Hi,
Isn't the problem that mock uses rpm and dnf from the host environment and expects the GPG key to be there too?
The point is that mock has to be able to install into empty chroots and that's why it's using package manager and configuration from the host environment.
On 21. 01. 21 at 21:30, Michael Ivanov wrote:
Hallo,
I have the following problem: I'm trying to install rpm packages, signed with my local key, into mock chroot.
I use the following procedure:
Create chroot:
mock --arch=x86_64 -r rpm/cs8.cfg --init
Copy my rpm key file into chroot:
mock --arch=x86_64 -r rpm/cs8.cfg --cache-alterations --copyin /etc/pki/rpm-gpg/Local-KEY /etc/pki/rpm-gpg
Install my package into chroot:
mock --arch=x86_64 -r rpm/cs8.cfg --cache-alterations --install my-rpm-package
During package install I get the following error:
Curl error (37): Couldn't read a file:// file for file:///etc/pki/rpm-gpg/Local-KEY [Couldn't open file /etc/pki/rpm-gpg/Local-KEY]
I check chroot contents with: mock --arch=x86_64 -r rpm/cs8.cfg --shell "ls -l /etc/pki/rpm-gpg/Local-KEY"
and it shows me that the file is present. I double-check with:
ls -l /var/lib/mock/cs8/root/etc/pki/rpm-gpg
and this also shows that the file is present. The file is also present on the host system in /etc/pki/rpm-gpg
What am I doing wrong?
Best regards,
--
Михаил Иванов
E-mail: ivans@isle.spb.ru
buildsys mailing list -- buildsys@lists.fedoraproject.org To unsubscribe send an email to buildsys-leave@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/buildsys@lists.fedoraproject.o...
On Friday, January 22, 2021 8:55:02 AM CET Daniel Mach wrote:
Isn't the problem that mock uses rpm and dnf from the host environment and expects the GPG key to be there too?
That would be a good guess, with '--no-bootstrap-chroot'. But nowadays there are two steps by default:
* Host RPM/DNF installs target RPM/DNF into "bootstrap" chroot
* RPM/DNF from bootstrap is used to install the final chroot
And so the gpg keys need to be available in bootstrap chroot, and sometimes also on host, depending on use-case.
There's a mock's internal method [1] which copies GPG keys into both bootstrap and normal chroot, but it only looks at /usr/share/distribution-gpg-keys - so the easiest way is to put the custom GPG keys there. Sometimes it might be a good idea to talk to distribution-gpg-keys [2] maintainer (Mirek Suchý) and include the keys there by default.
[1] https://github.com/rpm-software-management/mock/blob/cbee491d6309222e70f530a...
[2] https://github.com/xsuchy/distribution-gpg-keys
Pavel
Pavel Raiskup wrote:
On Friday, January 22, 2021 8:55:02 AM CET Daniel Mach wrote:
Isn't the problem that mock uses rpm and dnf from the host environment and expects the GPG key to be there too?
That would be a good guess, with '--no-bootstrap-chroot'. But nowadays there are two steps by default:
- Host RPM/DNF installs target RPM/DNF into "bootstrap" chroot
- RPM/DNF from bootstrap is used to install the final chroot
And so the gpg keys need to be available in bootstrap chroot, and sometimes also on host, depending on use-case.
There's a mock's internal method [1] which copies GPG keys into both bootstrap and normal chroot, but it only looks at /usr/share/distribution-gpg-keys - so the easiest way is to put the custom GPG keys there.
Or in /etc/pki/mock, named RPM-GPG-KEY-*. For keys which are not likely to be added to distribution-gpg-keys, this is probably a better location. And then be sure to set the gpgkey parameter in rpm/cs8.cfg appropriately, e.g.:
gpgkey=file:///etc/pki/mock/RPM-GPG-KEY-foo
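A preflight check for the situation discussed in this thread, as an added example that is not part of any post above and is not mock's own code: it lists the file:// gpgkey URLs in a mock config and flags any that lie outside the two locations the replies name (/usr/share/distribution-gpg-keys and /etc/pki/mock/RPM-GPG-KEY-*). The function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example (not mock code): flag gpgkey=file:// paths that the thread
# says will not reach the bootstrap chroot. Function names are hypothetical.

# Print every file:// path found on gpgkey= lines (space- or comma-separated).
list_gpgkeys() {
    sed -n 's/^[[:space:]]*gpgkey[[:space:]]*=[[:space:]]*//p' "$1" |
        tr ' ,' '\n\n' | sed -n 's|^file://||p'
}

# Classify a key path against the two locations named in the thread.
classify_key() {
    case "$1" in
        /usr/share/distribution-gpg-keys/*) echo ok ;;
        /etc/pki/mock/RPM-GPG-KEY-*)        echo ok ;;
        /etc/pki/mock/*)                    echo bad-name ;;
        *)                                  echo not-copied ;;
    esac
}

# Report each key; the optional second argument is a root prefix used for the
# on-host existence check (empty means the real host). Returns 1 on any finding.
check_mock_cfg() {
    cfg=$1 root=${2:-} rc=0
    for key in $(list_gpgkeys "$cfg"); do
        verdict=$(classify_key "$key")
        [ -r "$root$key" ] || verdict="$verdict,missing-on-host"
        echo "$key: $verdict"
        [ "$verdict" = ok ] || rc=1
    done
    return $rc
}

# Constructed sample config: the asker's key path beside the suggested one.
demo=$(mktemp -d)
cat > "$demo/cs8.cfg" <<'EOF'
config_opts['dnf.conf'] = """
[local]
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/Local-KEY file:///etc/pki/mock/RPM-GPG-KEY-foo
"""
EOF
check_mock_cfg "$demo/cs8.cfg" || true
rm -rf "$demo"
```

A "not-copied" verdict means the key would have to be placed into the bootstrap chroot by some other means, which is the failure described in the original question.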