initialise keyring earlier in the sandbox lifecycle

[arcayr]

#4093 moved the keyring initialisation later in the setup lifecycle as part of normalising arch/pacman setup. if any custom repositories are used, pacman requires the keys to exist for all configured repositories from the get-go or exits immediately. let's set this up earlier in the sandbox lifecycle to provide the requisite keys.

i haven't verified if this breaks any distro other than arch, but i couldn't find any rationale for moving it in the git commit logs so i don't know if it was moved intentionally or incidentally.

original cut of this simply had the pacman installer run pacman-key twice (once at setup, and once where it currently runs), but that's is basically begging for hysteresis and i couldn't find any other example of that sort of special casing in the codebase.

marked as draft because i'll check other distributions this weekend. if i'm operating on a bad assumption here i can rework this as required.

[arcayr]

simplest reproducer of the original problem can be found from ~bluca here, however the setup i had was adding cachyos repositories.

while i can see why it's happening after the fact, i cannot replicate the build failure even on a completely fresh config, so i'll need to spend some time reverse-investigating to find a middle ground.

[daandemeyer]

This does not work because we need to sync the repository metadata to be able to download the Arch keyring using pacman if --repository-key-fetch= is enabled.

[arcayr]

posted on matrix but copying it here because it's easier to follow.

i guess my core issue is that i need to call pacman-key --init and pacman-key --populate --populate-from /usr/share/pacman/keyrings before the first sync, but because of how pacman-key and pacman expect to work with this keyring i need to do this inside the sandbox. this worked prior to #4093 because the keyring package download and import happened out of band, which indirectly picked up any other signing keys that existed in the directory.

i patched my local to simply call Pacman.keyring a second (technically a first, as it will fire first) time at setup. this doesn't appear to have had any adverse effects, but i'm not sure this is the approach you'd want to take. if that makes sense to you i'm happy to update the pr.

i have a few alternatives in mind but all of them would require a bigger rework of the DistributionInstaller, and it's only really used for arch and specific flavours of opensuse at the moment.

[arcayr]

alright double keyring calling it is. unsetting RepositoryKeyFetch and preloading all keys into mkosi.sandbox/usr/share/pacman/keyrings doesn't solve this for arch due to it being unable to import those into the keyring at sync time.

running pacman-key --init when a keyring exists isn't harmful to the existing keyring, and this is isolated to arch so doesn't affect opensuse's keyring components.

[cvlc12]

Seems to solve it for me !

[cvlc12]

Hmm apparently I'm not having any problems any more without this patch either...