[main] Adding Mariner's GPG keys to RPM's database in the worker chroot. (#2640)

* Update 'tdnf' to import Mariner GPG keys.

* Removing '--assumeyes'.

SPECS/tdnf/tdnf.spec

@@ -1,7 +1,7 @@
 Summary:        dnf/yum equivalent using C libs
 Name:           tdnf
 Version:        3.2.2
-Release:        1%{?dist}
+Release:        2%{?dist}
 License:        LGPLv2.1 AND GPLv2
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -37,6 +37,7 @@ Requires:       curl
 Requires:       libmetalink
 Requires:       libsolv
 Requires:       openssl-libs
+Requires:       rpm
 Requires:       rpm-libs
 Requires:       tdnf-cli-libs = %{version}-%{release}
 Obsoletes:      yum
@@ -133,6 +134,12 @@ find %{buildroot} -name '*.pyc' -delete
 
 %ldconfig_scriptlets
 
+%triggerin -n %{name} -- mariner-repos-shared
+for gpg_key in $(rpm -q -l mariner-repos-shared | grep "rpm-gpg")
+do
+    rpm --import "$gpg_key"
+done
+
 %files
 %license COPYING
 %defattr(-,root,root,0755)
@@ -178,6 +185,9 @@ find %{buildroot} -name '*.pyc' -delete
 %{_bindir}/tdnf-automatic
 
 %changelog
+* Thu Mar 31 2022 Pawel Winogrodzki <pawelwi@microsoft.com> - 3.2.2-2
+- Installing Mariner GPG keys when present/installed.
+
 * Wed Jan 12 2022 Mateusz Malisz <mamalisz@microsoft.com> - 3.2.2-1
 - Update to 3.2.2 version
 - Remove upstreamed patches

toolkit/resources/manifests/package/pkggen_core_aarch64.txt

@@ -193,10 +193,10 @@ krb5-1.19.2-1.cm2.aarch64.rpm
 curl-7.82.0-1.cm2.aarch64.rpm
 curl-devel-7.82.0-1.cm2.aarch64.rpm
 curl-libs-7.82.0-1.cm2.aarch64.rpm
-tdnf-3.2.2-1.cm2.aarch64.rpm
+tdnf-3.2.2-2.cm2.aarch64.rpm
-tdnf-cli-libs-3.2.2-1.cm2.aarch64.rpm
+tdnf-cli-libs-3.2.2-2.cm2.aarch64.rpm
-tdnf-devel-3.2.2-1.cm2.aarch64.rpm
+tdnf-devel-3.2.2-2.cm2.aarch64.rpm
-tdnf-plugin-repogpgcheck-3.2.2-1.cm2.aarch64.rpm
+tdnf-plugin-repogpgcheck-3.2.2-2.cm2.aarch64.rpm
 createrepo_c-0.17.5-1.cm2.aarch64.rpm
 libxml2-2.9.13-1.cm2.aarch64.rpm
 libxml2-devel-2.9.13-1.cm2.aarch64.rpm

toolkit/resources/manifests/package/pkggen_core_x86_64.txt

@@ -193,10 +193,10 @@ krb5-1.19.2-1.cm2.x86_64.rpm
 curl-7.82.0-1.cm2.x86_64.rpm
 curl-devel-7.82.0-1.cm2.x86_64.rpm
 curl-libs-7.82.0-1.cm2.x86_64.rpm
-tdnf-3.2.2-1.cm2.x86_64.rpm
+tdnf-3.2.2-2.cm2.x86_64.rpm
-tdnf-cli-libs-3.2.2-1.cm2.x86_64.rpm
+tdnf-cli-libs-3.2.2-2.cm2.x86_64.rpm
-tdnf-devel-3.2.2-1.cm2.x86_64.rpm
+tdnf-devel-3.2.2-2.cm2.x86_64.rpm
-tdnf-plugin-repogpgcheck-3.2.2-1.cm2.x86_64.rpm
+tdnf-plugin-repogpgcheck-3.2.2-2.cm2.x86_64.rpm
 createrepo_c-0.17.5-1.cm2.x86_64.rpm
 libxml2-2.9.13-1.cm2.x86_64.rpm
 libxml2-devel-2.9.13-1.cm2.x86_64.rpm

toolkit/resources/manifests/package/toolchain_aarch64.txt

@@ -542,13 +542,13 @@ systemd-bootstrap-devel-250.3-2.cm2.aarch64.rpm
 systemd-bootstrap-rpm-macros-250.3-2.cm2.noarch.rpm
 tar-1.34-1.cm2.aarch64.rpm
 tar-debuginfo-1.34-1.cm2.aarch64.rpm
-tdnf-3.2.2-1.cm2.aarch64.rpm
+tdnf-3.2.2-2.cm2.aarch64.rpm
-tdnf-autoupdate-3.2.2-1.cm2.aarch64.rpm
+tdnf-autoupdate-3.2.2-2.cm2.aarch64.rpm
-tdnf-cli-libs-3.2.2-1.cm2.aarch64.rpm
+tdnf-cli-libs-3.2.2-2.cm2.aarch64.rpm
-tdnf-debuginfo-3.2.2-1.cm2.aarch64.rpm
+tdnf-debuginfo-3.2.2-2.cm2.aarch64.rpm
-tdnf-devel-3.2.2-1.cm2.aarch64.rpm
+tdnf-devel-3.2.2-2.cm2.aarch64.rpm
-tdnf-plugin-repogpgcheck-3.2.2-1.cm2.aarch64.rpm
+tdnf-plugin-repogpgcheck-3.2.2-2.cm2.aarch64.rpm
-tdnf-python-3.2.2-1.cm2.aarch64.rpm
+tdnf-python-3.2.2-2.cm2.aarch64.rpm
 texinfo-6.8-1.cm2.aarch64.rpm
 texinfo-debuginfo-6.8-1.cm2.aarch64.rpm
 unzip-6.0-19.cm2.aarch64.rpm

toolkit/resources/manifests/package/toolchain_x86_64.txt

@@ -542,13 +542,13 @@ systemd-bootstrap-devel-250.3-2.cm2.x86_64.rpm
 systemd-bootstrap-rpm-macros-250.3-2.cm2.noarch.rpm
 tar-1.34-1.cm2.x86_64.rpm
 tar-debuginfo-1.34-1.cm2.x86_64.rpm
-tdnf-3.2.2-1.cm2.x86_64.rpm
+tdnf-3.2.2-2.cm2.x86_64.rpm
-tdnf-autoupdate-3.2.2-1.cm2.x86_64.rpm
+tdnf-autoupdate-3.2.2-2.cm2.x86_64.rpm
-tdnf-cli-libs-3.2.2-1.cm2.x86_64.rpm
+tdnf-cli-libs-3.2.2-2.cm2.x86_64.rpm
-tdnf-debuginfo-3.2.2-1.cm2.x86_64.rpm
+tdnf-debuginfo-3.2.2-2.cm2.x86_64.rpm
-tdnf-devel-3.2.2-1.cm2.x86_64.rpm
+tdnf-devel-3.2.2-2.cm2.x86_64.rpm
-tdnf-plugin-repogpgcheck-3.2.2-1.cm2.x86_64.rpm
+tdnf-plugin-repogpgcheck-3.2.2-2.cm2.x86_64.rpm
-tdnf-python-3.2.2-1.cm2.x86_64.rpm
+tdnf-python-3.2.2-2.cm2.x86_64.rpm
 texinfo-6.8-1.cm2.x86_64.rpm
 texinfo-debuginfo-6.8-1.cm2.x86_64.rpm
 unzip-6.0-19.cm2.x86_64.rpm

toolkit/tools/imagegen/installutils/installutils.go

@@ -580,7 +580,7 @@ func initializeTdnfConfiguration(installRoot string) (err error) {
 
 	logger.Log.Debugf("Downloading '%s' package to a clean RPM root under '%s'.", releasePackage, installRoot)
 
-	err = shell.ExecuteLive(squashErrors, "tdnf", "download", "--assumeyes", "--alldeps", "--destdir", installRoot, releasePackage)
+	err = shell.ExecuteLive(squashErrors, "tdnf", "download", "--alldeps", "--destdir", installRoot, releasePackage)
 	if err != nil {
 		logger.Log.Errorf("Failed to prepare the RPM database on downloading the 'mariner-release' package: %v", err)
 		return

toolkit/tools/internal/packagerepo/repocloner/rpmrepocloner/rpmrepocloner.go

@@ -269,7 +269,6 @@ func (r *RpmRepoCloner) Clone(cloneDeps bool, packagesToClone ...*pkgjson.Packag
 
 		logger.Log.Debugf("Cloning: %s", pkgName)
 		args := []string{
-			"--assumeyes",
 			"--destdir",
 			chrootDownloadDir,
 			pkgName,
@@ -302,7 +301,6 @@ func (r *RpmRepoCloner) WhatProvides(pkgVer *pkgjson.PackageVer) (packageNames [
 	baseArgs := []string{
 		"provides",
 		provideQuery,
-		"--assumeyes",
 		fmt.Sprintf("--disablerepo=%s", allRepoIDs),
 	}
 
@@ -425,7 +423,6 @@ func (r *RpmRepoCloner) ClonedRepoContents() (repoContents *repocloner.RepoConte
 		tdnfArgs := []string{
 			"list",
 			"ALL",
-			"--assumeyes",
 			fmt.Sprintf("--disablerepo=%s", allRepoIDs),
 			fmt.Sprintf("--enablerepo=%s", checkedRepoID),
 		}

toolkit/tools/pkggen/worker/create_worker_chroot.sh

@@ -22,7 +22,7 @@ chroot_log="$log_path"/$chroot_name.log
 install_one_toolchain_rpm () {
     error_msg_tail="Inspect $chroot_log for more info. Did you hydrate the toolchain?"
 
-    echo "Adding RPM to worker chroot: $1."  | tee -a "$chroot_log"
+    echo "Adding RPM to worker chroot: $1." | tee -a "$chroot_log"
 
     full_rpm_path=$(find "$rpm_path" -name "$1" -type f 2>>"$chroot_log")
     if [ ! $? -eq 0 ] || [ -z "$full_rpm_path" ]
@@ -55,7 +55,7 @@ while read -r package || [ -n "$package" ]; do
 done < "$packages"
 
 TEMP_DB_PATH=/temp_db
-echo "Setting up a clean RPM database before the Berkeley DB -> SQLite conversion under '$TEMP_DB_PATH'."  | tee -a "$chroot_log"
+echo "Setting up a clean RPM database before the Berkeley DB -> SQLite conversion under '$TEMP_DB_PATH'." | tee -a "$chroot_log"
 chroot "$chroot_builder_folder" mkdir -p "$TEMP_DB_PATH"
 chroot "$chroot_builder_folder" rpm --initdb --dbpath="$TEMP_DB_PATH"
 
@@ -64,16 +64,23 @@ while read -r package || [ -n "$package" ]; do
     full_rpm_path=$(find "$rpm_path" -name "$package" -type f 2>>"$chroot_log")
     cp $full_rpm_path $chroot_builder_folder/$package
 
-    echo "Adding RPM DB entry to worker chroot: $package."  | tee -a "$chroot_log"
+    echo "Adding RPM DB entry to worker chroot: $package." | tee -a "$chroot_log"
 
     chroot "$chroot_builder_folder" rpm -i -v --nodeps --noorder --force --dbpath="$TEMP_DB_PATH" --justdb "$package" &>> "$chroot_log"
     chroot "$chroot_builder_folder" rm $package
 done < "$packages"
 
-echo "Overwriting old RPM database with the results of the conversion."  | tee -a "$chroot_log"
+echo "Overwriting old RPM database with the results of the conversion." | tee -a "$chroot_log"
 chroot "$chroot_builder_folder" rm -rf /var/lib/rpm
 chroot "$chroot_builder_folder" mv "$TEMP_DB_PATH" /var/lib/rpm
 
+echo "Importing CBL-Mariner GPG keys." | tee -a "$chroot_log"
+for gpg_key in $(chroot "$chroot_builder_folder" rpm -q -l mariner-repos-shared | grep "rpm-gpg")
+do
+    echo "Importing GPG key: $gpg_key" | tee -a "$chroot_log"
+    chroot "$chroot_builder_folder" rpm --import "$gpg_key"
+done
+
 HOME=$ORIGINAL_HOME
 
 # In case of Docker based build do not add the below folders into chroot tarball