mirror of
https://github.com/aaddrick/claude-desktop-debian.git
synced 2026-05-17 08:36:35 +03:00
fix(ci): force primary GPG key for repomd.xml signing (#566)
* fix(ci): force primary GPG key for repomd.xml signing

PR #217 added --default-key for the gpg invocation that signs repomd.xml,
but gpg's --default-key only chooses an identity, not which key under that
identity actually signs. Without a trailing '!' on the keyid, gpg silently
picks the most recent signing subkey. rpm 4.20+ and zypper verify repomd.xml
only against the primary key, so the published signature fails verification
with "Signature verification failed for repomd.xml" / "Signing key not found"
— the exact symptom reported in #213.

Append '!' to the keyid argument to force the primary key.

Verified locally against zypper 1.14.96 / rpm 4.20.1 / gpg 2.x by re-signing
the live repomd.xml with a test primary+subkey keypair:

- Without '!': sig keyid = subkey, zypper refresh fails with "Signature
  verification failed for repomd.xml" (reproduces the production bug 1:1).
- With '!': sig keyid = primary, zypper refresh succeeds: "Die angegebenen
  Repositorys wurden aktualisiert."

Fixes #213 (regression of PR #217)

Co-Authored-By: Claude <claude@anthropic.com>

* docs(ci): tighten repomd.xml signing comment

Compress the rationale block from 8 to 6 lines while preserving the
load-bearing facts (gpg picks subkey by default, rpm 4.20+ / zypper reject
subkey-signed repomd.xml, '!' forces the primary key, #213/#217 regression
history). Adds an explicit "Do not strip it" admonition to the future reader.

No functional change.

Co-Authored-By: Claude <claude@anthropic.com>

---------

Co-authored-by: Claude <claude@anthropic.com>
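The commit describes the failure mode (gpg quietly signing with a subkey, rpm/zypper rejecting the result) but the workflow has no check that would catch it again. The following is an added example, not code from the commit or from the claude-desktop-debian workflow: a guard a CI step could run right after `gpg --detach-sign` so that a subkey-signed repomd.xml fails the job instead of shipping. It assumes the primary key's full fingerprint is available to the job (shown as a hypothetical `PRIMARY_FPR`), that `gpg` is on PATH with the public key already imported, and the status lines used as sample input in the comments are constructed, not captured from the real repository.

```shell
#!/bin/sh
# Added example, not code from the claude-desktop-debian workflow: a guard that a
# CI step can run right after `gpg --detach-sign` to prove the signature on
# repomd.xml was made by the PRIMARY key, not a signing subkey (the #213 failure
# mode: rpm 4.20+ / zypper accept only primary-key signatures on repomd.xml).
# It parses gpg's machine-readable --status-fd output, whose VALIDSIG line is
#   [GNUPG:] VALIDSIG <signing-key-fpr> <date> <ts> <expire> <ver> <res> \
#            <pk-algo> <hash-algo> <class> <primary-key-fpr>
# so "signing key == primary key" reduces to "field 3 == last field"
# (gpg 2.x always emits the trailing primary-key fingerprint).

# Read gpg status lines on stdin; print "<signing-fpr> <primary-fpr>" for the
# first VALIDSIG line, or nothing if no valid signature was seen.
validsig_fprs() {
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $3, $NF; exit }'
}

# Read gpg status lines on stdin. Exit status:
#   0  valid signature made by the expected primary key itself
#   1  valid signature, but a subkey of that primary signed (the #213 bug)
#   2  no valid signature at all (BADSIG, NO_PUBKEY, garbage, ...)
#   3  valid signature, but from a different primary key entirely
signed_by_primary() {
    expected_primary="$1"
    fprs=$(validsig_fprs)
    [ -n "$fprs" ] || return 2
    signer=${fprs%% *}
    primary=${fprs##* }
    [ "$primary" = "$expected_primary" ] || return 3
    [ "$signer" = "$primary" ] || return 1
    return 0
}

# CI wrapper: verify a detached ASCII-armored signature and enforce the
# primary-key rule. PRIMARY_FPR is a hypothetical job variable; in the
# workflow's loop this would be, for example:
#   check_repomd_signature "rpm/$arch/repodata/repomd.xml" \
#       "rpm/$arch/repodata/repomd.xml.asc" "$PRIMARY_FPR" || exit 1
# stderr is dropped because everything we need is on the status channel (fd 1).
check_repomd_signature() {
    file="$1"; sig="$2"; expected_primary="$3"
    gpg --batch --status-fd 1 --verify "$sig" "$file" 2>/dev/null \
        | signed_by_primary "$expected_primary"
}
```

Distinguishing exit status 1 from 2 and 3 is deliberate: a subkey-signed file is a "valid" signature as far as gpg is concerned, so a plain `gpg --verify` exit code would pass it, which is exactly why the regression in #213 was not caught by the workflow.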
.github/workflows/ci.yml (vendored): 9 lines changed
@@ -653,9 +653,14 @@ jobs:
echo "Generating repodata for $arch..."
createrepo_c --update "rpm/$arch/"
# Sign the repository metadata (--yes to overwrite existing signature)
# Sign repodata. Trailing '!' on keyid forces gpg to use
# the primary key; without it gpg picks the most recent
# signing subkey, and rpm 4.20+ / zypper reject repomd.xml
# signed by anything other than the primary key.
# Regression of #213 — PR #217 added --default-key but
# dropped the '!'. Do not strip it. --yes overwrites .asc.
echo "Signing repodata for $arch..."
gpg --batch --yes --default-key "${{ steps.import_gpg.outputs.keyid }}" --detach-sign --armor "rpm/$arch/repodata/repomd.xml"
gpg --batch --yes --default-key "${{ steps.import_gpg.outputs.keyid }}!" --detach-sign --armor "rpm/$arch/repodata/repomd.xml"
fi
done
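Review bot: the fix relies on `steps.import_gpg.outputs.keyid` naming the primary key; if that step ever emits a subkey id, the trailing `!` pins that subkey instead and nothing in this hunk would notice, since gpg reports a subkey signature as valid. Consider a post-signing guard in the same step, e.g. `gpg --batch --status-fd 1 --verify "rpm/$arch/repodata/repomd.xml.asc" "rpm/$arch/repodata/repomd.xml"` and fail the job unless the VALIDSIG line's first and last fingerprints match (signing key == primary key), so the #213 regression cannot ship silently again. Minor: the new comment says PR #217 "dropped the '!'", while the commit message says #217 added --default-key without ever having the '!'; worth aligning the two so the next reader gets one history.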