From dac6fcdf6c063f1e049ddc7b33f3b299bb643d7f Mon Sep 17 00:00:00 2001 From: Kamil Páral Date: Feb 12 2021 11:53:26 +0000 Subject: [PATCH 1/2] support $releasever=rawhide on Rawhide This commit is necessary to support a fedora-release change which makes $releasever return "rawhide" on Rawhide (please read that commit first [1]). The most important change here is the introduction of the `RPM-GPG-KEY-fedora-rawhide-primary` symlink to the current (numbered) Rawhide key. This is necessary because $releasever resolves to "rawhide" now and therefore the file must be present under the "rawhide" name. There's an additional change present, which seemed related enough to include it in the same commit - the Fedora 36 GPG key is added and it is referenced in Rawhide repo files. The purpose is to have a reliable update process which doesn't break just because users didn't update their system in a month (and therefore missed the window during which gpg keys are changed). This problem might be even more pronounced after this patch and therefore should be addressed together. The fix also paves way for future simplification of fedora-repos (no need for separate rawhide repo files, perhaps). Additional checks have been added to reduce the likelihood of human errors when Rawhide number is bumped. [1] https://src.fedoraproject.org/rpms/fedora-release/pull-request/167 Related: https://pagure.io/releng/issue/7445 Related: https://src.fedoraproject.org/rpms/fedora-release/pull-request/167 --- diff --git a/RPM-GPG-KEY-fedora-36-primary b/RPM-GPG-KEY-fedora-36-primary new file mode 100644 index 0000000..899affa --- /dev/null +++ b/RPM-GPG-KEY-fedora-36-primary 
@@ -0,0 +1,29 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQINBGAcScoBEADLf8YHkezJ6adlMYw7aGGIlJalt8Jj2x/B2K+hIfIuxGtpVj7e
+LRgDU76jaT5pVD5mFMJ3pkeneR/cTmqqQkNyQshX2oQXwEzUSb1CNMCfCGgkX8Q2
+zZkrIcCrF0Q2wrKblaudhU+iVanADsm18YEqsb5AU37dtUrM3QYdWg9R+XiPfV8R
+KBjT03vVBOdMSsY39LaCn6Ip1Ovp8IEo/IeEVY1qmCOPAaK0bJH3ufg4Cueks+TS
+wQWTeCLxuZL6OMXoOPKwvMQfxbg1XD8vuZ0Ktj/cNH2xau0xmsAu9HJpekvOPRxl
+yqtjyZfroVieFypwZgvQwtnnM8/gSEu/JVTrY052mEUT7Ccb74kcHFTFfMklnkG/
+0fU4ARa504H3xj0ktbe3vKcPXoPOuKBVsHSv00UGYAyPeuy+87cU/YEhM7k3SVKj
+6eIZgyiMO0wl1YGDRKculwks9A+ulkg1oTb4s3zmZvP07GoTxW42jaK5WS+NhZee
+860XoVhbc1KpS+jfZojsrEtZ8PbUZ+YvF8RprdWArjHbJk2JpRKAxThxsQAsBhG1
+0Lux2WaMB0g2I5PcMdJ/cqjo08ccrjBXuixWri5iu9MXp8qT/fSzNmsdIgn8/qZK
+i8Qulfu77uqhW/wt2btnitgRsqjhxMujYU4Zb4hktF8hKU/XX742qhL5KwARAQAB
+tDFGZWRvcmEgKDM1KSA8ZmVkb3JhLTM1LXByaW1hcnlAZmVkb3JhcHJvamVjdC5v
+cmc+iQJOBBMBCAA4FiEEeH6mrhFH7uVsQLMM20Y5cZhnxY8FAmAcScoCGw8FCwkI
+BwIGFQoJCAsCBBYCAwECHgECF4AACgkQ20Y5cZhnxY+NYA/7BYpglySAZYHhjyKh
+/+f6zPfVvbH20Eq3kI7OFBN0nLX+BU1muvS+qTuS3WLrB3m3GultpKREJKLtm5ED
+1rGzXAoT1yp9YI8LADdMCCOyjAjsoWU87YUuC+/bnjrTeR2LROCfyPC76W985iOV
+m5S+bsQDw7C2LrldAM4MDuoyZ1SitGaZ4KQLVt+TEa14isYSGCjzo7PY8V3JOk50
+gqWg82N/bm2EzS7T83WEDb1lvj4IlvxgIqKeg11zXYxmrYSZJJCfvzf+lNS6uxgH
+jx/J0ylZ2LibGr6GAAyO9UWrAZSwSM0EcjT8wECnxkSDuyqmWwVvNBXuEIV8Oe3Y
+MiU1fJN8sd7DpsFx5M+XdnMnQS+HrjTPKD3mWrlAdnEThdYV8jZkpWhDys3/99eO
+hk0rLny0jNwkauf/iU8Oc6XvMkjLRMJg5U9VKyJuWWtzwXnjMN5WRFBqK4sZomMM
+ftbTH1+5ybRW/A3vBbaxRW2t7UzNjczekSZEiaLN9L/HcJCIR1QF8682DdAlEF9d
+k2gQiYSQAaaJ0JJAzHvRkRJLLgK2YQYiHNVy2t3JyFfsram5wSCWOfhPeIyLBTZJ
+vrpNlPbefsT957Tf2BNIugzZrC5VxDSKkZgRh1VGvSIQnCyzkQy6EU2qPpiW59G/
+hPIXZrKocK3KLS9/izJQTRltjMA=
+=PfT7
+-----END PGP PUBLIC KEY BLOCK-----
diff --git a/archmap b/archmap
index e80ecbd..e4793c4 100644
--- a/archmap
+++ b/archmap
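Review bot: The key added as `RPM-GPG-KEY-fedora-36-primary` does not look like a Fedora 36 key: the user-ID packet in the armored block (the line beginning `tDFGZWRvcmEgKDM1KSA8`) base64-decodes to `Fedora (35) <fedora-35-primary@fedoraproject.org>`. If this is a placeholder copy of the Fedora 35 key, the extra `gpgkey=` entry adds no new trust anchor, and packages signed with the real Fedora 36 key would still be rejected after the Rawhide bump, which is the failure this commit sets out to prevent. Before merging, inspect the file with `gpg --show-keys RPM-GPG-KEY-fedora-36-primary` and compare the fingerprint with the one published for Fedora 36 through a separate channel. A comment beside `Source56` recording the expected fingerprint would make later key swaps easier to review.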
@@ -75,4 +75,8 @@ fedora-34-primary: i386 x86_64 armhfp aarch64 ppc64le s390x fedora-35-primary: x86_64 armhfp aarch64 ppc64le s390x +fedora-36-primary: x86_64 armhfp aarch64 ppc64le s390x + +fedora-rawhide-primary: x86_64 armhfp aarch64 ppc64le s390x + fedora-eln-primary: i386 x86_64 aarch64 ppc64le s390x diff --git a/fedora-repos.spec b/fedora-repos.spec index c1c7f4e..12f2597 100644 --- a/fedora-repos.spec +++ b/fedora-repos.spec @@ -3,7 +3,7 @@ Summary: Fedora package repositories Name: fedora-repos Version: 35 -Release: 0.1%{?eln:.eln%{eln}} +Release: 0.10%{?eln:.eln%{eln}} License: MIT URL: https://fedoraproject.org/ @@ -72,6 +72,10 @@ Source52: RPM-GPG-KEY-fedora-32-primary Source53: RPM-GPG-KEY-fedora-33-primary Source54: RPM-GPG-KEY-fedora-34-primary Source55: RPM-GPG-KEY-fedora-35-primary +Source56: RPM-GPG-KEY-fedora-36-primary +# When bumping Rawhide to fN, create N+1 key (and update archmap). (This +# ensures users have the next future key installed and referenced, even if they +# don't update very often. This will smooth out Rawhide N->N+1 transition for them). Source100: fedora-modular.repo Source101: fedora-updates-modular.repo @@ -162,7 +166,8 @@ install -m 644 %{_sourcedir}/RPM-GPG-KEY* $RPM_BUILD_ROOT/etc/pki/rpm-gpg/ # says "fedora-19-primary: i386 x86_64", # RPM-GPG-KEY-fedora-19-{i386,x86_64} will be symlinked to that key. pushd $RPM_BUILD_ROOT/etc/pki/rpm-gpg/ -# Also add a symlink for ELN keys +# Also add a symlink for Rawhide and ELN keys +ln -s RPM-GPG-KEY-fedora-%{rawhide_release}-primary RPM-GPG-KEY-fedora-rawhide-primary ln -s RPM-GPG-KEY-fedora-%{rawhide_release}-primary RPM-GPG-KEY-fedora-eln-primary for keyfile in RPM-GPG-KEY*; do key=${keyfile#RPM-GPG-KEY-} # e.g. 'fedora-20-primary' 
@@ -177,6 +182,17 @@ done ln -s RPM-GPG-KEY-fedora-%{version}-primary RPM-GPG-KEY-%{version}-fedora popd +# Adjust Rawhide repo files to include Rawhide+1 GPG key. +# This is necessary for the period when Rawhide gets bumped to N+1 and packages +# start to be signed with a newer key. Without having the key specified in the +# repo file, the system would consider the new packages as untrusted. +rawhide_next=$((%{rawhide_release}+1)) +for repo in %{_sourcedir}/fedora-rawhide*.repo; do + sed -ir "s@^gpgkey=.*@& file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-${rawhide_next}-\$basearch@" \ + $repo || exit 1 +done + +# Install repo files install -d -m 755 $RPM_BUILD_ROOT/etc/yum.repos.d for file in %{_sourcedir}/fedora*repo ; do install -m 644 $file $RPM_BUILD_ROOT/etc/yum.repos.d @@ -198,6 +214,28 @@ for repo in $RPM_BUILD_ROOT/etc/yum.repos.d/fedora-{rawhide,eln}*.repo; do %endif done +# make sure the Rawhide+1 key wasn't forgotten to be created +rawhide_next=$((%{rawhide_release}+1)) +if ! test -f $RPM_BUILD_ROOT/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-${rawhide_next}-primary; then + echo "ERROR: GPG key for Fedora ${rawhide_next} is not present" + exit 1 +fi + +# make sure the Rawhide+1 key is present in Rawhide repo files +for repo in $RPM_BUILD_ROOT/etc/yum.repos.d/fedora-rawhide*.repo; do + gpg_lines=$(grep '^gpgkey=' $repo) + if test -z "$gpg_lines"; then + echo "ERROR: No gpgkey= lines in $repo" + exit 1 + fi + while IFS= read -r line; do + if ! echo "$line" | grep -q "RPM-GPG-KEY-fedora-${rawhide_next}"; then + echo "ERROR: Fedora ${rawhide_next} GPG key missing in $repo" + exit 1 + fi + done <<< "$gpg_lines" +done + %files %dir /etc/yum.repos.d From f1cc1f21d118ddae9f09120d862c18cd1a04e774 Mon Sep 17 00:00:00 2001 
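Review bot: The `sed -ir` call in the new "Adjust Rawhide repo files" loop edits the files under `%{_sourcedir}` in place, and GNU sed reads `-ir` as `-i` with backup suffix `r`, not as `-i -r`. Each run of %install therefore appends another copy of the Rawhide+1 key path to every `gpgkey=` line of the source repo files and leaves backup files with an `r` suffix beside them, so a rebuild from the same source directory ships a different trust list than the first build. Editing the installed copies avoids both problems: move the loop below the `install -m 644 $file ...` loop, iterate with `for repo in $RPM_BUILD_ROOT/etc/yum.repos.d/fedora-rawhide*.repo; do`, and call `sed -i "s@^gpgkey=.*@& file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-${rawhide_next}-\$basearch@" "$repo" || exit 1`.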
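Review bot: The first added check, `test -f $RPM_BUILD_ROOT/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-${rawhide_next}-primary`, only proves that a file with the expected name exists; a copy of the previous release's key saved under the new name passes it. Since the check is meant to catch human error at bump time, it could also confirm that the key identifies itself as the Rawhide+1 key, for example `gpg --show-keys $RPM_BUILD_ROOT/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-${rawhide_next}-primary | grep -q "fedora-${rawhide_next}-primary@" || exit 1`. That assumes Fedora keys keep the release number in their user ID and that gnupg2 is available in the build root. The `echo "ERROR: ..."` lines in both checks would also be better sent to stderr with `>&2`, and `$repo` quoted in `grep '^gpgkey=' "$repo"`.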
From: Kamil Páral Date: Feb 12 2021 11:54:15 +0000 Subject: [PATCH 2/2] make archmap entries mandatory, except symlinks All GPG keys except symlinks must now have an entry in archmap. This is to increase reliability and avoid frequent errors when updating this spec file. --- diff --git a/archmap b/archmap index e4793c4..63d86ce 100644 --- a/archmap +++ b/archmap @@ -1,8 +1,10 @@ fedora-7-primary: i386 x86_64 ppc ppc64 fedora-8-primary: i386 x86_64 ppc ppc64 +fedora-8-primary-original: fedora-9-primary: i386 x86_64 ppc ppc64 +fedora-9-primary-original: fedora-9-secondary: ia64 fedora-10-primary: i386 x86_64 ppc ppc64 @@ -19,7 +21,7 @@ fedora-13-secondary: arm mips fedora-14-primary: i386 x86_64 fedora-14-secondary: arm -fedora-15-primary: i386 x86_64 +fedora-15-primary: i386 x86_64 fedora-15-secondary: arm armhfp ppc ppc64 s390 s390x fedora-16-primary: i386 x86_64 @@ -60,6 +62,7 @@ fedora-27-primary: i386 x86_64 armhfp aarch64 ppc64 ppc64le s390x fedora-28-primary: i386 x86_64 armhfp aarch64 ppc64 ppc64le s390x fedora-29-primary: i386 x86_64 armhfp aarch64 ppc64 ppc64le s390x +fedora-modularity: fedora-30-primary: i386 x86_64 armhfp aarch64 ppc64le s390x @@ -76,7 +79,3 @@ fedora-34-primary: i386 x86_64 armhfp aarch64 ppc64le s390x fedora-35-primary: x86_64 armhfp aarch64 ppc64le s390x fedora-36-primary: x86_64 armhfp aarch64 ppc64le s390x - -fedora-rawhide-primary: x86_64 armhfp aarch64 ppc64le s390x - -fedora-eln-primary: i386 x86_64 aarch64 ppc64le s390x diff --git a/fedora-repos.spec b/fedora-repos.spec index 12f2597..2a89673 100644 --- a/fedora-repos.spec +++ b/fedora-repos.spec @@ -3,7 +3,7 @@ Summary: Fedora package repositories Name: fedora-repos Version: 35 -Release: 0.10%{?eln:.eln%{eln}} +Release: 0.11%{?eln:.eln%{eln}} License: MIT URL: https://fedoraproject.org/ 
@@ -170,9 +170,14 @@ pushd $RPM_BUILD_ROOT/etc/pki/rpm-gpg/ ln -s RPM-GPG-KEY-fedora-%{rawhide_release}-primary RPM-GPG-KEY-fedora-rawhide-primary ln -s RPM-GPG-KEY-fedora-%{rawhide_release}-primary RPM-GPG-KEY-fedora-eln-primary for keyfile in RPM-GPG-KEY*; do - key=${keyfile#RPM-GPG-KEY-} # e.g. 'fedora-20-primary' - arches=$(sed -ne "s/^${key}://p" %{_sourcedir}/archmap) \ - || echo "WARNING: no archmap entry for $key" + # resolve symlinks, so that we don't need to keep duplicate entries in archmap + real_keyfile=$(basename $(readlink -f $keyfile)) + key=${real_keyfile#RPM-GPG-KEY-} # e.g. 'fedora-20-primary' + if ! grep -q "^${key}:" %{_sourcedir}/archmap; then + echo "ERROR: no archmap entry for $key" + exit 1 + fi + arches=$(sed -ne "s/^${key}://p" %{_sourcedir}/archmap) for arch in $arches; do # replace last part with $arch (fedora-20-primary -> fedora-20-$arch) ln -s $keyfile ${keyfile%%-*}-$arch # NOTE: RPM replaces %% with %
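Review bot: Resolving symlinks before the archmap lookup changes which per-arch links the ELN key gets, and the commit message does not mention it. The `fedora-eln-primary` entry this patch removes from archmap listed `i386 x86_64 aarch64 ppc64le s390x`, while `RPM-GPG-KEY-fedora-eln-primary` now inherits the arch list of the `%{rawhide_release}` key; the `fedora-35-primary` entry has `armhfp` and no `i386`, so if Rawhide is 35 (as `Version: 35` suggests) `RPM-GPG-KEY-fedora-eln-i386` is no longer created. If any ELN repo file still resolves a `gpgkey=` path ending in `-$basearch` on i386, that key lookup would fail, so please confirm the change is intended. Separately, quoting the new expansion as `real_keyfile=$(basename "$(readlink -f "$keyfile")")` would keep the loop safe for unusual file names. The `for` loop closes outside this hunk.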