deb: download keyring in cache directory for mmdebstrap

also avoid sudo if we are root
2026-02-19 11:30:33 +01:00
parent 87b48bf9c8
commit b508dd3d82
2 changed files with 65 additions and 36 deletions
--- a/src/deb/ephemeral.rs
+++ b/src/deb/ephemeral.rs
@@ -143,22 +143,17 @@ impl EphemeralContextGuard {
            .arg(lockfile_path.to_string_lossy().to_string())
            .status()?;

-        // Make sure we have the right apt keyrings to mmdebstrap the chroot
-        // Check for root privileges before downloading keyring
-        if crate::utils::root::is_root()? {
-            crate::apt::keyring::download_trust_keyring(Some(ctx.clone()), series).await?;
-        } else {
-            log::info!(
-                "Lacking root privileges. Please ensure that the keyrings for the target distribution are present on your system."
-            );
-        }
+        // Download the keyring to the cache directory
+        let keyring_path =
+            crate::apt::keyring::download_cache_keyring(Some(ctx.clone()), series).await?;

        // Use mmdebstrap to download the tarball to the cache directory
        let mut cmd = ctx.command("mmdebstrap");
        cmd.arg("--variant=buildd")
            .arg("--mode=unshare")
            .arg("--include=mount,curl,ca-certificates")
-            .arg("--format=tar");
+            .arg("--format=tar")
+            .arg(format!("--keyring={}", keyring_path.display()));

        // Add architecture if specified
        if let Some(a) = arch {
@@ -238,10 +233,15 @@ impl EphemeralContextGuard {
            .arg(dev_zero_path.to_string_lossy().to_string())
            .status();

-        // Create new device nodes using fakeroot and mknod
-        let status_null = ctx
-            .command("sudo")
-            .arg("mknod")
+        // Check if we're running as root
+        let is_root = crate::utils::root::is_root()?;
+
+        // Create new device nodes using mknod (with sudo if not root)
+        let mut cmd_null = ctx.command(if is_root { "mknod" } else { "sudo" });
+        if !is_root {
+            cmd_null.arg("mknod");
+        }
+        let status_null = cmd_null
            .arg("-m")
            .arg("666")
            .arg(dev_null_path.to_string_lossy().to_string())
@@ -250,9 +250,11 @@ impl EphemeralContextGuard {
            .arg("3")
            .status()?;

-        let status_zero = ctx
-            .command("sudo")
-            .arg("mknod")
+        let mut cmd_zero = ctx.command(if is_root { "mknod" } else { "sudo" });
+        if !is_root {
+            cmd_zero.arg("mknod");
+        }
+        let status_zero = cmd_zero
            .arg("-m")
            .arg("666")
            .arg(dev_zero_path.to_string_lossy().to_string())
@@ -288,12 +290,24 @@ impl Drop for EphemeralContextGuard {
                "Build succeeded, removing chroot directory: {}",
                self.chroot_path.display()
            );
-            let result = context::current()
-                .command("sudo")
-                .arg("rm")
-                .arg("-rf")
-                .arg(&self.chroot_path)
-                .status();
+
+            // Check if we're running as root to avoid unnecessary sudo
+            let is_root = crate::utils::root::is_root().unwrap_or(false);
+
+            let result = if is_root {
+                context::current()
+                    .command("rm")
+                    .arg("-rf")
+                    .arg(&self.chroot_path)
+                    .status()
+            } else {
+                context::current()
+                    .command("sudo")
+                    .arg("rm")
+                    .arg("-rf")
+                    .arg(&self.chroot_path)
+                    .status()
+            };

            match result {
                Ok(status) => {