Skip to content

Re-enable gpgchecks for dnf packages (where public keys are available) #873

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
bertiethorpe wants to merge 21 commits into
base: main
Choose a base branch
from
Draft

Re-enable gpgchecks for dnf packages (where public keys are available) #873

bertiethorpe wants to merge 21 commits into from

Conversation

@bertiethorpe
Copy link
Contributor

@bertiethorpe bertiethorpe commented Dec 16, 2025

  • dnf_repo_timestamps.yml now makes it possible to toggle repo gpgchecks.
  • EESSI CVMFS config now pulled from Ark

bertiethorpe and others added 20 commits December 8, 2025 11:26
@bertiethorpe
add eessi cvmfs config and re-enable gpg checks everywhere
d60aadd
@bertiethorpe
disable fail2ban gpg check provisionally
7906cfb
@bertiethorpe
Install epel-release gpg for rocky 8
8c10edf
@bertiethorpe
gpg check option correction
934b605
@bertiethorpe
manual dl and install of epel-release key
32ec33e
@bertiethorpe
correct epel-release signing key
d6e0f26
@bertiethorpe
dnf install rocky-gpg-keys
0c1c9ce
@bertiethorpe
stop using rpm_key module for rockyofficial key
072fd9f
@bertiethorpe
test timestamps setting gpgkey
6d29a43
@bertiethorpe
hardcode ceph key in dnf_repos defaults
3eef4a4
@bertiethorpe
preserve ceph key newlines
3707dcb
@bertiethorpe
disable gpg checks for ceph repo packages
bf1b654
@bertiethorpe
rocky 8/9 compatibility chnages
7fb0d02
@bertiethorpe
correct epel gpg key in timestamps
b997ad2
@bertiethorpe
import EPEL key
0789ea5
@bertiethorpe
hardcode cernvm gpg key
00bc2db
@bertiethorpe
disable gpgcheck for cvmfs eessi config (not provided upstream)
66af4cc
@bertiethorpe
disable gpgchecks for some repos provisionally
0202da7
@bertiethorpe
Merge branch 'main' into feat/ark-eessi-cvmfs-config
535242f
@bertiethorpe
Bump CI images
89fdeac
@bertiethorpe bertiethorpe force-pushed the feat/ark-eessi-cvmfs-config branch from cc46ea3 to 89fdeac Compare December 16, 2025 11:21
@bertiethorpe bertiethorpe marked this pull request as ready for review December 16, 2025 11:29
@bertiethorpe bertiethorpe requested a review from a team as a code owner December 16, 2025 11:29
sjpb
sjpb requested changes Dec 16, 2025
View reviewed changes
ansible/roles/dnf_repos/tasks/set_repos.yml
password: "{{ dnf_repos_password }}"
gpgcheck: false
gpgcheck: "{{ repo_values.gpgcheck | default(true) }}"
gpgkey: "{{ repo_values.gpgkey | default('') }}"
Copy link
Collaborator

@sjpb sjpb Dec 16, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If gpgkey isn't provided and gpgcheck is true, that should be an error I think to avoid hard-to-diagnose errors later?

ansible/roles/eessi/tasks/install.yml
dest: ./cvmfs-key.gpg
checksum: "{{ cvmfs_gpg_checksum }}"
mode: "0644"
- name: Install CVMFS GPG key
Copy link
Collaborator

@sjpb sjpb Dec 16, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

So what's different here vs e.g. openhpc where we install/import the key as part as of the dnf_repos role?

sjpb
sjpb reviewed Dec 16, 2025
View reviewed changes
Copy link
Collaborator

@sjpb sjpb left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The dnf_repos role can only really install/import keys and write repo files with keys. There are places which call ansible.builtin.dnf which actually determine if gpg keys are used.

So there's two things we need to do:

  1. Write repo file with keys
  2. Ensure ansible.builtin.dnf is not run with disable_gpg_check on that repo file

Its not really clear to me why we don't need to e.g. import the openhpc key (pre this PR) but we do seem to need to import the rocky ones.

environments/common/inventory/group_vars/all/dnf_repo_timestamps.yml
pulp_timestamp: 20250828T161842
repo_file: rocky-extras
gpgkey: file:///etc/pki/rpm-gpg/RPM-GPG-KEY-Rocky-9
grafana:
Copy link
Collaborator

@sjpb sjpb Dec 16, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Need to check grafana. Might e.g. be disabled in the role which enables it.

sjpb

This comment was marked as outdated.

Sign in to view

@sjpb sjpb marked this pull request as draft December 16, 2025 12:11
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@sjpb sjpb sjpb requested changes

Requested changes must be addressed to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@bertiethorpe @sjpb