#99 support $releasever=rawhide on Rawhide
Merged 2 months ago by humaton. Opened 2 months ago by kparal.
rpms/ kparal/fedora-repos releasever  into  rawhide

@@ -0,0 +1,29 @@ 

+ -----BEGIN PGP PUBLIC KEY BLOCK-----

+ 

+ mQINBGAcScoBEADLf8YHkezJ6adlMYw7aGGIlJalt8Jj2x/B2K+hIfIuxGtpVj7e

+ LRgDU76jaT5pVD5mFMJ3pkeneR/cTmqqQkNyQshX2oQXwEzUSb1CNMCfCGgkX8Q2

+ zZkrIcCrF0Q2wrKblaudhU+iVanADsm18YEqsb5AU37dtUrM3QYdWg9R+XiPfV8R

+ KBjT03vVBOdMSsY39LaCn6Ip1Ovp8IEo/IeEVY1qmCOPAaK0bJH3ufg4Cueks+TS

+ wQWTeCLxuZL6OMXoOPKwvMQfxbg1XD8vuZ0Ktj/cNH2xau0xmsAu9HJpekvOPRxl

+ yqtjyZfroVieFypwZgvQwtnnM8/gSEu/JVTrY052mEUT7Ccb74kcHFTFfMklnkG/

+ 0fU4ARa504H3xj0ktbe3vKcPXoPOuKBVsHSv00UGYAyPeuy+87cU/YEhM7k3SVKj

+ 6eIZgyiMO0wl1YGDRKculwks9A+ulkg1oTb4s3zmZvP07GoTxW42jaK5WS+NhZee

+ 860XoVhbc1KpS+jfZojsrEtZ8PbUZ+YvF8RprdWArjHbJk2JpRKAxThxsQAsBhG1

+ 0Lux2WaMB0g2I5PcMdJ/cqjo08ccrjBXuixWri5iu9MXp8qT/fSzNmsdIgn8/qZK

+ i8Qulfu77uqhW/wt2btnitgRsqjhxMujYU4Zb4hktF8hKU/XX742qhL5KwARAQAB

+ tDFGZWRvcmEgKDM1KSA8ZmVkb3JhLTM1LXByaW1hcnlAZmVkb3JhcHJvamVjdC5v

+ cmc+iQJOBBMBCAA4FiEEeH6mrhFH7uVsQLMM20Y5cZhnxY8FAmAcScoCGw8FCwkI

+ BwIGFQoJCAsCBBYCAwECHgECF4AACgkQ20Y5cZhnxY+NYA/7BYpglySAZYHhjyKh

+ /+f6zPfVvbH20Eq3kI7OFBN0nLX+BU1muvS+qTuS3WLrB3m3GultpKREJKLtm5ED

+ 1rGzXAoT1yp9YI8LADdMCCOyjAjsoWU87YUuC+/bnjrTeR2LROCfyPC76W985iOV

+ m5S+bsQDw7C2LrldAM4MDuoyZ1SitGaZ4KQLVt+TEa14isYSGCjzo7PY8V3JOk50

+ gqWg82N/bm2EzS7T83WEDb1lvj4IlvxgIqKeg11zXYxmrYSZJJCfvzf+lNS6uxgH

+ jx/J0ylZ2LibGr6GAAyO9UWrAZSwSM0EcjT8wECnxkSDuyqmWwVvNBXuEIV8Oe3Y

+ MiU1fJN8sd7DpsFx5M+XdnMnQS+HrjTPKD3mWrlAdnEThdYV8jZkpWhDys3/99eO

+ hk0rLny0jNwkauf/iU8Oc6XvMkjLRMJg5U9VKyJuWWtzwXnjMN5WRFBqK4sZomMM

+ ftbTH1+5ybRW/A3vBbaxRW2t7UzNjczekSZEiaLN9L/HcJCIR1QF8682DdAlEF9d

+ k2gQiYSQAaaJ0JJAzHvRkRJLLgK2YQYiHNVy2t3JyFfsram5wSCWOfhPeIyLBTZJ

+ vrpNlPbefsT957Tf2BNIugzZrC5VxDSKkZgRh1VGvSIQnCyzkQy6EU2qPpiW59G/

+ hPIXZrKocK3KLS9/izJQTRltjMA=

+ =PfT7

+ -----END PGP PUBLIC KEY BLOCK-----

file modified
+5 -2
@@ -1,8 +1,10 @@ 

  fedora-7-primary: i386 x86_64 ppc ppc64

  

  fedora-8-primary: i386 x86_64 ppc ppc64

+ fedora-8-primary-original:

  

  fedora-9-primary: i386 x86_64 ppc ppc64

+ fedora-9-primary-original:

  fedora-9-secondary: ia64

  

  fedora-10-primary: i386 x86_64 ppc ppc64
@@ -19,7 +21,7 @@ 

  fedora-14-primary: i386 x86_64

  fedora-14-secondary: arm

  

- fedora-15-primary: i386 x86_64 

+ fedora-15-primary: i386 x86_64

  fedora-15-secondary: arm armhfp ppc ppc64 s390 s390x

  

  fedora-16-primary: i386 x86_64
@@ -60,6 +62,7 @@ 

  fedora-28-primary: i386 x86_64 armhfp aarch64 ppc64 ppc64le s390x

  

  fedora-29-primary: i386 x86_64 armhfp aarch64 ppc64 ppc64le s390x

+ fedora-modularity:

  

  fedora-30-primary: i386 x86_64 armhfp aarch64 ppc64le s390x

  
@@ -75,4 +78,4 @@ 

  

  fedora-35-primary: x86_64 armhfp aarch64 ppc64le s390x

  

- fedora-eln-primary: i386 x86_64 aarch64 ppc64le s390x

+ fedora-36-primary: x86_64 armhfp aarch64 ppc64le s390x

file modified
+48 -5
@@ -3,7 +3,7 @@ 

  Summary:        Fedora package repositories

  Name:           fedora-repos

  Version:        35

- Release:        0.1%{?eln:.eln%{eln}}

+ Release:        0.11%{?eln:.eln%{eln}}

  License:        MIT

  URL:            https://fedoraproject.org/

  
@@ -72,6 +72,10 @@ 

  Source53:       RPM-GPG-KEY-fedora-33-primary

  Source54:       RPM-GPG-KEY-fedora-34-primary

  Source55:       RPM-GPG-KEY-fedora-35-primary

+ Source56:       RPM-GPG-KEY-fedora-36-primary

+ # When bumping Rawhide to fN, create N+1 key (and update archmap). (This

+ # ensures users have the next future key installed and referenced, even if they

+ # don't update very often. This will smooth out Rawhide N->N+1 transition for them).

  

  Source100:      fedora-modular.repo

  Source101:      fedora-updates-modular.repo
@@ -162,12 +166,18 @@ 

  #     says "fedora-19-primary: i386 x86_64",

  #     RPM-GPG-KEY-fedora-19-{i386,x86_64} will be symlinked to that key.

  pushd $RPM_BUILD_ROOT/etc/pki/rpm-gpg/

- # Also add a symlink for ELN keys

+ # Also add a symlink for Rawhide and ELN keys

+ ln -s RPM-GPG-KEY-fedora-%{rawhide_release}-primary RPM-GPG-KEY-fedora-rawhide-primary

  ln -s RPM-GPG-KEY-fedora-%{rawhide_release}-primary RPM-GPG-KEY-fedora-eln-primary

  for keyfile in RPM-GPG-KEY*; do

-     key=${keyfile#RPM-GPG-KEY-} # e.g. 'fedora-20-primary'

-     arches=$(sed -ne "s/^${key}://p" %{_sourcedir}/archmap) \

-         || echo "WARNING: no archmap entry for $key"

+     # resolve symlinks, so that we don't need to keep duplicate entries in archmap

+     real_keyfile=$(basename $(readlink -f $keyfile))

+     key=${real_keyfile#RPM-GPG-KEY-} # e.g. 'fedora-20-primary'

+     if ! grep -q "^${key}:" %{_sourcedir}/archmap; then

+         echo "ERROR: no archmap entry for $key"

+         exit 1

+     fi

+     arches=$(sed -ne "s/^${key}://p" %{_sourcedir}/archmap)

      for arch in $arches; do

          # replace last part with $arch (fedora-20-primary -> fedora-20-$arch)

          ln -s $keyfile ${keyfile%%-*}-$arch # NOTE: RPM replaces %% with %
@@ -177,6 +187,17 @@ 

  ln -s RPM-GPG-KEY-fedora-%{version}-primary RPM-GPG-KEY-%{version}-fedora

  popd

  

+ # Adjust Rawhide repo files to include Rawhide+1 GPG key.

+ # This is necessary for the period when Rawhide gets bumped to N+1 and packages

+ # start to be signed with a newer key. Without having the key specified in the

+ # repo file, the system would consider the new packages as untrusted.

+ rawhide_next=$((%{rawhide_release}+1))

+ for repo in %{_sourcedir}/fedora-rawhide*.repo; do

+     sed -ir "s@^gpgkey=.*@& file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-${rawhide_next}-\$basearch@" \

+         $repo || exit 1

+ done

+ 

+ # Install repo files

  install -d -m 755 $RPM_BUILD_ROOT/etc/yum.repos.d

  for file in %{_sourcedir}/fedora*repo ; do

    install -m 644 $file $RPM_BUILD_ROOT/etc/yum.repos.d
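Review bot: `sed -ir` in the added Rawhide loop is parsed by GNU sed as `-i` with the backup suffix `r`, not as `-i -r`, so every run leaves a `*.repor` copy beside each repo file and extended regexes are never enabled (the expression does not need them). The loop also edits the files under `%{_sourcedir}` in place, so re-running the scriptlet on the same tree appends the N+1 key a second time. I would run the substitution after the install loop, against the installed copies: `for repo in $RPM_BUILD_ROOT/etc/yum.repos.d/fedora-rawhide*.repo; do` with `sed -i "s@^gpgkey=.*@& file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-${rawhide_next}-\$basearch@" "$repo" || exit 1`. The enclosing scriptlet (presumably `%install`) starts and ends outside this hunk.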
@@ -198,6 +219,28 @@ 

    %endif

  done

  

+ # make sure the Rawhide+1 key wasn't forgotten to be created

+ rawhide_next=$((%{rawhide_release}+1))

+ if ! test -f $RPM_BUILD_ROOT/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-${rawhide_next}-primary; then

+     echo "ERROR: GPG key for Fedora ${rawhide_next} is not present"

+     exit 1

+ fi

+ 

+ # make sure the Rawhide+1 key is present in Rawhide repo files

+ for repo in $RPM_BUILD_ROOT/etc/yum.repos.d/fedora-rawhide*.repo; do

+     gpg_lines=$(grep '^gpgkey=' $repo)

+     if test -z "$gpg_lines"; then

+         echo "ERROR: No gpgkey= lines in $repo"

+         exit 1

+     fi

+     while IFS= read -r line; do

+         if ! echo "$line" | grep -q "RPM-GPG-KEY-fedora-${rawhide_next}"; then

+             echo "ERROR: Fedora ${rawhide_next} GPG key missing in $repo"

+             exit 1

+         fi

+     done <<< "$gpg_lines"

+ done

+ 

  

  %files

  %dir /etc/yum.repos.d
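Review bot: The `test -f` check on `RPM-GPG-KEY-fedora-${rawhide_next}-primary` only proves that a file with that name exists, so a placeholder or a copy of another release's key passes it and then becomes trusted through the `gpgkey=` lines of the Rawhide repo files. As this is the guard against mistakes at branch time, it should also confirm the key's identity, for example `gpg --show-keys --with-colons $RPM_BUILD_ROOT/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-${rawhide_next}-primary | grep -q "fedora-${rawhide_next}-primary@" || exit 1`. That assumes the user ID follows the naming of earlier keys and that gnupg2 is available at build time. The later `grep -q "RPM-GPG-KEY-fedora-${rawhide_next}"` is an unanchored substring match; matching `RPM-GPG-KEY-fedora-${rawhide_next}-` would stop it accepting a longer release number. The scriptlet these checks belong to starts above the hunk.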

This PR consists of two commits (it's best to review the diffs individually):

support $releasever=rawhide on Rawhide

This commit is necessary to support a fedora-release change which makes
$releasever return "rawhide" on Rawhide (please read that commit first [1]).

The most important change here is the introduction of the
`RPM-GPG-KEY-fedora-rawhide-primary` symlink to the current (numbered) Rawhide
key. This is necessary because $releasever resolves to "rawhide" now and
therefore the file must be present under the "rawhide" name.

There's an additional change present, which seemed related enough to include it
in the same commit - the Fedora 36 GPG key is added and it is referenced in
Rawhide repo files. The purpose is to have a reliable update process which
doesn't break just because users didn't update their system in a month (and
therefore missed the window during which gpg keys are changed). This problem
might be even more pronounced after this patch and therefore should be addressed
together. The fix also paves the way for future simplification of fedora-repos (no
need for separate rawhide repo files, perhaps).

Additional checks have been added to reduce the likelihood of human errors when
Rawhide number is bumped.

[1] https://src.fedoraproject.org/rpms/fedora-release/pull-request/167

Related: https://pagure.io/releng/issue/7445
Related: https://src.fedoraproject.org/rpms/fedora-release/pull-request/167

and

make archmap entries mandatory, except symlinks

All GPG keys except symlinks must now have an entry in archmap. This is to
increase reliability and avoid frequent errors when updating this spec file.

Please note that this PR is not yet ready for pushing! The Fedora 36 GPG key is bogus, it's a copied Fedora 35 GPG key. Before pushing, it needs to be replaced with a proper infra-generated GPG key, either locally, or please post its contents to comments and I'll update the PR, thanks.

This PR needs to be pushed and built together with:
https://src.fedoraproject.org/rpms/fedora-release/pull-request/167

There's a COPR repo you can add in order to experiment with the built packages:
https://copr.fedorainfracloud.org/coprs/kparal/rawhide-releasever/packages/

Build succeeded.

Pull-Request has been merged by humaton

2 months ago

Soo, have you noticed this? :-)

Please note that this PR is not yet ready for pushing! The Fedora 36 GPG key is bogus, it's a copied Fedora 35 GPG key. Before pushing, it needs to be replaced with a proper infra-generated GPG key, either locally, or please post its contents to comments and I'll update the PR, thanks.

It seems the committed gpg key hasn't been replaced with a proper one.

Also please note that it would be best to get a new build of fedora-release+fedora-repos into Rawhide soon, so that we can test whether everything works as expected. Thanks.

@kparal Yes, I noticed that the package was not yet built. I will do the builds later today with the proper f36 key.