Allow specifying OpenPGP implementation to use for signing

[wiktor-k]

Hi 👋

I'm pushing a first preview of SOP signing for SHA256SUMs. I've tested that locally and also added tests for rsop and old gpg (just in case) and will begin to refactor this a bit. Since I'm new to both mkosi and Python I think it's good to get feedback earlier in the process if something looks particularly wrong here.

Note that I've tried to make it as minimal as possible with no nice-to-have adjustments mentioned in #3042.

Fixes: #3042
CC: @dvzrv

[DaanDeMeyer]

I'm curious about hardware tokens. Will those be supported with a unified CLI interface as well?

[wiktor-k]

I'm curious about hardware tokens. Will those be supported with a unified CLI interface as well?

Yes, I actually tested that with my Yubikey and found a couple of issues I fixed. This, of course, depends on the underlying SOP implementation that's used. rsop implements it.

[wiktor-k]

Okay folks, thanks for the great feedback! I need to install the type-checking tools locally not to spam the CI. I'll be back with the adjustments (all valid points! 🙇 )

[behrmann]

Just so we don't forget: This also needs an entry in the man page.

[behrmann]

Not that it matters a lot in the test, but why does the directory holding the key need to be world readable?

[behrmann]

Let's really not have a world-writable thing, even in tests.

[wiktor-k]

The issue here is that gpg during its operation writes temporary files to that directory and since the tests starts as root but then switch user during image.build the directory must be readable to both root and that temporary build user.

I'll try to minimize the number of chmods. With the sop case the key and cert files need to be just readable by both users but in GPG case it needs writeable access sadly :/

[wiktor-k]

Okay, I think I minimized it as much as possible. Removed all dependencies to the point where removing anything else triggers CI failures.

One thing that is consistently failing is the opensuse/arch build with a rather peculiar message:

Failed:
    dbus-1-common-1.14.10-3.1.noarch                                              
    system-group-hardware-20170617-25.4.noarch                                    
    system-group-kvm-20170617-25.4.noarch                                         
    system-user-lp-20170617-25.4.noarch                                           
  
  Cleaning up.
  Plugins were unloaded.
  
  Traceback (most recent call last):
    File "/usr/lib/python3.12/site-packages/dnf/cli/main.py", line 67, in main
      return _main(base, args, cli_class, option_parser_class)
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    File "/usr/lib/python3.12/site-packages/dnf/cli/main.py", line 106, in _main
      return cli_run(cli, base)
             ^^^^^^^^^^^^^^^^^^
    File "/usr/lib/python3.12/site-packages/dnf/cli/main.py", line 130, in cli_run
      ret = resolving(cli, base)
            ^^^^^^^^^^^^^^^^^^^^
    File "/usr/lib/python3.12/site-packages/dnf/cli/main.py", line 183, in resolving
      base.do_transaction(display=displays)
    File "/usr/lib/python3.12/site-packages/dnf/cli/cli.py", line 272, in do_transaction
      raise dnf.exceptions.Error(_('Transaction failed'))
  dnf.exceptions.Error: Transaction failed

If you have any ideas on what to optimize here I'm all ears. Sadly the GnuPG tests require world-writable dirs (since the dir is setup before the image.build thing is executed). I could also remove that test but I think it's a good idea to see if signing works. If there are other approaches I can try, I'm happy to adjust the code.

Thanks for your time! 👋