
feat: GPG update script to auto fetch new keys and emergency force update #9997

Open
GildedRoach wants to merge 9 commits into frawhide from gil/feat/gpg-update-script

Conversation

@GildedRoach
Member

"WTF is this?" you may rightfully ask.

The answer:

  • Update script that fetches new GPG keys only if manual ones do not exist for a given repo (for server ping, CI time, and security reasons).
  • Changed to rpm.version() function (though it's very hacky) to handle rpm.release() better for key changes.
  • Emergency "oh shit" button workflow in the event our keys are ever compromised that should force overwrite them. IT IS STILL PREFERABLE TO MANUALLY DO THIS but this is an emergency "oh God no one is at their computer" workflow.

All of this is automagic as long as we update other workflows.
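As an added example (not the PR's script, and not Terra's or Andaman's own code), here is the "fetch only if no manual key exists" rule and the FORCE=1 emergency overwrite path written as a small POSIX sh script. The key directory, the `<name>.asc` naming, the `name url` manifest format and the `fetch_cmd` hook are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not the PR's own script: fetch a repository's GPG public key
# only when no manually maintained key file exists for it, with an emergency
# FORCE=1 mode that overwrites every key. KEYDIR, the <name>.asc naming scheme,
# the manifest format and the fetch_cmd hook are assumptions for this example.
set -eu

KEYDIR="${KEYDIR:-./gpg-keys}"

# fetch_cmd URL: writes the key material to stdout. Kept as a separate hook so
# the rest of the script can be exercised without network access.
fetch_cmd() {
    curl -fsSL --max-time 30 "$1"
}

# looks_like_pubkey FILE: cheap sanity check that what came back is an
# ASCII-armored public key block and not an HTML error page or an empty body.
# A real deployment should also compare the fingerprint against a pinned value;
# this only guards against replacing a good key with garbage.
looks_like_pubkey() {
    grep -q -- '-----BEGIN PGP PUBLIC KEY BLOCK-----' "$1" &&
    grep -q -- '-----END PGP PUBLIC KEY BLOCK-----' "$1"
}

# update_key NAME URL
#   returns 0 when a key was written, 2 when an existing key was kept
#   (manual key present and FORCE != 1), 1 on a bad name or fetch/validation failure.
update_key() {
    name="$1"; url="$2"
    # The manifest decides the file name, so refuse anything that could
    # escape KEYDIR (empty, dot-prefixed, or containing a path separator).
    case "$name" in ''|.*|*/*)
        echo "error: refusing key name '$name'" >&2
        return 1 ;;
    esac
    dest="$KEYDIR/$name.asc"
    mkdir -p "$KEYDIR"
    if [ -e "$dest" ] && [ "${FORCE:-0}" != "1" ]; then
        echo "keep: $dest already exists (manual key wins)" >&2
        return 2
    fi
    tmp="$(mktemp "$KEYDIR/.$name.XXXXXX")"
    if ! fetch_cmd "$url" > "$tmp"; then
        rm -f "$tmp"
        echo "error: fetch failed for $name ($url)" >&2
        return 1
    fi
    if ! looks_like_pubkey "$tmp"; then
        rm -f "$tmp"
        echo "error: $url did not return a PGP public key block" >&2
        return 1
    fi
    # Atomic replace: the old key stays intact until the new one is fully written.
    mv -f "$tmp" "$dest"
    echo "wrote: $dest" >&2
    return 0
}

# update_all MANIFEST: manifest lines are "<name> <url>"; '#' starts a comment.
# Returns non-zero if any key failed but keeps going, so one dead mirror does
# not block the remaining keys from being fetched.
update_all() {
    failed=0
    while read -r name url _; do
        case "$name" in ''|'#'*) continue ;; esac
        update_key "$name" "$url" || { [ $? -eq 2 ] || failed=1; }
    done < "$1"
    return $failed
}

# Usage: ./gpg-fetch.sh keys.txt          (normal: only missing keys are fetched)
#        FORCE=1 ./gpg-fetch.sh keys.txt  (emergency: overwrite every key)
if [ "$#" -gt 0 ]; then
    update_all "$1"
fi
```

The normal run never touches a key that is already present, which is what keeps a hand-vetted key from being silently replaced by whatever a mirror serves today; the overwrite path only exists behind an explicit FORCE=1 so the emergency workflow cannot fire by accident. Before a forced overwrite actually lands in production you would want a fingerprint comparison (for example with `gpg --show-keys --with-colons`) rather than the armor-header check shown here.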

Contributor

@hamachitan hamachitan bot left a comment

🍣 The Packager: name <mail@example.com> preamble is missing in anda/terra/gpg-keys/terra-gpg-keys.spec. This is required in our policies.

@GildedRoach GildedRoach requested a review from lleyton February 20, 2026 14:20

I am bad at YAML.

Signed-off-by: Gilver <roachy@fyralabs.com>
@madonuko
Member

why not put all the curling into pre.rhai?

@GildedRoach
Member Author

GildedRoach commented Feb 22, 2026

why not put all the curling into pre.rhai?

Because 5,000 sh()s basically and I wasn't sure if I'd need to escape anything with how I checked if the files existed.

I didn't use get() because Rhai conditionals are way more massive than what I used.

@GildedRoach
Member Author

GildedRoach commented Feb 22, 2026

Actually, correction, zero way to bump the release on the spec if a new key was added this way. I misread this as update.rhai at first.

@madonuko
Member

well this is the kind of package you want to build in bootstrap.yml, so not relying on the update.rhai logic should be better

@GildedRoach
Member Author

well this is the kind of package you want to build in bootstrap.yml, so not relying on the update.rhai logic should be better

I'm confused? This is just to fetch key files which don't already exist (to avoid the issue we just had where no one had added the 44 keys), it can still be built in bootstrap.yml and I also planned to add it to that.
