Conversation
There is a new produce signing key (v4) that recently added [0]. This commit adds it to our repositories. [0] https://access.redhat.com/security/team/key
| #!/usr/bin/env python3 | ||
|
|
||
| # Reads GPG key from STDIN and updates all "gpgkey" fields in "distributions/*.json" files | ||
| # for RHEL distributions, repositories named "baseos" and "appstream". |
There was a problem hiding this comment.
Originally, I had this to read from STDIN but since our keys rarely change, I have decided to hardcode them in the script. I will update the comment if this is deemed useful.
|
Fwiw, I used a simialr script (less sophisticated) in osbuild/images#2096 - I wonder if the script could be shared (longer term) and/or the repo data from images could also be shared? If we want control here it could maybe be just a reference, i.e. somthing like |
You ask me to share your script? Not sure I understand, or is it available already somewhere in osbuild/images? Anyways, I really hate how we embed GPG keys for every single repo, these keys are mostly the same for all distros. I plan to create a PR to create an alternative (backward compatible) way of adding keys and clean that up a little: {
"name": "baseos",
"baseurl": "https://vault.almalinux.org/9.2/BaseOS/x86_64/os/",
"gpgkey": "xxxxxxxxx",
"gpgkeys": [ // these are merged with the "gpgkey"
"redhat-release-v2",
"redhat-release-v3",
"redhat-release-v4",
],
"check_gpg": true,
"rhsm": false
},My idea is to create a new field (array) of references to known keys predefined in the codebase (as constants or in another JSON/YAML) and during JSON load these would be newline-concatenated with "gpgkey". |
Sorry for being not clear - I just mean it would be nice to not have this script duplicated in images in slightly different way, i.e. have one shared way of doing it (or even better avoid the duplication of repo information between images/image-builder-crc. |
|
[...]
Or just |
Right, where can I find it in osbuild/images tho? I had an impression you used some oneshot script, is it committed in the repo? Anyway, I am going to do a followup and deduplicate those GPG keys in both repos, I do not like this. |
There are also some in the content sources service which should be updated in this case I think :/ |
|
This was added in: 46e5046 I will do a followup for the key sharing. |
3 participants
There is a new produce signing key (v4) that recently added [0].
This commit adds it to our repositories.
[0] https://access.redhat.com/security/team/key
The same thing that we do in images: osbuild/images#2096
I take slightly different approach, I vibe-coded a short script that updates all files. I was worried I would messed up something during edits, the new v4 key is very long. One problem/advantage is that as a side effect, JSON files were reformatted. Generally, important bugfixes should be as small as possible but as an argument I will say automated change is safer when doing many small changes by hand.
This takes the distributions/ folder up to 22 MiB. Going forward, we should probably share those keys separately and have a reference instead.