particle-os/deb-mock
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
deb-mock/docs/feature-gpg-and-ssl.md
robojerk 4c0dcb2522
Some checks failed
Build Deb-Mock Package / build (push) Successful in 54s
Details
Lint Code / Lint All Code (push) Failing after 1s
Details
Test Deb-Mock Build / test (push) Failing after 36s
Details
enhance: Add comprehensive .gitignore for deb-mock project 
- Add mock-specific build artifacts (chroot/, mock-*, mockroot/)
- Include package build files (*.deb, *.changes, *.buildinfo)
- Add development tools (.coverage, .pytest_cache, .tox)
- Include system files (.DS_Store, Thumbs.db, ._*)
- Add temporary and backup files (*.tmp, *.bak, *.backup)
- Include local configuration overrides (config.local.yaml, .env.local)
- Add test artifacts and documentation builds
- Comprehensive coverage for Python build system project

This ensures build artifacts, chroot environments, and development
tools are properly ignored in version control.
2025-08-18 23:37:49 -07:00

1.9 KiB
Raw Permalink Blame History

layout title
default GPG keys and SSL certificates

GPG Keys

When you want to verify GPG keys during installation in build root you can use something like in the config:

config_opts['dnf.conf'] = """
... SNIP
[appstream]
name=CentOS Stream $releasever - AppStream
metalink=https://mirrors.centos.org/metalink?repo=centos-appstream-$releasever-stream&arch=$basearch
gpgkey=file:///usr/share/distribution-gpg-keys/centos/RPM-GPG-KEY-CentOS-Official
gpgcheck=1
... SNIP
"""

The path in gpgkey refers to the path in a buildchroot. How do you get your GPG key to buildchroot? There are several ways:

Distribution-GPG-Keys

The package distribution-gpg-key is a requirement of Mock and is installed into buildchroot. The easiest way is to add your package to distribution-gpg-key project and then your key will be automatically present in both of host and buildroot.

This is the preferred way for any new config added to mock-core-configs.

Local key

Any file named RPM-GPG-KEY-* in the /etc/pki/mock/ on the host is copied to buildchroot to the same path.

You can use it for your personal GPG keys.

SSL certificates

Mock copy whole /etc/pki/ca-trust/extracted directory from the host to chroot. So the chroot environment should recognize all SSL certificates your host knows. If you need to add some specific certificate, you can add this part in your config:

# Copy host's SSL certificate bundle ('/etc/pki/tls/certs/ca-bundle.crt') into
# specified location inside chroot.  This usually isn't needed because we copy
# the whole /etc/pki/ca-trust/extracted directory recursively by default, and
# Fedora or EL systems work with that.  But some destination chroots can have
# different configuration, and copying the bundle helps.
#config_opts['ssl_ca_bundle_path'] = None