Include GPG keys in katello-repos and check for non-nightly

Including the GPG keys is better because it gives a higher degree of trust because the RPM is GPG signed. It also helps because dnf doesn't refresh HTTPS URLs and purging old entries is tedious. While the repos aren't typically installed that long, I've had it happen to me with one of my personal COPR repositories. The downside is that after branching you need to update the GPG key in the repository. It also makes GPG key checking correct by looking at the correct values. This allows enabling GPG for candlepin (which is using a signed release) while not enabling it for Pulp or Katello (which are nightly).
theforeman · Aug 21, 2024 · fbf8836 · fbf8836
1 parent 770f538
commit fbf8836
Show file tree

Hide file tree

Showing 3 changed files with 28 additions and 7 deletions.
diff --git a/packages/katello/katello-repos/katello-repos.spec b/packages/katello/katello-repos/katello-repos.spec
@@ -6,7 +6,7 @@
 
 %global prereleasesource nightly
 %global prerelease %{?prereleasesource:.}%{?prereleasesource}
-%global release 2
+%global release 3
 
 Name:           katello-repos
 Version:        4.14
@@ -18,6 +18,7 @@ License:        GPLv2
 URL:            https://theforeman.org/plugins/katello/
 Source0:        katello.repo
 Source1:        candlepin.gpg
+Source2:        pulpcore.gpg
 
 BuildArch:      noarch
 
@@ -41,6 +42,7 @@ install -d -m 0755 %{buildroot}%{_sysconfdir}/pki/rpm-gpg/
 
 install -m 644 %{SOURCE0} %{buildroot}%{repo_dir}/
 install -Dpm0644 %{SOURCE1} %{buildroot}%{_sysconfdir}/pki/rpm-gpg/RPM-GPG-KEY-candlepin
+install -Dpm0644 %{SOURCE2} %{buildroot}%{_sysconfdir}/pki/rpm-gpg/RPM-GPG-KEY-pulpcore
 
 if [[ '%{release}' == *"nightly"* ]];then
     REPO_VERSION='nightly'
@@ -53,6 +55,18 @@ else
     REPO_GPGCHECK=1
 fi
 
+if [[ '%{pulpcore_version}' == nightly ]] ; then
+    PULPCORE_REPO_GPGCHECK=0
+else
+    PULPCORE_REPO_GPGCHECK=1
+fi
+
+if [[ '%{candlepin_version}' == nightly ]] ; then
+    CANDLEPIN_REPO_GPGCHECK=0
+else
+    CANDLEPIN_REPO_GPGCHECK=1
+fi
+
 for repofile in %{buildroot}%{repo_dir}/*.repo; do
     trimmed_dist=`echo %{repo_dist} | sed 's/^\.//'`
     sed -i "s/@DIST@/${trimmed_dist}/" $repofile
@@ -61,7 +75,9 @@ for repofile in %{buildroot}%{repo_dir}/*.repo; do
     sed -i "s/@REPO_NAME@/${REPO_NAME}/" $repofile
     sed -i "s/@REPO_GPGCHECK@/${REPO_GPGCHECK}/" $repofile
     sed -i "s/@PULPCORE_VERSION@/%pulpcore_version/" $repofile
+    sed -i "s/@PULPCORE_REPO_GPGCHECK@/${PULPCORE_REPO_GPGCHECK}/" $repofile
     sed -i "s/@CANDLEPIN_VERSION@/%candlepin_version/" $repofile
+    sed -i "s/@CANDLEPIN_REPO_GPGCHECK@/${CANDLEPIN_REPO_GPGCHECK}/" $repofile
 done
 
 %clean
@@ -71,8 +87,13 @@ rm -rf %{buildroot}
 %defattr(-, root, root)
 %config %{repo_dir}/*.repo
 %{_sysconfdir}/pki/rpm-gpg/RPM-GPG-KEY-candlepin
+%{_sysconfdir}/pki/rpm-gpg/RPM-GPG-KEY-pulpcore
 
 %changelog
+* Thu Aug 15 2024 Ewoud Kohl van Wijngaarden <[email protected]> - 4.14-0.3.nightly
+- Include all GPG keys in the repo file itself
+- Consistently enable GPG checking only on non-nightly
+
 * Mon Jun 03 2024 Evgeni Golov - 4.14-0.2.nightly
 - Update Candlepin 4.4 key
 

diff --git a/packages/katello/katello-repos/katello.repo b/packages/katello/katello-repos/katello.repo
@@ -15,14 +15,14 @@ name=Candlepin: an open source entitlement management system.
 baseurl=https://yum.theforeman.org/candlepin/@CANDLEPIN_VERSION@/@DIST@/$basearch/
 gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-candlepin
 enabled=1
-gpgcheck=@REPO_GPGCHECK@
+gpgcheck=@CANDLEPIN_REPO_GPGCHECK@
 
 [pulpcore]
 name=pulpcore: Fetch, Upload, Organize, and Distribute Software Packages.
 baseurl=https://yum.theforeman.org/pulpcore/@PULPCORE_VERSION@/@DIST@/$basearch/
-gpgkey=https://yum.theforeman.org/pulpcore/@PULPCORE_VERSION@/GPG-RPM-KEY-pulpcore
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-pulpcore
 enabled=1
-gpgcheck=@REPO_GPGCHECK@
+gpgcheck=@PULPCORE_REPO_GPGCHECK@
 
 # source repositories
 
@@ -38,11 +38,11 @@ name=Katello Candlepin source
 baseurl=https://yum.theforeman.org/candlepin/@REPO_VERSION@/@DIST@/source/
 gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-candlepin
 enabled=0
-gpgcheck=@REPO_GPGCHECK@
+gpgcheck=@CANDLEPIN_REPO_GPGCHECK@
 
 [pulpcore-source]
 name=pulpcore source
 baseurl=https://yum.theforeman.org/pulpcore/@PULPCORE_VERSION@/@DIST@/source/
-gpgkey=https://yum.theforeman.org/pulpcore/@PULPCORE_VERSION@/GPG-RPM-KEY-pulpcore
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-pulpcore
 enabled=0
-gpgcheck=@REPO_GPGCHECK@
+gpgcheck=@PULPCORE_REPO_GPGCHECK@
diff --git a/packages/katello/katello-repos/pulpcore.gpg b/packages/katello/katello-repos/pulpcore.gpg