move gpg key to separate config item

Louis Abel 2024-05-29 17:44:16 -07:00
parent de40f18582
commit 86787a7347
Signed by untrusted user: label
GPG Key ID: 2A6975660E424560
14 changed files with 54 additions and 44 deletions


@ -11,6 +11,9 @@
bugurl: 'https://bugs.rockylinux.org'
checksum: 'sha256'
fedora_major: '20'
gpg_key:
- 'https://git.rockylinux.org/staging/src/rocky-release/-/raw/r10/SOURCES/RPM-GPG-KEY-Rocky-10'
- 'https://git.rockylinux.org/staging/src/rocky-release/-/raw/r10/SOURCES/RPM-GPG-KEY-Rocky-10-Testing'
allowed_arches:
- x86_64
- aarch64
@ -207,9 +210,6 @@
git_repo: 'https://git.rockylinux.org/staging/src/rocky-release.git'
git_raw_path: 'https://git.rockylinux.org/staging/src/rocky-release/-/raw/r10/'
branch: 'r10'
gpg:
stable: 'SOURCES/RPM-GPG-KEY-Rocky-10'
testing: 'SOURCES/RPM-GPG-KEY-Rocky-10-Testing'
list:
- 'SOURCES/Contributors'
- 'SOURCES/COMMUNITY-CHARTER'
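Review bot: The new `gpg_key` list carries both the release key and the `-Testing` key, and the rest of this commit imports every entry and joins all of them into `gpgkey=`, so a sync from this profile now also accepts packages signed with the testing key. The removed `gpg:` map kept `stable` and `testing` apart and the old code picked one per run. If that separation still matters, list the testing key only in profiles that are meant to consume testing-signed content, and document the item with a comment such as `# every key listed here is imported and trusted for all repos in this profile`. The other eight config sections in this commit add the same pair of keys.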


@ -11,6 +11,9 @@
bugurl: 'https://bugs.rockylinux.org'
checksum: 'sha256'
fedora_major: '20'
gpg_key:
- 'https://git.rockylinux.org/staging/src/rocky-release/-/raw/r10s/SOURCES/RPM-GPG-KEY-Rocky-10'
- 'https://git.rockylinux.org/staging/src/rocky-release/-/raw/r10s/SOURCES/RPM-GPG-KEY-Rocky-10-Testing'
allowed_arches:
- x86_64
- aarch64
@ -207,9 +210,6 @@
git_repo: 'https://git.rockylinux.org/staging/src/rocky-release.git'
git_raw_path: 'https://git.rockylinux.org/staging/src/rocky-release/-/raw/r10s/'
branch: 'r10s'
gpg:
stable: 'SOURCES/RPM-GPG-KEY-Rocky-10'
testing: 'SOURCES/RPM-GPG-KEY-Rocky-10-Testing'
list:
- 'SOURCES/Contributors'
- 'SOURCES/COMMUNITY-CHARTER'


@ -11,6 +11,9 @@
bugurl: 'https://bugs.rockylinux.org'
checksum: 'sha256'
fedora_major: '20'
gpg_key:
- 'https://git.rockylinux.org/staging/src/rocky-release/-/raw/r8/SOURCES/RPM-GPG-KEY-rockyofficial'
- 'https://git.rockylinux.org/staging/src/rocky-release/-/raw/r8/SOURCES/RPM-GPG-KEY-rockytesting'
allowed_arches:
- x86_64
- aarch64
@ -137,9 +140,6 @@
git_repo: 'https://git.rockylinux.org/staging/src/rocky-release.git'
git_raw_path: 'https://git.rockylinux.org/staging/src/rocky-release/-/raw/r8/'
branch: 'r8'
gpg:
stable: 'SOURCES/RPM-GPG-KEY-rockyofficial'
testing: 'SOURCES/RPM-GPG-KEY-rockytesting'
list:
- 'SOURCES/COMMUNITY-CHARTER'
- 'SOURCES/EULA'


@ -11,6 +11,9 @@
bugurl: 'https://bugs.rockylinux.org'
checksum: 'sha256'
fedora_major: '20'
gpg_key:
- 'https://git.rockylinux.org/staging/src/rocky-release/-/raw/r8/SOURCES/RPM-GPG-KEY-rockyofficial'
- 'https://git.rockylinux.org/staging/src/rocky-release/-/raw/r8/SOURCES/RPM-GPG-KEY-rockytesting'
allowed_arches:
- x86_64
- aarch64
@ -175,9 +178,6 @@
git_repo: 'https://git.rockylinux.org/staging/src/rocky-release.git'
git_raw_path: 'https://git.rockylinux.org/staging/src/rocky-release/-/raw/r8/'
branch: 'r8'
gpg:
stable: 'SOURCES/RPM-GPG-KEY-rockyofficial'
testing: 'SOURCES/RPM-GPG-KEY-rockytesting'
list:
- 'SOURCES/COMMUNITY-CHARTER'
- 'SOURCES/EULA'


@ -11,6 +11,9 @@
bugurl: 'https://bugs.rockylinux.org'
checksum: 'sha256'
fedora_major: '20'
gpg_key:
- 'https://git.rockylinux.org/staging/src/rocky-release/-/raw/r8/SOURCES/RPM-GPG-KEY-rockyofficial'
- 'https://git.rockylinux.org/staging/src/rocky-release/-/raw/r8/SOURCES/RPM-GPG-KEY-rockytesting'
allowed_arches:
- x86_64
- aarch64
@ -137,9 +140,6 @@
git_repo: 'https://git.rockylinux.org/staging/src/rocky-release.git'
git_raw_path: 'https://git.rockylinux.org/staging/src/rocky-release/-/raw/r8/'
branch: 'r8'
gpg:
stable: 'SOURCES/RPM-GPG-KEY-rockyofficial'
testing: 'SOURCES/RPM-GPG-KEY-rockytesting'
list:
- 'SOURCES/COMMUNITY-CHARTER'
- 'SOURCES/EULA'


@ -11,6 +11,9 @@
bugurl: 'https://bugs.rockylinux.org'
checksum: 'sha256'
fedora_major: '20'
gpg_key:
- 'https://git.rockylinux.org/staging/src/rocky-release/-/raw/r9-beta/SOURCES/RPM-GPG-KEY-Rocky-9'
- 'https://git.rockylinux.org/staging/src/rocky-release/-/raw/r9-beta/SOURCES/RPM-GPG-KEY-Rocky-9-Testing'
allowed_arches:
- x86_64
- aarch64
@ -214,9 +217,6 @@
git_repo: 'https://git.rockylinux.org/staging/src/rocky-release.git'
git_raw_path: 'https://git.rockylinux.org/staging/src/rocky-release/-/raw/r9/'
branch: 'r9-beta'
gpg:
stable: 'SOURCES/RPM-GPG-KEY-Rocky-9'
testing: 'SOURCES/RPM-GPG-KEY-Rocky-9-Testing'
list:
- 'SOURCES/Contributors'
- 'SOURCES/COMMUNITY-CHARTER'
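Review bot: The `gpg_key` URLs in this file point at the `r9-beta` branch while `git_raw_path` in the second hunk still ends in `/-/raw/r9/`. The removed Python code built the key URL from `git_raw_path`, so this profile now fetches its signing keys from a different branch than it did before the commit. If that is intended, say so next to the list, e.g. `# key URLs follow 'branch', not git_raw_path`; otherwise use the `/-/raw/r9/` URLs here. The `r9s` config section later in this commit has the same mismatch.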


@ -11,6 +11,9 @@
bugurl: 'https://bugs.rockylinux.org'
checksum: 'sha256'
fedora_major: '20'
gpg_key:
- 'https://git.rockylinux.org/staging/src/rocky-release/-/raw/r9/SOURCES/RPM-GPG-KEY-Rocky-9'
- 'https://git.rockylinux.org/staging/src/rocky-release/-/raw/r9/SOURCES/RPM-GPG-KEY-Rocky-9-Testing'
allowed_arches:
- x86_64
- aarch64
@ -214,9 +217,6 @@
git_repo: 'https://git.rockylinux.org/staging/src/rocky-release.git'
git_raw_path: 'https://git.rockylinux.org/staging/src/rocky-release/-/raw/r9/'
branch: 'r9'
gpg:
stable: 'SOURCES/RPM-GPG-KEY-Rocky-9'
testing: 'SOURCES/RPM-GPG-KEY-Rocky-9-Testing'
list:
- 'SOURCES/Contributors'
- 'SOURCES/COMMUNITY-CHARTER'


@ -12,6 +12,9 @@
bugurl: 'https://bugs.rockylinux.org'
checksum: 'sha256'
fedora_major: '20'
gpg_key:
- 'https://git.rockylinux.org/staging/src/rocky-release/-/raw/r9/SOURCES/RPM-GPG-KEY-Rocky-9'
- 'https://git.rockylinux.org/staging/src/rocky-release/-/raw/r9/SOURCES/RPM-GPG-KEY-Rocky-9-Testing'
allowed_arches:
- armv7hl
- riscv64
@ -47,9 +50,6 @@
git_repo: 'https://git.rockylinux.org/staging/src/rocky-release.git'
git_raw_path: 'https://git.rockylinux.org/staging/src/rocky-release/-/raw/r9/'
branch: 'r9'
gpg:
stable: 'SOURCES/RPM-GPG-KEY-Rocky-9'
testing: 'SOURCES/RPM-GPG-KEY-Rocky-9-Testing'
list:
- 'SOURCES/Contributors'
- 'SOURCES/COMMUNITY-CHARTER'


@ -11,6 +11,9 @@
bugurl: 'https://bugs.rockylinux.org'
checksum: 'sha256'
fedora_major: '20'
gpg_key:
- 'https://git.rockylinux.org/staging/src/rocky-release/-/raw/r9s/SOURCES/RPM-GPG-KEY-Rocky-9'
- 'https://git.rockylinux.org/staging/src/rocky-release/-/raw/r9s/SOURCES/RPM-GPG-KEY-Rocky-9-Testing'
allowed_arches:
- x86_64
- aarch64
@ -214,9 +217,6 @@
git_repo: 'https://git.rockylinux.org/staging/src/rocky-release.git'
git_raw_path: 'https://git.rockylinux.org/staging/src/rocky-release/-/raw/r9/'
branch: 'r9s'
gpg:
stable: 'SOURCES/RPM-GPG-KEY-Rocky-9'
testing: 'SOURCES/RPM-GPG-KEY-Rocky-9-Testing'
list:
- 'SOURCES/Contributors'
- 'SOURCES/COMMUNITY-CHARTER'


@ -5,7 +5,7 @@ baseurl={{ repo.baseurl }}
enabled=1
gpgcheck={{ gpg_check }}
repo_gpgcheck={{ repo_gpg_check }}
gpgkey={{ repo.gpgkey }}
gpgkey={{ repo.gpgkey|join(' ') }}
[{{ repo.name }}-debug]
name={{repo.name}}
@ -13,7 +13,7 @@ baseurl={{ repo.baseurl }}-debug
enabled=1
gpgcheck={{ gpg_check }}
repo_gpgcheck={{ repo_gpg_check }}
gpgkey={{ repo.gpgkey }}
gpgkey={{ repo.gpgkey|join(' ') }}
[{{ repo.name }}-source]
name={{repo.name}}
@ -21,6 +21,6 @@ baseurl={{ repo.srcbaseurl }}
enabled=1
gpgcheck={{ gpg_check }}
repo_gpgcheck={{ repo_gpg_check }}
gpgkey={{ repo.gpgkey }}
gpgkey={{ repo.gpgkey|join(' ') }}
{% endfor %}
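Review bot: `repo.gpgkey|join(' ')` assumes a list, but Jinja's `join` iterates a plain string character by character, so a caller that still passes a single URL string would render as space-separated letters and leave the repo without a usable key. The dict built in the `Shared` class now passes `gpgkey` through unchanged, so nothing visible on that path enforces the type. Normalising where the dict is built, e.g. `'gpgkey': [gpgkey] if isinstance(gpgkey, str) else gpgkey`, keeps all three `gpgkey=` lines in this template safe. The enclosing `for` loop starts outside the hunk.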


@ -1,6 +1,8 @@
#!/bin/bash
set -o pipefail
{{ import_gpg_cmd }} | tee -a {{ sync_log }}
{% for key in gpg_key_list %}
{{ import_gpg_cmd }} {{ key }} | tee -a {{ sync_log }}
{% endfor %}
{{ dnf_plugin_cmd }} | tee -a {{ sync_log }}
sed -i 's/enabled=1/enabled=0/g' /etc/yum.repos.d/*.repo
{{ metadata_cmd }} | tee -a {{ sync_log }}
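Review bot: Each `{{ key }}` is pasted unquoted into the generated bash line, and with `set -o pipefail` but no `set -e` visible, a failed `rpm --import` only sets that pipeline's status before the script continues to the sync steps. Quoting the value and stopping on failure, `{{ import_gpg_cmd }} '{{ key }}' | tee -a {{ sync_log }} || exit 1`, makes a missing or unreachable key an explicit error instead of a log line. The hunk shows only the top of the script, so later error handling may exist outside it. The second sync template in this commit has the same loop.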


@ -1,6 +1,8 @@
#!/bin/bash
set -o pipefail
{{ import_gpg_cmd }} | tee -a {{ sync_log }}
{% for key in gpg_key_list %}
{{ import_gpg_cmd }} {{ key }} | tee -a {{ sync_log }}
{% endfor %}
{{ arch_force_cp }} | tee -a {{ sync_log }}
{{ dnf_plugin_cmd }} | tee -a {{ sync_log }}
sed -i 's/enabled=1/enabled=0/g' /etc/yum.repos.d/*.repo


@ -53,7 +53,6 @@ class RepoSync:
dryrun: bool = False,
fullrun: bool = False,
nofail: bool = False,
gpgkey: str = 'stable',
gpg_check: bool = True,
repo_gpg_check: bool = True,
rlmode: str = 'stable',
@ -106,7 +105,9 @@ class RepoSync:
self.multilib = rlvars['provide_multilib']
self.repo = repo
self.extra_files = rlvars['extra_files']
self.gpgkey = gpgkey
self.gpgkey = rlvars['gpg_key']
if rlvars['repo_gpg_key']:
self.gpgkey = rlvars['gpg_key'] + rlvars['repo_gpg_key']
self.checksum = rlvars['checksum']
self.gpg_check = gpg_check
self.repo_gpg_check = repo_gpg_check
@ -348,7 +349,6 @@ class RepoSync:
reposync_delete = '--delete' if self.reposync_clean_old else ''
self.log.info('Generating container entries')
entries_dir = os.path.join(work_root, "entries")
gpg_key_url = self.extra_files['git_raw_path'] + self.extra_files['gpg'][self.gpgkey]
if not os.path.exists(entries_dir):
os.makedirs(entries_dir, exist_ok=True)
@ -412,7 +412,8 @@ class RepoSync:
'debug/tree'
)
import_gpg_cmd = f"/usr/bin/rpm --import {gpg_key_url}"
gpg_key_list = self.gpgkey
import_gpg_cmd = f"/usr/bin/rpm --import"
arch_force_cp = f"/usr/bin/sed 's|$basearch|{a}|g' "\
f"{self.dnf_config} > {self.dnf_config}.{a}"
@ -437,6 +438,7 @@ class RepoSync:
sync_template = self.tmplenv.get_template('reposync.tmpl')
sync_output = sync_template.render(
gpg_key_list=gpg_key_list,
import_gpg_cmd=import_gpg_cmd,
arch_force_cp=arch_force_cp,
dnf_plugin_cmd=dnf_plugin_cmd,
@ -448,6 +450,7 @@ class RepoSync:
debug_sync_template = self.tmplenv.get_template('reposync.tmpl')
debug_sync_output = debug_sync_template.render(
gpg_key_list=gpg_key_list,
import_gpg_cmd=import_gpg_cmd,
arch_force_cp=arch_force_cp,
dnf_plugin_cmd=dnf_plugin_cmd,
@ -498,6 +501,7 @@ class RepoSync:
ks_sync_template = self.tmplenv.get_template('reposync.tmpl')
ks_sync_output = ks_sync_template.render(
gpg_key_list=gpg_key_list,
import_gpg_cmd=import_gpg_cmd,
arch_force_cp=arch_force_cp,
dnf_plugin_cmd=dnf_plugin_cmd,
@ -538,6 +542,7 @@ class RepoSync:
source_sync_template = self.tmplenv.get_template('reposync-src.tmpl')
source_sync_output = source_sync_template.render(
gpg_key_list=gpg_key_list,
import_gpg_cmd=import_gpg_cmd,
dnf_plugin_cmd=dnf_plugin_cmd,
sync_cmd=source_sync_cmd,
@ -1593,7 +1598,6 @@ class SigRepoSync:
dryrun: bool = False,
fullrun: bool = False,
nofail: bool = False,
gpgkey: str = 'stable',
gpg_check: bool = True,
repo_gpg_check: bool = True,
extra_dnf_args=None,
@ -1636,7 +1640,9 @@ class SigRepoSync:
self.sigvars = sigvars
self.sigrepos = sigvars['repo'].keys()
self.extra_files = sigvars['extra_files']
self.gpgkey = gpgkey
self.gpgkey = rlvars['gpg_key']
if rlvars['repo_gpg_key']:
self.gpgkey = rlvars['gpg_key'] + rlvars['repo_gpg_key']
#self.arches = sigvars['allowed_arches']
self.project_id = sigvars['project_id']
if 'additional_dirs' in sigvars:
@ -1861,7 +1867,6 @@ class SigRepoSync:
reposync_delete = '--delete' if self.reposync_clean_old else ''
self.log.info('Generating container entries')
entries_dir = os.path.join(work_root, "entries")
gpg_key_url = self.extra_files['git_raw_path'] + self.extra_files['gpg'][self.gpgkey]
if not os.path.exists(entries_dir):
os.makedirs(entries_dir, exist_ok=True)
@ -1921,7 +1926,8 @@ class SigRepoSync:
r + '-debug'
)
import_gpg_cmd = f"/usr/bin/rpm --import {gpg_key_url}"
gpg_key_list = self.gpgkey
import_gpg_cmd = f"/usr/bin/rpm --import"
arch_force_cp = f"/usr/bin/sed 's|$basearch|{a}|g' {self.dnf_config} > {self.dnf_config}.{a}"
sync_log = f"{log_root}/{repo_name}-{a}.log"
debug_sync_log = f"{log_root}/{repo_name}-{a}-debug.log"
@ -1945,6 +1951,7 @@ class SigRepoSync:
sync_template = self.tmplenv.get_template('reposync.tmpl')
sync_output = sync_template.render(
gpg_key_list=gpg_key_list,
import_gpg_cmd=import_gpg_cmd,
arch_force_cp=arch_force_cp,
dnf_plugin_cmd=dnf_plugin_cmd,
@ -1952,12 +1959,12 @@ class SigRepoSync:
metadata_cmd=metadata_cmd,
sync_log=sync_log,
download_path=os_sync_path,
gpg_key_url=gpg_key_url,
deploy_extra_files=True
)
debug_sync_template = self.tmplenv.get_template('reposync.tmpl')
debug_sync_output = debug_sync_template.render(
gpg_key_list=gpg_key_list,
import_gpg_cmd=import_gpg_cmd,
arch_force_cp=arch_force_cp,
dnf_plugin_cmd=dnf_plugin_cmd,
@ -1965,7 +1972,6 @@ class SigRepoSync:
metadata_cmd=debug_metadata_cmd,
sync_log=debug_sync_log,
download_path=debug_sync_path,
gpg_key_url=gpg_key_url,
deploy_extra_files=True
)
@ -2019,13 +2025,13 @@ class SigRepoSync:
source_sync_template = self.tmplenv.get_template('reposync-src.tmpl')
source_sync_output = source_sync_template.render(
gpg_key_list=gpg_key_list,
import_gpg_cmd=import_gpg_cmd,
dnf_plugin_cmd=dnf_plugin_cmd,
sync_cmd=source_sync_cmd,
metadata_cmd=source_metadata_cmd,
sync_log=source_sync_log,
download_path=debug_sync_path,
gpg_key_url=gpg_key_url,
deploy_extra_files=True
)
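Review bot: `rlvars['repo_gpg_key']` is indexed directly in both constructors, yet none of the config hunks in this commit define that item, so unless it is set elsewhere the lookup raises `KeyError`; `if rlvars.get('repo_gpg_key'):` would make it optional. In `SigRepoSync.__init__` the keys are read from `rlvars` although the neighbouring lines use `sigvars`, so confirm `rlvars` is in scope there, as the constructor starts outside the hunk. Dropping the `gpgkey` keyword from both signatures also breaks any caller that still passes it, which is worth noting in the commit message. `f"/usr/bin/rpm --import"` no longer has a placeholder and can be a plain string.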


@ -496,7 +496,7 @@ class Shared:
'name': repo,
'baseurl': constructed_url,
'srcbaseurl': constructed_url_src,
'gpgkey': extra_files['git_raw_path'] + extra_files['gpg'][gpgkey]
'gpgkey': gpgkey
}
repolist.append(repodata)