.github/workflows/ci.yml

@@ -155,6 +155,14 @@ jobs:
         QemuKvm=yes
         EOF
 
+        # TODO: Drop once distribution-gpg-keys is in noble-backports.
+        if [[ "${{ matrix.tools }}" =~ opensuse|fedora|ubuntu ]]; then
+            tee --append mkosi.local.conf <<EOF
+        [Distribution]
+        RepositoryKeyFetch=yes
+        EOF
+        fi
+
         # TODO: Remove once all distros have recent enough systemd that knows systemd.default_device_timeout_sec.
         mkdir -p mkosi-initrd/mkosi.extra/usr/lib/systemd/system.conf.d
         tee mkosi-initrd/mkosi.extra/usr/lib/systemd/system.conf.d/device-timeout.conf <<EOF

mkosi.conf

@@ -35,7 +35,12 @@ RemoveFiles=
         /usr/lib/kernel/install.d/50-dracut.install
 
 # Make sure that SELinux doesn't run in enforcing mode even if it's pulled in as a dependency.
-KernelCommandLine=enforcing=0
+KernelCommandLine=
+        enforcing=0
+        systemd.log_ratelimit_kmsg=0
+        systemd.crash_shell
+        printk.devkmsg=on
+        systemd.early_core_pattern=/core
 
 KernelModulesInitrdExclude=.*
 KernelModulesInitrdInclude=default

mkosi.conf.d/30-debian-ubuntu/mkosi.conf

@@ -6,6 +6,8 @@ Distribution=|ubuntu
 
 [Content]
 Packages=
+        ?exact-name(systemd-boot)
+        ?exact-name(systemd-resolved)
         ^libtss2-esys-[0-9.]+-0$
         ^libtss2-mu[0-9.-]+$
         bash

mkosi/__init__.py

@@ -1807,6 +1807,7 @@ def finalize_default_initrd(
         "--architecture", str(config.architecture),
         *(["--mirror", config.mirror] if config.mirror else []),
         "--repository-key-check", str(config.repository_key_check),
+        "--repository-key-fetch", str(config.repository_key_fetch),
         "--repositories", ",".join(config.repositories),
         "--package-manager-tree", ",".join(str(t) for t in config.package_manager_trees),
         # Note that when compress_output == Compression.none == 0 we don't pass --compress-output which means the
@@ -4477,6 +4478,7 @@ def finalize_default_tools(args: Args, config: Config, *, resources: Path) -> Co
         "--repositories", ",".join(config.tools_tree_repositories),
         "--package-manager-tree", ",".join(str(t) for t in config.tools_tree_package_manager_trees),
         "--repository-key-check", str(config.repository_key_check),
+        "--repository-key-fetch", str(config.repository_key_fetch),
         "--cache-only", str(config.cacheonly),
         *(["--output-dir", str(config.output_dir)] if config.output_dir else []),
         *(["--workspace-dir", str(config.workspace_dir)] if config.workspace_dir else []),

mkosi/config.py

@@ -1402,6 +1402,7 @@ class Config:
     mirror: Optional[str]
     local_mirror: Optional[str]
     repository_key_check: bool
+    repository_key_fetch: bool
     repositories: list[str]
     cacheonly: Cacheonly
     package_manager_trees: list[ConfigTree]
@@ -1961,6 +1962,16 @@ def parse_ini(path: Path, only_sections: Collection[str] = ()) -> Iterator[tuple
         help="Controls signature and key checks on repositories",
         universal=True,
     ),
+    ConfigSetting(
+        dest="repository_key_fetch",
+        metavar="BOOL",
+        nargs="?",
+        section="Distribution",
+        default=False,
+        parse=config_parse_boolean,
+        help="Controls whether distribution GPG keys can be fetched remotely",
+        universal=True,
+    ),
     ConfigSetting(
         dest="repositories",
         metavar="REPOS",
@@ -4066,6 +4077,7 @@ def bold(s: Any) -> str:
                              Mirror: {none_to_default(config.mirror)}
                Local Mirror (build): {none_to_none(config.local_mirror)}
            Repo Signature/Key check: {yes_no(config.repository_key_check)}
+              Fetch Repository Keys: {yes_no(config.repository_key_fetch)}
                        Repositories: {line_join_list(config.repositories)}
              Use Only Package Cache: {config.cacheonly}
               Package Manager Trees: {line_join_list(config.package_manager_trees)}

mkosi/distributions/alma.py

@@ -16,7 +16,8 @@ def gpgurls(context: Context) -> tuple[str, ...]:
             find_rpm_gpgkey(
                 context,
                 f"RPM-GPG-KEY-AlmaLinux-{context.config.release}",
-            ) or f"https://repo.almalinux.org/almalinux/RPM-GPG-KEY-AlmaLinux-{context.config.release}",
+                f"https://repo.almalinux.org/almalinux/RPM-GPG-KEY-AlmaLinux-{context.config.release}",
+            ),
         )
 
     @classmethod

mkosi/distributions/centos.py

@@ -100,7 +100,7 @@ def architecture(cls, arch: Architecture) -> str:
     def gpgurls(context: Context) -> tuple[str, ...]:
         rel = "RPM-GPG-KEY-CentOS-Official" if context.config.release == "9" else "RPM-GPG-KEY-CentOS-Official-SHA256"
         return tuple(
-            find_rpm_gpgkey(context, key) or f"https://www.centos.org/keys/{key}"
+            find_rpm_gpgkey(context, key, f"https://www.centos.org/keys/{key}")
             for key in (rel, "RPM-GPG-KEY-CentOS-SIG-Extras")
         )
 
@@ -196,7 +196,8 @@ def epel_repositories(cls, context: Context) -> Iterable[RpmRepository]:
             find_rpm_gpgkey(
                 context,
                 f"RPM-GPG-KEY-EPEL-{context.config.release}",
-            ) or f"https://dl.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-{context.config.release}",
+                f"https://dl.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-{context.config.release}",
+            ),
         )
 
         if context.config.local_mirror:
@@ -299,7 +300,7 @@ def sig_repositories(cls, context: Context) -> Iterable[RpmRepository]:
         )
 
         for sig, components, keys in sigs:
-            gpgurls = tuple(find_rpm_gpgkey(context, key) or f"https://www.centos.org/keys/{key}" for key in keys)
+            gpgurls = tuple(find_rpm_gpgkey(context, key, f"https://www.centos.org/keys/{key}") for key in keys)
 
             for c in components:
                 if mirror := context.config.mirror:

mkosi/distributions/fedora.py

@@ -20,8 +20,8 @@
 
 @tuplify
 def find_fedora_rpm_gpgkeys(context: Context) -> Iterable[str]:
-    key1 = find_rpm_gpgkey(context, key=f"RPM-GPG-KEY-fedora-{context.config.release}-primary")
-    key2 = find_rpm_gpgkey(context, key=f"RPM-GPG-KEY-fedora-{context.config.release}-secondary")
+    key1 = find_rpm_gpgkey(context, key=f"RPM-GPG-KEY-fedora-{context.config.release}-primary", required=False)
+    key2 = find_rpm_gpgkey(context, key=f"RPM-GPG-KEY-fedora-{context.config.release}-secondary", required=False)
 
     if key1:
         # During branching, there is always a kerfuffle with the key transition.
@@ -38,9 +38,15 @@ def find_fedora_rpm_gpgkeys(context: Context) -> Iterable[str]:
                     yield key3
 
         yield key1
+
     if key2:
         yield key2
+
     if not key1 and not key2:
+        if not context.config.repository_key_fetch:
+            die("Fedora GPG keys not found in /usr/share/distribution-gpg-keys",
+                hint="Make sure the distribution-gpg-keys package is installed")
+
         yield "https://fedoraproject.org/fedora.gpg"
 
 

mkosi/distributions/mageia.py

@@ -34,7 +34,8 @@ def repositories(cls, context: Context) -> Iterable[RpmRepository]:
             find_rpm_gpgkey(
                 context,
                 "RPM-GPG-KEY-Mageia",
-            ) or "https://mirrors.kernel.org/mageia/distrib/$releasever/$basearch/media/core/release/media_info/pubkey",
+                "https://mirrors.kernel.org/mageia/distrib/$releasever/$basearch/media/core/release/media_info/pubkey",
+            ),
         )
 
         if context.config.local_mirror:

mkosi/distributions/openmandriva.py

@@ -36,7 +36,8 @@ def repositories(cls, context: Context) -> Iterable[RpmRepository]:
             find_rpm_gpgkey(
                 context,
                 "RPM-GPG-KEY-OpenMandriva",
-            ) or "https://raw.githubusercontent.com/OpenMandrivaAssociation/openmandriva-repos/master/RPM-GPG-KEY-OpenMandriva",
+                "https://raw.githubusercontent.com/OpenMandrivaAssociation/openmandriva-repos/master/RPM-GPG-KEY-OpenMandriva",
+            ),
         )
 
         if context.config.local_mirror:

mkosi/distributions/opensuse.py

@@ -94,11 +94,28 @@ def repositories(cls, context: Context) -> Iterable[RpmRepository]:
         mirror = context.config.mirror or "https://download.opensuse.org"
 
         if context.config.release == "tumbleweed" or context.config.release.isdigit():
-            gpgurls = (
-                *([p] if (p := find_rpm_gpgkey(context, key="RPM-GPG-KEY-openSUSE-Tumbleweed")) else []),
-                *([p] if (p := find_rpm_gpgkey(context, key="RPM-GPG-KEY-openSUSE")) else []),
+            gpgkeys = tuple(
+                p
+                for key in ("RPM-GPG-KEY-openSUSE-Tumbleweed", "RPM-GPG-KEY-openSUSE")
+                if (p := find_rpm_gpgkey(context, key, required=False))
             )
 
+            if not gpgkeys and not context.config.repository_key_fetch:
+                die("OpenSUSE GPG keys not found in /usr/share/distribution-gpg-keys",
+                    hint="Make sure the distribution-gpg-keys package is installed")
+
+            if zypper and gpgkeys:
+                run(
+                    ["rpm", "--root=/buildroot", "--import", *(key.removeprefix("file://") for key in gpgkeys)],
+                    sandbox=context.sandbox(
+                        binary="rpm",
+                        mounts=[
+                            Mount(context.root, "/buildroot"),
+                            *finalize_crypto_mounts(context.config)
+                        ],
+                    )
+                )
+
             if context.config.release == "tumbleweed":
                 if context.config.architecture == Architecture.x86_64:
                     subdir = ""
@@ -115,7 +132,7 @@ def repositories(cls, context: Context) -> Iterable[RpmRepository]:
                 yield RpmRepository(
                     id=repo,
                     url=f"baseurl={url}",
-                    gpgurls=gpgurls or (fetch_gpgurls(context, url) if not zypper else ()),
+                    gpgurls=gpgkeys or (fetch_gpgurls(context, url) if not zypper else ()),
                     enabled=repo == "oss",
                 )
 
@@ -125,7 +142,7 @@ def repositories(cls, context: Context) -> Iterable[RpmRepository]:
                         yield RpmRepository(
                             id=f"{repo}-{d}",
                             url=f"baseurl={url}",
-                            gpgurls=gpgurls or (fetch_gpgurls(context, url) if not zypper else ()),
+                            gpgurls=gpgkeys or (fetch_gpgurls(context, url) if not zypper else ()),
                             enabled=False,
                         )
 
@@ -134,14 +151,14 @@ def repositories(cls, context: Context) -> Iterable[RpmRepository]:
                 yield RpmRepository(
                     id="oss-update",
                     url=f"baseurl={url}",
-                    gpgurls=gpgurls or (fetch_gpgurls(context, url) if not zypper else ()),
+                    gpgurls=gpgkeys or (fetch_gpgurls(context, url) if not zypper else ()),
                 )
 
                 url = join_mirror(mirror, f"{subdir}/update/tumbleweed-non-oss")
                 yield RpmRepository(
                     id="non-oss-update",
                     url=f"baseurl={url}",
-                    gpgurls=gpgurls or (fetch_gpgurls(context, url) if not zypper else ()),
+                    gpgurls=gpgkeys or (fetch_gpgurls(context, url) if not zypper else ()),
                     enabled=False,
                 )
         else:

mkosi/distributions/rhel.py

@@ -24,7 +24,8 @@ def gpgurls(context: Context) -> tuple[str, ...]:
             find_rpm_gpgkey(
                 context,
                 f"RPM-GPG-KEY-redhat{major}-release",
-            ) or "https://access.redhat.com/security/data/fd431d51.txt",
+                "https://access.redhat.com/security/data/fd431d51.txt",
+            ),
         )
 
     @staticmethod

mkosi/distributions/rhel_ubi.py

@@ -21,7 +21,8 @@ def gpgurls(context: Context) -> tuple[str, ...]:
             find_rpm_gpgkey(
                 context,
                 f"RPM-GPG-KEY-redhat{major}-release",
-            ) or "https://access.redhat.com/security/data/fd431d51.txt",
+                "https://access.redhat.com/security/data/fd431d51.txt",
+            ),
         )
 
     @classmethod

mkosi/distributions/rocky.py

@@ -16,7 +16,8 @@ def gpgurls(context: Context) -> tuple[str, ...]:
             find_rpm_gpgkey(
                 context,
                 f"RPM-GPG-KEY-Rocky-{context.config.release}",
-            ) or f"https://download.rockylinux.org/pub/rocky/RPM-GPG-KEY-Rocky-{context.config.release}",
+                f"https://download.rockylinux.org/pub/rocky/RPM-GPG-KEY-Rocky-{context.config.release}",
+            ),
         )
 
     @classmethod

mkosi/installer/rpm.py

@@ -4,9 +4,10 @@
 import subprocess
 import textwrap
 from pathlib import Path
-from typing import Optional
+from typing import Literal, Optional, overload
 
 from mkosi.context import Context
+from mkosi.log import die
 from mkosi.run import run
 from mkosi.types import PathString
 
@@ -23,7 +24,33 @@ class RpmRepository:
     priority: Optional[int] = None
 
 
-def find_rpm_gpgkey(context: Context, key: str) -> Optional[str]:
+@overload
+def find_rpm_gpgkey(
+    context: Context,
+    key: str,
+    fallback: Optional[str] = None,
+    *,
+    required: Literal[True] = True,
+) -> str: ...
+
+
+@overload
+def find_rpm_gpgkey(
+    context: Context,
+    key: str,
+    fallback: Optional[str] = None,
+    *,
+    required: Literal[False]
+) -> Optional[str]: ...
+
+
+def find_rpm_gpgkey(
+    context: Context,
+    key: str,
+    fallback: Optional[str] = None,
+    *,
+    required: bool = True
+) -> Optional[str]:
     root = context.config.tools() if context.config.tools_tree_certificates else Path("/")
 
     if gpgpath := next((root / "usr/share/distribution-gpg-keys").rglob(key), None):
@@ -32,6 +59,13 @@ def find_rpm_gpgkey(context: Context, key: str) -> Optional[str]:
     if gpgpath := next(Path(context.pkgmngr / "etc/pki/rpm-gpg").rglob(key), None):
         return (Path("/") / gpgpath.relative_to(context.pkgmngr)).as_uri()
 
+    if context.config.repository_key_fetch:
+        return fallback
+
+    if required:
+        die(f"{key} GPG key not found in /usr/share/distribution-gpg-keys",
+            hint="Make sure the distribution-gpg-keys package is installed")
+
     return None
 
 

mkosi/installer/zypper.py

@@ -109,9 +109,10 @@ def cmd(cls, context: Context) -> list[PathString]:
             "zypper",
             "--installroot=/buildroot",
             "--cache-dir=/var/cache/zypp",
-            "--gpg-auto-import-keys" if context.config.repository_key_check else "--no-gpg-checks",
             "--non-interactive",
             "--no-refresh",
+            *(["--gpg-auto-import-keys"] if context.config.repository_key_fetch else []),
+            *(["--no-gpg-checks"] if not context.config.repository_key_check else []),
             *([f"--plus-content={repo}" for repo in context.config.repositories]),
         ]
 

mkosi/qemu.py

@@ -351,8 +351,9 @@ def start_virtiofsd(config: Config, directory: PathString, *, name: str, selinux
             gid = INVOKING_USER.gid if os.getgid() != INVOKING_USER.gid else None
             scope = scope_cmd(name=name, description=description, user=uid, group=gid)
         elif not uidmap and (os.getuid() == 0 or unshare_version() >= "2.38"):
-            runas = become_root_cmd()
             scope = scope_cmd(name=name, description=description)
+            if scope:
+                runas = become_root_cmd()
 
         with spawn(
             cmdline,

mkosi/resources/mkosi-tools/mkosi.conf.d/10-debian-ubuntu/mkosi.conf

@@ -6,8 +6,13 @@ Distribution=|ubuntu
 
 [Content]
 Packages=
+        ?exact-name(distribution-gpg-keys)
+        ?exact-name(grub-pc-bin)
+        ?exact-name(systemd-boot)
         ?exact-name(systemd-repart)
         ?exact-name(systemd-ukify)
+        ?exact-name(ubuntu-keyring)
+        ?exact-name(virtiofsd)
         apt
         archlinux-keyring
         btrfs-progs