stages/rpm: option to import gpg keys from tree

Add a new option `gpgkeys.fromtree` that when specified will import the specified gpg keys from files located in the tree, such as `/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release`.
2022-03-03 22:00:31 +00:00 · 2022-03-03 22:00:31 +00:00 · 5a5da44c06
commit 5a5da44c06
parent 7676c459e4
1 changed files with 22 additions and 1 deletions
--- a/stages/org.osbuild.rpm
+++ b/stages/org.osbuild.rpm
@ -5,7 +5,9 @@ Verify, and install RPM packages
 The `exclude.docs` option can be used to tell rpm to not install docs.

 `gpgkeys` should be an array of strings containing each GPG key to be used
-to verify the packages.
+to verify the packages. Alternatively, the keys can be imported via files
+located in the tree via `gpgkeys.fromtree`. This is done after the packages
+are installed so it is possible to import keys packaged in rpms.

 `packages` is an array of objects representing RPMs. Each RPM is identified by
 its checksums. Specifically, the content hash of the rpm, not the checksums
@ -65,6 +67,11 @@ SCHEMA = """
    "type": "array",
    "items": { "type": "string" }
  },
+  "gpgkeys.fromtree": {
+    "description": "Array of files in the tree with GPG keys to import",
+    "type": "array",
+    "items": { "type": "string" }
+  },
  "packages": {
    "description": "Array of RPM content hashes",
    "type": "array",
@ -107,6 +114,11 @@ SCHEMA_2 = """
      "type": "array",
      "items": { "type": "string" }
    },
+    "gpgkeys.fromtree": {
+      "description": "Array of files in the tree with GPG keys to import",
+      "type": "array",
+      "items": { "type": "string" }
+    },
    "disable_dracut": {
      "description": "Prevent dracut from running",
      "type": "boolean"
@ -284,6 +296,15 @@ def main(tree, inputs, options):
            "--install", manifest.name
        ], cwd=pkgpath, check=True)

+    for key in options.get("gpgkeys.fromtree", []):
+        path = os.path.join(tree, key.lstrip("/"))
+        subprocess.run([
+            "rpmkeys",
+            "--root", tree,
+            "--import", path
+        ], check=True)
+        print(f"imported gpg keys from '{key}'")
+
    # re-enabled dracut
    if no_dracut:
        enable_dracut(masked_files)