Install qemu-user-static from newer fedora release #1216
cfergeau wants to merge 2 commits into crc-org:release-4.21 from
Disabling it removes one important layer of security
[APPROVALNOTIFIER] This PR is NOT APPROVED
Walkthrough
The changes enable GPG signature verification across multiple repository configurations and update the Fedora version from 41 to 44 in the guest updates repository. Three files are modified: createdisk.sh (Fedora version and gpgcheck), Containerfile.bootc-rhel9 (gpgcheck settings), and mirror-microshift.repo (gpgcheck setting).
| baseurl=https://mirror.openshift.com/pub/openshift-v4/$basearch/microshift/ocp-dev-preview/latest-4.20/el9/os/ | ||
| enabled=1 | ||
| gpgcheck=0 | ||
| gpgcheck=1 |
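Review bot: gpgcheck=1 in this stanza has no gpgkey line to back it, so dnf has no key to verify against and installs from this repo will fail rather than verify; add gpgkey= pointing at the key that actually signs these packages. Because baseurl points at an ocp-dev-preview tree, first confirm those RPMs are signed at all and by which key (rpm -K on one downloaded package shows the signing key id) before choosing between the Red Hat release key and a repo-specific key. repo_gpgcheck is also absent, so repository metadata stays unverified even after the key is added.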
This might break for mirror repos and it is not tested because this repo is only used for non release microshift payload so might be for 4.22 release side.
Actionable comments posted: 3
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@createdisk.sh`:
- Line 160: The repo stanza in createdisk.sh currently sets gpgcheck=1 but omits
the gpgkey entry; update the Fedora updates repo configuration block (the
section that contains the gpgcheck=1 line) to add a gpgkey pointing to the
Fedora public key URL (the standard Fedora GPG key location) so DNF can verify
signatures; modify the code that writes the repo file (the same block that emits
gpgcheck=1) to include a corresponding gpgkey=... line alongside gpgcheck=1.
In `@image-mode/microshift/config/Containerfile.bootc-rhel9`:
- Line 15: The repo config enables gpgcheck without specifying gpgkey, causing
"Signing key not found" failures; update the dnf config-manager call that sets
"${repoID}.gpgcheck=1" to also set the matching gpgkey via --setopt (e.g., for
mirror.openshift.com point to the preinstalled Red Hat release key like
/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release and for the UNRELEASED_MIRROR_REPO
set its repository GPG URL or local key path), so replace the single
--setopt="${repoID}.gpgcheck=1" with two --setopt entries: one for
"${repoID}.gpgcheck=1" and one for "${repoID}.gpgkey=<appropriate-key-location>"
when invoking dnf config-manager; ensure the same pattern is applied for any
*-el9-beta entries.
In `@repos/mirror-microshift.repo`:
- Line 5: The repo stanza currently sets gpgcheck=1 but lacks a gpgkey entry;
update the repository definition that contains the gpgcheck property to add a
gpgkey pointing to the repository's public signing key (e.g.,
gpgkey=https://.../RPM-GPG-KEY) so package verification works in non-interactive
flows; modify the same repo block where gpgcheck is defined (the
mirror-microshift.repo stanza) to include the gpgkey line using the official URL
used by similar repos (see images/openshift-ci/google-cloud-sdk.repo for the
expected URL pattern).
| type=rpm | ||
| repo_gpgcheck=0 | ||
| gpgcheck=0 | ||
| gpgcheck=1 |
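Review bot: the stanza still lacks a gpgkey, and because this repo now serves Fedora 44 packages the key choice needs care: file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$basearch is a symlink to the key of the release the build host itself runs, so on an older host it would not match f44 signatures. Point gpgkey at the Fedora 44 key (the per-release files such as RPM-GPG-KEY-fedora-44-primary referred to in the analysis that follows) and check that the host's fedora-gpg-keys package actually ships it, otherwise the lookup fails before any package is checked. repo_gpgcheck=0 is kept, so only package signatures, not the repository metadata, end up verified.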
🧩 Analysis chain
🏁 Script executed (repository crc-org/snc):
find . -name "createdisk.sh" -type f
🏁 Script executed (repository crc-org/snc):
cat -n ./createdisk.sh | sed -n '145,180p'
🌐 Web query:
Fedora yum repo gpgcheck=1 without gpgkey configuration dnf
💡 Result:
In Fedora using DNF (which replaced YUM), configuring a repository with gpgcheck=1 without specifying a gpgkey in the .repo file will cause DNF to fail with a GPG key retrieval error. DNF requires the gpgkey option to be set to a valid URL or local file path pointing to the repository's public GPG key when gpgcheck=1 is enabled. Without it, DNF cannot fetch or verify the key needed for signature checking on packages. This applies to both gpgcheck (for package signatures) and repo_gpgcheck (for repository metadata signatures). Official Fedora repositories always include gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$basearch (or similar), where the keys are pre-installed via the fedora-release package.
To configure correctly:
[example-repo]
name=Example Repo
baseurl=https://example.com/repo/
enabled=1
gpgcheck=1
gpgkey=https://example.com/RPM-GPG-KEY-example
If the key is local: gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-example
Omitting gpgkey leads to errors like "GPG key retrieval failed" or "No key available to verify signature". Use gpgcheck=0 only if you fully trust the repo (not recommended for security). Workarounds like --nogpgcheck exist for one-off commands but disable verification entirely.
🌐 Web query:
Fedora 44 RPM GPG KEY file location /etc/pki/rpm-gpg/RPM-GPG-KEY-fedora
💡 Result:
Yes, the standard location for Fedora RPM GPG keys, including RPM-GPG-KEY-fedora and version-specific keys like RPM-GPG-KEY-fedora-44-primary in Fedora 44, is /etc/pki/rpm-gpg/. These keys are provided by packages such as fedora-gpg-keys (part of fedora-repos) or fedora-release, and official Fedora documentation confirms this path.
🏁 Script executed (repository crc-org/snc):
grep -n "gpgkey" ./createdisk.sh
🏁 Script executed (repository crc-org/snc):
grep -n "\.repo\|gpgcheck\|copr" ./createdisk.sh | head -20
Add gpgkey entry to fedora-updates repo configuration.
gpgcheck=1 is enabled but the generated repo file lacks a gpgkey entry. DNF will fail to download packages (line 164) without it, as DNF requires the GPG key location when signature checking is enabled. Add the standard Fedora key location:
Suggested patch
[fedora-updates]
name=Fedora 44 - $basearch - Updates
metalink=https://mirrors.fedoraproject.org/metalink?repo=updates-released-f44&arch=$basearch
enabled=1
type=rpm
repo_gpgcheck=0
gpgcheck=1
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$basearch
EOF
| --add-repo "https://mirror.openshift.com/pub/openshift-v4/$(uname -m)/dependencies/rpms/${MICROSHIFT_VER}-el9-beta" \ | ||
| --set-enabled "fast-datapath-for-rhel-9-$(uname -m)-rpms"; \ | ||
| dnf config-manager --save --setopt="${repoID}".gpgcheck=0 --setopt=*-el9-beta.gpgcheck=0; \ | ||
| dnf config-manager --save --setopt="${repoID}".gpgcheck=1 --setopt=*-el9-beta.gpgcheck=1; \ |
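Review bot: the repos this line switches to gpgcheck=1 were created with --add-repo from a bare baseurl (the --add-repo line above), so their generated .repo files carry no gpgkey; with gpgcheck=1 and no key, the later dnf install fails instead of verifying. Add --setopt="${repoID}".gpgkey=... and --setopt=*-el9-beta.gpgkey=... in the same call, and verify which key signs the el9-beta dependency RPMs (beta builds are not necessarily signed with the release key) rather than assuming RPM-GPG-KEY-redhat-release. Minor: the *-el9-beta pattern is unquoted, so the shell globs it against the working directory before dnf sees it; quoting it avoids a surprise if a matching file ever exists in the build context.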
🧩 Analysis chain
🏁 Script executed (repository crc-org/snc):
find . -name "Containerfile.bootc-rhel9" -type f
🏁 Script executed (repository crc-org/snc):
cat -n ./image-mode/microshift/config/Containerfile.bootc-rhel9
🌐 Web query:
dnf config-manager --add-repo gpgcheck without explicit gpgkey
💡 Result:
The dnf config-manager --add-repo command does not support a direct gpgcheck option or parameter to set GPG checking without specifying an explicit gpgkey. There is no built-in flag like --gpgcheck=0 or similar for the --add-repo option itself. When adding a repo:
- If the URL points to an existing .repo file, it downloads and installs it unchanged (gpgcheck depends on that file).
- If the URL is a direct baseurl (e.g., http://example.com/repo/), it creates a minimal repo file with baseurl, enabled=1, name=created by dnf config-manager from , and typically gpgcheck=1 (default behavior inferred from docs and examples where GPG issues arise post-add), but no gpgkey set.
Without an explicit gpgkey in the repo file:
- gpgcheck=1 will fail on metadata/package verification because no key is available.
- To have GPG checking (gpgcheck=1) work, you must either:
  1. Import the GPG key manually (rpm --import ).
  2. Edit the generated repo file to add gpgkey=.
- To disable GPG checking entirely (gpgcheck without key), after adding: dnf config-manager --save --setopt=.gpgcheck=0 This overrides gpgcheck=0 in the repo config.
Official docs (dnf-plugins-core, Red Hat) confirm --add-repo creates basic files without mentioning gpgkey/gpgcheck control, and examples show post-add editing for gpgcheck=0 (e.g., RHCSA labs). Sources consistently show users editing or using --setopt for GPG config after adding.
🌐 Web query:
mirror.openshift.com repository metadata gpgkey configuration
💡 Result:
The mirror.openshift.com repository hosts OpenShift release signatures at https://mirror.openshift.com/pub/openshift-v4/signatures/openshift/release. This is used for verifying the integrity of mirrored OpenShift release images in disconnected environments. The GPG public key for verification is the official Red Hat release key, embedded in the oc-mirror release-configmap.yaml as verifier-public-key-redhat:
-----BEGIN PGP PUBLIC KEY BLOCK-----
Comment: Use "gpg --dearmor" for unpacking

mQINBErgSTsBEACh2A4b0O9t+vzC9VrVtL1AKvUWi9OPCjkvR7Xd8DtJxeeMZ5eF
0HtzIG58qDRybwUe89FZprB1ffuUKzdE+HcL3FbNWSSOXVjZIersdXyH3NvnLLLF
0DNRB2ix3bXG9Rh/RXpFsNxDp2CEMdUvbYCzE79K1EnUTVh1L0Of023FtPSZXX0c
u7Pb5DI5lX5YeoXO6RoodrIGYJsVBQWnrWw4xNTconUfNPk0EGZtEnzvH2zyPoJh
XGF+Ncu9XwbalnYde10OCvSWAZ5zTCpoLMTvQjWpbCdWXJzCm6G+/hx9upke546H
5IjtYm4dTIVTnc3wvDiODgBKRzOl9rEOCIgOuGtDxRxcQkjrC+xvg5Vkqn7vBUyW
PcXS1/7JzP0ky7d0L6Xbu/If5kqWQpKwUInXtySRkuraVfuK3Bpa+X1XecWi24JY
AOFpgJCsNgKwU81LOPrkMN19G0+Yn/ZTCDD7cIQ7dhYuDyEX97xh4une/EhnnRuh
mxTOGddhjfS8nmapg+26Ss2Zlxv93a7311YrF2l6dzNO7dzZQWtw7fDRSCmdAxUV
95dsvX2pwcOr73wfTbVDlVdAn+1VQMKb58gErow4RWqVwJ+SyZmuRDYonsSHp9Jt
5kJXwZP3UPudWeTAB9xaWaXHbcILraYnw1+wgr/W6oosJEi7SquiAVHaIyc8YX4L
JRhScNA6Flg3CAc8WFyH4Y+ZhUTBAu4el7HaYpidE9bY0lR0wJsXFIm6+52+LXxYt
QhyZAjgzMT6GUvoWrdNeNMCXo4pk+xUNQgVjSFuHGLkfxg40oh8S5R4=
=GmdY
-----END PGP PUBLIC KEY BLOCK-----
This ConfigMap is generated by oc-mirror or oc adm release mirror for use in disconnected clusters. It configures the Cluster Version Operator (CVO) to verify release payloads against signatures from mirror.openshift.com using this key. To use:
1. Mirror releases with oc adm release mirror or oc-mirror, which generates the ConfigMap.
2. Apply the ConfigMap to the cluster: oc apply -f config/release-image-signature.yaml.
3. The CVO will fetch signatures from the mirror URL appended with the image digest (e.g., sha256=.../signature-1) and verify using the provided public key.
For RPM-GPG verification of sha256sum.txt files from mirror.openshift.com (installer/clients), use the Red Hat RPM-GPG key at /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release on RHEL systems.
🌐 Web query:
RHEL dnf gpgcheck=1 pre-configured Red Hat GPG keys /etc/pki/rpm-gpg
💡 Result:
In Red Hat Enterprise Linux (RHEL), DNF is pre-configured with gpgcheck=1 enabled by default for all official Red Hat repositories. This setting verifies GPG signatures on packages during installation and updates to ensure integrity and authenticity. The official Red Hat repositories are defined in /etc/yum.repos.d/redhat.repo (managed by subscription-manager after registration). Each repository section includes:
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
(and sometimes repo_gpgcheck=1 for metadata verification). The directory /etc/pki/rpm-gpg/ contains pre-installed Red Hat GPG public keys, primarily RPM-GPG-KEY-redhat-release (fingerprint: 567E 347A D004 4ADE 55BA 8A5F 199E 2F91 FD43 1D51 for products after 2010, plus auxiliary and newer keys like ML-DSA for RHEL 9.7+ and 10.1). These keys are provided by the redhat-release package and automatically imported into RPM's keyring. To verify:
ls /etc/pki/rpm-gpg/ # Lists RPM-GPG-KEY-redhat-release etc.
rpm -qa gpg-pubkey* # Shows imported keys
grep gpgcheck /etc/yum.repos.d/redhat.repo # Confirms gpgcheck=1
This setup ensures secure package management out-of-the-box on subscribed RHEL systems. Newer RHEL versions (9.7+, 10) include additional post-quantum keys.
🌐 Web query:
dnf --add-repo direct baseurl gpgkey fails without explicit reference
💡 Result:
The command dnf --add-repo (via dnf config-manager --add-repo ) does not support specifying a custom baseurl or gpgkey directly on the command line. It only accepts a single URL argument, which is treated as either a remote .repo file (downloaded and added as-is) or a direct base URL (in which case it auto-generates a minimal repo file with only name, baseurl=, and enabled=1; no gpgcheck or gpgkey options are set). When using a direct baseurl (e.g., dnf config-manager --add-repo https://example.com/repo/), the generated repo file lacks GPG configuration. If the repo metadata or packages are signed (common for secure repos), subsequent operations like dnf makecache or dnf install fail with GPG errors such as "Signing key not found", "GPG key retrieval failed", or "GPG check FAILED". This happens because:
- gpgcheck=1 (package signature check) is often inherited from global config or defaults to on for security.
- No gpgkey is specified, so DNF cannot fetch/import the key.
- If repo_gpgcheck=1 (metadata signature check) is set or inherited, metadata verification fails first, preventing key import.
This matches the "fails without explicit reference" description: gpgkey must be explicitly added to the repo config for verification to succeed. Workarounds (prioritize security):
1. Manually edit the generated /etc/yum.repos.d/.repo file to add:
   gpgcheck=1
   gpgkey=<URL-to-key or file:///etc/pki/rpm-gpg/RPM-GPG-KEY->
   Then sudo dnf clean all && sudo dnf makecache.
2. Pre-download the key: sudo rpm --import , then add gpgkey=file:///etc/pki/rpm-gpg/.
3. Create a custom .repo file with all options (baseurl, gpgcheck=1, gpgkey) and add via dnf config-manager --add-repo file:///path/to/custom.repo.
4. Temporarily use --nogpgcheck for testing (not recommended for production).
Normal first-use behavior shows a "verification error" followed by key import prompt if gpgkey is specified (expected, not a failure). Without it, import cannot occur.
Examples:
# Incorrect (fails GPG later)
sudo dnf config-manager --add-repo https://example.com/direct-baseurl/
# Correct: Custom repo file
cat <<EOF | sudo tee /etc/yum.repos.d/custom.repo
[custom]
name=Custom Repo
baseurl=https://example.com/repo/
enabled=1
gpgcheck=1
gpgkey=https://example.com/RPM-GPG-KEY-example
EOF
sudo dnf clean all && sudo dnf makecache
On DNF5 (Fedora 41+), syntax changes to dnf config-manager addrepo --set=baseurl= [--set=gpgkey=] [--set=gpgcheck=1], allowing direct specification.
Line 15 enables GPG checks without specifying gpgkey locations, causing package installation to fail.
When dnf config-manager --add-repo is used with a direct baseurl (lines 12–13), it creates minimal repo files with no gpgkey configuration. Setting gpgcheck=1 without a corresponding gpgkey reference causes "Signing key not found" errors during the dnf install on line 17.
For mirror.openshift.com, use the pre-installed Red Hat release key. For UNRELEASED_MIRROR_REPO, add the appropriate gpgkey. Set both explicitly via --setopt:
🔧 Suggested patch
- dnf config-manager --save --setopt="${repoID}".gpgcheck=1 --setopt=*-el9-beta.gpgcheck=1; \
+ dnf config-manager --save \
+ --setopt="${repoID}".gpgcheck=1 \
+ --setopt="${repoID}".gpgkey='<url-or-filepath-to-signing-key>' \
+ --setopt=*-el9-beta.gpgcheck=1 \
+ --setopt=*-el9-beta.gpgkey='file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release'; \
| baseurl=https://mirror.openshift.com/pub/openshift-v4/$basearch/microshift/ocp-dev-preview/latest-4.20/el9/os/ | ||
| enabled=1 | ||
| gpgcheck=0 | ||
| gpgcheck=1 |
🧩 Analysis chain
🏁 Script executed (repository crc-org/snc):
#!/bin/bash
set -euo pipefail
python - <<'PY'
import pathlib, re

def check_repo(path: pathlib.Path):
    # Walk one .repo file stanza by stanza; the sentinel header flushes the last one.
    txt = path.read_text(errors="ignore")
    section = None
    kv = {}
    for raw in txt.splitlines() + ["[__END__]"]:
        line = raw.strip()
        m = re.match(r'^\[(.+)\]$', line)
        if m:
            if section is not None:
                if kv.get("gpgcheck") == "1" and "gpgkey" not in kv:
                    print(f"{path}:{section}: gpgcheck=1 without gpgkey")
            section = m.group(1)
            kv = {}
            continue
        if section and line and not line.startswith("#") and "=" in line:
            k, v = line.split("=", 1)
            kv[k.strip()] = v.strip()

for p in pathlib.Path(".").rglob("*.repo"):
    check_repo(p)
PY
🏁 Script executed (repository crc-org/snc):
cat -n repos/mirror-microshift.repo
🏁 Script executed (repository crc-org/snc):
# Search for other .repo files to see how they handle gpgkey directives
find . -name "*.repo" -type f | head -20
🏁 Script executed (repository crc-org/snc):
# Check if there are any other references to microshift or gpgkey in the repository
rg -i "gpgkey" --type conf
🏁 Script executed (repository crc-org/snc):
# Look for any documentation or comments that mention the GPG key for this repo
rg -i "microshift.*gpg|gpg.*microshift" -A 2 -B 2
🏁 Script executed (repository crc-org/snc):
cat -n ./images/openshift-ci/google-cloud-sdk.repo
🏁 Script executed (repository crc-org/snc):
# Search for gpgkey in all .repo files without type restriction
rg "gpgkey" -A 1 -B 1
🏁 Script executed (repository crc-org/snc):
# Check if there are any README, docs, or config files that mention OpenShift GPG keys
find . -type f \( -name "*.md" -o -name "README*" -o -name "*.txt" \) | xargs rg -l "gpg|signature" 2>/dev/null | head -10
🏁 Script executed (repository crc-org/snc):
# Look for any environment variables or scripts that might configure repo GPG keys
rg "RPM.*GPG|GPG.*RPM|gpgkey.*https" -i
Add a gpgkey source for gpgcheck=1 on Line 5.
gpgcheck=1 is enabled, but this repo stanza does not define how the signing key is obtained. This can fail in non-interactive flows when the key is not pre-imported. See images/openshift-ci/google-cloud-sdk.repo for the correct pattern: gpgkey=<https-url-to-gpg-key>.
🔧 Suggested patch
[mirror-microshift]
name=microshift repo for mirror
baseurl=https://mirror.openshift.com/pub/openshift-v4/$basearch/microshift/ocp-dev-preview/latest-4.20/el9/os/
enabled=1
gpgcheck=1
+gpgkey=<trusted-rpm-gpg-key-url-or-file:// path>
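The bot's script above only tests whether a gpgkey line is present. As an added example, not code from the crc-org/snc repository or from the review bot, here is a small Python auditor that parses .repo stanzas (including dnf's indented continuation lines for several gpgkey URLs) and grades each stanza on the points raised in this review: gpgcheck on or off, gpgkey present, how the key is fetched (file:// or https:// versus plain http, which lets the key itself be swapped in transit), and repo_gpgcheck. The sample text is constructed: the first two stanzas copy the repo definitions the PR touches, the third is a hardened variant written for this example, and the http key URL and the example.invalid host are placeholders. Function names and finding codes are invented here.

```python
"""Audit dnf/yum .repo stanzas for signature-verification posture.

Added example; not code from crc-org/snc or from the review bot.
SAMPLE_REPO_TEXT is constructed: two stanzas copied from the PR, plus one
hardened variant written for this example.  Finding codes are invented.
"""
import re

SAMPLE_REPO_TEXT = """\
[fedora-updates]
name=Fedora 44 - $basearch - Updates
metalink=https://mirrors.fedoraproject.org/metalink?repo=updates-released-f44&arch=$basearch
enabled=1
type=rpm
repo_gpgcheck=0
gpgcheck=1

[mirror-microshift]
name=microshift repo for mirror
baseurl=https://mirror.openshift.com/pub/openshift-v4/$basearch/microshift/ocp-dev-preview/latest-4.20/el9/os/
enabled=1
gpgcheck=1
# constructed placeholder: a key fetched over plain http can be swapped in transit
gpgkey=http://example.invalid/RPM-GPG-KEY-example

[mirror-microshift-hardened]
name=constructed hardened variant of the stanza above
baseurl=https://mirror.openshift.com/pub/openshift-v4/$basearch/microshift/ocp-dev-preview/latest-4.20/el9/os/
enabled=1
gpgcheck=1
repo_gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
       https://example.invalid/RPM-GPG-KEY-second
"""

# gpgkey values with these schemes cannot be silently replaced on the wire.
TRUSTED_KEY_SCHEMES = ("file", "https")


def parse_repo_stanzas(text):
    """Parse .repo INI text into {repo_id: {option: value}}.

    Skips '#'/';' comments and folds indented continuation lines into the
    previous option (dnf's syntax for multi-valued options such as gpgkey).
    """
    stanzas, current, last_key = {}, None, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith(("#", ";")):
            continue
        if raw[0] in " \t" and current is not None and last_key is not None:
            stanzas[current][last_key] += " " + raw.strip()
            continue
        line = raw.strip()
        header = re.match(r"^\[([^\]]+)\]$", line)
        if header:
            current, last_key = header.group(1), None
            stanzas[current] = {}
            continue
        if current is None or "=" not in line:
            continue  # text outside any stanza, or a line dnf would ignore
        key, value = line.split("=", 1)  # values may themselves contain '='
        last_key = key.strip()
        stanzas[current][last_key] = value.strip()
    return stanzas


def audit_stanza(opts):
    """Return (code, detail) findings for one stanza, in a fixed order."""
    findings = []
    keys = opts.get("gpgkey", "").split()
    if opts.get("gpgcheck", "0") != "1":  # dnf's default is gpgcheck=0
        findings.append(("GPGCHECK_OFF", "package signatures are never checked"))
    elif not keys:
        findings.append(("GPGKEY_MISSING",
                         "gpgcheck=1 but no gpgkey: dnf has no key to verify "
                         "with, so installs fail instead of verifying"))
    for url in keys:
        scheme = url.split(":", 1)[0].lower() if ":" in url else ""
        if scheme not in TRUSTED_KEY_SCHEMES:
            findings.append(("GPGKEY_UNTRUSTED_TRANSPORT",
                             f"{url}: key fetched over an unauthenticated channel"))
    if opts.get("repo_gpgcheck", "0") != "1":
        findings.append(("REPO_GPGCHECK_OFF",
                         "repository metadata (repomd.xml) is not signature-checked"))
    return findings


def audit_repo_text(text):
    """Map every repo id in a .repo text to its list of finding codes."""
    return {repo_id: [code for code, _ in audit_stanza(opts)]
            for repo_id, opts in parse_repo_stanzas(text).items()}


if __name__ == "__main__":
    for repo_id, opts in parse_repo_stanzas(SAMPLE_REPO_TEXT).items():
        for code, detail in audit_stanza(opts) or [("OK", "no findings")]:
            print(f"{repo_id}: {code}: {detail}")
```

Run as-is it prints one line per finding for the sample; audit_repo_text returns the codes per repo id, which is the shape a CI check would assert on. Pointing the parser at the files under /etc/yum.repos.d after a dnf config-manager --add-repo call covers the Containerfile case too, since --add-repo writes its generated stanza there.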
@cfergeau: The following tests failed, say
This PR gets qemu-user-static from fedora 44 instead of using the out of support f41.
Maybe we should consider getting qemu-user-static from centos if it’s built there.
This PR also attempts to enable gpgcheck on yum repos, but I expect it will take a few tries to get it to work (if at all).