vhaudiquet/pkh
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

apt/keyring: always download in binary format
Some checks failed
CI / build (push) Failing after 13m17s
Details
CI / snap (push) Has been skipped
Details

Browse Source
This commit is contained in:
Valentin Haudiquet
2026-02-19 14:33:59 +01:00
parent b508dd3d82
commit 3e9ec95886
1 changed files with 35 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

38
src/apt/keyring.rs
View File

@@ -22,12 +22,15 @@ struct LaunchpadPpaResponse {
/// instead of the system apt keyring directory, allowing non-root usage. /// instead of the system apt keyring directory, allowing non-root usage.
/// The returned path can be passed to mmdebstrap via --keyring. /// The returned path can be passed to mmdebstrap via --keyring.
/// ///
/// For Debian keyrings (which are ASCII-armored .asc files), the key is
/// converted to binary GPG format using gpg --dearmor.
///
/// # Arguments /// # Arguments
/// * `ctx` - Optional context to use /// * `ctx` - Optional context to use
/// * `series` - The distribution series (e.g., "noble", "sid") /// * `series` - The distribution series (e.g., "noble", "sid")
/// ///
/// # Returns /// # Returns
/// The path to the downloaded keyring file /// The path to the downloaded keyring file (in binary GPG format)
pub async fn download_cache_keyring( pub async fn download_cache_keyring(
ctx: Option<Arc<context::Context>>, ctx: Option<Arc<context::Context>>,
series: &str, series: &str,
@@ -54,7 +57,7 @@ pub async fn download_cache_keyring(
.next_back() .next_back()
.unwrap_or("pkh-{}.gpg") .unwrap_or("pkh-{}.gpg")
.replace("{}", series); .replace("{}", series);
let keyring_path = cache_dir.join(&filename); let download_path = cache_dir.join(&filename);
// Download the keyring using curl // Download the keyring using curl
let mut curl_cmd = ctx.command("curl"); let mut curl_cmd = ctx.command("curl");
@@ -64,13 +67,42 @@ pub async fn download_cache_keyring(
.arg("-L") .arg("-L")
.arg(&keyring_url) .arg(&keyring_url)
.arg("--output") .arg("--output")
.arg(&keyring_path); .arg(&download_path);
let status = curl_cmd.status()?; let status = curl_cmd.status()?;
if !status.success() { if !status.success() {
return Err(format!("Failed to download keyring from {}", keyring_url).into()); return Err(format!("Failed to download keyring from {}", keyring_url).into());
} }
// If the downloaded file is an ASCII-armored key (.asc), convert it to binary GPG format
// mmdebstrap's --keyring option expects binary GPG keyrings
let keyring_path = if filename.ends_with(".asc") {
let binary_filename = filename.strip_suffix(".asc").unwrap_or(&filename);
let binary_path = cache_dir.join(format!("{}.gpg", binary_filename));
log::debug!("Converting ASCII-armored key to binary GPG format");
let mut gpg_cmd = ctx.command("gpg");
gpg_cmd
.arg("--dearmor")
.arg("--output")
.arg(&binary_path)
.arg(&download_path);
let status = gpg_cmd.status()?;
if !status.success() {
return Err("Failed to convert keyring to binary format"
.to_string()
.into());
}
// Remove the original .asc file
let _ = ctx.command("rm").arg("-f").arg(&download_path).status();
binary_path
} else {
download_path
};
log::info!( log::info!(
"Successfully downloaded keyring for {} to {}", "Successfully downloaded keyring for {} to {}",
series, series,