Verify RPM packages with third-party GPG keys

README.md

@@ -349,7 +349,7 @@ Key:
 #### External Source Files
 
 SoCks requires external files in order to build this block. The following template packages are available:
-- **AlmaLinux8**: Contains template files to build an AlmaLinux 8 root file system. The optional file `mod_base_install.sh` allows to modify the base root file system after all packages have been added, but before any other modifications have been made to it. The optional file `conclude_install.sh` allows to finalize the creation of the root file system. The optional folder `predefined_fs_layers` allows to add static layers that are added to the base root file system. Every layer requires a shell script that is used to add the layer. The file `dnf_build_time.conf` is the dnf configuration used at build time. This file must contain all repositories that are required to build the root file system including all package specified.
+- **AlmaLinux8**: Contains template files to build an AlmaLinux 8 root file system. The optional file `mod_base_install.sh` allows to modify the base root file system after all packages have been added, but before any other modifications have been made to it. The optional file `conclude_install.sh` allows to finalize the creation of the root file system. The optional folder `predefined_fs_layers` allows to add static layers that are added to the base root file system. Every layer requires a shell script that is used to add the layer. The file `dnf_build_time.conf` is the dnf configuration used at build time. This file must contain all repositories that are required to build the root file system including all package specified. The optional folder `rpm_gpg_keys_build_time` allows to add third-party GPG keys to the build environment. All files in this folder are copied to `/etc/pki/rpm-gpg/` in the build environment (usually the build container). Repositories specified in `dnf_build_time.conf` can use these GPG keys to verify the integrity of packages.
 - **AlmaLinux9**: Contains template files to build an AlmaLinux 9 root file system. The files and folders in this package are equivalent to the ones in the *AlmaLinux8* package.
 
 ### ZynqMP_AlpineLinux_RAMFS_Builder

src/abstract_builders/almalinux_rootfs_builder.py

@@ -37,6 +37,7 @@ def __init__(
         # Project files
         # dnf configuration file to be used to build the file system for the target architecture
         self._dnf_conf_file = self._resources_dir / "dnf_build_time.conf"
+        self._rpm_gpg_keys_dir = self._resources_dir / "rpm_gpg_keys_build_time"
 
     @property
     def _block_deps(self):
@@ -172,6 +173,10 @@ def build_base_file_system(self):
                 f"    mkdir -p {self._build_dir}/usr/bin && "
                 f"    cp -a /usr/bin/qemu-{self._target_arch_qemu}-static {self._build_dir}/usr/bin/; "
                 f"fi",
+                # Copy RPM GPG keys to the default location
+                f"if [ -d {self._rpm_gpg_keys_dir} ]; then "
+                f"    find {self._rpm_gpg_keys_dir} -maxdepth 1 -type f -exec cp -t /etc/pki/rpm-gpg/ {{}} +; "
+                f"fi",
                 # Clean all cache files generated from repository metadata
                 dnf_base_command + "clean all",
                 # Update all the installed packages
@@ -211,6 +216,67 @@ def build_base_file_system(self):
             self._build_log.del_logged_timestamp(identifier=f"function-add_bt_layer-success")
             self._build_log.del_logged_timestamp(identifier=f"function-add_users-success")
 
+    def _run_mod_script(self, mod_script: pathlib.Path, mod_script_params: list[str]):
+        """
+        Runs a user-defined shell script to modify the root file system.
+
+        Args:
+            mod_script_path:
+                Path of the script to be used.
+
+        Returns:
+            None
+
+        Raises:
+            None
+        """
+
+        if not mod_script.is_file():
+            pretty_print.print_info(f"No user-defined file '{mod_script.name}' found. The file system is not modified.")
+            return
+
+        # Check whether the file system needs to be modified
+        if not Build_Validator.check_rebuild_bc_timestamp(
+            src_search_list=[mod_script],
+            out_timestamp=self._build_log.get_logged_timestamp(
+                identifier=f"function-{inspect.getouterframes(inspect.currentframe(), 2)[1][3]}-success"
+            ),
+        ):
+            pretty_print.print_build(f"No need to execute {mod_script.name}. No altered source files detected...")
+            return
+
+        with self._build_log.timestamp(
+            identifier=f"function-{inspect.getouterframes(inspect.currentframe(), 2)[1][3]}-success"
+        ):
+            pretty_print.print_build(f"Executing {mod_script.name}...")
+
+            run_mo_script_commands = [
+                # If a QEMU binary exists, it is likely needed to run binaries for the target architecture on an x86 system during build. So copy it to build_dir.
+                f"if [ -e /usr/bin/qemu-{self._target_arch_qemu}-static ]; then "
+                f"    mkdir -p {self._build_dir}/usr/bin && "
+                f"    cp -a /usr/bin/qemu-{self._target_arch_qemu}-static {self._build_dir}/usr/bin/; "
+                f"fi",
+                # Copy RPM GPG keys to the default location
+                f"if [ -d {self._rpm_gpg_keys_dir} ]; then "
+                f"    find {self._rpm_gpg_keys_dir} -maxdepth 1 -type f -exec cp -t /etc/pki/rpm-gpg/ {{}} +; "
+                f"fi",
+                # Call user-defined script
+                f"chmod a+x {mod_script}",
+                f"{mod_script} {' '.join(mod_script_params)}",
+                # The QEMU binary if only required during build, so delete it if it exists
+                f"rm -f {self._build_dir}/usr/bin/qemu-{self._target_arch_qemu}-static",
+            ]
+
+            # The root user is used in this container. This is necessary in order to build a RootFS image.
+            self.container_executor.exec_sh_commands(
+                commands=run_mo_script_commands,
+                dirs_to_mount=[(self._resources_dir, "Z"), (self._work_dir, "Z")],
+                print_commands=True,
+                run_as_root=True,
+                logfile=self._block_temp_dir / f"{mod_script.stem}.log",
+                output_scrolling=True,
+            )
+
     def run_base_install_mod_script(self):
         """
         Runs a user-defined shell script to make changes to the base installation.
@@ -310,6 +376,10 @@ def add_addl_packages(self):
                 f"    mkdir -p {self._build_dir}/usr/bin && "
                 f"    cp -a /usr/bin/qemu-{self._target_arch_qemu}-static {self._build_dir}/usr/bin/; "
                 f"fi",
+                # Copy RPM GPG keys to the default location
+                f"if [ -d {self._rpm_gpg_keys_dir} ]; then "
+                f"    find {self._rpm_gpg_keys_dir} -maxdepth 1 -type f -exec cp -t /etc/pki/rpm-gpg/ {{}} +; "
+                f"fi",
                 # Update all the installed packages
                 dnf_base_command + "update",
                 # Installing user defined packages
@@ -472,6 +542,10 @@ def add_addl_ext_packages(self):
                 f"    mkdir -p {self._build_dir}/usr/bin && "
                 f"    cp -a /usr/bin/qemu-{self._target_arch_qemu}-static {self._build_dir}/usr/bin/; "
                 f"fi",
+                # Copy RPM GPG keys to the default location
+                f"if [ -d {self._rpm_gpg_keys_dir} ]; then "
+                f"    find {self._rpm_gpg_keys_dir} -maxdepth 1 -type f -exec cp -t /etc/pki/rpm-gpg/ {{}} +; "
+                f"fi",
                 # Update all the installed packages
                 dnf_base_command + "update",
                 # Movo to directory with local packages
@@ -639,3 +713,33 @@ def build_archive(self, prebuilt: bool = False):
             archive_name = self._file_system_name
 
         self._build_archive(archive_name=archive_name, file_extension="tar.xz", tar_compress_param="-I pxz")
+
+    def start_container(self):
+        """
+        Starts an interactive container with which the block can be built.
+
+        Args:
+            None
+
+        Returns:
+            None
+
+        Raises:
+            None
+        """
+
+        potential_mounts = [
+            (self._dependencies_dir, "Z"),
+            (self._block_src_dir, "Z"),
+            (self._work_dir, "Z"),
+            (self._output_dir, "Z"),
+        ]
+
+        init_commands = [
+            # Copy RPM GPG keys to the default location
+            f"if [ -d {self._rpm_gpg_keys_dir} ]; then "
+            f"    find {self._rpm_gpg_keys_dir} -maxdepth 1 -type f -exec sudo cp -t /etc/pki/rpm-gpg/ {{}} +; "
+            f"fi"
+        ]
+
+        self.container_executor.start_container(potential_mounts=potential_mounts, init_commands=init_commands)

src/socks/container/alma8-rootfs-build-env-alma8.containerfile

@@ -9,7 +9,4 @@ RUN dnf -y install make wget git python3 && \
 # Install required packages to modify the base RootFS
     dnf -y install rsync && \
 # Install required packages to package the RootFS
-    dnf -y install pigz pxz
-
-# Install GPG key for CERN repos
-RUN curl -o "/etc/pki/rpm-gpg/RPM-GPG-KEY-kojiv2" "https://gitlab.cern.ch/api/v4/projects/141918/repository/files/src%2FRPM-GPG-KEY-kojiv2/raw?ref=main"
+    dnf -y install pigz pxz

src/socks/container/alma9-rootfs-build-env-alma9.containerfile

@@ -9,7 +9,4 @@ RUN dnf -y install make wget git python3 && \
 # Install required packages to modify the base RootFS
     dnf -y install rsync && \
 # Install required packages to package the RootFS
-    dnf -y install pigz pxz
-
-# Install GPG key for CERN repos
-RUN curl -o "/etc/pki/rpm-gpg/RPM-GPG-KEY-kojiv2" "https://gitlab.cern.ch/api/v4/projects/141918/repository/files/src%2FRPM-GPG-KEY-kojiv2/raw?ref=main"
+    dnf -y install pigz pxz