Fix GPG keyring location for systemd-sysupdate #155
Merged
systemd-sysupdate only checks global keyrings for signature verification:

- /usr/lib/systemd/import-pubring.gpg (system)
- /etc/systemd/import-pubring.gpg (admin)

The previous location (/etc/sysupdate.alloy.d/alloy.gpg) was not used by systemd-sysupdate. This change moves the key to the correct location so SHA256SUMS.gpg signature verification works.

Implements: GHO-59
Instead of statically placing the GPG key at /etc/systemd/import-pubring.gpg (which would override the system keyring), implement a dynamic merge approach:

- Store Alloy signing key at /etc/systemd/alloy-sysext.gpg.pub
- Add merge script at /usr/local/bin/sysupdate-merge-keyring.sh that:
  - Checks for .pgp (newer systemd) before .gpg (legacy)
  - Copies system keyring from /usr/lib/systemd/ to /etc/systemd/
  - Imports Alloy key using gpg to merge keyrings
  - Cleans up temporary GPG home directory
- Add sysupdate-import-pubring.service that runs before systemd-sysupdate

This ensures the Alloy signing key is always appended to whatever keys come with the base image (e.g., Fedora/Ubuntu legacy keys), even if the base image is updated with different keys.
Summary

- /etc/systemd/alloy-sysext.gpg.pub

Context

systemd-sysupdate checks global keyrings for GPG signature verification:

- /usr/lib/systemd/import-pubring.gpg (system - read-only)
- /etc/systemd/import-pubring.gpg (admin override)

The /etc/systemd/ path overrides (not merges with) /usr/lib/systemd/. The base image already has keys in /usr/lib/systemd/import-pubring.gpg (Fedora/Ubuntu legacy keys). Simply placing our key at /etc/systemd/import-pubring.gpg would lose those system keys.

Implementation

- Alloy signing key stored at /etc/systemd/alloy-sysext.gpg.pub
- Merge script (/usr/local/bin/sysupdate-merge-keyring.sh):
  - Checks .pgp first (newer systemd), falls back to .gpg (legacy)
  - Copies system keyring from /usr/lib/systemd/ to /etc/systemd/
  - Uses gpg to import both keyrings and export merged result
  - Cleans up temporary GPG home directory (trap ... EXIT)
- Service (sysupdate-import-pubring.service):
  - Runs before systemd-sysupdate.service

This ensures Alloy signing key is always appended to whatever keys come with the base image, even if the base image is updated with different keys.

Test plan

- sysupdate-import-pubring.service runs successfully
- /etc/systemd/import-pubring.gpg contains both system and Alloy keys
- systemd-sysupdate -C alloy list shows available versions

Related
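The merge procedure described in this PR (prefer the .pgp name, fall back to .gpg, import the base image keyring plus the vendor key into a throwaway GPG home, export the merged binary keyring, clean up via trap), written out as an added example. This is not the project's sysupdate-merge-keyring.sh; it is illustrative code whose directory and key paths are parameters (an assumption made so it can be exercised against scratch directories rather than the real /usr/lib/systemd and /etc/systemd). The make_test_key helper only produces constructed fixture keys for trying the merge out.

```shell
#!/bin/sh
# Added example, not the project's sysupdate-merge-keyring.sh: merge the base
# image's systemd-sysupdate keyring with one extra vendor key, following the
# steps the PR describes. Directories and key paths are parameters (an
# assumption made so the logic can run against throwaway directories rather
# than the real /usr/lib/systemd and /etc/systemd).
set -eu

# keyring_name SYSTEM_DIR: the file name systemd-sysupdate will read. Newer
# systemd looks for import-pubring.pgp, older releases for import-pubring.gpg;
# when the base image ships neither, fall back to the legacy name.
keyring_name() {
    if [ -f "$1/import-pubring.pgp" ]; then
        echo import-pubring.pgp
    else
        echo import-pubring.gpg
    fi
}

# merge_keyring SYSTEM_DIR ADMIN_DIR EXTRA_KEY
# Writes ADMIN_DIR/<name> holding every key from SYSTEM_DIR/<name> plus
# EXTRA_KEY (binary or ASCII-armored; gpg autodetects). Needed because the
# /etc copy replaces the /usr/lib copy instead of extending it. Prints the
# path of the merged keyring.
merge_keyring() {
    sysdir=$1 admdir=$2 extra=$3
    name=$(keyring_name "$sysdir")

    # Throwaway GNUPGHOME so root's real keyring is never touched; the trap
    # removes it even if gpg fails part-way through.
    tmp=$(mktemp -d)
    trap 'rm -rf "$tmp"' EXIT

    if [ -f "$sysdir/$name" ]; then
        gpg --homedir "$tmp" --batch --quiet --import "$sysdir/$name"
    fi
    gpg --homedir "$tmp" --batch --quiet --import "$extra"

    # gpg --export emits a binary keyring, the format systemd hands to gpg.
    # Write to a temp name and rename so an interrupted run can never leave a
    # truncated keyring in place (which would make every verification fail).
    mkdir -p "$admdir"
    gpg --homedir "$tmp" --batch --quiet --export > "$admdir/$name.tmp"
    chmod 0644 "$admdir/$name.tmp"
    mv -f "$admdir/$name.tmp" "$admdir/$name"

    rm -rf "$tmp"
    trap - EXIT
    echo "$admdir/$name"
}

# count_keys KEYRING: number of primary public keys in a keyring file, read
# through a fresh GNUPGHOME so it works for both binary and armored input.
count_keys() {
    tmp=$(mktemp -d)
    gpg --homedir "$tmp" --batch --quiet --import "$1" 2>/dev/null
    n=$(gpg --homedir "$tmp" --batch --with-colons --list-keys | grep -c '^pub:' || true)
    rm -rf "$tmp"
    echo "$n"
}

# make_test_key DIR NAME: generate a throwaway ed25519 key (a constructed test
# fixture, not anyone's real signing key) and export its public part, armored,
# to DIR/NAME.pub. Prints that path.
make_test_key() {
    home=$(mktemp -d)
    gpg --homedir "$home" --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-gen-key "$2 <$2@example.invalid>" ed25519 sign never
    gpg --homedir "$home" --batch --quiet --armor --export > "$1/$2.pub"
    gpgconf --homedir "$home" --kill gpg-agent 2>/dev/null || true
    rm -rf "$home"
    echo "$1/$2.pub"
}

# On a real host (as root), after installing the vendor key:
#   merge_keyring /usr/lib/systemd /etc/systemd /etc/systemd/alloy-sysext.gpg.pub
```

Two points a practitioner would check when wiring this into a unit. First, because /etc/systemd/import-pubring.* is the admin override, whatever the merge writes there is the complete trust set for sysupdate on that host: it must be root-owned and not group- or world-writable, and the merge has to run before every path that invokes systemd-sysupdate (the service, its timer, and a manual run), otherwise a stale or missing /etc copy silently changes which keys verify SHA256SUMS.gpg. Second, the export must stay binary; an ASCII-armored file at that path is not a usable keyring for the gpg invocation systemd performs.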