Add PGP key rotation PoC for RPM repositories#12276
Signed-off-by: Babak K. Shandiz <babakks@github.com>
71a532c to 8180ced
Pull request overview
This PR adds a proof-of-concept (PoC) script for demonstrating PGP key rotation in RPM repositories. It also includes a minor fix to the existing Debian development script.
Changes:
- Introduces a new comprehensive bash script `rpm-devel` to simulate the RPM repository PGP key rotation workflow
- Adds `sudo` to `pkill` commands in the `debian-devel` script for consistency with other privileged operations
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| script/rpm-devel | New 582-line bash script that provides a Docker-based development environment for testing RPM repository PGP key rotation, including setup, key generation, signing, and deprecation workflows |
| script/debian-devel | Fixed teardown function to use sudo for pkill commands, ensuring consistency with other privileged operations in the function |
Comments suppressed due to low confidence (6)
script/rpm-devel:340
- Missing quotes around variable in conditional. For consistency and safety, change to `if [ "$CLIENT" == "dnf4" ]`.
  `if [ $CLIENT == "dnf4" ]; then`

script/rpm-devel:433
- Missing quotes around variable in conditional. For consistency and safety, change to `if [ "$CLIENT" == "dnf4" ]`.
  `if [ $CLIENT == "dnf4" ]; then`

script/rpm-devel:389
- Spelling error: "PRMs" should be "RPMs".
  `header "Step 3: Releasing new version of PRMs, signed with single key (the new key)."`

script/rpm-devel:93
- The condition check is incorrect. This checks if CLIENT equals the string "dnf4", but on line 89 the comparison uses `==` without quotes around the variable. This should use quotes for consistency and to handle empty values properly. Change to `if [ "$CLIENT" == "dnf4" ]`.
  `if [ $CLIENT == "dnf4" ]; then`

script/rpm-devel:89
- The condition check is missing quotes around the variable. This should use quotes for consistency and to handle empty values properly. Change to `if [ "$CLIENT" == "dnf4" ]`.
  `if [ $CLIENT == "dnf4" ] && ! command -v dnf4 &> /dev/null; then`

script/rpm-devel:203
- Missing quotes around variable in conditional. For consistency and safety, change to `if [ "$CLIENT" == "dnf4" ]`.
  `if [ $CLIENT == "dnf4" ]; then`
| echo "! Note that the hosted PGP keyring is now updated (includes both keys): http://127.0.0.1:8000/pgp-key.gpg" | ||
|
|
||
| prompt_continue | ||
| header "Step 3: Releasing new version of PRMs, signed with single key (old key is still valid)." |
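Review bot: the `Step 3` header at the end of this hunk collides with the suppressed-comment excerpt at script/rpm-devel:389, which shows a second `Step 3` header in the same file with a different parenthetical ("the new key" versus "old key is still valid"); if the two belong to different subcommands, prefix each header with the subcommand name so a transcript of a full run is unambiguous, and fix "PRMs" to "RPMs" in both. The echo above it advertises the keyring at a plain-http loopback URL; that is fine for a local PoC, but a one-line comment saying so would stop the pattern being copied, since the whole point of publishing a keyring with both keys before this step is that every client has refreshed it before packages signed with only one of them appear.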
Spelling error: "PRMs" should be "RPMs".
This issue also appears in the following locations of the same file:
- line 389
| header "Step 7: installing the packages via dnf" | ||
|
|
||
| echo "! Note that you're going to confirm the PGP key import prompt (fingerprint: $KEY1_FINGERPRINT)" | ||
| if [ $CLIENT == "dnf4" ]; then |
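Review bot: the `if [ $CLIENT == "dnf4" ]` test at the end of this hunk is malformed when CLIENT is empty (`[` reports "unary operator expected" and exits 2, which the `if` treats as false, so the script silently takes the other branch with no hint that the variable was unset). Since the file is a bash script, `[[ "$CLIENT" == dnf4 ]]` or the quoted `[ "$CLIENT" = "dnf4" ]` avoids this. The echo before it tells the user they are "going to confirm the PGP key import prompt" with the fingerprint; phrasing it as "verify that the fingerprint dnf shows matches $KEY1_FINGERPRINT before accepting" makes the comparison, which is the security step this demo is meant to teach, explicit.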
Missing quotes around variable in conditional. For consistency and safety, change to if [ "$CLIENT" == "dnf4" ].
This issue also appears in the following locations of the same file:
- line 340
- line 433
- line 93
- line 89
- line 203
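Added example (mine, not code from the PR or from the rpm-devel script) showing the failure mode behind this comment: with an empty `CLIENT` the unquoted test is a malformed `[` expression that exits with status 2, while the quoted form simply returns 1. It uses the POSIX `=` operator instead of the script's bash-only `==` so it also runs under sh; the empty-value behaviour is the same under bash.

```shell
# Added example, not from the PR: why `[ $CLIENT = "dnf4" ]` needs the
# variable quoted. Uses POSIX `=`; bash's `==` behaves the same here.

# The PR's form: CLIENT is expanded unquoted, so an empty value leaves
# `[ = dnf4 ]` (malformed, exit 2) and a value containing spaces is
# split into several words (also malformed).
check_unquoted() {
    local CLIENT="$1"
    local status
    if [ $CLIENT = "dnf4" ] 2>/dev/null; then
        status=0
    else
        status=$?   # exit status of the test: 1 for "no match", 2 for "malformed"
    fi
    echo "$status"
}

# The reviewed form: the expansion is always exactly one word, so the
# test is well-formed for every value and returns only 0 or 1.
check_quoted() {
    local CLIENT="$1"
    local status
    if [ "$CLIENT" = "dnf4" ] 2>/dev/null; then
        status=0
    else
        status=$?
    fi
    echo "$status"
}

# Walk both forms over representative values and print a small table.
demo() {
    for value in "" "dnf4" "dnf5" "dnf 4"; do
        printf '%-8s unquoted=%s quoted=%s\n' "'$value'" \
            "$(check_unquoted "$value")" "$(check_quoted "$value")"
    done
}

demo
```

The exit status 2 is the one to watch for: an `if` treats it exactly like 1, so an unset variable does not abort the script, it just picks the wrong branch.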
| docker exec rpm-gpg-playground bash -c "cat >> /root/.bashrc << EOF | ||
|
|
||
| # Display MOTD | ||
| cat << "MOTD" | ||
| ================================================================================ | ||
| RPM Repository PGP Key Rotation Development Environment | ||
| ================================================================================ | ||
|
|
||
| Welcome to the rpm-gpg-playground container! | ||
|
|
||
| Available commands: | ||
| $SCRIPT setup - Create initial RPM repository and packages | ||
| $SCRIPT newkey - Generate new signing key | ||
| $SCRIPT deprecate - Deprecate old signing key | ||
| $SCRIPT teardown - Clean up repository and configuration | ||
|
|
||
| Run $SCRIPT without arguments for full help. | ||
|
|
||
| ================================================================================ | ||
| MOTD | ||
| EOF" |
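Review bot: there are two quoting layers in this hunk and the MOTD text sits inside both. The whole `cat >> /root/.bashrc << EOF ... EOF` script is the double-quoted argument of `bash -c "..."`, so `$SCRIPT` (and every other `$`) is expanded by the host shell before `docker exec` runs; anything that survives that (only escaped `\$`) is expanded again in the container because the outer heredoc delimiter `EOF` is unquoted; the inner `<< "MOTD"` only governs what happens when .bashrc is later sourced, by which time the substitution has already been made. Make the intent explicit: if `$SCRIPT` is meant to be the host-side script name, the MOTD is correct only when `SCRIPT` is set in the outer script before this line; if it is meant to be resolved inside the container, write `\$SCRIPT`. Separately, `>>` appends unconditionally, so re-running setup stacks a second copy of the MOTD block into /root/.bashrc; guard the append with a marker check such as `grep -q 'rpm-gpg-playground container' /root/.bashrc ||` before the `cat`.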
The variable SCRIPT is used in the MOTD at lines 65-70 but won't be expanded within the heredoc that's being written to .bashrc because it's quoted with "EOF". This will result in the literal string "$SCRIPT" being displayed instead of the actual script name. Either use unquoted EOF to allow variable expansion, or replace $SCRIPT with the literal script name "rpm-devel".
| License: MIT | ||
| Packager: Example Team | ||
| Requires: bash | ||
| BuildRoot: "$PACKAGE_DIR" |
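Review bot: spec tag values are taken literally, so `BuildRoot: "$PACKAGE_DIR"` at the end of this hunk records a path that includes the quote characters; `BuildRoot` takes a bare path, and quoting does not protect spaces there. Since rpmbuild 4.6 the tag is ignored altogether and the build root comes from `%{_buildrootdir}`, so the simplest fix is to drop the line; if it is kept for older tooling, use the conventional unquoted macro form `BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root` rather than a host path that ends up baked into the generated spec.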
The BuildRoot directive value should be quoted to avoid potential issues with spaces in paths. Change to BuildRoot: "%{_tmppath}/%{name}-%{version}-%{release}-root" or similar standard format, instead of using a custom path.
| BuildRoot: "$PACKAGE_DIR" | |
| BuildRoot: \"%{_tmppath}/%{name}-%{version}-%{release}-root\" |
This PR adds the PGP key rotation spike for RPM repositories.