fix(ci): resolve DNF Worker chain blockers (#500, #501) (#502)

Fix #500: rpmsign --addsign mutates RPMs in place, so the Release asset uploaded by the release job (unsigned) diverged from the signed copy in gh-pages. The Worker redirects to the Release asset, so dnf saw a sha256 that didn't match repodata. Re-upload the signed RPMs to the Release via gh release upload --clobber after signing. Fix #501: The imported GPG keyring contains two keys; reprepro signs InRelease with one and rpmsign signs repomd.xml.asc with the other, but the published KEY.gpg only contained one of them. Strict clients like rockylinux:9 rejected repo metadata with "Bad GPG signature". Export the full keyring (all public keys) to KEY.gpg so both signatures verify. Validation (per issue reproduction steps): - Re-run update-dnf-repo on a test tag - sha256 of gh-pages RPM must match the Release asset download - fedora:latest dnf install should succeed (was "All mirrors tried") - rockylinux:9 dnf makecache should succeed (was "Bad GPG signature") Co-authored-by: Claude <claude@anthropic.com>
2026-05-17 00:26:21 +03:00 · 2026-04-23 08:52:41 -04:00
parent 4fb076ec12
commit 0bcf7a473f
1 changed files with 28 additions and 0 deletions
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -435,6 +435,16 @@ jobs:
        with:
          gpg_private_key: ${{ secrets.APT_GPG_PRIVATE_KEY }}

+      - name: Publish KEY.gpg with all public keys from keyring
+        # Fix #501: APT InRelease and DNF repomd.xml are signed with
+        # different keys from the same keyring. Export every public key
+        # so strict clients (e.g. rockylinux:9) can verify both.
+        working-directory: apt-repo
+        run: |
+          gpg --armor --export > KEY.gpg
+          echo "Keys published in KEY.gpg:"
+          gpg --show-keys < KEY.gpg
+
      - name: Add packages to repository
        working-directory: apt-repo
        run: |
@@ -652,6 +662,24 @@ jobs:
            'gpgkey=https://aaddrick.github.io/claude-desktop-debian/KEY.gpg' \
            > rpm/claude-desktop.repo

+      - name: Re-upload signed RPMs to GitHub Release
+        # Fix #500: rpmsign --addsign mutates the RPM in place. The release
+        # job (needs: release) already uploaded the unsigned build artifact.
+        # Clobber it with the signed copy so the sha256 in repodata matches
+        # the binary the Worker redirects to.
+        env:
+          GH_TOKEN: ${{ github.token }}
+        working-directory: dnf-repo
+        run: |
+          for arch in x86_64 aarch64; do
+            if ls "rpm/$arch/"*.rpm 1> /dev/null 2>&1; then
+              gh release upload "${{ github.ref_name }}" \
+                "rpm/$arch/"*.rpm \
+                --repo aaddrick/claude-desktop-debian \
+                --clobber
+            fi
+          done
+
      - name: Strip RPMs from pool (gated on Worker liveness)
        working-directory: dnf-repo
        run: |