From ff06eabf6fea8d9a311da9fc97b4574c995e9b70 Mon Sep 17 00:00:00 2001
From: tschettervictor
Date: Wed, 3 Dec 2025 16:10:48 -0700
Subject: [PATCH] pkgbase: fix pkg keys dir for base_latest/weekly
---
 usr/local/share/bastille/bootstrap.sh | 38 ++++++++++---------
 .../share/bastille/pkgbase/FreeBSD-base.conf | 4 +-
 usr/local/share/bastille/update.sh | 16 +++++---
 usr/local/share/bastille/upgrade.sh | 23 +++++------
 4 files changed, 46 insertions(+), 35 deletions(-)
diff --git a/usr/local/share/bastille/bootstrap.sh b/usr/local/share/bastille/bootstrap.sh
index 4496aac5..8f0b4cb7 100644
--- a/usr/local/share/bastille/bootstrap.sh
+++ b/usr/local/share/bastille/bootstrap.sh
@@ -320,31 +320,34 @@ bootstrap_release_pkgbase() {
 if [ "${PLATFORM_OS}" = "FreeBSD" ]; then
 local abi="${PLATFORM_OS}:${MAJOR_VERSION}:${HW_MACHINE_ARCH}"
- local fingerprints="${bastille_releasesdir}/${RELEASE}/usr/share/keys/pkgbase-${MAJOR_VERSION}"
- local host_fingerprintsdir="/usr/share/keys/pkgbase-${MAJOR_VERSION}"
- local release_fingerprintsdir="${bastille_releasesdir}/${RELEASE}/usr/share/keys"
+ local repo_dir="${bastille_sharedir}/pkgbase"
 if [ "${FREEBSD_BRANCH}" = "release" ]; then
 local repo_name="FreeBSD-base-release-${MINOR_VERSION}"
+ local release_fingerprintsdir="${bastille_releasesdir}/${RELEASE}/usr/share/keys"
+ local host_fingerprintsdir="/usr/share/keys/pkgbase-${MAJOR_VERSION}"
+ local fingerprints="${bastille_releasesdir}/${RELEASE}/usr/share/keys/pkgbase-${MAJOR_VERSION}"
 elif [ "${FREEBSD_BRANCH}" = "current" ]; then
 local repo_name="FreeBSD-base-latest"
+ local release_fingerprintsdir="${bastille_releasesdir}/${RELEASE}/usr/share/keys"
+ local host_fingerprintsdir="/usr/share/keys/pkg"
+ local fingerprints="${bastille_releasesdir}/${RELEASE}/usr/share/keys/pkg"
 fi
- local repo_dir="${bastille_sharedir}/pkgbase"
 # Verify trusted pkg keys
- if [ ! -f "${host_fingerprintsdir}/trusted/awskms-${MAJOR_VERSION}" ]; then
- if ! fetch -o "${host_fingerprintsdir}/trusted" https://cgit.freebsd.org/src/tree/share/keys/pkgbase-${MAJOR_VERSION}/trusted/awskms-${MAJOR_VERSION}
- then
- ERRORS=$((ERRORS + 1))
- error_notify "[ERROR]: Failed to fetch trusted pkg keys."
- return 1
+ if [ "${FREEBSD_BRANCH}" = "release" ]; then
+ if [ ! -f "${host_fingerprintsdir}/trusted/awskms-${MAJOR_VERSION}" ]; then
+ if ! fetch -o "${host_fingerprintsdir}/trusted" https://cgit.freebsd.org/src/tree/share/keys/pkgbase-${MAJOR_VERSION}/trusted/awskms-${MAJOR_VERSION}; then
+ ERRORS=$((ERRORS + 1))
+ error_notify "[ERROR]: Failed to fetch trusted pkg keys."
+ return 1
+ fi
 fi
- fi
- if [ ! -f "${host_fingerprintsdir}/trusted/backup-signing-${MAJOR_VERSION}" ]; then
- if ! fetch -o "${host_fingerprintsdir}/trusted" https://cgit.freebsd.org/src/tree/share/keys/pkgbase-${MAJOR_VERSION}/trusted/backup-signing-${MAJOR_VERSION}
- then
- ERRORS=$((ERRORS + 1))
- error_notify "[ERROR]: Failed to fetch trusted backup pkg keys."
- return 1
+ if [ ! -f "${host_fingerprintsdir}/trusted/backup-signing-${MAJOR_VERSION}" ]; then
+ if ! fetch -o "${host_fingerprintsdir}/trusted" https://cgit.freebsd.org/src/tree/share/keys/pkgbase-${MAJOR_VERSION}/trusted/backup-signing-${MAJOR_VERSION}; then
+ ERRORS=$((ERRORS + 1))
+ error_notify "[ERROR]: Failed to fetch trusted backup pkg keys."
+ return 1
+ fi
 fi
 fi
@@ -504,6 +507,7 @@ bootstrap_template() {
 # Handle options.
 PKGBASE=0
 ERRORS=0
+FETCH_PKG_KEYS=0
 while [ "$#" -gt 0 ]; do
 case "${1}" in
 -h|--help|help)
diff --git a/usr/local/share/bastille/pkgbase/FreeBSD-base.conf b/usr/local/share/bastille/pkgbase/FreeBSD-base.conf
index 6eb8f523..fc2f4c37 100644
--- a/usr/local/share/bastille/pkgbase/FreeBSD-base.conf
+++ b/usr/local/share/bastille/pkgbase/FreeBSD-base.conf
@@ -2,14 +2,14 @@ FreeBSD-base-latest: {
 url: "pkg+https://pkg.FreeBSD.org/${ABI}/base_latest",
 mirror_type: "srv",
 signature_type: "fingerprints",
- fingerprints: "/usr/share/keys/pkgbase-${VERSION_MAJOR}",
+ fingerprints: "/usr/share/keys/pkg",
 enabled: yes
 }
 FreeBSD-base-weekly: {
 url: "pkg+https://pkg.FreeBSD.org/${ABI}/base_weekly",
 mirror_type: "srv",
 signature_type: "fingerprints",
- fingerprints: "/usr/share/keys/pkgbase-${VERSION_MAJOR}",
+ fingerprints: "/usr/share/keys/pkg",
 enabled: yes
 }
 FreeBSD-base-release-0: {
diff --git a/usr/local/share/bastille/update.sh b/usr/local/share/bastille/update.sh
index 9b60da3d..56e7a0d3 100644
--- a/usr/local/share/bastille/update.sh
+++ b/usr/local/share/bastille/update.sh
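Review bot: The `fetch` calls kept under the new `release` check still pull the signing-key fingerprints from cgit's `src/tree/...` view, which as far as I know returns the HTML rendering of the file rather than the file itself; the raw content is served under `src/plain/...`, e.g. `https://cgit.freebsd.org/src/plain/share/keys/pkgbase-${MAJOR_VERSION}/trusted/awskms-${MAJOR_VERSION}`. These files are the trust anchor for every later `pkg` signature check and are written into the host's `/usr/share/keys`, so a successful download should not be the only test: compare the result against a fingerprint shipped with Bastille and take the existing `error_notify`/`return 1` path on a mismatch. The same URLs appear in `jail_upgrade_pkgbase` in upgrade.sh. For `current`, nothing in the hunk checks that `/usr/share/keys/pkg` exists on the host; whether code after the hunk does is not visible.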
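Review bot: `FETCH_PKG_KEYS=0` is initialised next to `PKGBASE` and `ERRORS`, but nothing in this patch reads or sets it. If it is meant to make the key download in `bootstrap_release_pkgbase` opt-in, that block should test it, e.g. `[ "${FETCH_PKG_KEYS}" -eq 1 ]`, and the flag belongs in the usage text; if not, leave it out until the option exists. The option loop continues outside the hunk, so a matching flag may already be there.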
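Review bot: The key directory for `base_latest`/`base_weekly` is now written in two places, here and in the `fingerprints=` assignments of bootstrap.sh, update.sh and upgrade.sh, and the scripts also pass their value with `-o FINGERPRINTS=`. It is not visible from the patch which of the two pkg uses for verification, or whether this absolute path is resolved inside `--rootdir` or on the host. A comment above `FreeBSD-base-latest` would settle that for the next change, for example `# latest/weekly verify against keys/pkg, release-N against keys/pkgbase-N; keep in sync with the fingerprints= paths in the scripts`.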
@@ -196,13 +196,14 @@ jail_update_pkgbase() { local jailpath="${bastille_jailsdir}/${TARGET}/root" local abi="FreeBSD:${MAJOR_VERSION}:${HW_MACHINE_ARCH}" - local fingerprints="${jailpath}/usr/share/keys/pkg" + local repo_dir="${bastille_sharedir}/pkgbase" if [ "${FREEBSD_BRANCH}" = "release" ]; then local repo_name="FreeBSD-base-release-${MINOR_VERSION}" + local fingerprints="${jailpath}/usr/share/keys/pkgbase-${MAJOR_VERSION}" elif [ "${FREEBSD_BRANCH}" = "current" ]; then local repo_name="FreeBSD-base-latest" + local fingerprints="${jailpath}/usr/share/keys/pkg" fi - local repo_dir="${bastille_sharedir}/pkgbase" # Update repo (pkgbase) if ! pkg --rootdir "${jailpath}" \ @@ -330,21 +331,24 @@ release_update() { release_update_pkgbase() { if [ "${RELEASE_PLATFORM_OS}" = "FreeBSD" ]; then - + local release_dir="${bastille_releasesdir}/${TARGET}" local abi="FreeBSD:${MAJOR_VERSION}:${HW_MACHINE_ARCH}" - local fingerprints="${release_dir}/usr/share/keys/pkg" + local repo_dir="${bastille_sharedir}/pkgbase" if [ "${FREEBSD_BRANCH}" = "release" ]; then local repo_name="FreeBSD-base-release-${MINOR_VERSION}" + local fingerprints="${release_dir}/usr/share/keys/pkgbase-${MAJOR_VERSION}" elif [ "${FREEBSD_BRANCH}" = "current" ]; then local repo_name="FreeBSD-base-latest" + local fingerprints="${release_dir}/usr/share/keys/pkg" fi - local repo_dir="${bastille_sharedir}/pkgbase" # Update repo (pkgbase) if ! pkg --rootdir "${release_dir}" \ --repo-conf-dir "${repo_dir}" \ -o IGNORE_OSVERSION="yes" \ + -o VERSION_MAJOR="${MAJOR_VERSION}" \ + -o VERSION_MINOR="${MINOR_VERSION}" \ -o ABI="${abi}" \ -o ASSUME_ALWAYS_YES="yes" \ -o FINGERPRINTS="${fingerprints}" \ @@ -357,6 +361,8 @@ release_update_pkgbase() { if ! pkg --rootdir "${release_dir}" \ --repo-conf-dir "${repo_dir}" \ -o IGNORE_OSVERSION="yes" \ + -o VERSION_MAJOR="${MAJOR_VERSION}" \ + -o VERSION_MINOR="${MINOR_VERSION}" \ -o ABI="${abi}" \ -o ASSUME_ALWAYS_YES="yes" \ -o FINGERPRINTS="${fingerprints}" \ 
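Review bot: `fingerprints` is now assigned only inside the `release` and `current` arms, so any other `FREEBSD_BRANCH` value leaves it unset, where before this change the path was always set. The `pkg` call that starts at the end of the hunk presumably passes it as `-o FINGERPRINTS=`, as `release_update_pkgbase` does, and would then run with an empty key directory. An `else` arm that stops, such as `else error_exit "[ERROR]: Unsupported FREEBSD_BRANCH: ${FREEBSD_BRANCH}"` (using whichever error helper this file has; `error_exit` is the one visible in upgrade.sh), keeps signature verification from depending on an empty path. The same pattern is in `release_update_pkgbase` below, in `jail_upgrade_pkgbase` in upgrade.sh and in `bootstrap_release_pkgbase`, where `host_fingerprintsdir` and `release_fingerprintsdir` are affected too.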
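Review bot: Only `release_update_pkgbase` gains `-o VERSION_MAJOR` and `-o VERSION_MINOR`; the `pkg` invocations of `jail_update_pkgbase` lie outside the hunks, so it is not visible whether they pass them too. If the repo conf expands `${VERSION_MAJOR}` for the release entries (the removed `fingerprints:` lines did), a jail on a different major than the host needs the same two options, or pkg may look for the keys under the host's version. A one-line comment at the first call, e.g. `# VERSION_MAJOR/MINOR are expanded by pkgbase/FreeBSD-base.conf`, would explain why they are passed. The following hunk repeats the change for the second `pkg` call of the same function.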
diff --git a/usr/local/share/bastille/upgrade.sh b/usr/local/share/bastille/upgrade.sh
index 710d71a9..a3bfde0f 100644
--- a/usr/local/share/bastille/upgrade.sh
+++ b/usr/local/share/bastille/upgrade.sh
@@ -317,27 +317,28 @@ jail_upgrade_pkgbase() {
 local jailpath="${bastille_jailsdir}/${TARGET}/root"
 local abi="FreeBSD:${NEW_MAJOR_VERSION}:${HW_MACHINE_ARCH}"
- local fingerprints="${jailpath}/usr/share/keys/pkgbase-${MAJOR_VERSION}"
+ local repo_dir="${bastille_sharedir}/pkgbase"
 if [ "${FREEBSD_BRANCH}" = "release" ]; then
 local repo_name="FreeBSD-base-release-${NEW_MINOR_VERSION}"
+ local fingerprints="${jailpath}/usr/share/keys/pkgbase-${MAJOR_VERSION}"
 elif [ "${FREEBSD_BRANCH}" = "current" ]; then
 local repo_name="FreeBSD-base-latest"
+ local fingerprints="${jailpath}/usr/share/keys/pkg"
 fi
- local repo_dir="${bastille_sharedir}/pkgbase"
 info "\n[${TARGET}]:"
 # Verify trusted pkg keys
- if [ ! -f "${fingerprints}/trusted/awskms-${NEW_MAJOR_VERSION}" ]; then
- if ! fetch -o "${fingerprints}/trusted" https://cgit.freebsd.org/src/tree/share/keys/pkgbase-${NEW_MAJOR_VERSION}/trusted/awskms-${NEW_MAJOR_VERSION}
- then
- error_exit "[ERROR]: Failed to fetch trusted pkg keys."
+ if [ "${FREEBSD_BRANCH}" = "release" ]; then
+ if [ ! -f "${fingerprints}/trusted/awskms-${NEW_MAJOR_VERSION}" ]; then
+ if ! fetch -o "${fingerprints}/trusted" https://cgit.freebsd.org/src/tree/share/keys/pkgbase-${NEW_MAJOR_VERSION}/trusted/awskms-${NEW_MAJOR_VERSION}; then
+ error_exit "[ERROR]: Failed to fetch trusted pkg keys."
+ fi
 fi
- fi
- if [ ! -f "${fingerprints}/trusted/backup-signing-${NEW_MAJOR_VERSION}" ]; then
- if ! fetch -o "${fingerprints}/trusted" https://cgit.freebsd.org/src/tree/share/keys/pkgbase-${NEW_MAJOR_VERSION}/trusted/backup-signing-${NEW_MAJOR_VERSION}
- then
- error_exit "[ERROR]: Failed to fetch trusted backup pkg keys."
+ if [ ! -f "${fingerprints}/trusted/backup-signing-${NEW_MAJOR_VERSION}" ]; then
+ if ! fetch -o "${fingerprints}/trusted" https://cgit.freebsd.org/src/tree/share/keys/pkgbase-${NEW_MAJOR_VERSION}/trusted/backup-signing-${NEW_MAJOR_VERSION}; then
+ error_exit "[ERROR]: Failed to fetch trusted backup pkg keys."
+ fi
 fi
 fi
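Review bot: In the `release` arm `fingerprints` is built from `${MAJOR_VERSION}`, while the existence checks, the `fetch` URLs and `abi` all use `${NEW_MAJOR_VERSION}`. If `MAJOR_VERSION` is the jail's current major, an upgrade across majors tests for and fetches `awskms-${NEW_MAJOR_VERSION}` inside the old `pkgbase-${MAJOR_VERSION}` directory, so the keys for the target release end up in the previous release's key directory. The line probably wants `local fingerprints="${jailpath}/usr/share/keys/pkgbase-${NEW_MAJOR_VERSION}"`. The function continues outside the hunk, so confirm against how `fingerprints` is used in the `pkg` calls there.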