add "pacman-faketime" wrapper to work around expiring package signing keys (#313)

Also disable gpg trust caching & regeneration to not "burn" the trust database by
running pacman without the faketime wrapper once.

airootfs/root/customize_airootfs.sh

@@ -60,6 +60,11 @@ systemctl mask ldconfig.service
 /usr/bin/pacman-key --populate
 rm -f /etc/pacman.d/gnupg/*~
 
+echo "" >>/etc/pacman.d/gnupg/gpg.conf
+echo "# disable caching & trustdb regeneration to be able to use pacman with faketime in the pacman-faketime wrapper" >>/etc/pacman.d/gnupg/gpg.conf
+echo "no-sig-cache" >>/etc/pacman.d/gnupg/gpg.conf
+echo "no-auto-check-trustdb" >>/etc/pacman.d/gnupg/gpg.conf
+
 # get a list of all packages from sysrescuerepo to exclude them from reinstall by yay-prepare
 mkdir -p /usr/share/sysrescue/lib/
 pacman -Sl sysrescuerepo | sed -e "s/^sysrescuerepo //" \

airootfs/usr/bin/pacman-faketime

@@ -0,0 +1,25 @@
+#! /usr/bin/env bash
+#
+# call pacman and fake the system date to the day this version of SystemRescue was released
+# this can help to work around expired package signatures
+#
+# Author: Gerd v. Egidy
+# SPDX-License-Identifier: GPL-3.0-or-later
+#
+# see https://www.system-rescue.org/manual/Installing_packages_with_pacman/ for details
+#
+
+# get SystemRescue release date
+RELEASE_DATE=$(grep BUILD_ID /etc/os-release  | sed -e "s/.*\"\(.*\)\"/\1/")
+if [[ -z "$RELEASE_DATE" ]] || ! echo "$RELEASE_DATE" | grep -E -q "^[0-9]{4}-[0-9]{2}-[0-9]{2}$"; then
+    echo "ERROR: can't determine SystemRescue release date"
+    exit 1
+fi
+
+if ! command -v faketime &>/dev/null ; then
+    echo "ERROR: 'faketime' command not found. Is this the correct release of SystemRescue?"
+    exit 1
+fi
+
+# wrap pacman with all arguments
+faketime "$RELEASE_DATE" pacman "$@"

packages

@@ -101,6 +101,7 @@ keepassxc
 kexec-tools
 less
 lftp
+libfaketime
 libisoburn
 libvncserver
 linux-atm