dual gpgkey per repo support in rpm emt distro (#511)

* dual gpgkey per repo support in rpm emt distro

Author: samueltaripin

config/osv/edge-microvisor-toolkit/emt3/providerconfigs/x86_64_repo.yml

@@ -7,6 +7,8 @@ component: "emt3.0-base"  # Repository component/section identifier
 gpgCheck: true  # Enabled with Intel GPG key
 repoGPGCheck: true  # Enabled with Intel GPG key
 enabled: true
-gpgKey: "https://raw.githubusercontent.com/open-edge-platform/edge-microvisor-toolkit/refs/heads/3.0/SPECS/edge-repos/INTEL-RPM-GPG-KEY"
+gpgKeys:
+  - "https://raw.githubusercontent.com/open-edge-platform/edge-microvisor-toolkit/refs/heads/3.0/SPECS/edge-repos/INTEL-RPM-GPG-KEY"
+  - "https://raw.githubusercontent.com/cheeyanglee/edge-microvisor-toolkit/e2e05b402c056bbf4ba1a429490b3c37f4d659d7/SPECS/edge-repos/INTEL-RPM-GPG-KEY-26"
 # Repository configuration URL (for reference): https://raw.githubusercontent.com/open-edge-platform/edge-microvisor-toolkit/refs/heads/3.0/SPECS/edge-repos/edge-base.repo
 buildPath: "./builds/emt3"  # Will be replaced with temp_dir/builds/emt3 at runtime

image-templates/azl3-x86_64-dlstreamer.yml

@@ -38,7 +38,9 @@ packageRepositories:
 
   - codename: "edge-base"
     url: "https://files-rs.edgeorchestration.intel.com/files-edge-orch/microvisor/rpms/3.0/base"
-    pkey: "https://raw.githubusercontent.com/open-edge-platform/edge-microvisor-toolkit/refs/heads/3.0/SPECS/edge-repos/INTEL-RPM-GPG-KEY" # Uncomment and replace in real config
+    pkeys:
+      - "https://raw.githubusercontent.com/open-edge-platform/edge-microvisor-toolkit/refs/heads/3.0/SPECS/edge-repos/INTEL-RPM-GPG-KEY"
+      - "https://raw.githubusercontent.com/cheeyanglee/edge-microvisor-toolkit/e2e05b402c056bbf4ba1a429490b3c37f4d659d7/SPECS/edge-repos/INTEL-RPM-GPG-KEY-26"
 
   - codename: "OpenVINO"
     url: "https://yum.repos.intel.com/openvino/"
@@ -95,6 +97,7 @@ systemConfig:
     - ffmpeg
     - gstreamer
     - opencv
+    - util-linux-devel-2.40.2-3.emt3
     - intel-dlstreamer-2025.2.0
     - openvino-2025.3.0
     - linux-firmware-i915

image-templates/emt3-x86_64-ptl-emf-raw.yml

@@ -29,7 +29,9 @@ packageRepositories:
   - codename: "emtNext"
     priority: 1001
     url: "https://files-rs.edgeorchestration.intel.com/files-edge-orch/microvisor/rpms/next/base"
-    pkey: "https://raw.githubusercontent.com/open-edge-platform/edge-microvisor-toolkit/refs/heads/3.0/SPECS/edge-repos/INTEL-RPM-GPG-KEY"
+    pkeys:
+      - "https://raw.githubusercontent.com/open-edge-platform/edge-microvisor-toolkit/refs/heads/3.0/SPECS/edge-repos/INTEL-RPM-GPG-KEY"
+      - "https://raw.githubusercontent.com/cheeyanglee/edge-microvisor-toolkit/e2e05b402c056bbf4ba1a429490b3c37f4d659d7/SPECS/edge-repos/INTEL-RPM-GPG-KEY-26"
     # list of allowed packages from this repository
     allowPackages:
       - kernel-6.17.11

image-templates/emt3-x86_64-ptl-emf-rt-raw.yml

@@ -30,7 +30,9 @@ target:
 packageRepositories:
   - codename: "emtNext"
     url: "https://files-rs.edgeorchestration.intel.com/files-edge-orch/microvisor/rpms/next/base"
-    pkey: "https://raw.githubusercontent.com/open-edge-platform/edge-microvisor-toolkit/refs/heads/3.0/SPECS/edge-repos/INTEL-RPM-GPG-KEY"
+    pkeys:
+      - "https://raw.githubusercontent.com/open-edge-platform/edge-microvisor-toolkit/refs/heads/3.0/SPECS/edge-repos/INTEL-RPM-GPG-KEY"
+      - "https://raw.githubusercontent.com/cheeyanglee/edge-microvisor-toolkit/e2e05b402c056bbf4ba1a429490b3c37f4d659d7/SPECS/edge-repos/INTEL-RPM-GPG-KEY-26"
     # list of allowed packages from this repository
     allowPackages:
       - kernel-rt-6.17.11

image-templates/rcd10-x86_64-dlstreamer.yml

@@ -15,7 +15,9 @@ packageRepositories:
 
   - codename: "edge-base"
     url: "https://files-rs.edgeorchestration.intel.com/files-edge-orch/microvisor/rpms/3.0/base"
-    pkey: "https://raw.githubusercontent.com/open-edge-platform/edge-microvisor-toolkit/refs/heads/3.0/SPECS/edge-repos/INTEL-RPM-GPG-KEY" # Uncomment and replace in real config
+    pkeys:
+      - "https://raw.githubusercontent.com/open-edge-platform/edge-microvisor-toolkit/refs/heads/3.0/SPECS/edge-repos/INTEL-RPM-GPG-KEY"
+      - "https://raw.githubusercontent.com/cheeyanglee/edge-microvisor-toolkit/e2e05b402c056bbf4ba1a429490b3c37f4d659d7/SPECS/edge-repos/INTEL-RPM-GPG-KEY-26"
     allowPackages:
       - kernel-drivers-gpu
       - kernel

internal/config/apt_sources_integration_test.go

@@ -7,6 +7,32 @@ import (
 	"testing"
 )
 
+func createLocalTestGPGKey(t *testing.T, pattern string) string {
+	t.Helper()
+
+	tempFile, err := os.CreateTemp("", pattern)
+	if err != nil {
+		t.Fatalf("Failed to create local test GPG key file: %v", err)
+	}
+
+	if _, err := tempFile.WriteString("dummy-gpg-key-content"); err != nil {
+		tempFile.Close()
+		os.Remove(tempFile.Name())
+		t.Fatalf("Failed to write local test GPG key file: %v", err)
+	}
+
+	if err := tempFile.Close(); err != nil {
+		os.Remove(tempFile.Name())
+		t.Fatalf("Failed to close local test GPG key file: %v", err)
+	}
+
+	t.Cleanup(func() {
+		_ = os.Remove(tempFile.Name())
+	})
+
+	return tempFile.Name()
+}
+
 // resolveAdditionalFilePath converts relative paths (like ../../../../../../tmp/file.gpg)
 // to absolute paths by joining with working directory or config root
 func resolveAdditionalFilePath(relativePath string) (string, error) {
@@ -38,6 +64,8 @@ func resolveAdditionalFilePath(relativePath string) (string, error) {
 
 // TestIntegrationAptSourcesGeneration tests the complete flow
 func TestIntegrationAptSourcesGeneration(t *testing.T) {
+	sedKeyPath := createLocalTestGPGKey(t, "sed-test-key-*.gpg")
+	openvinoKeyPath := createLocalTestGPGKey(t, "openvino-test-key-*.gpg")
 	// Create a realistic test template similar to the example
 	template := &ImageTemplate{
 		Image: ImageInfo{
@@ -54,14 +82,14 @@ func TestIntegrationAptSourcesGeneration(t *testing.T) {
 			{
 				Codename:  "sed",
 				URL:       "https://eci.intel.com/sed-repos/noble",
-				PKey:      "https://eci.intel.com/sed-repos/gpg-keys/GPG-PUB-KEY-INTEL-SED.gpg",
+				PKey:      sedKeyPath,
 				Priority:  1000,
 				Component: "",
 			},
 			{
 				Codename:  "ubuntu24",
 				URL:       "https://apt.repos.intel.com/openvino/2025",
-				PKey:      "https://apt.repos.intel.com/intel-gpg-keys/GPG-PUB-KEY-INTEL-SW-PRODUCTS.PUB",
+				PKey:      openvinoKeyPath,
 				Component: "main contrib",
 			},
 		},
@@ -132,6 +160,8 @@ func TestIntegrationAptSourcesGeneration(t *testing.T) {
 
 // TestIntegrationAptPreferencesGeneration tests the complete flow including preferences
 func TestIntegrationAptPreferencesGeneration(t *testing.T) {
+	sedKeyPath := createLocalTestGPGKey(t, "sed-test-key-*.gpg")
+	openvinoKeyPath := createLocalTestGPGKey(t, "openvino-test-key-*.gpg")
 	// Create a realistic test template with priorities
 	template := &ImageTemplate{
 		Image: ImageInfo{
@@ -149,14 +179,14 @@ func TestIntegrationAptPreferencesGeneration(t *testing.T) {
 				ID:       "sed-repo",
 				Codename: "sed",
 				URL:      "https://eci.intel.com/sed-repos/noble",
-				PKey:     "https://eci.intel.com/sed-repos/gpg-keys/GPG-PUB-KEY-INTEL-SED.gpg",
+				PKey:     sedKeyPath,
 				Priority: 1000,
 			},
 			{
 				ID:        "openvino-repo",
 				Codename:  "ubuntu24",
 				URL:       "https://apt.repos.intel.com/openvino/2025",
-				PKey:      "https://apt.repos.intel.com/intel-gpg-keys/GPG-PUB-KEY-INTEL-SW-PRODUCTS.PUB",
+				PKey:      openvinoKeyPath,
 				Component: "main contrib",
 				Priority:  500,
 			},

internal/config/config.go

@@ -47,26 +47,28 @@ type PackageRepository struct {
 	Codename      string   `yaml:"codename"`                // Repository identifier/codename
 	URL           string   `yaml:"url"`                     // Repository base URL
 	PKey          string   `yaml:"pkey"`                    // Public GPG key URL for verification
+	PKeys         []string `yaml:"pkeys,omitempty"`         // Multiple public GPG key URLs for verification
 	Component     string   `yaml:"component,omitempty"`     // Repository component (e.g., "main", "restricted")
 	Priority      int      `yaml:"priority,omitempty"`      // Repository priority (higher numbers = higher priority)
 	AllowPackages []string `yaml:"allowPackages,omitempty"` // Optional: specific packages to include from this repo (pinning)
 }
 
 // ProviderRepoConfig represents the repository configuration for a provider
 type ProviderRepoConfig struct {
-	Name         string `yaml:"name"`
-	Type         string `yaml:"type"` // Repository type: "rpm" or "deb"
-	BaseURL      string `yaml:"baseURL"`
-	PkgPrefix    string `yaml:"pkgPrefix"`
-	ReleaseFile  string `yaml:"releaseFile"`
-	ReleaseSign  string `yaml:"releaseSign"`
-	PbGPGKey     string `yaml:"pbGPGKey"` // For DEB repositories (eLxr)
-	GPGKey       string `yaml:"gpgKey"`   // For RPM repositories (azl, emt)
-	GPGCheck     bool   `yaml:"gpgCheck"`
-	RepoGPGCheck bool   `yaml:"repoGPGCheck"`
-	Enabled      bool   `yaml:"enabled"`
-	Component    string `yaml:"component"` // Repository component/section identifier
-	BuildPath    string `yaml:"buildPath"`
+	Name         string   `yaml:"name"`
+	Type         string   `yaml:"type"` // Repository type: "rpm" or "deb"
+	BaseURL      string   `yaml:"baseURL"`
+	PkgPrefix    string   `yaml:"pkgPrefix"`
+	ReleaseFile  string   `yaml:"releaseFile"`
+	ReleaseSign  string   `yaml:"releaseSign"`
+	PbGPGKey     string   `yaml:"pbGPGKey"` // For DEB repositories (eLxr)
+	GPGKey       string   `yaml:"gpgKey"`   // For RPM repositories (azl, emt)
+	GPGKeys      []string `yaml:"gpgKeys,omitempty"`
+	GPGCheck     bool     `yaml:"gpgCheck"`
+	RepoGPGCheck bool     `yaml:"repoGPGCheck"`
+	Enabled      bool     `yaml:"enabled"`
+	Component    string   `yaml:"component"` // Repository component/section identifier
+	BuildPath    string   `yaml:"buildPath"`
 }
 
 // ProviderRepoConfigs represents multiple repository configurations for a provider
@@ -864,13 +866,26 @@ func (prc *ProviderRepoConfig) ToRepoConfigData(arch string) (repoType, name, ur
 			url = prc.BaseURL
 		}
 
-		// Handle GPG key URL construction
-		gpgKey = prc.GPGKey
-		if !strings.HasPrefix(gpgKey, "http") && gpgKey != "" {
-			// For relative GPG key paths, use the constructed repository URL
-			gpgKey = fmt.Sprintf("%s/%s", url, gpgKey)
+		gpgKeyValues := make([]string, 0, len(prc.GPGKeys)+1)
+		if len(prc.GPGKeys) > 0 {
+			gpgKeyValues = append(gpgKeyValues, prc.GPGKeys...)
+		}
+		if prc.GPGKey != "" {
+			gpgKeyValues = append(gpgKeyValues, prc.GPGKey)
+		}
+
+		resolvedKeys := make([]string, 0, len(gpgKeyValues))
+		for _, keyURL := range gpgKeyValues {
+			keyURL = strings.TrimSpace(keyURL)
+			if keyURL == "" {
+				continue
+			}
+			if !strings.HasPrefix(keyURL, "http") {
+				keyURL = fmt.Sprintf("%s/%s", url, keyURL)
+			}
+			resolvedKeys = append(resolvedKeys, keyURL)
 		}
-		// If gpgKey starts with http, use it as-is
+		gpgKey = strings.Join(resolvedKeys, ",")
 
 		// DEB-specific fields are empty for RPM
 		pkgPrefix = ""

internal/config/config_test.go

@@ -3665,6 +3665,7 @@ func TestUnifiedRepoConfig(t *testing.T) {
 		arch         string
 		expectedType string
 		expectedURL  string
+		expectedGPG  string
 	}{
 		{
 			name: "RPM Repository (Azure Linux)",
@@ -3679,6 +3680,7 @@ func TestUnifiedRepoConfig(t *testing.T) {
 			arch:         "x86_64",
 			expectedType: "rpm",
 			expectedURL:  "https://packages.microsoft.com/azurelinux/3.0/prod/base/x86_64",
+			expectedGPG:  "https://packages.microsoft.com/azurelinux/3.0/prod/base/x86_64/repodata/repomd.xml.key",
 		},
 		{
 			name: "DEB Repository (eLxr)",
@@ -3710,6 +3712,21 @@ func TestUnifiedRepoConfig(t *testing.T) {
 			expectedType: "rpm",
 			expectedURL:  "https://files-rs.edgeorchestration.intel.com/files-edge-orch/microvisor/rpm/3.0",
 		},
+		{
+			name: "RPM Repository with multiple GPG keys",
+			repoConfig: ProviderRepoConfig{
+				Name:      "Edge Microvisor Toolkit 3.0",
+				Type:      "rpm",
+				BaseURL:   "https://files-rs.edgeorchestration.intel.com/files-edge-orch/microvisor/rpm/3.0",
+				GPGKeys:   []string{"https://example.com/key-old.asc", "https://example.com/key-new.asc"},
+				Component: "emt3.0-base",
+				Enabled:   true,
+			},
+			arch:         "x86_64",
+			expectedType: "rpm",
+			expectedURL:  "https://files-rs.edgeorchestration.intel.com/files-edge-orch/microvisor/rpm/3.0",
+			expectedGPG:  "https://example.com/key-old.asc,https://example.com/key-new.asc",
+		},
 	}
 
 	for _, tt := range tests {
@@ -3749,7 +3766,11 @@ func TestUnifiedRepoConfig(t *testing.T) {
 				}
 
 				// Verify arch substitution in GPG key if applicable
-				if tt.repoConfig.GPGKey != "" && gpgKey != "" {
+				if tt.expectedGPG != "" {
+					if gpgKey != tt.expectedGPG {
+						t.Errorf("Expected GPG key %s, got %s", tt.expectedGPG, gpgKey)
+					}
+				} else if tt.repoConfig.GPGKey != "" && gpgKey != "" {
 					expectedGPGKey := tt.repoConfig.GPGKey
 					if expectedGPGKey == "repodata/repomd.xml.key" {
 						expectedGPGKey = "https://packages.microsoft.com/azurelinux/3.0/prod/base/x86_64/repodata/repomd.xml.key"

internal/config/schema/os-image-template.schema.json

@@ -332,6 +332,24 @@
             }
           ]
         },
+        "pkeys": {
+          "type": "array",
+          "description": "Multiple public GPG key URLs for package verification (alternative to pkey)",
+          "items": {
+            "type": "string",
+            "oneOf": [
+              {
+                "pattern": "^(https?|file)://",
+                "description": "URL to GPG key file (must start with http://, https://, or file://)"
+              },
+              {
+                "pattern": "^/",
+                "description": "Absolute local file path to GPG key file"
+              }
+            ]
+          },
+          "minItems": 1
+        },
         "component": {
           "type": "string",
           "description": "Repository component (e.g., 'main', 'restricted')",
@@ -354,7 +372,11 @@
           }
         }
       },
-      "required": ["codename", "url", "pkey"],
+      "required": ["codename", "url"],
+      "anyOf": [
+        { "required": ["pkey"] },
+        { "required": ["pkeys"] }
+      ],
       "additionalProperties": false
     },