#6600 Mock and signed rawhides
Closed 3 years ago Opened 5 years ago by msuchy.

We have signed rawhides now. Great. So I (as mock maintainer) am going to enable gpgcheck in rawhide configs. But there will be a problem around branching.

When we branch F26, you will create a new gpg key for F27 and rawhide will be signed by F27 keys. So until people update mock (which may take 2 weeks) on EPEL, they will have an invalid GPG key for rawhide and therefore mock rawhide builds will fail for them.

There is one option, as you can put more than one GPG key in the yum/dnf config. E.g.:
gpgkey=file:///usr/share/distribution-gpg-keys/fedora/RPM-GPG-KEY-fedora-25-primary,file:///fooo/bar

But which one, as the F27 keys do not exist yet? And DNF will complain about a nonexistent file (just tested that).

So the question is: what to put in mock config so
1) DNF in mock checks gpgkey on rawhide
2) it does not cause problems for users during the branching period
3) ideally it does not change the rawhide mock config every release (so an update does not create .rpmnew files).
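
The failure mode described above (a `gpgkey=` list that names a key file not yet installed) can be checked before a build. This is an added example, not part of the ticket or of mock; the function name `audit_gpgkeys`, the repo names and the sample config are constructed, `$releasever`-style variables are not expanded, and an unset `gpgcheck` is assumed to mean disabled.

```python
import configparser
import os
import re
import tempfile
from urllib.parse import unquote, urlparse

TRUE_VALUES = {"1", "yes", "true", "on"}


def audit_gpgkeys(conf_text):
    """Map each repo section to its gpgcheck state and its local key files."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    # A repo without its own gpgcheck inherits the [main] value (assumed off if unset).
    main_default = cp.get("main", "gpgcheck", fallback="0")
    report = {}
    for repo in cp.sections():
        if repo == "main":
            continue
        value = cp.get(repo, "gpgcheck", fallback=main_default)
        entry = {"gpgcheck": value.strip().lower() in TRUE_VALUES,
                 "present": [], "missing": []}
        # gpgkey is a list separated by commas and/or whitespace.
        for url in re.split(r"[,\s]+", cp.get(repo, "gpgkey", fallback="").strip()):
            parsed = urlparse(url)
            if parsed.scheme != "file":
                continue  # remote keys are not checked here
            path = unquote(parsed.path)
            entry["present" if os.path.isfile(path) else "missing"].append(path)
        report[repo] = entry
    return report


def demo():
    """Run the audit on a constructed config: one real key file, one absent."""
    with tempfile.TemporaryDirectory() as tmp:
        key = os.path.join(tmp, "RPM-GPG-KEY-constructed")
        open(key, "w").close()
        conf = (
            "[main]\ngpgcheck=0\n\n"
            "[rawhide]\ngpgcheck=1\n"
            f"gpgkey=file://{key},file:///fooo/bar\n\n"
            "[unsigned]\nbaseurl=https://example.invalid/repo\n"
        )
        return audit_gpgkeys(conf), key


if __name__ == "__main__":
    for repo, entry in demo()[0].items():
        print(repo, entry)
```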


So, we now do have a f27 key. I have been signing the rawhide content with it over the weekend.

Hopefully at branching time this week everything will be signed by both f26 and f27 keys and when we branch both will all be signed.

I don't know that there is a great answer on the mock side tho. You will need to do a package update of mock with the new f26 config anyhow. We could provide a link to the current key from a "RPM-GPG-KEY-fedora-rawhide" so the rawhide config doesn't change? (i.e., we just change the links)

thoughts?

The issue with the link to rawhide is that it is always changing and will cause other issues and race conditions. The change is just plain clunky.

Metadata Update from @ausil:
- Issue untagged with: meeting

4 years ago

@msuchy, do you still want this change? Not sure how to implement it.

In the meantime, the fedora-rawhide-repos got the update and have gpgcheck enabled. So I copied the code and in commit 3470111296ff001f51c2406ff35376af64783e8a in mock.git I enabled it.

So I do not need anything from rel-eng.

Metadata Update from @msuchy:
- Issue status updated to: Closed (was: Open)

3 years ago
