From 671b6185db3dccd530cc19d69f49f4167781ecd9 Mon Sep 17 00:00:00 2001 From: Eli Schwartz Date: Sat, 1 Dec 2018 19:36:23 -0500 Subject: arch-nspawn: don't delete the guest gpg configuration It's important to ensure the guest has up to date data because updating a chroot after quite some time can potentially rely on updated archlinux-keyring, something which the host machine either kept up to date on or manually fixed, but it kills automation to mess around with chroot configs like that. Alternatively, signed packages added with -I need to work, and we assume the host is configured to accept these. That is *not* a good reason to completely nuke whatever is in the guest, though. A guest might have been manually configured to accept keys which aren't accepted by the host; one example of this happening in practice, is archlinux32 when building 32-bit packages from an archlinux host. A simple solution is to use pacman-key's native facility to dump the known keys and trust status from one gpg configuration, and import it into another. Use this to append to, rather than overwrite, the chrooted guest's pacman keyring. While we are at it, fix a bug where we didn't respect the host's pacman.conf settings for the GpgDir. While it isn't wildly likely a user will choose to customize this, it is a valid and supported use case and we must think about this ourselves. --- arch-nspawn.in | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/arch-nspawn.in b/arch-nspawn.in index 79cff1a..94168b7 100644 --- a/arch-nspawn.in +++ b/arch-nspawn.in @@ -103,7 +103,10 @@ build_mount_args() { } copy_hostconf () { - cp -a /etc/pacman.d/gnupg "$working_dir/etc/pacman.d" + { + pacman-key --gpgdir "$working_dir"/etc/pacman.d/gnupg/ --import "$(pacman-conf GpgDir)" + pacman-key --gpgdir "$working_dir"/etc/pacman.d/gnupg/ --import-trustdb "$(pacman-conf GpgDir)" + } >/dev/null 2>&1 echo "Server = $host_mirror" | \ tee "$working_dir/etc/pacman.d/mirrorlist" > \ "$working_dir/etc/pacman.d/mirrorlist32" -- cgit v1.2.3-70-g09d2