From 86787a7347c2b4f2c3b92582489d851a1afbd3fb Mon Sep 17 00:00:00 2001
From: Louis Abel
Date: Wed, 29 May 2024 17:44:16 -0700
Subject: [PATCH] move gpg key to separate config item
---
 iso/empanadas/empanadas/configs/el10.yaml | 6 ++--
 iso/empanadas/empanadas/configs/el10lh.yaml | 6 ++--
 iso/empanadas/empanadas/configs/el8-beta.yaml | 6 ++--
 iso/empanadas/empanadas/configs/el8.yaml | 6 ++--
 iso/empanadas/empanadas/configs/el8lh.yaml | 6 ++--
 iso/empanadas/empanadas/configs/el9-beta.yaml | 6 ++--
 iso/empanadas/empanadas/configs/el9.yaml | 6 ++--
 iso/empanadas/empanadas/configs/el9alt.yaml | 6 ++--
 iso/empanadas/empanadas/configs/el9lh.yaml | 6 ++--
 .../empanadas/templates/repoconfig.tmpl | 6 ++--
 .../empanadas/templates/reposync-src.tmpl | 4 ++-
 .../empanadas/templates/reposync.tmpl | 4 ++-
 iso/empanadas/empanadas/util/dnf_utils.py | 28 +++++++++++--------
 iso/empanadas/empanadas/util/shared.py | 2 +-
 14 files changed, 54 insertions(+), 44 deletions(-)
diff --git a/iso/empanadas/empanadas/configs/el10.yaml b/iso/empanadas/empanadas/configs/el10.yaml
index cda983d..b2c3b64 100644
--- a/iso/empanadas/empanadas/configs/el10.yaml
+++ b/iso/empanadas/empanadas/configs/el10.yaml
@@ -11,6 +11,9 @@
 bugurl: 'https://bugs.rockylinux.org'
 checksum: 'sha256'
 fedora_major: '20'
+ gpg_key:
+ - 'https://git.rockylinux.org/staging/src/rocky-release/-/raw/r10/SOURCES/RPM-GPG-KEY-Rocky-10'
+ - 'https://git.rockylinux.org/staging/src/rocky-release/-/raw/r10/SOURCES/RPM-GPG-KEY-Rocky-10-Testing'
 allowed_arches:
 - x86_64
 - aarch64
@@ -207,9 +210,6 @@
 git_repo: 'https://git.rockylinux.org/staging/src/rocky-release.git'
 git_raw_path: 'https://git.rockylinux.org/staging/src/rocky-release/-/raw/r10/'
 branch: 'r10'
- gpg:
- stable: 'SOURCES/RPM-GPG-KEY-Rocky-10'
- testing: 'SOURCES/RPM-GPG-KEY-Rocky-10-Testing'
 list:
 - 'SOURCES/Contributors'
 - 'SOURCES/COMMUNITY-CHARTER'
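Review bot: The new `gpg_key` list in el10.yaml puts the release key and the `-Testing` key side by side with no selector, while the removed `gpg:` mapping kept them apart as `stable` and `testing` and the removed `gpgkey: str = 'stable'` argument picked one. As far as the visible hunks show, every generated sync script now runs `rpm --import` on both URLs and every repo stanza lists both under `gpgkey=`, so a package signed only with the testing key would pass `gpgcheck` in a stable build. If that is intended, say so above the list, e.g. `# every key listed here is imported and trusted for all syncs of this release`; if not, keep only the release key in `gpg_key` and add the testing key per run. The same applies to the matching hunk in each of the other el*.yaml configs.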
diff --git a/iso/empanadas/empanadas/configs/el10lh.yaml b/iso/empanadas/empanadas/configs/el10lh.yaml
index 85bb8db..7326071 100644
--- a/iso/empanadas/empanadas/configs/el10lh.yaml
+++ b/iso/empanadas/empanadas/configs/el10lh.yaml
@@ -11,6 +11,9 @@
 bugurl: 'https://bugs.rockylinux.org'
 checksum: 'sha256'
 fedora_major: '20'
+ gpg_key:
+ - 'https://git.rockylinux.org/staging/src/rocky-release/-/raw/r10s/SOURCES/RPM-GPG-KEY-Rocky-10'
+ - 'https://git.rockylinux.org/staging/src/rocky-release/-/raw/r10s/SOURCES/RPM-GPG-KEY-Rocky-10-Testing'
 allowed_arches:
 - x86_64
 - aarch64
@@ -207,9 +210,6 @@
 git_repo: 'https://git.rockylinux.org/staging/src/rocky-release.git'
 git_raw_path: 'https://git.rockylinux.org/staging/src/rocky-release/-/raw/r10s/'
 branch: 'r10s'
- gpg:
- stable: 'SOURCES/RPM-GPG-KEY-Rocky-10'
- testing: 'SOURCES/RPM-GPG-KEY-Rocky-10-Testing'
 list:
 - 'SOURCES/Contributors'
 - 'SOURCES/COMMUNITY-CHARTER'
diff --git a/iso/empanadas/empanadas/configs/el8-beta.yaml b/iso/empanadas/empanadas/configs/el8-beta.yaml
index 2f2ea4c..d76b15f 100644
--- a/iso/empanadas/empanadas/configs/el8-beta.yaml
+++ b/iso/empanadas/empanadas/configs/el8-beta.yaml
@@ -11,6 +11,9 @@
 bugurl: 'https://bugs.rockylinux.org'
 checksum: 'sha256'
 fedora_major: '20'
+ gpg_key:
+ - 'https://git.rockylinux.org/staging/src/rocky-release/-/raw/r8/SOURCES/RPM-GPG-KEY-rockyofficial'
+ - 'https://git.rockylinux.org/staging/src/rocky-release/-/raw/r8/SOURCES/RPM-GPG-KEY-rockytesting'
 allowed_arches:
 - x86_64
 - aarch64
@@ -137,9 +140,6 @@
 git_repo: 'https://git.rockylinux.org/staging/src/rocky-release.git'
 git_raw_path: 'https://git.rockylinux.org/staging/src/rocky-release/-/raw/r8/'
 branch: 'r8'
- gpg:
- stable: 'SOURCES/RPM-GPG-KEY-rockyofficial'
- testing: 'SOURCES/RPM-GPG-KEY-rockytesting'
 list:
 - 'SOURCES/COMMUNITY-CHARTER'
 - 'SOURCES/EULA'
diff --git a/iso/empanadas/empanadas/configs/el8.yaml b/iso/empanadas/empanadas/configs/el8.yaml
index 594ce72..a3035a3 100644
--- a/iso/empanadas/empanadas/configs/el8.yaml
+++ b/iso/empanadas/empanadas/configs/el8.yaml
@@ -11,6 +11,9 @@
 bugurl: 'https://bugs.rockylinux.org'
 checksum: 'sha256'
 fedora_major: '20'
+ gpg_key:
+ - 'https://git.rockylinux.org/staging/src/rocky-release/-/raw/r8/SOURCES/RPM-GPG-KEY-rockyofficial'
+ - 'https://git.rockylinux.org/staging/src/rocky-release/-/raw/r8/SOURCES/RPM-GPG-KEY-rockytesting'
 allowed_arches:
 - x86_64
 - aarch64
@@ -175,9 +178,6 @@
 git_repo: 'https://git.rockylinux.org/staging/src/rocky-release.git'
 git_raw_path: 'https://git.rockylinux.org/staging/src/rocky-release/-/raw/r8/'
 branch: 'r8'
- gpg:
- stable: 'SOURCES/RPM-GPG-KEY-rockyofficial'
- testing: 'SOURCES/RPM-GPG-KEY-rockytesting'
 list:
 - 'SOURCES/COMMUNITY-CHARTER'
 - 'SOURCES/EULA'
diff --git a/iso/empanadas/empanadas/configs/el8lh.yaml b/iso/empanadas/empanadas/configs/el8lh.yaml
index c811a64..2754a8d 100644
--- a/iso/empanadas/empanadas/configs/el8lh.yaml
+++ b/iso/empanadas/empanadas/configs/el8lh.yaml
@@ -11,6 +11,9 @@
 bugurl: 'https://bugs.rockylinux.org'
 checksum: 'sha256'
 fedora_major: '20'
+ gpg_key:
+ - 'https://git.rockylinux.org/staging/src/rocky-release/-/raw/r8/SOURCES/RPM-GPG-KEY-rockyofficial'
+ - 'https://git.rockylinux.org/staging/src/rocky-release/-/raw/r8/SOURCES/RPM-GPG-KEY-rockytesting'
 allowed_arches:
 - x86_64
 - aarch64
@@ -137,9 +140,6 @@
 git_repo: 'https://git.rockylinux.org/staging/src/rocky-release.git'
 git_raw_path: 'https://git.rockylinux.org/staging/src/rocky-release/-/raw/r8/'
 branch: 'r8'
- gpg:
- stable: 'SOURCES/RPM-GPG-KEY-rockyofficial'
- testing: 'SOURCES/RPM-GPG-KEY-rockytesting'
 list:
 - 'SOURCES/COMMUNITY-CHARTER'
 - 'SOURCES/EULA'
diff --git a/iso/empanadas/empanadas/configs/el9-beta.yaml b/iso/empanadas/empanadas/configs/el9-beta.yaml
index 1fd25b7..2f365bd 100644
--- a/iso/empanadas/empanadas/configs/el9-beta.yaml
+++ b/iso/empanadas/empanadas/configs/el9-beta.yaml
@@ -11,6 +11,9 @@
 bugurl: 'https://bugs.rockylinux.org'
 checksum: 'sha256'
 fedora_major: '20'
+ gpg_key:
+ - 'https://git.rockylinux.org/staging/src/rocky-release/-/raw/r9-beta/SOURCES/RPM-GPG-KEY-Rocky-9'
+ - 'https://git.rockylinux.org/staging/src/rocky-release/-/raw/r9-beta/SOURCES/RPM-GPG-KEY-Rocky-9-Testing'
 allowed_arches:
 - x86_64
 - aarch64
@@ -214,9 +217,6 @@
 git_repo: 'https://git.rockylinux.org/staging/src/rocky-release.git'
 git_raw_path: 'https://git.rockylinux.org/staging/src/rocky-release/-/raw/r9/'
 branch: 'r9-beta'
- gpg:
- stable: 'SOURCES/RPM-GPG-KEY-Rocky-9'
- testing: 'SOURCES/RPM-GPG-KEY-Rocky-9-Testing'
 list:
 - 'SOURCES/Contributors'
 - 'SOURCES/COMMUNITY-CHARTER'
diff --git a/iso/empanadas/empanadas/configs/el9.yaml b/iso/empanadas/empanadas/configs/el9.yaml
index fdbccde..70ee427 100644
--- a/iso/empanadas/empanadas/configs/el9.yaml
+++ b/iso/empanadas/empanadas/configs/el9.yaml
@@ -11,6 +11,9 @@
 bugurl: 'https://bugs.rockylinux.org'
 checksum: 'sha256'
 fedora_major: '20'
+ gpg_key:
+ - 'https://git.rockylinux.org/staging/src/rocky-release/-/raw/r9/SOURCES/RPM-GPG-KEY-Rocky-9'
+ - 'https://git.rockylinux.org/staging/src/rocky-release/-/raw/r9/SOURCES/RPM-GPG-KEY-Rocky-9-Testing'
 allowed_arches:
 - x86_64
 - aarch64
@@ -214,9 +217,6 @@
 git_repo: 'https://git.rockylinux.org/staging/src/rocky-release.git'
 git_raw_path: 'https://git.rockylinux.org/staging/src/rocky-release/-/raw/r9/'
 branch: 'r9'
- gpg:
- stable: 'SOURCES/RPM-GPG-KEY-Rocky-9'
- testing: 'SOURCES/RPM-GPG-KEY-Rocky-9-Testing'
 list:
 - 'SOURCES/Contributors'
 - 'SOURCES/COMMUNITY-CHARTER'
diff --git a/iso/empanadas/empanadas/configs/el9alt.yaml b/iso/empanadas/empanadas/configs/el9alt.yaml
index d5d6d09..23a0027 100644
--- a/iso/empanadas/empanadas/configs/el9alt.yaml
+++ b/iso/empanadas/empanadas/configs/el9alt.yaml
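Review bot: In el9-beta.yaml the new key URLs use `raw/r9-beta/`, but the `git_raw_path` shown in this file's second hunk is `.../raw/r9/`, and the removed code built the key URL as `git_raw_path` plus the `gpg` entry. So this config now fetches its signing keys from a different ref than before, not just from a different YAML field; el9lh.yaml shifts the same way (`raw/r9s/` against a `git_raw_path` of `raw/r9/`). Because these files are what `rpm --import` trusts, the move should either be stated in the commit message or undone by keeping the old ref, e.g. `- 'https://git.rockylinux.org/staging/src/rocky-release/-/raw/r9/SOURCES/RPM-GPG-KEY-Rocky-9'`.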
@@ -12,6 +12,9 @@
 bugurl: 'https://bugs.rockylinux.org'
 checksum: 'sha256'
 fedora_major: '20'
+ gpg_key:
+ - 'https://git.rockylinux.org/staging/src/rocky-release/-/raw/r9/SOURCES/RPM-GPG-KEY-Rocky-9'
+ - 'https://git.rockylinux.org/staging/src/rocky-release/-/raw/r9/SOURCES/RPM-GPG-KEY-Rocky-9-Testing'
 allowed_arches:
 - armv7hl
 - riscv64
@@ -47,9 +50,6 @@
 git_repo: 'https://git.rockylinux.org/staging/src/rocky-release.git'
 git_raw_path: 'https://git.rockylinux.org/staging/src/rocky-release/-/raw/r9/'
 branch: 'r9'
- gpg:
- stable: 'SOURCES/RPM-GPG-KEY-Rocky-9'
- testing: 'SOURCES/RPM-GPG-KEY-Rocky-9-Testing'
 list:
 - 'SOURCES/Contributors'
 - 'SOURCES/COMMUNITY-CHARTER'
diff --git a/iso/empanadas/empanadas/configs/el9lh.yaml b/iso/empanadas/empanadas/configs/el9lh.yaml
index ff53553..f62f467 100644
--- a/iso/empanadas/empanadas/configs/el9lh.yaml
+++ b/iso/empanadas/empanadas/configs/el9lh.yaml
@@ -11,6 +11,9 @@
 bugurl: 'https://bugs.rockylinux.org'
 checksum: 'sha256'
 fedora_major: '20'
+ gpg_key:
+ - 'https://git.rockylinux.org/staging/src/rocky-release/-/raw/r9s/SOURCES/RPM-GPG-KEY-Rocky-9'
+ - 'https://git.rockylinux.org/staging/src/rocky-release/-/raw/r9s/SOURCES/RPM-GPG-KEY-Rocky-9-Testing'
 allowed_arches:
 - x86_64
 - aarch64
@@ -214,9 +217,6 @@
 git_repo: 'https://git.rockylinux.org/staging/src/rocky-release.git'
 git_raw_path: 'https://git.rockylinux.org/staging/src/rocky-release/-/raw/r9/'
 branch: 'r9s'
- gpg:
- stable: 'SOURCES/RPM-GPG-KEY-Rocky-9'
- testing: 'SOURCES/RPM-GPG-KEY-Rocky-9-Testing'
 list:
 - 'SOURCES/Contributors'
 - 'SOURCES/COMMUNITY-CHARTER'
diff --git a/iso/empanadas/empanadas/templates/repoconfig.tmpl b/iso/empanadas/empanadas/templates/repoconfig.tmpl
index 248ee48..12dbd7a 100644
--- a/iso/empanadas/empanadas/templates/repoconfig.tmpl
+++ b/iso/empanadas/empanadas/templates/repoconfig.tmpl
@@ -5,7 +5,7 @@ baseurl={{ repo.baseurl }}
 enabled=1
 gpgcheck={{ gpg_check }}
 repo_gpgcheck={{ repo_gpg_check }}
-gpgkey={{ repo.gpgkey }}
+gpgkey={{ repo.gpgkey|join(' ') }}
 [{{ repo.name }}-debug]
 name={{repo.name}}
@@ -13,7 +13,7 @@ baseurl={{ repo.baseurl }}-debug
 enabled=1
 gpgcheck={{ gpg_check }}
 repo_gpgcheck={{ repo_gpg_check }}
-gpgkey={{ repo.gpgkey }}
+gpgkey={{ repo.gpgkey|join(' ') }}
 [{{ repo.name }}-source]
 name={{repo.name}}
@@ -21,6 +21,6 @@ baseurl={{ repo.srcbaseurl }}
 enabled=1
 gpgcheck={{ gpg_check }}
 repo_gpgcheck={{ repo_gpg_check }}
-gpgkey={{ repo.gpgkey }}
+gpgkey={{ repo.gpgkey|join(' ') }}
 {% endfor %}
diff --git a/iso/empanadas/empanadas/templates/reposync-src.tmpl b/iso/empanadas/empanadas/templates/reposync-src.tmpl
index 59779f0..3ab5870 100644
--- a/iso/empanadas/empanadas/templates/reposync-src.tmpl
+++ b/iso/empanadas/empanadas/templates/reposync-src.tmpl
@@ -1,6 +1,8 @@
 #!/bin/bash
 set -o pipefail
-{{ import_gpg_cmd }} | tee -a {{ sync_log }}
+{% for key in gpg_key_list %}
+{{ import_gpg_cmd }} {{ key }} | tee -a {{ sync_log }}
+{% endfor %}
 {{ dnf_plugin_cmd }} | tee -a {{ sync_log }}
 sed -i 's/enabled=1/enabled=0/g' /etc/yum.repos.d/*.repo
 {{ metadata_cmd }} | tee -a {{ sync_log }}
diff --git a/iso/empanadas/empanadas/templates/reposync.tmpl b/iso/empanadas/empanadas/templates/reposync.tmpl
index 5f3af8f..b5bc49d 100644
--- a/iso/empanadas/empanadas/templates/reposync.tmpl
+++ b/iso/empanadas/empanadas/templates/reposync.tmpl
@@ -1,6 +1,8 @@
 #!/bin/bash
 set -o pipefail
-{{ import_gpg_cmd }} | tee -a {{ sync_log }}
+{% for key in gpg_key_list %}
+{{ import_gpg_cmd }} {{ key }} | tee -a {{ sync_log }}
+{% endfor %}
 {{ arch_force_cp }} | tee -a {{ sync_log }}
 {{ dnf_plugin_cmd }} | tee -a {{ sync_log }}
 sed -i 's/enabled=1/enabled=0/g' /etc/yum.repos.d/*.repo
diff --git a/iso/empanadas/empanadas/util/dnf_utils.py b/iso/empanadas/empanadas/util/dnf_utils.py
index 64e4550..51ee4e5 100644
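Review bot: `{{ key }}` is written into the generated bash script unquoted in reposync-src.tmpl (and in the identical reposync.tmpl hunk), and it is now a free-form string taken straight from the `gpg_key` YAML list rather than a path joined in Python. A value containing whitespace or shell metacharacters would be split or interpreted by bash instead of reaching `rpm --import` as one argument. Quote it in the template, `{{ import_gpg_cmd }} '{{ key }}' | tee -a {{ sync_log }}`, or pass each entry through `shlex.quote` in dnf_utils.py before rendering. The script continues past the end of the hunk.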
--- a/iso/empanadas/empanadas/util/dnf_utils.py
+++ b/iso/empanadas/empanadas/util/dnf_utils.py
@@ -53,7 +53,6 @@ class RepoSync:
 dryrun: bool = False,
 fullrun: bool = False,
 nofail: bool = False,
- gpgkey: str = 'stable',
 gpg_check: bool = True,
 repo_gpg_check: bool = True,
 rlmode: str = 'stable',
@@ -106,7 +105,9 @@ class RepoSync:
 self.multilib = rlvars['provide_multilib']
 self.repo = repo
 self.extra_files = rlvars['extra_files']
- self.gpgkey = gpgkey
+ self.gpgkey = rlvars['gpg_key']
+ if rlvars['repo_gpg_key']:
+ self.gpgkey = rlvars['gpg_key'] + rlvars['repo_gpg_key']
 self.checksum = rlvars['checksum']
 self.gpg_check = gpg_check
 self.repo_gpg_check = repo_gpg_check
@@ -348,7 +349,6 @@ class RepoSync:
 reposync_delete = '--delete' if self.reposync_clean_old else ''
 self.log.info('Generating container entries')
 entries_dir = os.path.join(work_root, "entries")
- gpg_key_url = self.extra_files['git_raw_path'] + self.extra_files['gpg'][self.gpgkey]
 if not os.path.exists(entries_dir):
 os.makedirs(entries_dir, exist_ok=True)
@@ -412,7 +412,8 @@ class RepoSync:
 'debug/tree'
 )
- import_gpg_cmd = f"/usr/bin/rpm --import {gpg_key_url}"
+ gpg_key_list = self.gpgkey
+ import_gpg_cmd = f"/usr/bin/rpm --import"
 arch_force_cp = f"/usr/bin/sed 's|$basearch|{a}|g' "\
 f"{self.dnf_config} > {self.dnf_config}.{a}"
@@ -437,6 +438,7 @@ class RepoSync:
 sync_template = self.tmplenv.get_template('reposync.tmpl')
 sync_output = sync_template.render(
+ gpg_key_list=gpg_key_list,
 import_gpg_cmd=import_gpg_cmd,
 arch_force_cp=arch_force_cp,
 dnf_plugin_cmd=dnf_plugin_cmd,
@@ -448,6 +450,7 @@ class RepoSync:
 debug_sync_template = self.tmplenv.get_template('reposync.tmpl')
 debug_sync_output = debug_sync_template.render(
+ gpg_key_list=gpg_key_list,
 import_gpg_cmd=import_gpg_cmd,
 arch_force_cp=arch_force_cp,
 dnf_plugin_cmd=dnf_plugin_cmd,
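Review bot: `rlvars['repo_gpg_key']` in the RepoSync `__init__` hunk (-106) is read with a plain subscript, but none of the config hunks in this patch adds a `repo_gpg_key` entry, so unless it is defined outside this diff the constructor raises `KeyError`. A lookup with a fallback avoids that and also drops the duplicated assignment: `self.gpgkey = rlvars['gpg_key'] + (rlvars.get('repo_gpg_key') or [])`. A short comment that `self.gpgkey` is now a list of key URLs rather than the old `'stable'`/`'testing'` selector would help readers of the later hunks. The SigRepoSync `__init__` hunk (-1636) repeats the same three lines; `__init__` starts and ends outside both hunks.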
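Review bot: In the -412 hunk `import_gpg_cmd = f"/usr/bin/rpm --import"` keeps an `f` prefix on a string with no placeholders, and `gpg_key_list = self.gpgkey` only renames an attribute. Use a plain literal, `import_gpg_cmd = "/usr/bin/rpm --import"`, and consider passing `gpg_key_list=self.gpgkey` directly to the `render()` calls. The -1921 hunk in SigRepoSync has the same two lines; the enclosing method extends beyond both hunks.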
@@ -498,6 +501,7 @@ class RepoSync:
 ks_sync_template = self.tmplenv.get_template('reposync.tmpl')
 ks_sync_output = ks_sync_template.render(
+ gpg_key_list=gpg_key_list,
 import_gpg_cmd=import_gpg_cmd,
 arch_force_cp=arch_force_cp,
 dnf_plugin_cmd=dnf_plugin_cmd,
@@ -538,6 +542,7 @@ class RepoSync:
 source_sync_template = self.tmplenv.get_template('reposync-src.tmpl')
 source_sync_output = source_sync_template.render(
+ gpg_key_list=gpg_key_list,
 import_gpg_cmd=import_gpg_cmd,
 dnf_plugin_cmd=dnf_plugin_cmd,
 sync_cmd=source_sync_cmd,
@@ -1593,7 +1598,6 @@ class SigRepoSync:
 dryrun: bool = False,
 fullrun: bool = False,
 nofail: bool = False,
- gpgkey: str = 'stable',
 gpg_check: bool = True,
 repo_gpg_check: bool = True,
 extra_dnf_args=None,
@@ -1636,7 +1640,9 @@ class SigRepoSync:
 self.sigvars = sigvars
 self.sigrepos = sigvars['repo'].keys()
 self.extra_files = sigvars['extra_files']
- self.gpgkey = gpgkey
+ self.gpgkey = rlvars['gpg_key']
+ if rlvars['repo_gpg_key']:
+ self.gpgkey = rlvars['gpg_key'] + rlvars['repo_gpg_key']
 #self.arches = sigvars['allowed_arches']
 self.project_id = sigvars['project_id']
 if 'additional_dirs' in sigvars:
@@ -1861,7 +1867,6 @@ class SigRepoSync:
 reposync_delete = '--delete' if self.reposync_clean_old else ''
 self.log.info('Generating container entries')
 entries_dir = os.path.join(work_root, "entries")
- gpg_key_url = self.extra_files['git_raw_path'] + self.extra_files['gpg'][self.gpgkey]
 if not os.path.exists(entries_dir):
 os.makedirs(entries_dir, exist_ok=True)
@@ -1921,7 +1926,8 @@ class SigRepoSync:
 r + '-debug'
 )
- import_gpg_cmd = f"/usr/bin/rpm --import {gpg_key_url}"
+ gpg_key_list = self.gpgkey
+ import_gpg_cmd = f"/usr/bin/rpm --import"
 arch_force_cp = f"/usr/bin/sed 's|$basearch|{a}|g' {self.dnf_config} > {self.dnf_config}.{a}"
 sync_log = f"{log_root}/{repo_name}-{a}.log"
 debug_sync_log = f"{log_root}/{repo_name}-{a}-debug.log"
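Review bot: The SigRepoSync `__init__` hunk (-1636) takes the keys from `rlvars`, while every neighbouring line in the hunk reads from `sigvars`. From the hunk alone I can't tell whether `rlvars` is in scope here, and if it is, a SIG config has no way to name its own signing key, so SIG repositories would be checked against the release keys only. If SIG-specific keys are expected, read them from the SIG config, for example `self.gpgkey = rlvars['gpg_key'] + (sigvars.get('gpg_key') or [])`, and document which config owns the list. `__init__` begins and ends outside the hunk.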
@@ -1945,6 +1951,7 @@ class SigRepoSync:
 sync_template = self.tmplenv.get_template('reposync.tmpl')
 sync_output = sync_template.render(
+ gpg_key_list=gpg_key_list,
 import_gpg_cmd=import_gpg_cmd,
 arch_force_cp=arch_force_cp,
 dnf_plugin_cmd=dnf_plugin_cmd,
@@ -1952,12 +1959,12 @@ class SigRepoSync:
 metadata_cmd=metadata_cmd,
 sync_log=sync_log,
 download_path=os_sync_path,
- gpg_key_url=gpg_key_url,
 deploy_extra_files=True
 )
 debug_sync_template = self.tmplenv.get_template('reposync.tmpl')
 debug_sync_output = debug_sync_template.render(
+ gpg_key_list=gpg_key_list,
 import_gpg_cmd=import_gpg_cmd,
 arch_force_cp=arch_force_cp,
 dnf_plugin_cmd=dnf_plugin_cmd,
@@ -1965,7 +1972,6 @@ class SigRepoSync:
 metadata_cmd=debug_metadata_cmd,
 sync_log=debug_sync_log,
 download_path=debug_sync_path,
- gpg_key_url=gpg_key_url,
 deploy_extra_files=True
 )
@@ -2019,13 +2025,13 @@ class SigRepoSync:
 source_sync_template = self.tmplenv.get_template('reposync-src.tmpl')
 source_sync_output = source_sync_template.render(
+ gpg_key_list=gpg_key_list,
 import_gpg_cmd=import_gpg_cmd,
 dnf_plugin_cmd=dnf_plugin_cmd,
 sync_cmd=source_sync_cmd,
 metadata_cmd=source_metadata_cmd,
 sync_log=source_sync_log,
 download_path=debug_sync_path,
- gpg_key_url=gpg_key_url,
 deploy_extra_files=True
 )
diff --git a/iso/empanadas/empanadas/util/shared.py b/iso/empanadas/empanadas/util/shared.py
index a4bcfbe..f0520ea 100644
--- a/iso/empanadas/empanadas/util/shared.py
+++ b/iso/empanadas/empanadas/util/shared.py
@@ -496,7 +496,7 @@ class Shared:
 'name': repo,
 'baseurl': constructed_url,
 'srcbaseurl': constructed_url_src,
- 'gpgkey': extra_files['git_raw_path'] + extra_files['gpg'][gpgkey]
+ 'gpgkey': gpgkey
 }
 repolist.append(repodata)
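Review bot: `'gpgkey': gpgkey` in shared.py now forwards the caller's value untouched, and repoconfig.tmpl renders it with `join(' ')`, so it has to be a list of URLs. A caller that still passes the old selector string would get it joined character by character (`'stable'` becomes `gpgkey=s t a b l e`), because Jinja's `join` iterates a string. The function signature and its callers are outside the hunk, so I can't see whether they were updated; a guard before `repodata` is built, `if isinstance(gpgkey, str): raise TypeError('gpgkey must be a list of key URLs')`, would make a stale call fail loudly instead of writing a repo file with no usable key.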