many: add GPG key resolving and source #2206

Open: lzap wants to merge 7 commits into osbuild:main from lzap:gpgresolv1

lzap (Contributor) commented Feb 17, 2026

This uses the recently refactored remotefile package and adds a bit of code that can be used to resolve and add any URLs to the sources. Then, it uses this for custom repo GPG keys which are URLs to resolve them.

This by itself does not do anything but adds a new curl source and stops actually trying to import URLs in the RPM stage, which fixes the bug report. I added the NVIDIA GPG key to validate the functionality, here is the diff:

diff -uNr /tmp/tmpdck0irw4/ref/fedora_42-x86_64-generic_ami-f42_x86_cuda_drivers.json /tmp/tmpdck0irw4/new/fedora_42-x86_64-generic_ami-f42_x86_cuda_drivers.json
--- /tmp/tmpdck0irw4/ref/fedora_42-x86_64-generic_ami-f42_x86_cuda_drivers.json 2026-02-17 16:17:10.863873257 +0100
+++ /tmp/tmpdck0irw4/new/fedora_42-x86_64-generic_ami-f42_x86_cuda_drivers.json 2026-02-17 16:17:16.722920871 +0100
@@ -571,6 +571,7 @@
         "sha256:16ea7e9de7369174eaa9fef63e90b9e8d57f495eb5006277505d5d0c0bf89c47": {
           "url": "https://rpmrepo.osbuild.org/v2/mirror/public/f42/f42-x86_64-updates-released-20260125/packages/grub2-pc-0:4-0.pkgset~os^trans~0.x86_64.rpm"
         },
+        "sha256:27e46a2d43e125859fb8a62c3b75bf798aeb95fa6f7d9bf790c1167ed9a0b39c": "https://developer.download.nvidia.com/compute/cuda/repos/fedora42/x86_64/D42D0685.pub",
         "sha256:3e5a5ce99777696ff5b30f79a2ce9edb40b021468675e8cece7a5a8184db77b5": {
           "url": "https://rpmrepo.osbuild.org/v2/mirror/public/f42/f42-x86_64-fedora-20250512/packages/exclude:geolite2-country-0:6-2.pkgset~os^trans~0.x86_64.rpm"
         },
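
Review bot: the added `+` item in this hunk maps its checksum to a bare URL string, while the neighbouring items in the same map are objects with a `url` field; either emit the object form here too or state in the description that the source accepts both shapes, so code that walks these items needs no special case. The hunk also shows only the new source item and no stage input that references the checksum, so a manifest line showing where the key is consumed would make this change reviewable on its own. Because the checksum is resolved from the URL when the manifest is generated, it pins the bytes served at that moment rather than a fingerprint the user supplied, which is worth one sentence in the documentation.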

I will continue integrating this with osbuild/osbuild#2326, which adds the ability to pull GPG keys from sources. This could be merged as well as a standalone patch if we want but I think I will add the functionality on top.

Fixes: https://issues.redhat.com/browse/HMS-10216

lzap added 7 commits February 17, 2026 13:05

Simplify GPGKeysForPackages by using slices.Compact to remove duplicates.

Ignore key strings which are not valid ASCII armored GPG keys. When a custom repository contains a URL with a key, this gets passed to the RPM stage to import which ultimately fails.

Refactor the Add method to accept multiple URLs instead of a single URL. This allows a bit cleaner code.

Use the remotefile package to resolve URL shasums in the CurlSource.

Separate test helpers with import cycles by moving the helpers to the internal/testarch and internal/testdistro packages. This now allows using the helpers in other packages, specifically in the osbuild package.

Add GPG key URLs to the sources. Invalid URLs are ignored, therefore all the keys can be passed in.
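
The key handling described in the commit messages above, as an added Go example that is not code from this PR or from osbuild/images: inline armored keys are kept for the RPM stage, URL entries become checksum-keyed source items, and anything else is ignored. `SplitKeys`, `sourceID`, the `fetch` callback, the https-only rule and the check on the downloaded body are assumptions of this example; the key text and URL are constructed.

```go
package main

import (
	"crypto/sha256"
	"fmt"
	"net/url"
	"strings"
)

// Constructed placeholder body, not a real key.
const sampleKey = "-----BEGIN PGP PUBLIC KEY BLOCK-----\n\nbUVOQ09OU1RSVUNURUQ=\n-----END PGP PUBLIC KEY BLOCK-----\n"

// isArmoredKey reports whether s is framed as an ASCII-armored public key.
func isArmoredKey(s string) bool {
	t := strings.TrimSpace(s)
	return strings.HasPrefix(t, "-----BEGIN PGP PUBLIC KEY BLOCK-----") &&
		strings.HasSuffix(t, "-----END PGP PUBLIC KEY BLOCK-----")
}

// sourceID is the content-addressed key used for a source item.
func sourceID(body []byte) string { return fmt.Sprintf("sha256:%x", sha256.Sum256(body)) }

// SplitKeys separates gpgkey entries: inline armored keys are returned for the
// RPM stage; https URLs are fetched via fetch (hypothetical stand-in for the
// download) and pinned as sourceID -> URL. Other strings are ignored.
func SplitKeys(entries []string, fetch func(string) ([]byte, error)) ([]string, map[string]string, error) {
	var inline []string
	sources := map[string]string{}
	for _, e := range entries {
		if isArmoredKey(e) {
			inline = append(inline, e)
			continue
		}
		u, err := url.Parse(strings.TrimSpace(e))
		if err != nil || u.Scheme != "https" || u.Host == "" {
			continue // assumption: only absolute https URLs are resolved
		}
		body, err := fetch(u.String())
		if err != nil {
			return nil, nil, fmt.Errorf("resolving %s: %w", u, err)
		}
		if !isArmoredKey(string(body)) { // check added by this example
			return nil, nil, fmt.Errorf("%s did not return an armored key", u)
		}
		sources[sourceID(body)] = u.String()
	}
	return inline, sources, nil
}

func main() {
	fetch := func(string) ([]byte, error) { return []byte(sampleKey), nil }
	fmt.Println(SplitKeys([]string{sampleKey, "https://keys.example.test/repo.pub", "junk"}, fetch))
}
```
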
lzap requested a review from a team as a code owner February 17, 2026 15:38
lzap requested review from bcl, supakeen and thozza February 17, 2026 15:38

thozza (Member) commented Feb 18, 2026

Adding an unused source to a manifest is IMHO a bug, so maybe let's hold off with this PR until the source is actually used in the manifest by a stage?

supakeen (Member) left a comment

Needs rebase.

github-actions commented

This PR is stale because it had no activity for the past 30 days. Remove the "Stale" label or add a comment, otherwise this PR will be closed in 7 days.

github-actions Bot added the Stale label Mar 28, 2026

github-actions Bot commented Apr 4, 2026

This PR was closed because it has been stalled for 30+7 days with no activity.

github-actions Bot closed this Apr 4, 2026
lzap reopened this May 13, 2026

schutzbot (Contributor) commented

This PR changes the images API or behaviour causing integration failures with osbuild-composer. The next update of the images dependency in osbuild-composer will need work to adapt to these changes.

This is simply a notice. It will not block this PR from being merged.

github-actions Bot removed the Stale label May 14, 2026