From 1cd0a1771cfc840bc387bb185870b28ba806378d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?= Date: Sat, 4 Jan 2025 01:48:02 +0100 Subject: [PATCH 1/3] Revert "installer: adjust options for dnf5" dnf5 download doesn't handle groups yet: https://github.com/rpm-software-management/dnf5/issues/1129 This reverts commit 9292d2cb5747caaf1ef165bc8806680d0190ed20. --- qubesbuilder/plugins/installer/Makefile | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/qubesbuilder/plugins/installer/Makefile b/qubesbuilder/plugins/installer/Makefile index e75b149f..3c43c1ba 100644 --- a/qubesbuilder/plugins/installer/Makefile +++ b/qubesbuilder/plugins/installer/Makefile @@ -130,12 +130,12 @@ iso-packages-anaconda: $(DNF) $(DNF_OPTS) clean all # workaround for https://github.com/rpm-software-management/dnf/issues/1974 rpmkeys --root=$(DNF_ROOT) --import $$(sed -n '/gpgkey *= *file:/{s,.*file://,,;p}' $(DNF_ROOT)/etc/yum.repos.d/*.repo) - umask 022; $(DNF) $(DNF_OPTS) download --destdir=$(BASE_DIR)/os/Packages --resolve $(shell cat $(DNF_PACKAGES)) + umask 022; $(DNF) $(DNF_OPTS) --downloaddir=$(BASE_DIR)/os/Packages --downloadonly install $(shell cat $(DNF_PACKAGES)) pushd $(BASE_DIR)/os/ && $(CREATEREPO) -q -g $(TMP_DIR)/comps.xml . iso-packages-lorax: $(DNF) $(DNF_OPTS) clean all - umask 022; $(DNF) $(DNF_OPTS) download --destdir=$(INSTALLER_DIR)/yum/installer/rpm --resolve $(shell cat $(LORAX_PACKAGES)) + umask 022; $(DNF) $(DNF_OPTS) --downloaddir=$(INSTALLER_DIR)/yum/installer/rpm --downloadonly install $(shell cat $(LORAX_PACKAGES)) pushd $(INSTALLER_DIR)/yum/installer && $(CREATEREPO) -q -g $(TMP_DIR)/comps.xml --update . iso-templates-cache: iso-prepare iso-parse-kickstart 
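Review bot: Both restored `--downloadonly install` lines (iso-packages-anaconda and iso-packages-lorax) feed straight into `$(CREATEREPO)` with nothing in the recipe confirming that the downloaded RPMs carry a valid signature. That is left entirely to whatever `$(DNF)` resolves to and to the gpgcheck settings in `$(DNF_OPTS)`, which are not visible in this hunk. A package manager that silently skips verification here would put unverified packages on the ISO, so an explicit post-download check before createrepo would make the recipe fail closed, e.g. `rpmkeys --root=$(DNF_ROOT) --checksig $(BASE_DIR)/os/Packages/*.rpm`. Its output should be tested for a signature result rather than trusting the exit status alone, because an unsigned package can still pass the digest check on some rpm versions. If that is considered too heavy, a comment above each download line stating that signature enforcement depends on the dnf implementation would at least record the assumption.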
@@ -149,7 +149,7 @@ iso-templates-cache: iso-prepare iso-parse-kickstart $(DNF) $(DNF_OPTS) clean all rpmkeys --root=$(DNF_ROOT) --import $$(sed -n '/gpgkey *= *file:/{s,.*file://,,;p}' $(DNF_ROOT)/etc/yum.repos.d/*.repo) - umask 022; $(DNF) $(DNF_OPTS_TEMPLATES) download --destdir=$(BUILDER_DIR)/repository/templates $(TEMPLATE_PACKAGES) + umask 022; $(DNF) $(DNF_OPTS_TEMPLATES) --downloaddir=$(INSTALLER_DIR)/yum/installer/rpm --downloaddir=$(BUILDER_DIR)/repository/templates download $(TEMPLATE_PACKAGES) # # CAGE -> MOCK From 6a696490847de471c0a6091463101de350b3a0a3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?= Date: Sat, 4 Jan 2025 16:48:32 +0100 Subject: [PATCH 2/3] installer: use old dnf until dnf5 fixes signature verification dnf5 install --downloadonly does not verifies signatures, so use the old one for the time being. Workaround for https://github.com/rpm-software-management/dnf5/issues/1985 --- qubesbuilder/plugins/installer/Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/qubesbuilder/plugins/installer/Makefile b/qubesbuilder/plugins/installer/Makefile index 3c43c1ba..93a792c4 100644 --- a/qubesbuilder/plugins/installer/Makefile +++ b/qubesbuilder/plugins/installer/Makefile @@ -40,7 +40,7 @@ ISO_VOLID := $(shell echo $(ISO_NAME) | tr a-z A-Z | tr -s -c [:alnum:]'\n' - | BASE_DIR := $(INSTALLER_DIR)/work/$(ISO_VERSION)/x86_64 TMP_DIR:= $(BUILDER_DIR)/tmp -DNF := /usr/bin/dnf +DNF := /usr/bin/dnf-3 DNF_ROOT := $(BUILDER_DIR)/dnfroot DNF_REPO := $(DNF_ROOT)/etc/yum.repos.d/installer.repo DNF_PACKAGES := $(DNF_ROOT)/tmp/packages.list From 05b7bc101d943febe39ac73bdbbe81a8ad28d195 Mon Sep 17 00:00:00 2001 
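Review bot: The restored iso-templates-cache download line passes `--downloaddir` twice, first with `$(INSTALLER_DIR)/yum/installer/rpm` and then with `$(BUILDER_DIR)/repository/templates`. The first value looks like a leftover copied from iso-packages-lorax. The templates presumably land in the second directory only because the last occurrence wins during option parsing, which is easy to break when the line is edited again. I would drop the first option so the destination is unambiguous: `umask 022; $(DNF) $(DNF_OPTS_TEMPLATES) --downloaddir=$(BUILDER_DIR)/repository/templates download $(TEMPLATE_PACKAGES)`.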
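Review bot: The pin `DNF := /usr/bin/dnf-3` carries no comment in the Makefile, so the reason for it lives only in the commit message. The workaround is then likely either to outlive the upstream fix or to be switched back to dnf5 by someone who does not know signature verification is at stake. I would add a comment above the assignment such as `# dnf5 "install --downloadonly" does not verify package signatures (rpm-software-management/dnf5#1985); keep dnf-3 until that is fixed`. The absolute path also means a build host without dnf-3 fails only when the first recipe runs; whether an earlier existence check is wanted depends on how the build environment is provisioned, which this hunk does not show.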
From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?= Date: Mon, 6 Jan 2025 04:35:24 +0100 Subject: [PATCH 3/3] tests: fix setting temporary gpg home When $GPGHOME is set to $HOME/.gnupg, gpg will use default gpg-agent socket path ($XDG_RUNTIME_DIR/gnupg/S.gpg-agent). If there is gpg-agent for the original home already running, it will get used, instead of the one for modified $HOME/$GNUPGHOME. Fix this by setting $GNUPGHOME to a slightly modified dir, so it doesn't fall into the default case. --- tests/test_cli.py | 39 ++++++++++++++++++------------------ tests/test_cli_repository.py | 6 +++--- tests/test_scripts.py | 10 ++++----- 3 files changed, 28 insertions(+), 27 deletions(-) diff --git a/tests/test_cli.py b/tests/test_cli.py index d950965d..05131c0b 100644 --- a/tests/test_cli.py +++ b/tests/test_cli.py @@ -464,7 +464,7 @@ def test_component_host_fc37_sign(artifacts_dir): ) with tempfile.TemporaryDirectory() as tmpdir: - gnupghome = f"{tmpdir}/.gnupg" + gnupghome = f"{tmpdir}/gnupg" # Better copy testing keyring into a separate directory to prevent locks inside # local sources (when executed locally). shutil.copytree(PROJECT_PATH / "tests/gnupg", gnupghome) @@ -526,7 +526,7 @@ def test_component_host_fc37_sign(artifacts_dir): def test_component_host_fc37_publish(artifacts_dir): env = os.environ.copy() with tempfile.TemporaryDirectory() as tmpdir: - gnupghome = f"{tmpdir}/.gnupg" + gnupghome = f"{tmpdir}/gnupg" shutil.copytree(PROJECT_PATH / "tests/gnupg", gnupghome) os.chmod(gnupghome, 0o700) @@ -746,7 +746,7 @@ def test_component_host_fc37_publish(artifacts_dir): def test_component_host_fc37_upload(artifacts_dir): env = os.environ.copy() with tempfile.TemporaryDirectory() as tmpdir: - gnupghome = f"{tmpdir}/.gnupg" + gnupghome = f"{tmpdir}/gnupg" shutil.copytree(PROJECT_PATH / "tests/gnupg", gnupghome) os.chmod(gnupghome, 0o700) builder_conf = tmpdir + "/builder.yml" 
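Review bot: The `gnupghome = f"{tmpdir}/gnupg"` / `shutil.copytree(...)` / `os.chmod(gnupghome, 0o700)` sequence changed in test_component_host_fc37_sign is repeated in the other test_cli.py and test_cli_repository.py hunks of this patch, so the fix had to be applied by hand in each of them. Any copy that is missed, or added later with the old `.gnupg` path, would quietly talk to the gpg-agent of the developer's real keyring again instead of the throwaway test keyring. tests/test_scripts.py already wraps the same setup in a `home_directory` fixture; a shared fixture or helper used by test_cli.py and test_cli_repository.py would keep the path in one place. A short comment at that single definition, e.g. `# not "$HOME/.gnupg": that is gpg's default home and would reuse an already running agent's socket`, would record why the directory name matters.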
@@ -852,7 +852,7 @@ def test_component_host_fc37_build_skip(artifacts_dir): def test_component_host_fc37_sign_skip(artifacts_dir): env = os.environ.copy() with tempfile.TemporaryDirectory() as tmpdir: - gnupghome = f"{tmpdir}/.gnupg" + gnupghome = f"{tmpdir}/gnupg" shutil.copytree(PROJECT_PATH / "tests/gnupg", gnupghome) os.chmod(gnupghome, 0o700) @@ -893,7 +893,7 @@ def test_component_host_fc37_sign_skip(artifacts_dir): def test_component_host_fc37_unpublish(artifacts_dir): env = os.environ.copy() with tempfile.TemporaryDirectory() as tmpdir: - gnupghome = f"{tmpdir}/.gnupg" + gnupghome = f"{tmpdir}/gnupg" shutil.copytree(PROJECT_PATH / "tests/gnupg", gnupghome) os.chmod(gnupghome, 0o700) @@ -1101,7 +1101,7 @@ def test_component_vm_bookworm_build(artifacts_dir): def test_component_vm_bookworm_sign(artifacts_dir): env = os.environ.copy() with tempfile.TemporaryDirectory() as tmpdir: - gnupghome = f"{tmpdir}/.gnupg" + gnupghome = f"{tmpdir}/gnupg" shutil.copytree(PROJECT_PATH / "tests/gnupg", gnupghome) os.chmod(gnupghome, 0o700) @@ -1152,7 +1152,7 @@ def test_component_vm_bookworm_sign(artifacts_dir): def test_component_vm_bookworm_publish(artifacts_dir): env = os.environ.copy() with tempfile.TemporaryDirectory() as tmpdir: - gnupghome = f"{tmpdir}/.gnupg" + gnupghome = f"{tmpdir}/gnupg" shutil.copytree(PROJECT_PATH / "tests/gnupg", gnupghome) os.chmod(gnupghome, 0o700) @@ -1338,7 +1338,7 @@ def test_component_vm_bookworm_build_skip(artifacts_dir): def test_component_vm_bookworm_sign_skip(artifacts_dir): env = os.environ.copy() with tempfile.TemporaryDirectory() as tmpdir: - gnupghome = f"{tmpdir}/.gnupg" + gnupghome = f"{tmpdir}/gnupg" shutil.copytree(PROJECT_PATH / "tests/gnupg", gnupghome) os.chmod(gnupghome, 0o700) 
@@ -1376,7 +1376,7 @@ def test_component_vm_bookworm_unpublish(artifacts_dir): env = os.environ.copy() with tempfile.TemporaryDirectory() as tmpdir: - gnupghome = f"{tmpdir}/.gnupg" + gnupghome = f"{tmpdir}/gnupg" shutil.copytree(PROJECT_PATH / "tests/gnupg", gnupghome) os.chmod(gnupghome, 0o700) @@ -1492,7 +1492,7 @@ def test_increment_component_fetch(artifacts_dir): def test_increment_component_build(artifacts_dir): env = os.environ.copy() with tempfile.TemporaryDirectory() as tmpdir: - gnupghome = f"{tmpdir}/.gnupg" + gnupghome = f"{tmpdir}/gnupg" shutil.copytree(PROJECT_PATH / "tests/gnupg", gnupghome) os.chmod(gnupghome, 0o700) @@ -1658,7 +1658,7 @@ def test_component_vm_archlinux_sign(artifacts_dir): env = os.environ.copy() with tempfile.TemporaryDirectory() as tmpdir: - gnupghome = f"{tmpdir}/.gnupg" + gnupghome = f"{tmpdir}/gnupg" # Better copy testing keyring into a separate directory to prevent locks inside # local sources (when executed locally). shutil.copytree(PROJECT_PATH / "tests/gnupg", gnupghome) @@ -1702,7 +1702,7 @@ def test_component_vm_archlinux_sign(artifacts_dir): def test_component_vm_archlinux_publish(artifacts_dir): env = os.environ.copy() with tempfile.TemporaryDirectory() as tmpdir: - gnupghome = f"{tmpdir}/.gnupg" + gnupghome = f"{tmpdir}/gnupg" shutil.copytree(PROJECT_PATH / "tests/gnupg", gnupghome) os.chmod(gnupghome, 0o700) @@ -1823,7 +1823,7 @@ def test_component_vm_archlinux_publish(artifacts_dir): def test_component_vm_archlinux_upload(artifacts_dir): env = os.environ.copy() with tempfile.TemporaryDirectory() as tmpdir: - gnupghome = f"{tmpdir}/.gnupg" + gnupghome = f"{tmpdir}/gnupg" shutil.copytree(PROJECT_PATH / "tests/gnupg", gnupghome) os.chmod(gnupghome, 0o700) builder_conf = tmpdir + "/builder.yml" 
@@ -1960,7 +1960,7 @@ def test_template_fedora_40_build(artifacts_dir): def test_template_fedora_40_minimal_sign(artifacts_dir): env = os.environ.copy() with tempfile.TemporaryDirectory() as tmpdir: - gnupghome = f"{tmpdir}/.gnupg" + gnupghome = f"{tmpdir}/gnupg" # Better copy testing keyring into a separate directory to prevent locks inside # local sources (when executed locally). shutil.copytree(PROJECT_PATH / "tests/gnupg", gnupghome) @@ -1970,6 +1970,7 @@ def test_template_fedora_40_minimal_sign(artifacts_dir): # We prevent rpm to find ~/.rpmmacros env["HOME"] = tmpdir + qb_call( DEFAULT_BUILDER_CONF, artifacts_dir, @@ -2004,7 +2005,7 @@ def test_template_fedora_40_minimal_sign(artifacts_dir): def test_template_fedora_40_minimal_publish(artifacts_dir): env = os.environ.copy() with tempfile.TemporaryDirectory() as tmpdir: - gnupghome = f"{tmpdir}/.gnupg" + gnupghome = f"{tmpdir}/gnupg" shutil.copytree(PROJECT_PATH / "tests/gnupg", gnupghome) os.chmod(gnupghome, 0o700) @@ -2095,7 +2096,7 @@ def test_template_fedora_40_minimal_publish(artifacts_dir): def test_template_fedora_40_minimal_publish_new(artifacts_dir): env = os.environ.copy() with tempfile.TemporaryDirectory() as tmpdir: - gnupghome = f"{tmpdir}/.gnupg" + gnupghome = f"{tmpdir}/gnupg" shutil.copytree(PROJECT_PATH / "tests/gnupg", gnupghome) os.chmod(gnupghome, 0o700) @@ -2220,7 +2221,7 @@ def test_template_fedora_40_minimal_publish_new(artifacts_dir): def test_template_fedora_40_minimal_unpublish(artifacts_dir): env = os.environ.copy() with tempfile.TemporaryDirectory() as tmpdir: - gnupghome = f"{tmpdir}/.gnupg" + gnupghome = f"{tmpdir}/gnupg" shutil.copytree(PROJECT_PATH / "tests/gnupg", gnupghome) os.chmod(gnupghome, 0o700) 
@@ -2407,7 +2408,7 @@ def test_template_debian_12_minimal_build(artifacts_dir): def test_template_debian_12_minimal_sign(artifacts_dir): env = os.environ.copy() with tempfile.TemporaryDirectory() as tmpdir: - gnupghome = f"{tmpdir}/.gnupg" + gnupghome = f"{tmpdir}/gnupg" # Better copy testing keyring into a separate directory to prevent locks inside # local sources (when executed locally). shutil.copytree(PROJECT_PATH / "tests/gnupg", gnupghome) @@ -2451,7 +2452,7 @@ def test_template_debian_12_minimal_sign(artifacts_dir): def test_template_debian_12_minimal_publish(artifacts_dir): env = os.environ.copy() with tempfile.TemporaryDirectory() as tmpdir: - gnupghome = f"{tmpdir}/.gnupg" + gnupghome = f"{tmpdir}/gnupg" shutil.copytree(PROJECT_PATH / "tests/gnupg", gnupghome) os.chmod(gnupghome, 0o700) diff --git a/tests/test_cli_repository.py b/tests/test_cli_repository.py index 1ea281da..79f7d97c 100644 --- a/tests/test_cli_repository.py +++ b/tests/test_cli_repository.py @@ -57,7 +57,7 @@ def qb_call_output(builder_conf, artifacts_dir, *args, **kwargs): def test_repository_create_vm_fc40(artifacts_dir): env = os.environ.copy() with tempfile.TemporaryDirectory() as tmpdir: - gnupghome = f"{tmpdir}/.gnupg" + gnupghome = f"{tmpdir}/gnupg" shutil.copytree(PROJECT_PATH / "tests/gnupg", gnupghome) os.chmod(gnupghome, 0o700) @@ -98,7 +98,7 @@ def test_repository_create_vm_fc40(artifacts_dir): def test_repository_create_vm_bookworm(artifacts_dir): env = os.environ.copy() with tempfile.TemporaryDirectory() as tmpdir: - gnupghome = f"{tmpdir}/.gnupg" + gnupghome = f"{tmpdir}/gnupg" shutil.copytree(PROJECT_PATH / "tests/gnupg", gnupghome) os.chmod(gnupghome, 0o700) 
@@ -130,7 +130,7 @@ def test_repository_create_vm_bookworm(artifacts_dir): def test_repository_create_template(artifacts_dir): env = os.environ.copy() with tempfile.TemporaryDirectory() as tmpdir: - gnupghome = f"{tmpdir}/.gnupg" + gnupghome = f"{tmpdir}/gnupg" shutil.copytree(PROJECT_PATH / "tests/gnupg", gnupghome) os.chmod(gnupghome, 0o700) diff --git a/tests/test_scripts.py b/tests/test_scripts.py index f5e520fb..0987bd30 100644 --- a/tests/test_scripts.py +++ b/tests/test_scripts.py @@ -29,7 +29,7 @@ def temp_directory(): @pytest.fixture def home_directory(temp_directory): - gnupghome = f"{temp_directory}/.gnupg" + gnupghome = f"{temp_directory}/gnupg" shutil.copytree(PROJECT_PATH / "tests/gnupg", gnupghome) os.chmod(gnupghome, 0o700) # Initialize the conf @@ -390,7 +390,7 @@ def test_non_qubesos_repository_with_maintainer_and_signed_tag( def test_repository_with_multiple_distinct_signatures( temp_directory, home_directory ): - gnupg_dir = home_directory / ".gnupg" + gnupg_dir = home_directory / "gnupg" remote_repo_dir = temp_directory / "remote_repo" repo_dir = temp_directory / "repo" key_ids = [ @@ -443,7 +443,7 @@ def test_repository_with_multiple_distinct_signatures( def test_repository_with_multiple_non_distinct_signatures( temp_directory, home_directory ): - gnupg_dir = home_directory / ".gnupg" + gnupg_dir = home_directory / "gnupg" remote_repo_dir = temp_directory / "remote_repo" repo_dir = temp_directory / "repo" key_ids = [ @@ -502,7 +502,7 @@ def test_repository_with_multiple_non_distinct_signatures( def test_repository_with_multiple_distinct_signatures_not_in_maintainers( temp_directory, home_directory ): - gnupg_dir = home_directory / ".gnupg" + gnupg_dir = home_directory / "gnupg" remote_repo_dir = temp_directory / "remote_repo" repo_dir = temp_directory / "repo" key_ids = [ 
@@ -553,7 +553,7 @@ def test_repository_with_multiple_distinct_signatures_not_in_maintainers( def test_repository_with_signed_commit(capsys, temp_directory, home_directory): - gnupg_dir = home_directory / ".gnupg" + gnupg_dir = home_directory / "gnupg" remote_repo_dir = temp_directory / "remote_repo" repo_dir = temp_directory / "repo" key_ids = [