Skip to content

pr.yaml: use signed-by for focal-security instead of [trusted=yes]#70

Merged
Chris-Wolfgang merged 1 commit into
mainfrom
chore/libssl1-signed-by
May 5, 2026
Merged

pr.yaml: use signed-by for focal-security instead of [trusted=yes]#70
Chris-Wolfgang merged 1 commit into
mainfrom
chore/libssl1-signed-by

Conversation

@Chris-Wolfgang

@Chris-Wolfgang Chris-Wolfgang commented May 5, 2026

Copy link
Copy Markdown
Owner

Summary

Replaces [trusted=yes] (added in #69) with [signed-by=/usr/share/keyrings/ubuntu-archive-keyring.gpg] so apt still verifies the libssl1.1 package signature.

Why

Copilot flagged [trusted=yes] on repo-template#336:

Using deb [trusted=yes] ... disables APT signature verification for the focal-security repo, which reintroduces a supply-chain risk (MITM/malicious mirror) during apt-get update/install. Prefer keeping verification by installing/importing the Ubuntu archive signing key into a dedicated keyring and referencing it via signed-by=....

Valid concern. signed-by= pins the focal-security source to the Ubuntu archive keyring that already ships in the base runner image (/usr/share/keyrings/ubuntu-archive-keyring.gpg) — keeping verification on while still working around the default-trusted-set issue that caused the original failure.

Validation

This PR is the validation step. If CI goes green, the same change rolls forward to repo-template#336 and the 18 downstream PRs that already merged-in or are queuing the [trusted=yes] version.

@Chris-Wolfgang @claude
pr.yaml: switch focal-security source from [trusted=yes] to signed-by
856f10a 
Addresses Copilot's review comment on repo-template#336: [trusted=yes]
disables GPG verification entirely, which is a supply-chain risk.

signed-by=/usr/share/keyrings/ubuntu-archive-keyring.gpg pins the
focal-security source to the Ubuntu archive keyring that ships in
the base runner image, so apt still verifies the libssl1.1 package
signature.

Validates the new approach before promoting to repo-template and the
18 downstream PRs.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Copilot AI review requested due to automatic review settings May 5, 2026 02:18
@Chris-Wolfgang Chris-Wolfgang merged commit 805ffb9 into main May 5, 2026
8 of 9 checks passed
@Chris-Wolfgang Chris-Wolfgang deleted the chore/libssl1-signed-by branch May 5, 2026 02:19
Copilot AI reviewed May 5, 2026
View reviewed changes

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Updates the CI workflow to keep APT signature verification enabled while still allowing installation of libssl1.1 (needed for .NET 5.0) from Ubuntu focal-security on newer GitHub-hosted runners.

Changes:

  • Replaces deb [trusted=yes] ... focal-security with deb [signed-by=/usr/share/keyrings/ubuntu-archive-keyring.gpg] ... focal-security to avoid disabling signature verification.
  • Updates the inline workflow comments to reflect the new verification approach and rationale.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@Chris-Wolfgang