go.mod: bump osbuild/images to 0.55

vendor/github.com/osbuild/images/pkg/distro/fedora/version.go

@@ -1,4 +1,4 @@
 package fedora
 
-const VERSION_BRANCHED = "40"
+const VERSION_BRANCHED = "41"
 const VERSION_RAWHIDE = "41"

vendor/github.com/osbuild/images/pkg/distro/rhel/rhel10/ami.go

@@ -125,7 +125,7 @@ func baseEc2ImageConfig() *distro.ImageConfig {
 				Dropin: "10-rh-enable-for-ec2.conf",
 				Config: osbuild.SystemdServiceUnitDropin{
 					Service: &osbuild.SystemdUnitServiceSection{
-						Environment: "NM_CLOUD_SETUP_EC2=yes",
+						Environment: []osbuild.EnvironmentVariable{{Key: "NM_CLOUD_SETUP_EC2", Value: "yes"}},
 					},
 				},
 			},

vendor/github.com/osbuild/images/pkg/distro/rhel/rhel10/azure.go

@@ -294,7 +294,7 @@ var defaultAzureImageConfig = &distro.ImageConfig{
 			Dropin: "10-rh-enable-for-azure.conf",
 			Config: osbuild.SystemdServiceUnitDropin{
 				Service: &osbuild.SystemdUnitServiceSection{
-					Environment: "NM_CLOUD_SETUP_AZURE=yes",
+					Environment: []osbuild.EnvironmentVariable{{Key: "NM_CLOUD_SETUP_AZURE", Value: "yes"}},
 				},
 			},
 		},

vendor/github.com/osbuild/images/pkg/distro/rhel/rhel8/ami.go

@@ -269,7 +269,7 @@ func baseEc2ImageConfig() *distro.ImageConfig {
 				Dropin: "10-rh-enable-for-ec2.conf",
 				Config: osbuild.SystemdServiceUnitDropin{
 					Service: &osbuild.SystemdUnitServiceSection{
-						Environment: "NM_CLOUD_SETUP_EC2=yes",
+						Environment: []osbuild.EnvironmentVariable{{Key: "NM_CLOUD_SETUP_EC2", Value: "yes"}},
 					},
 				},
 			},

vendor/github.com/osbuild/images/pkg/distro/rhel/rhel8/azure.go

@@ -644,7 +644,7 @@ var defaultAzureImageConfig = &distro.ImageConfig{
 			Dropin: "10-rh-enable-for-azure.conf",
 			Config: osbuild.SystemdServiceUnitDropin{
 				Service: &osbuild.SystemdUnitServiceSection{
-					Environment: "NM_CLOUD_SETUP_AZURE=yes",
+					Environment: []osbuild.EnvironmentVariable{{Key: "NM_CLOUD_SETUP_AZURE", Value: "yes"}},
 				},
 			},
 		},

vendor/github.com/osbuild/images/pkg/distro/rhel/rhel9/ami.go

@@ -126,7 +126,7 @@ func baseEc2ImageConfig() *distro.ImageConfig {
 				Dropin: "10-rh-enable-for-ec2.conf",
 				Config: osbuild.SystemdServiceUnitDropin{
 					Service: &osbuild.SystemdUnitServiceSection{
-						Environment: "NM_CLOUD_SETUP_EC2=yes",
+						Environment: []osbuild.EnvironmentVariable{{Key: "NM_CLOUD_SETUP_EC2", Value: "yes"}},
 					},
 				},
 			},

vendor/github.com/osbuild/images/pkg/distro/rhel/rhel9/azure.go

@@ -593,7 +593,7 @@ var defaultAzureImageConfig = &distro.ImageConfig{
 			Dropin: "10-rh-enable-for-azure.conf",
 			Config: osbuild.SystemdServiceUnitDropin{
 				Service: &osbuild.SystemdUnitServiceSection{
-					Environment: "NM_CLOUD_SETUP_AZURE=yes",
+					Environment: []osbuild.EnvironmentVariable{{Key: "NM_CLOUD_SETUP_AZURE", Value: "yes"}},
 				},
 			},
 		},

vendor/github.com/osbuild/images/pkg/dnfjson/dnfjson.go

@@ -18,6 +18,7 @@ import (
 	"crypto/sha256"
 	"encoding/json"
 	"fmt"
+	"net/url"
 	"os"
 	"os/exec"
 	"path/filepath"
@@ -25,6 +26,7 @@ import (
 	"strings"
 	"time"
 
+	"github.com/osbuild/images/internal/common"
 	"github.com/osbuild/images/pkg/rhsm"
 	"github.com/osbuild/images/pkg/rpmmd"
 )
@@ -139,6 +141,11 @@ type Solver struct {
 	// for each distribution.
 	distro string
 
+	rootDir string
+
+	// Proxy to use while depsolving. This is used in DNF's base configuration.
+	proxy string
+
 	subscriptions *rhsm.Subscriptions
 }
 
@@ -148,6 +155,13 @@ func NewSolver(modulePlatformID, releaseVer, arch, distro, cacheDir string) *Sol
 	return s.NewWithConfig(modulePlatformID, releaseVer, arch, distro)
 }
 
+// SetRootDir sets a path from which repository configurations, gpg keys, and
+// vars are loaded during depsolve, instead of (or in addition to) the
+// repositories and keys included in each depsolve request.
+func (s *Solver) SetRootDir(path string) {
+	s.rootDir = path
+}
+
 // GetCacheDir returns a distro specific rpm cache directory
 // It ensures that the distro name is below the root cache directory, and if there is
 // a problem it returns the root cache instead of an error.
@@ -160,14 +174,23 @@ func (s *Solver) GetCacheDir() string {
 	return filepath.Join(s.cache.root, b)
 }
 
+// Set the proxy to use while depsolving. The proxy will be set in DNF's base configuration.
+func (s *Solver) SetProxy(proxy string) error {
+	if _, err := url.ParseRequestURI(proxy); err != nil {
+		return fmt.Errorf("proxy URL %q is invalid", proxy)
+	}
+	s.proxy = proxy
+	return nil
+}
+
 // Depsolve the list of required package sets with explicit excludes using
 // their associated repositories.  Each package set is depsolved as a separate
 // transactions in a chain.  It returns a list of all packages (with solved
 // dependencies) that will be installed into the system.
-func (s *Solver) Depsolve(pkgSets []rpmmd.PackageSet) ([]rpmmd.PackageSpec, error) {
-	req, repoMap, err := s.makeDepsolveRequest(pkgSets)
+func (s *Solver) Depsolve(pkgSets []rpmmd.PackageSet) ([]rpmmd.PackageSpec, []rpmmd.RepoConfig, error) {
+	req, rhsmMap, err := s.makeDepsolveRequest(pkgSets)
 	if err != nil {
-		return nil, err
+		return nil, nil, err
 	}
 
 	// get non-exclusive read lock
@@ -176,22 +199,25 @@ func (s *Solver) Depsolve(pkgSets []rpmmd.PackageSet) ([]rpmmd.PackageSpec, erro
 
 	output, err := run(s.dnfJsonCmd, req)
 	if err != nil {
-		return nil, err
+		return nil, nil, err
 	}
 	// touch repos to now
 	now := time.Now().Local()
-	for _, r := range repoMap {
+	for _, r := range req.Arguments.Repos {
 		// ignore errors
 		_ = s.cache.touchRepo(r.Hash(), now)
 	}
 	s.cache.updateInfo()
 
-	var result packageSpecs
-	if err := json.Unmarshal(output, &result); err != nil {
-		return nil, err
+	var result depsolveResult
+	dec := json.NewDecoder(bytes.NewReader(output))
+	dec.DisallowUnknownFields()
+	if err := dec.Decode(&result); err != nil {
+		return nil, nil, err
 	}
 
-	return result.toRPMMD(repoMap), nil
+	packages, repos := result.toRPMMD(rhsmMap)
+	return packages, repos, nil
 }
 
 // FetchMetadata returns the list of all the available packages in repos and
@@ -309,15 +335,15 @@ func (s *Solver) reposFromRPMMD(rpmRepos []rpmmd.RepoConfig) ([]repoConfig, erro
 		}
 
 		if rr.CheckGPG != nil {
-			dr.CheckGPG = *rr.CheckGPG
+			dr.GPGCheck = *rr.CheckGPG
 		}
 
 		if rr.CheckRepoGPG != nil {
-			dr.CheckRepoGPG = *rr.CheckRepoGPG
+			dr.RepoGPGCheck = *rr.CheckRepoGPG
 		}
 
 		if rr.IgnoreSSL != nil {
-			dr.IgnoreSSL = *rr.IgnoreSSL
+			dr.SSLVerify = common.ToPtr(!*rr.IgnoreSSL)
 		}
 
 		if rr.RHSM {
@@ -347,9 +373,9 @@ type repoConfig struct {
 	Metalink       string   `json:"metalink,omitempty"`
 	MirrorList     string   `json:"mirrorlist,omitempty"`
 	GPGKeys        []string `json:"gpgkeys,omitempty"`
-	CheckGPG       bool     `json:"gpgcheck"`
-	CheckRepoGPG   bool     `json:"check_repogpg"`
-	IgnoreSSL      bool     `json:"ignoressl"`
+	GPGCheck       bool     `json:"gpgcheck"`
+	RepoGPGCheck   bool     `json:"repo_gpgcheck"`
+	SSLVerify      *bool    `json:"sslverify,omitempty"`
 	SSLCACert      string   `json:"sslcacert,omitempty"`
 	SSLClientKey   string   `json:"sslclientkey,omitempty"`
 	SSLClientCert  string   `json:"sslclientcert,omitempty"`
@@ -366,30 +392,31 @@ func (r *repoConfig) Hash() string {
 	return r.repoHash
 }
 
-// Helper function for creating a depsolve request payload.
-// The request defines a sequence of transactions, each depsolving one of the
-// elements of `pkgSets` in the order they appear.  The `repoConfigs` are used
-// as the base repositories for all transactions.  The extra repository configs
-// in `pkgsetsRepos` are used for each of the `pkgSets` with matching index.
-// The length of `pkgsetsRepos` must match the length of `pkgSets` or be empty
-// (nil or empty slice).
+// Helper function for creating a depsolve request payload. The request defines
+// a sequence of transactions, each depsolving one of the elements of `pkgSets`
+// in the order they appear. The repositories are collected in the request
+// arguments indexed by their ID, and each transaction lists the repositories
+// it will use for depsolving.
+//
+// The second return value is a map of repository IDs that have RHSM enabled.
+// The RHSM property is not part of the dnf repository configuration so it's
+// returned separately for setting the value on each package that requires it.
 //
 // NOTE: Due to implementation limitations of DNF and dnf-json, each package set
 // in the chain must use all of the repositories used by its predecessor.
 // An error is returned if this requirement is not met.
-func (s *Solver) makeDepsolveRequest(pkgSets []rpmmd.PackageSet) (*Request, map[string]rpmmd.RepoConfig, error) {
-
+func (s *Solver) makeDepsolveRequest(pkgSets []rpmmd.PackageSet) (*Request, map[string]bool, error) {
 	// dedupe repository configurations but maintain order
 	// the order in which repositories are added to the request affects the
 	// order of the dependencies in the result
 	repos := make([]rpmmd.RepoConfig, 0)
-	rpmRepoMap := make(map[string]rpmmd.RepoConfig)
+	rhsmMap := make(map[string]bool)
 
 	for _, ps := range pkgSets {
 		for _, repo := range ps.Repositories {
 			id := repo.Hash()
-			if _, ok := rpmRepoMap[id]; !ok {
-				rpmRepoMap[id] = repo
+			if _, ok := rhsmMap[id]; !ok {
+				rhsmMap[id] = repo.RHSM
 				repos = append(repos, repo)
 			}
 		}
@@ -429,6 +456,7 @@ func (s *Solver) makeDepsolveRequest(pkgSets []rpmmd.PackageSet) (*Request, map[
 	}
 	args := arguments{
 		Repos:        dnfRepoMap,
+		RootDir:      s.rootDir,
 		Transactions: transactions,
 	}
 
@@ -436,11 +464,13 @@ func (s *Solver) makeDepsolveRequest(pkgSets []rpmmd.PackageSet) (*Request, map[
 		Command:          "depsolve",
 		ModulePlatformID: s.modulePlatformID,
 		Arch:             s.arch,
+		Releasever:       s.releaseVer,
 		CacheDir:         s.GetCacheDir(),
+		Proxy:            s.proxy,
 		Arguments:        args,
 	}
 
-	return &req, rpmRepoMap, nil
+	return &req, rhsmMap, nil
 }
 
 // Helper function for creating a dump request payload
@@ -453,7 +483,9 @@ func (s *Solver) makeDumpRequest(repos []rpmmd.RepoConfig) (*Request, error) {
 		Command:          "dump",
 		ModulePlatformID: s.modulePlatformID,
 		Arch:             s.arch,
+		Releasever:       s.releaseVer,
 		CacheDir:         s.GetCacheDir(),
+		Proxy:            s.proxy,
 		Arguments: arguments{
 			Repos: dnfRepos,
 		},
@@ -472,6 +504,8 @@ func (s *Solver) makeSearchRequest(repos []rpmmd.RepoConfig, packages []string)
 		ModulePlatformID: s.modulePlatformID,
 		Arch:             s.arch,
 		CacheDir:         s.GetCacheDir(),
+		Releasever:       s.releaseVer,
+		Proxy:            s.proxy,
 		Arguments: arguments{
 			Repos: dnfRepos,
 			Search: searchArgs{
@@ -482,9 +516,12 @@ func (s *Solver) makeSearchRequest(repos []rpmmd.RepoConfig, packages []string)
 	return &req, nil
 }
 
-// convert internal a list of PackageSpecs to the rpmmd equivalent and attach
-// key and subscription information based on the repository configs.
-func (pkgs packageSpecs) toRPMMD(repos map[string]rpmmd.RepoConfig) []rpmmd.PackageSpec {
+// convert internal a list of PackageSpecs and map of repoConfig to the rpmmd
+// equivalents and attach key and subscription information based on the
+// repository configs.
+func (result depsolveResult) toRPMMD(rhsm map[string]bool) ([]rpmmd.PackageSpec, []rpmmd.RepoConfig) {
+	pkgs := result.Packages
+	repos := result.Repos
 	rpmDependencies := make([]rpmmd.PackageSpec, len(pkgs))
 	for i, dep := range pkgs {
 		repo, ok := repos[dep.RepoID]
@@ -499,22 +536,46 @@ func (pkgs packageSpecs) toRPMMD(repos map[string]rpmmd.RepoConfig) []rpmmd.Pack
 		rpmDependencies[i].Arch = dep.Arch
 		rpmDependencies[i].RemoteLocation = dep.RemoteLocation
 		rpmDependencies[i].Checksum = dep.Checksum
-		if repo.CheckGPG != nil {
-			rpmDependencies[i].CheckGPG = *repo.CheckGPG
-		}
-		if repo.IgnoreSSL != nil {
-			rpmDependencies[i].IgnoreSSL = *repo.IgnoreSSL
+		rpmDependencies[i].CheckGPG = repo.GPGCheck
+		if verify := repo.SSLVerify; verify != nil {
+			rpmDependencies[i].IgnoreSSL = !*verify
 		}
 
 		// The ssl secrets will also be set if rhsm is true,
 		// which should take priority.
-		if repo.RHSM {
+		if rhsm[dep.RepoID] {
 			rpmDependencies[i].Secrets = "org.osbuild.rhsm"
 		} else if repo.SSLClientKey != "" {
 			rpmDependencies[i].Secrets = "org.osbuild.mtls"
 		}
 	}
-	return rpmDependencies
+
+	repoConfigs := make([]rpmmd.RepoConfig, 0, len(repos))
+	for repoID := range repos {
+		repo := repos[repoID]
+		var ignoreSSL bool
+		if sslVerify := repo.SSLVerify; sslVerify != nil {
+			ignoreSSL = !*sslVerify
+		}
+		repoConfigs = append(repoConfigs, rpmmd.RepoConfig{
+			Id:             repo.ID,
+			Name:           repo.Name,
+			BaseURLs:       repo.BaseURLs,
+			Metalink:       repo.Metalink,
+			MirrorList:     repo.MirrorList,
+			GPGKeys:        repo.GPGKeys,
+			CheckGPG:       &repo.GPGCheck,
+			CheckRepoGPG:   &repo.RepoGPGCheck,
+			IgnoreSSL:      &ignoreSSL,
+			MetadataExpire: repo.MetadataExpire,
+			ModuleHotfixes: repo.ModuleHotfixes,
+			Enabled:        common.ToPtr(true),
+			SSLCACert:      repo.SSLCACert,
+			SSLClientKey:   repo.SSLClientKey,
+			SSLClientCert:  repo.SSLClientCert,
+		})
+	}
+	return rpmDependencies, repoConfigs
 }
 
 // Request command and arguments for dnf-json
@@ -525,12 +586,18 @@ type Request struct {
 	// Platform ID, e.g., "platform:el8"
 	ModulePlatformID string `json:"module_platform_id"`
 
+	// Distro Releasever, e.e., "8"
+	Releasever string `json:"releasever"`
+
 	// System architecture
 	Arch string `json:"arch"`
 
 	// Cache directory for the DNF metadata
 	CacheDir string `json:"cachedir"`
 
+	// Proxy to use
+	Proxy string `json:"proxy"`
+
 	// Arguments for the action defined by Command
 	Arguments arguments `json:"arguments"`
 }
@@ -563,6 +630,10 @@ type arguments struct {
 
 	// Depsolve package sets and repository mappings for this request
 	Transactions []transactionArgs `json:"transactions"`
+
+	// Load repository configurations, gpg keys, and vars from an os-root-like
+	// tree.
+	RootDir string `json:"root_dir"`
 }
 
 type searchArgs struct {
@@ -591,6 +662,11 @@ type transactionArgs struct {
 
 type packageSpecs []PackageSpec
 
+type depsolveResult struct {
+	Packages packageSpecs          `json:"packages"`
+	Repos    map[string]repoConfig `json:"repos"`
+}
+
 // Package specification
 type PackageSpec struct {
 	Name           string `json:"name"`

vendor/github.com/osbuild/images/pkg/manifest/anaconda_installer.go

@@ -174,7 +174,7 @@ func (p *AnacondaInstaller) getPackageSpecs() []rpmmd.PackageSpec {
 	return p.packageSpecs
 }
 
-func (p *AnacondaInstaller) serializeStart(packages []rpmmd.PackageSpec, _ []container.Spec, _ []ostree.CommitSpec) {
+func (p *AnacondaInstaller) serializeStart(packages []rpmmd.PackageSpec, _ []container.Spec, _ []ostree.CommitSpec, rpmRepos []rpmmd.RepoConfig) {
 	if len(p.packageSpecs) > 0 {
 		panic("double call to serializeStart()")
 	}
@@ -182,6 +182,7 @@ func (p *AnacondaInstaller) serializeStart(packages []rpmmd.PackageSpec, _ []con
 	if p.kernelName != "" {
 		p.kernelVer = rpmmd.GetVerStrFromPackageSpecListPanic(p.packageSpecs, p.kernelName)
 	}
+	p.repos = append(p.repos, rpmRepos...)
 }
 
 func (p *AnacondaInstaller) serializeEnd() {

vendor/github.com/osbuild/images/pkg/manifest/anaconda_installer_iso_tree.go

@@ -156,7 +156,7 @@ func (p *AnacondaInstallerISOTree) getBuildPackages(_ Distro) []string {
 	return packages
 }
 
-func (p *AnacondaInstallerISOTree) serializeStart(_ []rpmmd.PackageSpec, containers []container.Spec, commits []ostree.CommitSpec) {
+func (p *AnacondaInstallerISOTree) serializeStart(_ []rpmmd.PackageSpec, containers []container.Spec, commits []ostree.CommitSpec, _ []rpmmd.RepoConfig) {
 	if p.ostreeCommitSpec != nil || p.containerSpec != nil {
 		panic("double call to serializeStart()")
 	}

vendor/github.com/osbuild/images/pkg/manifest/build.go

@@ -99,11 +99,12 @@ func (p *BuildrootFromPackages) getPackageSpecs() []rpmmd.PackageSpec {
 	return p.packageSpecs
 }
 
-func (p *BuildrootFromPackages) serializeStart(packages []rpmmd.PackageSpec, _ []container.Spec, _ []ostree.CommitSpec) {
+func (p *BuildrootFromPackages) serializeStart(packages []rpmmd.PackageSpec, _ []container.Spec, _ []ostree.CommitSpec, rpmRepos []rpmmd.RepoConfig) {
 	if len(p.packageSpecs) > 0 {
 		panic("double call to serializeStart()")
 	}
 	p.packageSpecs = packages
+	p.repos = append(p.repos, rpmRepos...)
 }
 
 func (p *BuildrootFromPackages) serializeEnd() {
@@ -198,7 +199,7 @@ func (p *BuildrootFromContainer) getContainerSpecs() []container.Spec {
 	return p.containerSpecs
 }
 
-func (p *BuildrootFromContainer) serializeStart(_ []rpmmd.PackageSpec, containerSpecs []container.Spec, _ []ostree.CommitSpec) {
+func (p *BuildrootFromContainer) serializeStart(_ []rpmmd.PackageSpec, containerSpecs []container.Spec, _ []ostree.CommitSpec, _ []rpmmd.RepoConfig) {
 	if len(p.containerSpecs) > 0 {
 		panic("double call to serializeStart()")
 	}

vendor/github.com/osbuild/images/pkg/manifest/commit_server_tree.go

@@ -80,11 +80,12 @@ func (p *OSTreeCommitServer) getPackageSpecs() []rpmmd.PackageSpec {
 	return p.packageSpecs
 }
 
-func (p *OSTreeCommitServer) serializeStart(packages []rpmmd.PackageSpec, _ []container.Spec, _ []ostree.CommitSpec) {
+func (p *OSTreeCommitServer) serializeStart(packages []rpmmd.PackageSpec, _ []container.Spec, _ []ostree.CommitSpec, rpmRepos []rpmmd.RepoConfig) {
 	if len(p.packageSpecs) > 0 {
 		panic("double call to serializeStart()")
 	}
 	p.packageSpecs = packages
+	p.repos = append(p.repos, rpmRepos...)
 }
 
 func (p *OSTreeCommitServer) serializeEnd() {

vendor/github.com/osbuild/images/pkg/manifest/coreos_installer.go

@@ -136,7 +136,7 @@ func (p *CoreOSInstaller) getPackageSpecs() []rpmmd.PackageSpec {
 	return p.packageSpecs
 }
 
-func (p *CoreOSInstaller) serializeStart(packages []rpmmd.PackageSpec, _ []container.Spec, _ []ostree.CommitSpec) {
+func (p *CoreOSInstaller) serializeStart(packages []rpmmd.PackageSpec, _ []container.Spec, _ []ostree.CommitSpec, rpmRepos []rpmmd.RepoConfig) {
 	if len(p.packageSpecs) > 0 {
 		panic("double call to serializeStart()")
 	}
@@ -144,6 +144,7 @@ func (p *CoreOSInstaller) serializeStart(packages []rpmmd.PackageSpec, _ []conta
 	if p.kernelName != "" {
 		p.kernelVer = rpmmd.GetVerStrFromPackageSpecListPanic(p.packageSpecs, p.kernelName)
 	}
+	p.repos = append(p.repos, rpmRepos...)
 }
 
 func (p *CoreOSInstaller) getInline() []string {

vendor/github.com/osbuild/images/pkg/manifest/empty.go

@@ -22,6 +22,8 @@ type ContentTest struct {
 	containerSpecs []container.Spec
 	commitSpecs    []ostree.CommitSpec
 
+	repos []rpmmd.RepoConfig
+
 	// serialization flag
 	serializing bool
 }
@@ -63,13 +65,14 @@ func (p *ContentTest) getOSTreeCommits() []ostree.CommitSpec {
 	return p.commitSpecs
 }
 
-func (p *ContentTest) serializeStart(pkgs []rpmmd.PackageSpec, containers []container.Spec, commits []ostree.CommitSpec) {
+func (p *ContentTest) serializeStart(pkgs []rpmmd.PackageSpec, containers []container.Spec, commits []ostree.CommitSpec, rpmRepos []rpmmd.RepoConfig) {
 	if p.serializing {
 		panic("double call to serializeStart()")
 	}
 	p.packageSpecs = pkgs
 	p.containerSpecs = containers
 	p.commitSpecs = commits
+	p.repos = rpmRepos
 
 	p.serializing = true
 }

vendor/github.com/osbuild/images/pkg/manifest/manifest.go

@@ -138,14 +138,14 @@ func (m Manifest) GetOSTreeSourceSpecs() map[string][]ostree.SourceSpec {
 	return ostreeSpecs
 }
 
-func (m Manifest) Serialize(packageSets map[string][]rpmmd.PackageSpec, containerSpecs map[string][]container.Spec, ostreeCommits map[string][]ostree.CommitSpec) (OSBuildManifest, error) {
+func (m Manifest) Serialize(packageSets map[string][]rpmmd.PackageSpec, containerSpecs map[string][]container.Spec, ostreeCommits map[string][]ostree.CommitSpec, rpmRepos map[string][]rpmmd.RepoConfig) (OSBuildManifest, error) {
 	pipelines := make([]osbuild.Pipeline, 0)
 	packages := make([]rpmmd.PackageSpec, 0)
 	commits := make([]ostree.CommitSpec, 0)
 	inline := make([]string, 0)
 	containers := make([]container.Spec, 0)
 	for _, pipeline := range m.pipelines {
-		pipeline.serializeStart(packageSets[pipeline.Name()], containerSpecs[pipeline.Name()], ostreeCommits[pipeline.Name()])
+		pipeline.serializeStart(packageSets[pipeline.Name()], containerSpecs[pipeline.Name()], ostreeCommits[pipeline.Name()], rpmRepos[pipeline.Name()])
 	}
 	for _, pipeline := range m.pipelines {
 		commits = append(commits, pipeline.getOSTreeCommits()...)

vendor/github.com/osbuild/images/pkg/manifest/os.go

@@ -338,7 +338,7 @@ func (p *OS) getContainerSpecs() []container.Spec {
 	return p.containerSpecs
 }
 
-func (p *OS) serializeStart(packages []rpmmd.PackageSpec, containers []container.Spec, commits []ostree.CommitSpec) {
+func (p *OS) serializeStart(packages []rpmmd.PackageSpec, containers []container.Spec, commits []ostree.CommitSpec, rpmRepos []rpmmd.RepoConfig) {
 	if len(p.packageSpecs) > 0 {
 		panic("double call to serializeStart()")
 	}
@@ -355,6 +355,8 @@ func (p *OS) serializeStart(packages []rpmmd.PackageSpec, containers []container
 	if p.KernelName != "" {
 		p.kernelVer = rpmmd.GetVerStrFromPackageSpecListPanic(p.packageSpecs, p.KernelName)
 	}
+
+	p.repos = append(p.repos, rpmRepos...)
 }
 
 func (p *OS) serializeEnd() {

vendor/github.com/osbuild/images/pkg/manifest/ostree_deployment.go

@@ -161,7 +161,7 @@ func (p *OSTreeDeployment) getContainerSources() []container.SourceSpec {
 	}
 }
 
-func (p *OSTreeDeployment) serializeStart(packages []rpmmd.PackageSpec, containers []container.Spec, commits []ostree.CommitSpec) {
+func (p *OSTreeDeployment) serializeStart(_ []rpmmd.PackageSpec, containers []container.Spec, commits []ostree.CommitSpec, _ []rpmmd.RepoConfig) {
 	if p.ostreeSpec != nil || p.containerSpec != nil {
 		panic("double call to serializeStart()")
 	}

vendor/github.com/osbuild/images/pkg/manifest/pipeline.go

@@ -53,7 +53,7 @@ type Pipeline interface {
 	// its full Spec. See the ostree package for more details.
 	getOSTreeCommitSources() []ostree.SourceSpec
 
-	serializeStart([]rpmmd.PackageSpec, []container.Spec, []ostree.CommitSpec)
+	serializeStart([]rpmmd.PackageSpec, []container.Spec, []ostree.CommitSpec, []rpmmd.RepoConfig)
 	serializeEnd()
 	serialize() osbuild.Pipeline
 
@@ -166,7 +166,7 @@ func NewBase(name string, build Build) Base {
 
 // serializeStart must be called exactly once before each call
 // to serialize().
-func (p Base) serializeStart([]rpmmd.PackageSpec, []container.Spec, []ostree.CommitSpec) {
+func (p Base) serializeStart([]rpmmd.PackageSpec, []container.Spec, []ostree.CommitSpec, []rpmmd.RepoConfig) {
 }
 
 // serializeEnd must be called exactly once after each call to

vendor/github.com/osbuild/images/pkg/manifest/raw_bootc.go

@@ -66,7 +66,7 @@ func (p *RawBootcImage) getContainerSpecs() []container.Spec {
 	return p.containerSpecs
 }
 
-func (p *RawBootcImage) serializeStart(_ []rpmmd.PackageSpec, containerSpecs []container.Spec, _ []ostree.CommitSpec) {
+func (p *RawBootcImage) serializeStart(_ []rpmmd.PackageSpec, containerSpecs []container.Spec, _ []ostree.CommitSpec, _ []rpmmd.RepoConfig) {
 	if len(p.containerSpecs) > 0 {
 		panic("double call to serializeStart()")
 	}

vendor/github.com/osbuild/images/pkg/osbuild/rpm_stage.go

@@ -2,6 +2,7 @@ package osbuild
 
 import (
 	"github.com/osbuild/images/pkg/rpmmd"
+	"golang.org/x/exp/slices"
 )
 
 type RPMStageOptions struct {
@@ -138,14 +139,21 @@ func pkgRefs(specs []rpmmd.PackageSpec) FilesInputRef {
 }
 
 func NewRPMStageOptions(repos []rpmmd.RepoConfig) *RPMStageOptions {
-	var gpgKeys []string
+	gpgKeys := make([]string, 0)
+	keyMap := make(map[string]bool) // for deduplicating keys
 	for _, repo := range repos {
 		if len(repo.GPGKeys) == 0 {
 			continue
 		}
-		gpgKeys = append(gpgKeys, repo.GPGKeys...)
+		for _, key := range repo.GPGKeys {
+			if !keyMap[key] {
+				gpgKeys = append(gpgKeys, key)
+				keyMap[key] = true
+			}
+		}
 	}
 
+	slices.Sort(gpgKeys)
 	return &RPMStageOptions{
 		GPGKeys: gpgKeys,
 	}

vendor/github.com/osbuild/images/pkg/osbuild/systemd_unit_create_stage.go

@@ -1,5 +1,10 @@
 package osbuild
 
+import (
+	"fmt"
+	"regexp"
+)
+
 type serviceType string
 type unitPath string
 
@@ -26,11 +31,13 @@ type Unit struct {
 }
 
 type Service struct {
-	Type            serviceType `json:"Type,omitempty"`
-	RemainAfterExit bool        `json:"RemainAfterExit,omitempty"`
-	ExecStartPre    []string    `json:"ExecStartPre,omitempty"`
-	ExecStopPost    []string    `json:"ExecStopPost,omitempty"`
-	ExecStart       []string    `json:"ExecStart,omitempty"`
+	Type            serviceType           `json:"Type,omitempty"`
+	RemainAfterExit bool                  `json:"RemainAfterExit,omitempty"`
+	ExecStartPre    []string              `json:"ExecStartPre,omitempty"`
+	ExecStopPost    []string              `json:"ExecStopPost,omitempty"`
+	ExecStart       []string              `json:"ExecStart,omitempty"`
+	Environment     []EnvironmentVariable `json:"Environment,omitempty"`
+	EnvironmentFile []string              `json:"EnvironmentFile,omitempty"`
 }
 
 type Install struct {
@@ -53,7 +60,22 @@ type SystemdUnitCreateStageOptions struct {
 
 func (SystemdUnitCreateStageOptions) isStageOptions() {}
 
+func (o *SystemdUnitCreateStageOptions) validate() error {
+	vre := regexp.MustCompile(envVarRegex)
+	if service := o.Config.Service; service != nil {
+		for _, envVar := range service.Environment {
+			if !vre.MatchString(envVar.Key) {
+				return fmt.Errorf("variable name %q doesn't conform to schema (%s)", envVar.Key, envVarRegex)
+			}
+		}
+	}
+	return nil
+}
+
 func NewSystemdUnitCreateStageOptions(options *SystemdUnitCreateStageOptions) *Stage {
+	if err := options.validate(); err != nil {
+		panic(err)
+	}
 	return &Stage{
 		Type:    "org.osbuild.systemd.unit.create",
 		Options: options,

vendor/github.com/osbuild/images/pkg/osbuild/systemd_unit_stage.go

@@ -1,5 +1,10 @@
 package osbuild
 
+import (
+	"fmt"
+	"regexp"
+)
+
 type unitType string
 
 const (
@@ -16,7 +21,22 @@ type SystemdUnitStageOptions struct {
 
 func (SystemdUnitStageOptions) isStageOptions() {}
 
+func (o *SystemdUnitStageOptions) validate() error {
+	vre := regexp.MustCompile(envVarRegex)
+	if service := o.Config.Service; service != nil {
+		for _, envVar := range service.Environment {
+			if !vre.MatchString(envVar.Key) {
+				return fmt.Errorf("variable name %q doesn't conform to schema (%s)", envVar.Key, envVarRegex)
+			}
+		}
+	}
+	return nil
+}
+
 func NewSystemdUnitStage(options *SystemdUnitStageOptions) *Stage {
+	if err := options.validate(); err != nil {
+		panic(err)
+	}
 	return &Stage{
 		Type:    "org.osbuild.systemd.unit",
 		Options: options,
@@ -32,7 +52,8 @@ type SystemdServiceUnitDropin struct {
 // 'Service' configuration section of a unit file
 type SystemdUnitServiceSection struct {
 	// Sets environment variables for executed process
-	Environment string `json:"Environment,omitempty"`
+	Environment     []EnvironmentVariable `json:"Environment,omitempty"`
+	EnvironmentFile []string              `json:"EnvironmentFile,omitempty"`
 }
 
 // 'Unit' configuration section of a unit file

vendor/github.com/osbuild/images/pkg/policies/policies.go

@@ -57,27 +57,29 @@ var CustomDirectoriesPolicies = pathpolicy.NewPathPolicies(map[string]pathpolicy
 
 // CustomFilesPolicies is a set of default policies for custom files
 var CustomFilesPolicies = pathpolicy.NewPathPolicies(map[string]pathpolicy.PathPolicy{
-	"/":           {},
-	"/bin":        {Deny: true},
-	"/boot":       {Deny: true},
-	"/dev":        {Deny: true},
-	"/efi":        {Deny: true},
-	"/etc/fstab":  {Deny: true},
-	"/etc/group":  {Deny: true},
-	"/etc/passwd": {Deny: true},
-	"/etc/shadow": {Deny: true},
-	"/lib":        {Deny: true},
-	"/lib64":      {Deny: true},
-	"/lost+found": {Deny: true},
-	"/proc":       {Deny: true},
-	"/run":        {Deny: true},
-	"/sbin":       {Deny: true},
-	"/sys":        {Deny: true},
-	"/sysroot":    {Deny: true},
-	"/tmp":        {Deny: true},
-	"/usr":        {Deny: true},
-	"/var/run":    {Deny: true},
-	"/var/tmp":    {Deny: true},
+	"/":               {},
+	"/usr/local/bin":  {},
+	"/usr/local/sbin": {},
+	"/bin":            {Deny: true},
+	"/boot":           {Deny: true},
+	"/dev":            {Deny: true},
+	"/efi":            {Deny: true},
+	"/etc/fstab":      {Deny: true},
+	"/etc/group":      {Deny: true},
+	"/etc/passwd":     {Deny: true},
+	"/etc/shadow":     {Deny: true},
+	"/lib":            {Deny: true},
+	"/lib64":          {Deny: true},
+	"/lost+found":     {Deny: true},
+	"/proc":           {Deny: true},
+	"/run":            {Deny: true},
+	"/sbin":           {Deny: true},
+	"/sys":            {Deny: true},
+	"/sysroot":        {Deny: true},
+	"/tmp":            {Deny: true},
+	"/usr":            {Deny: true},
+	"/var/run":        {Deny: true},
+	"/var/tmp":        {Deny: true},
 })
 
 // MountpointPolicies for ostree