pacstrap: try to copy the host keyring before installing packages

Jelle van der Waa requested to merge github/fork/eli-schwartz/fix-keyring into master

Created by: eli-schwartz

When there is no keyring in the new root, attempting to install e.g. archlinux-keyring will result in the post-install script silently failing to do anything (because there are no keys, and, critically, no secret keys). The potentially very outdated keyring is then copied over from the host, secret key and all, so subsequent pacman operations have a trusted keyring that is at least as recent as the ISO or other host system... but if there has been a keyring update between the date of the ISO creation and the date of the install, those keys will continue to be missing until the next keyring update, resulting in a bad out-of-the-box experience.

This also means that if a third-party keyring package was scheduled to be installed, it will not be populated at all; this affects downstream archlinux32 build chroots.

There's no reason to delay this until after packages are installed -- we aren't afraid of e.g. the mirrorlist resulting in file conflicts due to a packaged pacman-mirrorlist, because the gnupg configuration should not be getting packaged directly.

Fixes FS#61296 FS#61304 FS#61309 FS#61312 FS#62355
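The ordering argued for above, sketched as an added example (not the code from this merge request): seed the new root's keyring from the host before any package is installed, so that a keyring package's post-install script finds both public keys and the local secret key. The function names and the readiness check are assumptions; the path is pacman's default gnupg directory, and the file names checked are GnuPG's usual ones.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not pacstrap's own.
GPGDIR_REL=etc/pacman.d/gnupg   # pacman's default keyring location

# A keyring can be populated only if it holds public keys AND a secret key
# (GnuPG >= 2.1 keeps secret keys in private-keys-v1.d, older ones in secring.gpg).
keyring_ready() {
    dir=$1
    [ -d "$dir" ] || return 1
    [ -s "$dir/pubring.gpg" ] || [ -s "$dir/pubring.kbx" ] || return 1
    [ -s "$dir/secring.gpg" ] ||
        [ -n "$(ls -A "$dir/private-keys-v1.d" 2>/dev/null)" ] || return 1
}

# Copy the host keyring into the new root unless one is already there.
# Prints the outcome: seeded | kept | no-host-keyring
seed_keyring() {
    hostroot=$1
    newroot=$2
    src=$hostroot/$GPGDIR_REL
    dst=$newroot/$GPGDIR_REL
    if [ -d "$dst" ]; then
        echo kept                # never overwrite an existing keyring
        return 0
    fi
    if ! keyring_ready "$src"; then
        echo no-host-keyring     # nothing usable to copy
        return 0
    fi
    mkdir -p "$newroot/etc/pacman.d"
    cp -a "$src" "$newroot/etc/pacman.d/"   # keeps modes, so the gnupg dir stays private
    echo seeded
}

# Intended order in a bootstrap script (commented out; needs root and pacman):
#   seed_keyring "" "$newroot"              # 1. keyring first
#   pacman -r "$newroot" -Sy base           # 2. then install packages
```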
