Allow specifying OpenPGP implementation to use for signing

Fixes: systemd#3042
wiktor-k · Sep 30, 2024 · d64bd5e · d64bd5e
1 parent 6c358ae
commit d64bd5e
Show file tree

Hide file tree

Showing 2 changed files with 61 additions and 27 deletions.
diff --git a/mkosi/__init__.py b/mkosi/__init__.py
@@ -2010,41 +2010,67 @@ def calculate_signature(context: Context) -> None:
     if not context.config.sign or not context.config.checksum:
         return
 
-    cmdline: list[PathString] = ["gpg", "--detach-sign", "--pinentry-mode", "loopback"]
+    tool = context.config.openpgp_tool
+    if tool is None or tool == "gpg":
+        cmdline: list[PathString] = ["gpg", "--detach-sign", "--pinentry-mode", "loopback"]
 
-    # Need to specify key before file to sign
-    if context.config.key is not None:
-        cmdline += ["--default-key", context.config.key]
+        # Need to specify key before file to sign
+        if context.config.key is not None:
+            cmdline += ["--default-key", context.config.key]
 
-    cmdline += [
-        "--output", workdir(context.staging / context.config.output_signature),
-        workdir(context.staging / context.config.output_checksum),
-    ]
+        cmdline += [
+            "--output", workdir(context.staging / context.config.output_signature),
+            workdir(context.staging / context.config.output_checksum),
+        ]
 
-    home = Path(context.config.environment.get("GNUPGHOME", INVOKING_USER.home() / ".gnupg"))
-    if not home.exists():
-        die(f"GPG home {home} not found")
+        home = Path(context.config.environment.get("GNUPGHOME", INVOKING_USER.home() / ".gnupg"))
+        if not home.exists():
+            die(f"GPG home {home} not found")
 
-    env = dict(GNUPGHOME=os.fspath(home))
-    if sys.stderr.isatty():
-        env |= dict(GPG_TTY=os.ttyname(sys.stderr.fileno()))
+        env = dict(GNUPGHOME=os.fspath(home))
+        if sys.stderr.isatty():
+            env |= dict(GPG_TTY=os.ttyname(sys.stderr.fileno()))
 
-    options: list[PathString] = [
-        "--bind", home, home,
-        "--bind", context.staging, workdir(context.staging),
-        "--bind", "/run", "/run",
-    ]
+        options: list[PathString] = [
+            "--bind", home, home,
+            "--bind", context.staging, workdir(context.staging),
+            "--bind", "/run", "/run",
+        ]
 
-    with (complete_step("Signing SHA256SUMS…")):
-        run(
-            cmdline,
-            env=env,
-            sandbox=context.sandbox(
-                binary="gpg",
-                options=options,
+        with (complete_step("Signing SHA256SUMS…")):
+            run(
+                cmdline,
+                env=env,
+                sandbox=context.sandbox(
+                    binary="gpg",
+                    options=options,
+                )
             )
-        )
 
+    else:
+        cmdline: list[PathString] = [tool, "sign", "/signing-key.pgp"]
+
+        options: list[PathString] = [
+            "--bind", context.config.key, "/signing-key.pgp",
+            "--bind", context.staging, workdir(context.staging),
+            "--bind", "/run", "/run",
+        ]
+
+        with (
+                complete_step("Signing SHA256SUMS…"),
+                open(context.staging / context.config.output_checksum, "rb") as i,
+                open(context.staging / context.config.output_signature, "wb") as o,
+        ):
+            run(
+                cmdline,
+                env=context.config.environment,
+                stdin=i,
+                stdout=o,
+                sandbox=context.sandbox(
+                    binary=tool,
+                    options=options,
+                )
+            )
 
 def dir_size(path: Union[Path, os.DirEntry[str]]) -> int:
     dir_sum = 0

diff --git a/mkosi/config.py b/mkosi/config.py
@@ -1535,6 +1535,7 @@ class Config:
     passphrase: Optional[Path]
     checksum: bool
     sign: bool
+    openpgp_tool: Optional[str]
     key: Optional[str]
 
     tools_tree: Optional[Path]
@@ -2730,6 +2731,12 @@ def parse_ini(path: Path, only_sections: Collection[str] = ()) -> Iterator[tuple
         section="Validation",
         help="GPG key to use for signing",
     ),
+    ConfigSetting(
+        dest="openpgp_tool",
+        section="Validation",
+        default="gpg",
+        help="OpenPGP implementation to use for signing",
+    ),
 
     ConfigSetting(
         dest="tools_tree",
@@ -4337,6 +4344,7 @@ def summary(config: Config) -> str:
                          Passphrase: {none_to_none(config.passphrase)}
                            Checksum: {yes_no(config.checksum)}
                                Sign: {yes_no(config.sign)}
+                       OpenPGP Tool: ({"gpg" if config.openpgp_tool is None else config.openpgp_tool})
                             GPG Key: ({"default" if config.key is None else config.key})
 """