From 40c682ecfcbdf781e59b6ce89103396d93f681ed Mon Sep 17 00:00:00 2001 From: Michal Domonkos Date: Oct 25 2024 13:53:10 +0000 Subject: Revert Sequoia signing support for now, breaks CI Running a build through the RHEL OSCI reveals some possible shortcomings of the original design: - Custom macros using %__gpg may now easily break if the Sequoia backend is installed, such as those overriding %__gpg_sign_cmd where %__gpg is typically the first argument, followed by CLI options only known to GnuPG. This is exactly the case with some of our Beaker tests. - Some tests attempt to install both subpackages directly with dnf which obviously fails as they conflict with each other. This is just a test issue, though. Therefore, the boolean dependency in rpm-sign-libs declaring that both implementations are equally compatible is just wrong, until we can prove otherwise, by making the CI tests pass, for starters. Drop the Sequoia subpackage for now. This is less drastic than a full revert since the actual GnuPG split-off is still reasonable on its own. We can always add Sequoia support back later, once we figure out the above issues. Related: RHEL-56363 --- diff --git a/macros.rpmsign-sequoia b/macros.rpmsign-sequoia deleted file mode 100644 index dcb9d55..0000000 --- a/macros.rpmsign-sequoia +++ /dev/null 
@@ -1,23 +0,0 @@ -#============================================================================== -# ---- Sequoia signature macros. -# The signature to use and the location of configuration files for -# signing packages with Sequoia. -# -# Unlike GnuPG, Sequoia doesn't support specifying the signer key by -# email or name match, you need to supply the hex fingerprint (or keyid) -#%_gpg_name -#%_gpg_path - -%__gpg /usr/bin/sq - -# Macro(s) to hold the arguments passed to Sequoia for package -# signing. Expansion result is parsed by popt, so be sure to use -# %{shescape} where needed. -# - -%__gpg_sign_cmd %{__gpg} %{__gpg} sign \ - %{?_gpg_sign_cmd_extra_args} \ - %{?_gpg_name:--signer-key %{_gpg_name}} \ - --detached --output %{shescape:%{?__signature_filename}} \ - %{?__plaintext_filename:-- %{shescape:%{__plaintext_filename}}} - diff --git a/rpm.spec b/rpm.spec index 2547c95..22f7f04 100644 --- a/rpm.spec +++ b/rpm.spec @@ -27,7 +27,7 @@ %global rpmver 4.19.1.1 #global snapver rc1 -%global baserelease 5 +%global baserelease 6 %global sover 10 %global srcver %{rpmver}%{?snapver:-%{snapver}} @@ -46,7 +46,6 @@ Source10: rpmdb-rebuild.service Source20: rpmdb-migrate.service Source21: rpmdb_migrate -Source30: macros.rpmsign-sequoia Source31: macros.rpmsign-gnupg Requires: coreutils @@ -138,7 +137,7 @@ rpm-4.9.90-no-man-dirs.patch rpm-4.18.92-disable-sysusers.patch rpm-4.18.90-weak-user-group.patch -# We supply gpg/sq config separately, remove gpg stuff from main macros +# We supply gpg config separately, remove gpg stuff from main macros rpm-4.19.1.1-nogpg.patch # Patches already upstream: @@ -184,7 +183,7 @@ This package contains the RPM shared libraries for building packages. %package sign-libs Summary: Libraries for signing RPM packages Requires: rpm-libs%{_isa} = %{version}-%{release} -Requires(meta): (rpm-sign-gnupg or rpm-sign-sequoia) +Requires(meta): rpm-sign-gnupg %description sign-libs This package contains the RPM shared libraries for signing packages. 
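Review bot: The new `Requires(meta): rpm-sign-gnupg` in `%package sign-libs` leaves no clean upgrade path for a host that already has `rpm-sign-sequoia` installed from an earlier release. That package declared `Conflicts: rpm-sign-gnupg`, so the depsolver would have to erase it, and nothing in the new spec tells it to. If release -4 or -5 was ever installable outside CI (not visible from this page), consider adding `Obsoletes: rpm-sign-sequoia < %{version}-%{release}` to the `sign-gnupg` stanza, which sits in the following hunk. This also keeps the dropped `macros.rpmsign-sequoia`, which redefines `%__gpg` and `%__gpg_sign_cmd`, from lingering in `macros.d` and steering package signing to `sq` on such a host.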
@@ -193,20 +192,10 @@ This package contains the RPM shared libraries for signing packages. Summary: Support for signing RPM packages using GnuPG Requires: gnupg2 Requires(meta): rpm-sign-libs%{_isa} >= %{version}-%{release} -Conflicts: rpm-sign-sequoia %description sign-gnupg This package provides configuration for signing RPM packages using GnuPG. -%package sign-sequoia -Summary: Support for signing RPM packages using Sequoia -Requires: sequoia-sq -Requires(meta): rpm-sign-libs%{_isa} >= %{version}-%{release} -Conflicts: rpm-sign-gnupg - -%description sign-sequoia -This package provides configuration for signing RPM packages using Sequoia. - %package devel Summary: Development files for manipulating RPM packages License: GPL-2.0-or-later OR LGPL-2.1-or-later @@ -451,8 +440,8 @@ rm -rf $RPM_BUILD_ROOT/var/tmp # workaround for https://github.com/rpm-software-management/rpm/issues/2811 rm $RPM_BUILD_ROOT/%{_defaultdocdir}/rpm/README.md -# Signing macros for Sequoia and GnuPG -install -m 644 %{SOURCE30} %{SOURCE31} $RPM_BUILD_ROOT/%{rpmhome}/macros.d +# Signing macros for GnuPG +install -m 644 %{SOURCE31} $RPM_BUILD_ROOT/%{rpmhome}/macros.d %pre # Symlink all rpmdb files to the new location if we're still using /var/lib/rpm @@ -591,9 +580,6 @@ fi %{_libdir}/librpmsign.so.%{sover} %{_libdir}/librpmsign.so.%{sover}.* -%files sign-sequoia -%{rpmhome}/macros.d/macros.rpmsign-sequoia - %files sign-gnupg %{rpmhome}/macros.d/macros.rpmsign-gnupg @@ -653,6 +639,9 @@ fi %doc %{_defaultdocdir}/rpm/API/ %changelog +* Fri Oct 25 2024 Michal Domonkos - 4.19.1.1-6 +- Revert Sequoia signing support for now, breaks CI + * Fri Oct 25 2024 Michal Domonkos - 4.19.1.1-5 - Fix Conflicts in new rpm-sign backends