From 6868158dec7c341fd9bca809b903ba2f18b35104 Mon Sep 17 00:00:00 2001
From: Guillaume Chinal <guiiix@invisiblethingslab.com>
Date: Wed, 23 Apr 2025 23:44:30 +0200
Subject: [PATCH] write GPG key and SSL certs sent though qubes.TemplateSearch
 and qubes.TemplateDownload

files destination path are replaced by the temp directory to prevent permission issues
and conflicts with existing files on the VM.
---
 qubes-rpc/qvm-template-repo-query | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/qubes-rpc/qvm-template-repo-query b/qubes-rpc/qvm-template-repo-query
index c0908ede3..3a7c1986e 100644
--- a/qubes-rpc/qvm-template-repo-query
+++ b/qubes-rpc/qvm-template-repo-query
@@ -26,6 +26,25 @@ repodir=$(mktemp -d)
 trap 'rm -r "$repodir"' EXIT
 cat > "$repodir/template.repo"
 
+# extract keys from wrapper in repo file
+mkdir "$repodir/keys"
+sed -i "s~/etc/qubes/repo-templates/keys/~$repodir/keys/~" "$repodir/template.repo"
+in_wrapper=false
+line_is_filename=true
+while read -r line; do
+    [[ "$line" == "###!Q!BEGIN-QUBES-WRAPPER!Q!###" ]] && in_wrapper=true && continue
+    [[ "$line" == "###!Q!END-QUBES-WRAPPER!Q!###" ]] && in_wrapper=false && continue
+    $in_wrapper || continue
+    if $line_is_filename; then
+        filename="${line:1}"
+        line_is_filename=false
+    else
+        mkdir -p "$(dirname "$filename")"
+        echo "${line:1}" | base64 -d > "$filename"
+        line_is_filename=true
+    fi
+done < "$repodir/template.repo"
+
 DNF5=false
 if [ "$(readlink /usr/bin/dnf)" = "dnf5" ]; then
     DNF5=true