[elbe-devel] [PATCH 06/12] elbepack: rfs: make debootstrap use key for primary mirror if there is one

[Thomas Weißschuh]

From: Stefan Kempf <stefan at kempfsn.de>

[thomas: rebase, align with project conventions]

Signed-off-by: Stefan Kempf <stefan at kempfsn.de>
Signed-off-by: Thomas Weißschuh <thomas.weissschuh at linutronix.de>
---
 elbepack/rfs.py | 18 ++++++++++++++++--
 1 file changed, 16 insertions(+), 2 deletions(-)

diff --git a/elbepack/rfs.py b/elbepack/rfs.py
index afb57a424a424fc5c8b00060c5347dc9b4b4a6b1..b4b7681c33dc16faa1594f8d435495804db3116c 100644
--- a/elbepack/rfs.py
+++ b/elbepack/rfs.py
@@ -149,6 +149,11 @@ class BuildEnv:
         for f in {'/etc/resolv.conf', '/etc/hostname'}:
             self.rfs.remove(f)
 
+    def import_debootstrap_key(self, key):
+        if key:
+            k = strip_leading_whitespace_from_lines(key)
+            return self.add_key(unarmor_openpgp_keyring(k), 'elbe-xml-primary-key.gpg')
+
     def debootstrap(self, arch='default'):
 
         cleanup = False
@@ -156,6 +161,10 @@ class BuildEnv:
 
         primary_mirror = self.xml.get_primary_mirror(
             self.rfs.fname('/cdrom/targetrepo'), hostsysroot=self.hostsysroot)
+        primary_key = self.xml.get_primary_key(
+            self.rfs.fname('/cdrom/targetrepo'), hostsysroot=self.hostsysroot)
+
+        debootstrap_key_path = self.import_debootstrap_key(primary_key)
 
         if self.xml.prj.has('mirror/primary_proxy'):
             os.environ['no_proxy'] = '10.0.2.2,localhost,127.0.0.1'
@@ -205,13 +214,15 @@ class BuildEnv:
             else:
                 if self.xml.has('project/mirror/cdrom'):
                     keyring = f' --keyring="{keyring_file}"'
+                elif debootstrap_key_path:
+                    keyring = f' --keyring="{debootstrap_key_path}"'
 
                 cmd = (f'{strapcmd} --arch={arch} '
                        f'{keyring} "{suite}" "{self.rfs.path}" "{primary_mirror}"')
 
             try:
                 self.cdrom_mount()
-                if keyring:
+                if keyring and self.xml.has('project/mirror/cdrom'):
                     self.convert_asc_to_gpg('/cdrom/targetrepo/repo.pub', '/elbe.keyring')
                 do(cmd)
                 self._cleanup_bootstrap()
@@ -231,13 +242,15 @@ class BuildEnv:
         else:
             if self.xml.has('project/mirror/cdrom'):
                 keyring = f' --keyring="{keyring_file}"'
+            elif debootstrap_key_path:
+                keyring = f' --keyring="{debootstrap_key_path}"'
 
             cmd = (f'{strapcmd} --foreign --arch={arch} '
                    f'{keyring} "{suite}" "{self.rfs.path}" "{primary_mirror}"')
 
         try:
             self.cdrom_mount()
-            if keyring:
+            if keyring and self.xml.has('project/mirror/cdrom'):
                 self.convert_asc_to_gpg('/cdrom/targetrepo/repo.pub', '/elbe.keyring')
             do(cmd)
 
@@ -271,6 +284,7 @@ class BuildEnv:
         Adds the binary OpenPGP keyring 'key' as a trusted apt keyring
         with file name 'keyname'.
         """
+        self.rfs.mkdir_p('/etc/apt/trusted.gpg.d')
         keyfile = self.rfs.fname(f'/etc/apt/trusted.gpg.d/{keyname}')
         with open(keyfile, 'wb') as outfile:
             outfile.write(key)

-- 
2.47.0