systemd / mkosi

💽 Build Bespoke OS Images
https://mkosi.systemd.io/
GNU Lesser General Public License v2.1

ToolsTreeCertificates=yes still looks for hosts gpg keys for ubuntu, and debian #2788

Closed Vasu77df closed 2 months ago

Vasu77df commented 2 months ago

mkosi commit the issue has been seen with

23.1

Used host distribution

Debian bookworm

Used target distribution

Ubuntu noble

Linux kernel version used

6.8.11-200.fc39.x86_64

CPU architectures issue was seen on

x86_64

Unexpected behaviour you saw

From my understanding of the ToolsTreeCertificates option, based on this line in the mkosi docs:

When ToolsTree is enabled and ToolsTreeCertificates is enabled, mkosi will look for gpg keys in the tools image and not the host, but that does not seem to be the case for Ubuntu, Debian, or rather the apt.py installer.

I suspect the explicit path in signedby lines here is the issue:

Used mkosi config

[Distribution]
Distribution=ubuntu
Release=noble
Repositories=main,universe

[Content]
Bootable=yes
Autologin=yes
Packages=linux-image-generic
         systemd
         systemd-sysv
         udev
         dbus
         adduser
         apparmor
         apt
         apt-listchanges
         apt-utils
         base-files
         base-passwd
         bash
         bash-completion
         bind9-host
         bind9-libs
         ca-certificates
         cpio
         curl
         dash
         dbus
         dbus-bin
         dbus-daemon
         dbus-session-bus-common
         dbus-system-bus-common
         systemd-sysv
         squashfs-tools
         ca-certificates
         gpgv
         grep
         systemd-sysv
         sysvinit-utils
         e2fsprogs
         fdisk
         iproute2
         iputils-ping
         jq
         less
         login
         lsb-release
         neofetch
         locales
         netplan.io
         procps
         python3-pytest
         rsyslog
         sudo
         tzdata
         testinfra
         ubuntu-standard
         unzip
         vim
RemovePackages=
    casper

[Host]
ToolsTree=default
ToolsTreeCertificates=yes

mkosi output

mkosi --debug build
‣ Including configuration file /workspaces/debian/ubuntu_basic/mkosi.conf
‣ Including configuration file /tmp/tmpbx1nhnlz/resources/mkosi-tools/mkosi.conf
‣ Including configuration file /tmp/tmpbx1nhnlz/resources/mkosi-tools/mkosi.conf.d/10-debian-ubuntu.conf
‣ Including configuration file /tmp/tmpbx1nhnlz/resources/mkosi-tools/mkosi.conf
‣ Including configuration file /tmp/tmpbx1nhnlz/resources/mkosi-tools/mkosi.conf.d/10-debian-ubuntu.conf
‣ + stat --file-system --format %T /var/tmp/mkosi-workspace-jmonuk6l
‣ Keyring for repo http://archive.ubuntu.com/ubuntu not found at /usr/share/keyrings/ubuntu-archive-keyring.gpg
‣ (Make sure the right keyring package (e.g. debian-archive-keyring or ubuntu-keyring) is installed)
‣ + rm -rf -- /var/tmp/mkosi-workspace-jmonuk6l
Traceback (most recent call last):
  File "/workspaces/debian/mkosi/mkosi/run.py", line 60, in uncaught_exception_handler
    yield
  File "/workspaces/debian/mkosi/mkosi/run.py", line 101, in fork_and_wait
    target(*args, **kwargs)
  File "/workspaces/debian/mkosi/mkosi/__init__.py", line 4564, in run_sync
    context.config.distribution.setup(context)
  File "/workspaces/debian/mkosi/mkosi/distributions/__init__.py", line 115, in setup
    return self.installer().setup(context)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/workspaces/debian/mkosi/mkosi/distributions/debian.py", line 104, in setup
    Apt.setup(context, cls.repositories(context))
  File "/workspaces/debian/mkosi/mkosi/installer/apt.py", line 119, in setup
    die(
  File "/workspaces/debian/mkosi/mkosi/log.py", line 31, in die
    sys.exit(1)
SystemExit: 1
‣ + tput cnorm
‣ + tput smam

DaanDeMeyer commented 2 months ago

@Vasu77df We need the keyring on the host to build the tools tree image. Isn't that the issue here?

DaanDeMeyer commented 2 months ago

@Vasu77df Ping?

Vasu77df commented 2 months ago

@DaanDeMeyer, sorry about the delayed response, and thank you for taking a look at this. Now thinking about it, it makes sense, yes: to build the tools tree we do need the host's keyring. On this matter we can close this issue.

I have a question on whether mkosi will support any keyring for Mirror= or ToolsTreeMirror= other than ubuntu-archive-keyring.gpg for Ubuntu and the equivalent for Debian. Are there any plans to support a user-defined key for the main Mirror?

My understanding from this line is that it's hardcoded to a specific key.

DaanDeMeyer commented 2 months ago

@Vasu77df We generally assume the mirrors are signed with the same key. If you want to use a different one, you can override it by putting your own key in the same location using PackageManagerTrees=.

For any other questions, please use the discussions tab on GitHub or join the Matrix channel.
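The override described in the reply above, as an added example that is not part of this thread or of the mkosi project: a script that lays out a PackageManagerTrees= overlay with a custom archive key at the exact path the apt installer looked for in the error output (usr/share/keyrings/ubuntu-archive-keyring.gpg for Ubuntu, debian-archive-keyring.gpg for Debian), checks that the host still has its own keyring for the tools-tree build, and writes a matching mkosi.conf. The key file, the mirror URL, and the work directory are placeholders; the two bytes written as a "key" are constructed input so the script runs offline. The option names (Mirror=, PackageManagerTrees=, ToolsTree=, ToolsTreeCertificates=) are the ones used in this thread and in mkosi 23; the section placement of PackageManagerTrees= under [Content] is my assumption for that version.

```shell
#!/bin/sh
# Added example for this thread; not code from the mkosi project.
# Lays out a PackageManagerTrees= overlay that places a custom archive key
# at the path mkosi's apt installer looks for, and writes a matching
# mkosi.conf. Paths, key bytes and the mirror URL are placeholders.
set -eu

# Keyring path the apt installer expects for the target distribution, taken
# from the "Keyring for repo ... not found at ..." message in this issue,
# relative to the tree root.
keyring_path() {
    case "$1" in
        ubuntu) echo "usr/share/keyrings/ubuntu-archive-keyring.gpg" ;;
        debian) echo "usr/share/keyrings/debian-archive-keyring.gpg" ;;
        *) echo "unsupported distribution: $1" >&2; return 1 ;;
    esac
}

# The tools tree is still built with the host's keyring (first reply above),
# so the override does not remove the need for the host keyring package.
host_keyring_present() {
    [ -s "/$(keyring_path "$1")" ]
}

# A file named *.gpg must be a binary OpenPGP export; apt ignores an
# ASCII-armored export under that name (see Signed-By in sources.list(5)).
key_is_binary() {
    [ "$(head -c 5 "$1")" != "-----" ]
}

# Copy KEY into TREE at the distribution's keyring path, world-readable so
# the unprivileged apt user inside the build can open it.
install_override() {
    tree=$1 distro=$2 key=$3
    key_is_binary "$key" || { echo "refusing armored key: $key" >&2; return 1; }
    dest="$tree/$(keyring_path "$distro")"
    mkdir -p "$(dirname "$dest")"
    cp "$key" "$dest"
    chmod 0644 "$dest"
}

override_present() {
    [ -s "$1/$(keyring_path "$2")" ]
}

# mkosi.conf pointing at the overlay and at the mirror that the key signs.
# Everything fetched from Mirror= is then verified against this key only,
# so it must be the key that actually signs that mirror's Release files.
write_conf() {
    tree=$1 distro=$2 release=$3 mirror=$4
    cat <<EOF
[Distribution]
Distribution=$distro
Release=$release
Mirror=$mirror

[Content]
PackageManagerTrees=$tree

[Host]
ToolsTree=default
ToolsTreeCertificates=yes
EOF
}

# Demo on constructed input: the "key" is two bytes shaped like a binary
# OpenPGP packet header, not a real key, so the script runs offline.
work=$(mktemp -d)
printf '\231\001' > "$work/mirror-key.gpg"
install_override "$work/mkosi.pkgmngr" ubuntu "$work/mirror-key.gpg"
write_conf mkosi.pkgmngr ubuntu noble http://mirror.example.internal/ubuntu > "$work/mkosi.conf"
override_present "$work/mkosi.pkgmngr" ubuntu && echo "override in place: $(keyring_path ubuntu)"
host_keyring_present ubuntu || echo "host keyring missing: install ubuntu-keyring before building the tools tree"
rm -rf "$work"
```

Run it from the directory holding your mkosi.conf so that mkosi.pkgmngr ends up next to it; the host-keyring check only warns, because the script cannot install packages for you, but a missing host keyring reproduces exactly the failure in this issue.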