Initialize public key for online repo only when needed

usr/lib/python3.8/spoc/repo_online.py

@@ -15,11 +15,14 @@ from cryptography.hazmat.primitives.serialization import load_pem_public_key
 from .exceptions import AppNotFoundError, ImageNotFoundError
 from .config import ONLINE_PUBKEY, ONLINE_REPO_URL, ONLINE_SIG_URL, TYPE_APP, TYPE_IMAGE
 
-def get_pubkey():
-    pubkey = f'-----BEGIN PUBLIC KEY-----\n{ONLINE_PUBKEY}\n-----END PUBLIC KEY-----'
-    return load_pem_public_key(pubkey.encode(), default_backend())
+public_key = None
 
-PUBLIC_KEY = get_pubkey()
+def get_public_key():
+    global public_key
+    if not public_key:
+        pem = f'-----BEGIN PUBLIC KEY-----\n{ONLINE_PUBKEY}\n-----END PUBLIC KEY-----'
+        public_key = load_pem_public_key(pem.encode(), default_backend())
+    return public_key
 
 def verify_fileobj(fileobj, expected_hash):
     hasher = hashes.Hash(hashes.SHA512(), default_backend())
@@ -28,7 +31,7 @@ def verify_fileobj(fileobj, expected_hash):
         if not data:
             break
         hasher.update(data)
-    PUBLIC_KEY.verify(bytes.fromhex(expected_hash), hasher.finalize(), ec.ECDSA(utils.Prehashed(hashes.SHA512())))
+    get_public_key().verify(bytes.fromhex(expected_hash), hasher.finalize(), ec.ECDSA(utils.Prehashed(hashes.SHA512())))
 
 def download_archive(archive_url, archive_path, expected_hash, observer=None):
     # Check if an archive needs to be downloaded via http(s)
@@ -97,7 +100,7 @@ def load():
             resource = session.get(ONLINE_SIG_URL, timeout=5)
             resource.raise_for_status()
             packages_sig = resource.content
-        PUBLIC_KEY.verify(packages_sig, packages, ec.ECDSA(hashes.SHA512()))
+        get_public_key().verify(packages_sig, packages, ec.ECDSA(hashes.SHA512()))
         data = json.loads(packages.decode())
         mtime = time.time()