From 5a5da44c06433c2f79c6c021986b36a971b930ec Mon Sep 17 00:00:00 2001
From: Christian Kellner
Date: Thu, 3 Mar 2022 22:00:31 +0000
Subject: [PATCH] stages/rpm: option to import gpg keys from tree

Add a new option `gpgkeys.fromtree` that when specified will import the specified gpg keys from files located in the tree, such as `/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release`.
---
 stages/org.osbuild.rpm | 23 ++++++++++++++++++++++-
 1 file changed, 22 insertions(+), 1 deletion(-)

diff --git a/stages/org.osbuild.rpm b/stages/org.osbuild.rpm
index ca3671fc..6389babe 100755
--- a/stages/org.osbuild.rpm
+++ b/stages/org.osbuild.rpm
@@ -5,7 +5,9 @@ Verify, and install RPM packages
The `exclude.docs` option can be used to tell rpm to not install docs.
`gpgkeys` should be an array of strings containing each GPG key to be used
-to verify the packages.
+to verify the packages. Alternatively, the keys can be imported via files
+located in the tree via `gpgkeys.fromtree`. This is done after the packages
+are installed so it is possible to import keys packaged in rpms.
`packages` is an array of objects representing RPMs. Each RPM is identified by its checksums. Specifically, the content hash of the rpm, not the checksums
@@ -65,6 +67,11 @@ SCHEMA = """
"type": "array",
"items": { "type": "string" }
},
+ "gpgkeys.fromtree": {
+ "description": "Array of files in the tree with GPG keys to import",
+ "type": "array",
+ "items": { "type": "string" }
+ },
"packages": {
"description": "Array of RPM content hashes",
"type": "array",
@@ -107,6 +114,11 @@ SCHEMA_2 = """
"type": "array",
"items": { "type": "string" }
},
+ "gpgkeys.fromtree": {
+ "description": "Array of files in the tree with GPG keys to import",
+ "type": "array",
+ "items": { "type": "string" }
+ },
"disable_dracut": {
"description": "Prevent dracut from running",
"type": "boolean"
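Review bot: The new docstring sentence "Alternatively, the keys can be imported via files located in the tree" reads as if `gpgkeys.fromtree` were a second way to supply the keys that verify this stage's packages, yet the very next sentence says the import happens after the packages are installed, so those keys cannot take part in that verification and only end up in the tree's rpm database for later use. That distinction matters to anyone relying on the option for signature checking, so I would state it plainly instead of "Alternatively", e.g. `` `gpgkeys.fromtree` lists files inside the tree whose keys are imported into the tree's rpm database after the packages are installed (so keys shipped in rpms can be used); they are not used to verify this stage's packages. `` The docstring continues beyond the hunk.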
@@ -284,6 +296,15 @@ def main(tree, inputs, options):
"--install", manifest.name
], cwd=pkgpath, check=True)
+ for key in options.get("gpgkeys.fromtree", []):
+ path = os.path.join(tree, key.lstrip("/"))
+ subprocess.run([
+ "rpmkeys",
+ "--root", tree,
+ "--import", path
+ ], check=True)
+ print(f"imported gpg keys from '{key}'")
+
# re-enabled dracut
if no_dracut:
enable_dracut(masked_files)
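Review bot: The added loop builds `path` as `os.path.join(tree, key.lstrip("/"))` and never checks that the result stays inside the tree, so a manifest entry such as `../../some/file`, or a symlink that an installed package planted inside the tree, makes `rpmkeys --import` read a file from outside it; the join with `tree` shows the file is opened on our side of `--root`, not inside it, and stripping the leading slash only neutralises absolute entries. How far such a path can reach depends on the stage's sandbox, which is not visible here, but the containment check is cheap and also replaces the bare `CalledProcessError` a missing file currently produces with a clear error. I would resolve links and `..` with `os.path.realpath` and reject anything not under the resolved tree, as below. The rest of `main` lies outside the hunk.
```python
    tree_root = os.path.realpath(tree)
    for key in options.get("gpgkeys.fromtree", []):
        # rpmkeys opens this file on our side of --root, so resolve links and
        # ".." first and refuse anything that does not stay under the tree.
        path = os.path.realpath(os.path.join(tree_root, key.lstrip("/")))
        if os.path.commonpath([tree_root, path]) != tree_root:
            raise ValueError(f"gpgkeys.fromtree: '{key}' is not inside the tree")
        if not os.path.isfile(path):
            raise ValueError(f"gpgkeys.fromtree: '{key}' not found in the tree")
        # … unchanged: rpmkeys --root tree --import path, print …
```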