qubes-repo-contrib: Fails to install contrib package immediately after installing qubes-repo-contrib

[deeplow]

Qubes OS release

Qubes 4.2

Brief summary

Following the docs to install a qubes-contrib package fails when the repo is installed just before installing a contrib package (see in OpenQA).

Steps to reproduce

In dom0

sudo qubes-dom0-update -y qubes-repo-contrib
# wait 10 seconds to simulate user typing
sudo qubes-dom0-update -y --clean securedrop-workstation-keyring

Expected behavior

Last command succeeds.

Actual behavior

Command fails:

Additional information

The 5 minute delay introduced here seems to be the cause of the issue. Dom0 only imports the signature 5 minutes after the install. Therefore, when sys-firewall sends the newly fetched contrib package, dom0 doesn't yet have the signature imported and will promptly fail without a clear message.

It could either have a shorter delay, or it could guard against longer RPM transactions with a loop:

%posttrans -n qubes-repo-contrib
-systemd-run --on-active=5min rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-qubes-4-contrib-fedora
+systemd-run --on-active=5sec sh -c "while ! rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-qubes-4-contrib-fedora; do sleep 5; done"

[marmarek]

It could either have a shorter delay, or it could guard against longer RPM transactions with a loop:

Shorter delay may not work, as there may be more post-trans scripts that would still be running. Especially, kernel update rebuilds initramfs in post-trans and it takes few minutes. But a loop should be okay, just make it fail eventually if enough times it didn't manage to import (idk, 15min?).