simplest reproducer of the original problem can be found from ~bluca here, however the setup i had was adding cachyos repositories.

while i can see why it's happening after the fact, i cannot replicate the build failure even on a completely fresh config, so i'll need to spend some time reverse-investigating to find a middle ground.

This does not work because we need to sync the repository metadata to be able to download the Arch keyring using pacman if --repository-key-fetch= is enabled.

posted on matrix but copying it here because it's easier to follow.

i guess my core issue is that i need to call pacman-key --init and pacman-key --populate --populate-from /usr/share/pacman/keyrings before the first sync, but because of how pacman-key and pacman expect to work with this keyring i need to do this inside the sandbox. this worked prior to #4093 because the keyring package download and import happened out of band, which indirectly picked up any other signing keys that existed in the directory.

i patched my local to simply call Pacman.keyring a second (technically a first, as it will fire first) time at setup. this doesn't appear to have had any adverse effects, but i'm not sure this is the approach you'd want to take. if that makes sense to you i'm happy to update the pr.

i have a few alternatives in mind but all of them would require a bigger rework of the DistributionInstaller, and it's only really used for arch and specific flavours of opensuse at the moment.

alright double keyring calling it is. unsetting RepositoryKeyFetch and preloading all keys into mkosi.sandbox/usr/share/pacman/keyrings doesn't solve this for arch due to it being unable to import those into the keyring at sync time.

running pacman-key --init when a keyring exists isn't harmful to the existing keyring, and this is isolated to arch so doesn't affect opensuse's keyring components.

Seems to solve it for me !

Any update on this ? This does seem to make it possible to use obs-repos with particleos on Arch.