frontend: prefer dnf over tdnf to work around tdnf GPG and forcearch limitations

cpuguy83 · cpuguy83 · commit d465f161b31e · 2026-03-10T17:17:20.000-07:00
tdnf fails when installing signed local RPMs (from the @cmdline virtual repo) into an installroot with a populated RPM database, because it requires a gpgkey entry for @cmdline which is a synthetic repo with no config. This manifests when building containers with a custom base image on azlinux/mariner distros. Rather than working around individual tdnf bugs, prefer dnf when it is available. The install script now checks for dnf at runtime and switches from tdnf transparently. The same-platform worker bootstrap is updated to install dnf as a separate first step (mirroring the cross-arch path) so that subsequent installs benefit from dnf. Also remove hardcoded GPG email from test key ID lookups in favor of selecting the first available key. Signed-off-by: Brian Goff <cpuguy83@gmail.com>
diff --git a/targets/linux/rpm/distro/dnf_install.go b/targets/linux/rpm/distro/dnf_install.go
@@ -183,12 +183,18 @@ if [ -x "$import_keys_path" ]; then
 	"$import_keys_path"
 fi
 
+if [ "$cmd" = "tdnf" ] && command -v dnf &>/dev/null; then
+	# tdnf has a lot of limitations that cause issues (no --forcearch, issues with gpg keys on local file installs)
+	# We already have dnf, so prefer that.
+	cmd="dnf"
+fi
+
 if [ -n "$force_arch" ]; then
-        if [ "$cmd" = "tdnf" ]; then
-                echo "tdnf does not support --forcearch; cross-arch installs must use dnf" >&2
-                exit 70
-        fi
-        install_flags="$install_flags --forcearch=$force_arch"
+	if [ "$cmd" = "tdnf" ]; then
+		echo "tdnf does not support --forcearch; cross-arch installs must use dnf" >&2
+		exit 70
+	fi
+	install_flags="$install_flags --forcearch=$force_arch"
 fi
 
 $cmd $dnf_sub_cmd $install_flags "${@}"
@@ -276,6 +282,8 @@ func DnfInstall(cfg *dnfInstallConfig, releaseVer string, pkgs []string) llb.Run
 	return dnfCommand(cfg, releaseVer, "dnf", append([]string{"install"}, pkgs...), nil)
 }
 
+// TdnfInstall uses tdnf to install packages
+// NOTE: tdnf will be automatically upgraded to dnf to work around tdnf limitations *if* dnf is available
 func TdnfInstall(cfg *dnfInstallConfig, releaseVer string, pkgs []string) llb.RunOption {
 	return dnfCommand(cfg, releaseVer, "tdnf", append([]string{"install"}, pkgs...), nil)
 }
diff --git a/targets/linux/rpm/distro/worker.go b/targets/linux/rpm/distro/worker.go
@@ -3,6 +3,7 @@ package distro
 import (
 	"context"
 	"encoding/json"
+	"slices"
 
 	"github.com/containerd/platforms"
 	"github.com/moby/buildkit/client/llb"
@@ -142,6 +143,14 @@ func (cfg *Config) workerWithBuildPlatform(sOpt dalec.SourceOpts, buildPlat ocis
 	}
 
 	if samePlatform(targetPlat, buildPlat) {
+		if slices.Contains(cfg.BuilderPackages, "dnf") {
+			// Install dnf first since this will be bootstrapped with a different package manager
+			// This keeps the package cache for the bootstrap mananager separate from the other base packages we use.
+			targetBase = targetBase.Run(
+				dalec.WithConstraints(append(opts, llb.Platform(targetPlat))...),
+				cfg.Install([]string{"dnf"}, installOpts...),
+			).Root()
+		}
 		return targetBase.Run(
 			dalec.WithConstraints(append(opts, llb.Platform(targetPlat))...),
 			cfg.Install(cfg.BuilderPackages, installOpts...),
diff --git a/test/signing_test.go b/test/signing_test.go
@@ -598,3 +598,105 @@ func distroSkipSigningTest(t *testing.T, spec *dalec.Spec, buildTarget string, e
 		}
 	}
 }
+
+// signRPMs signs all RPM files in the package state using a GPG key.
+// The worker state must have rpmsign available (or tdnf/dnf to install it).
+// The gpgKey state is expected to have a private key at /private.key
+// (as produced by [generateGPGKey]).
+// The pkgState is expected to have RPMs under /RPMS/<arch>/*.rpm
+// (the standard package target output).
+// It returns the modified package state with signed RPMs.
+func signRPMs(worker llb.State, gpgKey llb.State, pkgState llb.State) llb.State {
+	pg := dalec.ProgressGroup("Sign RPMs with GPG key")
+
+	scriptDt := `#!/usr/bin/env bash
+set -eux -o pipefail
+
+if ! command -v rpmsign &> /dev/null; then
+	if command -v tdnf &> /dev/null; then
+		tdnf install -y rpm-sign
+	elif command -v dnf &> /dev/null; then
+		dnf install -y rpm-sign
+	fi
+fi
+
+gpg --import < /tmp/gpg/private.key
+ID=$(gpg --list-keys --keyid-format LONG | awk '/^pub/{print $2}' | cut -d/ -f2 | head -1)
+
+echo "%_gpg_name $ID" > ~/.rpmmacros
+
+find /tmp/rpms/RPMS -name "*.rpm" -exec rpmsign --addsign {} \;
+`
+
+	script := llb.Scratch().File(
+		llb.Mkfile("/script.sh", 0o755, []byte(scriptDt)),
+		pg,
+	)
+
+	return worker.Run(
+		llb.AddMount("/tmp/signing", script, llb.Readonly),
+		llb.AddMount("/tmp/gpg", gpgKey, llb.Readonly),
+		llb.AddMount("/tmp/rpms", pkgState),
+		dalec.ShArgs("/tmp/signing/script.sh"),
+		pg,
+	).GetMount("/tmp/rpms")
+}
+
+// testSignedRPMCustomBaseImage tests that signed RPMs can be installed into
+// a container with a custom base image.
+//
+// This reproduces a bug where the tdnfrepogpgcheck plugin rejects signed RPMs
+// installed via "tdnf install /path/to/signed.rpm --installroot=/tmp/rootfs"
+// because the @cmdline virtual repo has no gpgkey entry.
+//
+// The distroImageRef parameter is the image reference for the distro's base
+// image (e.g., azlinux.Azlinux3Ref), which is used as the custom base image
+// in the spec.
+func testSignedRPMCustomBaseImage(ctx context.Context, t *testing.T, targetCfg targetConfig, distroImageRef string) {
+	t.Run("signed rpm with custom base image", func(t *testing.T) {
+		t.Parallel()
+		ctx := startTestSpan(ctx, t)
+
+		testEnv.RunTest(ctx, t, func(ctx context.Context, client gwclient.Client) {
+			// Get the worker state — we need it to generate GPG keys and sign RPMs.
+			sr := newSolveRequest(withBuildTarget(targetCfg.Worker), withSpec(ctx, t, nil))
+			w := reqToState(ctx, client, sr, t)
+
+			// Generate a GPG key pair for signing.
+			gpgKey := generateGPGKey(w, true)
+
+			// Create a simple spec and build the RPM package.
+			spec := newSimpleSpec()
+			pkgSr := newSolveRequest(withSpec(ctx, t, spec), withBuildTarget(targetCfg.Package))
+			pkgSt := reqToState(ctx, client, pkgSr, t)
+
+			// Sign the RPMs on the worker using rpmsign --addsign.
+			signedPkgSt := signRPMs(w, gpgKey, pkgSt)
+
+			// Create a container spec with a custom base image.
+			// This triggers skipBase=true in BuildContainer, meaning the RPMs
+			// are installed via "tdnf install /path/to/signed.rpm --installroot=/tmp/rootfs"
+			// into the custom base image's rootfs.
+			spec.Image = &dalec.ImageConfig{
+				Entrypoint: "/usr/bin/foo",
+				Bases: []dalec.BaseImage{
+					{
+						Rootfs: dalec.Source{
+							DockerImage: &dalec.SourceDockerImage{
+								Ref: distroImageRef,
+							},
+						},
+					},
+				},
+			}
+
+			containerSr := newSolveRequest(
+				withSpec(ctx, t, spec),
+				withBuildTarget(targetCfg.Container),
+				withBuildContext(ctx, t, dalec.GenericPkg, signedPkgSt),
+			)
+
+			solveT(ctx, t, client, containerSr)
+		})
+	})
+}
diff --git a/test/target_almalinux_test.go b/test/target_almalinux_test.go
@@ -1,6 +1,7 @@
 package test
 
 import (
+	"context"
 	"testing"
 
 	ocispecs "github.com/opencontainers/image-spec/specs-go/v1"
@@ -11,7 +12,7 @@ func TestAlmalinux9(t *testing.T) {
 	t.Parallel()
 
 	ctx := startTestSpan(baseCtx, t)
-	testLinuxDistro(ctx, t, testLinuxConfig{
+	cfg := testLinuxConfig{
 		Target: targetConfig{
 			Key:       "almalinux9",
 			Package:   "almalinux9/rpm",
@@ -51,14 +52,16 @@ func TestAlmalinux9(t *testing.T) {
 			{OS: "linux", Architecture: "arm64"},
 		},
 		PackageOutputPath: rpmTargetOutputPath("el9"),
-	})
+	}
+	testLinuxDistro(ctx, t, cfg)
+	testAlmalinuxExtra(ctx, t, cfg, almalinux.ConfigV9.ImageRef)
 }
 
 func TestAlmalinux8(t *testing.T) {
 	t.Parallel()
 
 	ctx := startTestSpan(baseCtx, t)
-	testLinuxDistro(ctx, t, testLinuxConfig{
+	cfg := testLinuxConfig{
 		Target: targetConfig{
 			Package:   "almalinux8/rpm",
 			Container: "almalinux8/container",
@@ -97,5 +100,11 @@ func TestAlmalinux8(t *testing.T) {
 			{OS: "linux", Architecture: "arm64"},
 		},
 		PackageOutputPath: rpmTargetOutputPath("el8"),
-	})
+	}
+	testLinuxDistro(ctx, t, cfg)
+	testAlmalinuxExtra(ctx, t, cfg, almalinux.ConfigV8.ImageRef)
+}
+
+func testAlmalinuxExtra(ctx context.Context, t *testing.T, cfg testLinuxConfig, distroImageRef string) {
+	testSignedRPMCustomBaseImage(ctx, t, cfg.Target, distroImageRef)
 }
diff --git a/test/target_azlinux_test.go b/test/target_azlinux_test.go
@@ -79,7 +79,7 @@ func TestMariner2(t *testing.T) {
 	}
 
 	testLinuxDistro(ctx, t, cfg)
-	testAzlinuxExtra(ctx, t, cfg)
+	testAzlinuxExtra(ctx, t, cfg, azlinux.Mariner2Config.ImageRef)
 }
 
 func TestAzlinux3(t *testing.T) {
@@ -122,7 +122,7 @@ func TestAzlinux3(t *testing.T) {
 		PackageOutputPath: rpmTargetOutputPath("azl3"),
 	}
 	testLinuxDistro(ctx, t, cfg)
-	testAzlinuxExtra(ctx, t, cfg)
+	testAzlinuxExtra(ctx, t, cfg, azlinux.Azlinux3Config.ImageRef)
 
 	t.Run("ca-certs override", func(t *testing.T) {
 		t.Parallel()
@@ -131,12 +131,14 @@ func TestAzlinux3(t *testing.T) {
 	})
 }
 
-func testAzlinuxExtra(ctx context.Context, t *testing.T, cfg testLinuxConfig) {
+func testAzlinuxExtra(ctx context.Context, t *testing.T, cfg testLinuxConfig, distroImageRef string) {
 	t.Run("base deps", func(t *testing.T) {
 		t.Parallel()
 		ctx := startTestSpan(ctx, t)
 		testAzlinuxBaseDeps(ctx, t, cfg.Target)
 	})
+
+	testSignedRPMCustomBaseImage(ctx, t, cfg.Target, distroImageRef)
 }
 
 func testAzlinuxCaCertsOverride(ctx context.Context, t *testing.T, target targetConfig) {
@@ -187,7 +189,7 @@ func signRepoAzLinux(gpgKey llb.State, repoPath string) llb.StateOption {
 set -eux -o pipefail
 
 gpg --import < /tmp/gpg/private.key
-ID=$(gpg --list-keys --keyid-format LONG | grep -B 2 'test@example.com' | grep 'pub' | awk '{print $2}' | cut -d'/' -f2)
+ID=$(gpg --list-keys --keyid-format LONG | awk '/^pub/{print $2}' | cut -d/ -f2 | head -1)
 
 # For tdnf-based distros, only sign repo metadata, not individual packages
 # tdnf only checks repo metadata signatures, not package signatures
@@ -233,7 +235,7 @@ if ! command -v rpm-sign &> /dev/null; then
 fi
 
 gpg --import < /tmp/gpg/private.key
-ID=$(gpg --list-keys --keyid-format LONG | grep -B 2 'test@example.com' | grep 'pub' | awk '{print $2}' | cut -d'/' -f2)
+ID=$(gpg --list-keys --keyid-format LONG | awk '/^pub/{print $2}' | cut -d/ -f2 | head -1)
 
 echo "%_gpg_name $ID" > ~/.rpmmacros
 find ` + repoPath + `/RPMS -name "*.rpm" -exec rpmsign --addsign {} \;
diff --git a/test/target_rockylinux_test.go b/test/target_rockylinux_test.go
@@ -1,6 +1,7 @@
 package test
 
 import (
+	"context"
 	"testing"
 
 	ocispecs "github.com/opencontainers/image-spec/specs-go/v1"
@@ -11,7 +12,7 @@ func TestRockylinux9(t *testing.T) {
 	t.Parallel()
 
 	ctx := startTestSpan(baseCtx, t)
-	testLinuxDistro(ctx, t, testLinuxConfig{
+	cfg := testLinuxConfig{
 		Target: targetConfig{
 			Key:       "rockylinux9",
 			Package:   "rockylinux9/rpm",
@@ -51,14 +52,16 @@ func TestRockylinux9(t *testing.T) {
 			{OS: "linux", Architecture: "arm64"},
 		},
 		PackageOutputPath: rpmTargetOutputPath("el9"),
-	})
+	}
+	testLinuxDistro(ctx, t, cfg)
+	testRockylinuxExtra(ctx, t, cfg, rockylinux.ConfigV9.ImageRef)
 }
 
 func TestRockylinux8(t *testing.T) {
 	t.Parallel()
 
 	ctx := startTestSpan(baseCtx, t)
-	testLinuxDistro(ctx, t, testLinuxConfig{
+	cfg := testLinuxConfig{
 		Target: targetConfig{
 			Package:   "rockylinux8/rpm",
 			Container: "rockylinux8/container",
@@ -97,5 +100,11 @@ func TestRockylinux8(t *testing.T) {
 			{OS: "linux", Architecture: "arm64"},
 		},
 		PackageOutputPath: rpmTargetOutputPath("el8"),
-	})
+	}
+	testLinuxDistro(ctx, t, cfg)
+	testRockylinuxExtra(ctx, t, cfg, rockylinux.ConfigV8.ImageRef)
+}
+
+func testRockylinuxExtra(ctx context.Context, t *testing.T, cfg testLinuxConfig, distroImageRef string) {
+	testSignedRPMCustomBaseImage(ctx, t, cfg.Target, distroImageRef)
 }
diff --git a/test/target_ubuntu_test.go b/test/target_ubuntu_test.go
@@ -123,7 +123,7 @@ func signRepoUbuntu(gpgKey llb.State, repoPath string) llb.StateOption {
 			llb.AddMount("/tmp/gpg", gpgKey, llb.Readonly),
 			dalec.ProgressGroup("Importing gpg key")).
 			Run(
-				dalec.ShArgs(`ID=$(gpg --list-keys --keyid-format LONG | grep -B 2 'test@example.com' | grep 'pub' | awk '{print $2}' | cut -d'/' -f2) && \
+				dalec.ShArgs(`ID=$(gpg --list-keys --keyid-format LONG | awk '/^pub/{print $2}' | cut -d/ -f2 | head -1) && \
 					gpg --list-keys --keyid-format LONG && \
 					gpg --default-key $ID -abs -o `+repoPath+`/Release.gpg `+repoPath+`/Release && \
 					gpg --default-key "$ID" --clearsign -o `+repoPath+`/InRelease `+repoPath+`/Release`),
