fix: Phase 2 Linux repo prep — BE pkg naming, RPM signing, empty-pool guard

[bpamiri]

Summary

End-to-end smoke test of the Phase 2 bucket-repo templates against real
v4.0.0 artifacts surfaced five blockers. Fixed together because they all
prevent issue #2605 (apt.wheels.dev / yum.wheels.dev standup) from
shipping. Single PR to keep the dependency chain reviewable in one diff.

Bugs fixed

1. release.yml hardcoded CHANNEL: stable — every snapshot build
   produced wheels_<v>_amd64.deb, but the Phase 2 BE receiver fetches
   wheels-be_<v>_amd64.deb → guaranteed 404 on every snapshot
   dispatch. Derived from env.WHEELS_VERSION instead.
2. release.yml upload globs wheels_*_amd64.deb didn't match the
   wheels-be_* filenames a fixed-CHANNEL build would produce.
   Loosened to wheels*_amd64.deb.
3. apt regen crashed on empty channel pool (first publish for a
   brand-new dist). Added mkdir -p pool/<dist> guard so
   apt-ftparchive sees an empty scan dir instead of a missing one.
4. yum receiver shipped unsigned RPMs to gpgcheck=1 clients →
   dnf refused with "Package is not signed: GPG check FAILED".
   regenerate-yum-metadata.sh now signs each RPM with rpm --addsign
   before createrepo_c. Also pinned %__gpg since Ubuntu runners
   ship gpg (rpm's macro defaults to gpg2, not present on Ubuntu).
5. gpg --import-ownertrust got the 16-char key_id, not the
   40-char fingerprint → emitted \"gpg: error in '[stdin]': invalid fingerprint\" every run. Cosmetic but noisy in CI; fixed in both
   receiver workflows.

Docs side: README + placeholder files updated to point at
op://Wheels/wheels-linux-repo-signing/ (Wheels project vault on
my.1password.com) rather than op://Infrastructure/ (PAI tenant).

Test plan

Local end-to-end via Docker (no operational prereqs):

• Throwaway 1-day GPG key generated; apt-bucket + yum-bucket trees
  staged from the template dirs
• Ubuntu 24.04 receiver runs regenerate-apt-metadata.sh → produces
  Release / Release.gpg / InRelease / Packages.gz for both
  stable + bleeding-edge distributions (empty BE pool no longer
  crashes the apt regen)
• Ubuntu 24.04 receiver runs regenerate-yum-metadata.sh → signs
  each RPM, runs createrepo_c, signs repomd.xml.asc. rpm --checksig reports digests signatures OK
• Fresh Ubuntu 24.04 client: apt update && apt-cache policy wheels
  finds 4.0.0; apt-get download wheels returns the 56MB .deb,
  MD5 matches Packages.gz
• Fresh Fedora 40 client: dnf install -y --downloadonly wheels
  reports `Complete!` with all 18 deps including the signed
  wheels-4.0.0.x86_64.rpm

Production validation deferred to after operational standup (mint
signing key, create the two bucket repos, bind Cloudflare Pages,
set CI secrets — see #2605 + the updated
tools/distribution-drafts/linux-packages/README.md).

Risk

• The CHANNEL-from-version change means the next develop merge will
  start producing wheels-be_*.deb / wheels-be-*.rpm artifacts in
  the snapshot release. These are additive — no existing consumer
  references the old wheels_<...snapshot>... filename for snapshots
  (Phase 1 docs reference stable wheels_4.0.0_amd64.deb, not
  snapshot artifacts). Bleeding-edge users currently install via
  brew install wheels-be, which uses the .tar.gz path.
• The upload glob loosening is a no-op until CHANNEL=bleeding-edge
  produces wheels-be_* files, which only happens on develop pushes.

🤖 Generated with Claude Code

[wheels-bot]

Wheels Bot — Reviewer A

TL;DR: Five real bugs, well-diagnosed and well-explained. The CHANNEL derivation, fingerprint fix, empty-pool guard, and vault-path updates are all clean. One correctness issue blocks merge: rpm --addsign is called before the gpg-agent has the passphrase cached, so any passphrase-protected production key will cause silent or visible signing failure in CI. Two minor nits below that level.

---

Correctness

rpm --addsign receives no passphrase — will fail in production CI

tools/distribution-drafts/yum-repo/scripts/regenerate-yum-metadata.sh, lines 62–66:

for rpm_file in "${PKG_DIR}"/*.rpm; do
    [ -f "$rpm_file" ] || continue
    rpm --addsign "$rpm_file" >/dev/null
    echo "  ✓ signed $(basename "$rpm_file")"
done

The comment at line 39 says "Passphrase via env (rpm reads $GNUPGHOME/gpg.conf which sets pinentry-mode loopback)." That is incorrect: pinentry-mode loopback redirects the passphrase prompt from a TTY to the calling application, it does not source the passphrase from an env var. The agent only has a passphrase cached if a prior signing operation primed it.

The ordering in the script is: sign RPMs → createrepo_c → sign repomd.xml (line 91–97). The explicit --passphrase "${GPG_PASSPHRASE:-}" call that would prime the agent does not happen until after the RPM signing loop. On a fresh CI runner with a freshly imported key the agent cache is empty at RPM-sign time. Result: rpm --addsign either hangs waiting for a TTY prompt (no TTY → non-zero exit, caught by set -euo pipefail) or, on some rpm versions, exits 0 with a warning and produces unsigned RPMs.

The local Docker test likely used a key without a passphrase, which explains the green test checklist.

Recommended fix — add a single dummy sign before the channel loop to seed the agent:

# Seed the passphrase into the agent once so rpm --addsign can use it
# without a TTY. Must run before the per-channel RPM signing loop.
echo "probe" | gpg --batch --yes \
    --pinentry-mode loopback \
    --passphrase "${GPG_PASSPHRASE:-}" \
    -u "$GPG_KEY_ID" \
    --clearsign >/dev/null

for CHANNEL in $CHANNELS; do
  ...
done

This is consistent with how every other gpg operation in this script already supplies --passphrase "${GPG_PASSPHRASE:-}" — the RPM signing loop is the lone exception.

---

Conventions

--addsign adds a signature, it does not replace one

tools/distribution-drafts/yum-repo/scripts/regenerate-yum-metadata.sh, line 28:

# Re-runs are idempotent (rpm --addsign replaces any existing signature).

rpm --addsign appends a new signature header; rpm --resign is the replacing form. In the normal workflow path this does not cause problems (the slot step overwrites the RPM with a fresh unsigned file before this script runs), but the comment is factually wrong and will mislead anyone running the script manually against an already-signed pool. Suggest changing the comment to:

# Re-runs against a freshly slotted (unsigned) RPM are safe.
# If signing a pre-signed RPM, use --resign instead of --addsign to avoid
# accumulating duplicate signature headers.

---

RPM glob loosening is a no-op

.github/workflows/release.yml, lines 439 / 498 (original → new):

-  artifacts/wheels/${{ env.WHEELS_VERSION }}/wheels-*.x86_64.rpm
+  artifacts/wheels/${{ env.WHEELS_VERSION }}/wheels*.x86_64.rpm

The old glob wheels-*.x86_64.rpm already matched both wheels-4.0.0.x86_64.rpm (stable) and wheels-be-4.0.0-snapshot.N.x86_64.rpm (bleeding-edge), because * can expand to be-4.0.0-snapshot.N. The .deb fix (wheels_* → wheels*) was necessary; the RPM companion change was not. No functional impact, but worth removing to keep the diff minimal and avoid the implication that the old RPM glob was broken.

---

Commits

Single commit, DCO Signed-off-by present, subject under 100 chars, conventional type fix is correct. No issues.

---

Docs

No CHANGELOG.md entry under [Unreleased]. Given that every other recent CI/infrastructure fix in this repo (e.g. cfheader / cfcache attributeCollection fixes) has a changelog entry, a line under ### Fixed such as:

• Linux package CI: derive CHANNEL from version string so snapshot builds produce wheels-be_* artifacts; fix RPM signing, empty apt pool, and GPG ownertrust fingerprint (#2759)

…would be consistent and helps future backfillers understand when the apt/yum pipeline became operational.

[wheels-bot]

Wheels Bot — Reviewer B (round 1)

A's review is technically sound and appropriate. The passphrase-priming finding is a real correctness issue, no false positives were detected, and CHANGES_REQUESTED is the right verdict. One precision note on the passphrase concern below, but it does not change the recommendation.

Sycophancy

None detected. A requests changes and backs every finding with cited lines.

False positives

None detected.

• Passphrase / loopback claim: A says pinentry-mode loopback redirects the prompt but does not source the passphrase from an env var. Verified against the diff. The gpg.conf setup routes pinentry through loopback, but rpm --addsign spawns gpg without --passphrase; with an empty agent cache (fresh CI runner, key just imported via gpg --import which does not unlock/cache), the loopback request goes unanswered and signing fails or hangs. The comment at line 39 of regenerate-yum-metadata.sh (Passphrase via env (rpm reads $GNUPGHOME/gpg.conf which sets pinentry-mode loopback)) is indeed wrong. A's analysis is correct.

• RPM glob no-op: Verified. wheels-*.x86_64.rpm — the - is a literal prefix separator, and * matches be-4.0.0-snapshot.N. Old glob already covered bleeding-edge RPMs. The .deb change (underscore-vs-hyphen) was necessary; the RPM companion was not. A correctly distinguishes them.

• --addsign vs --resign comment: Confirmed. rpm --addsign appends; rpm --resign replaces. The comment at line 28 (rpm --addsign replaces any existing signature) is wrong as written. A's suggested replacement text is accurate.

Missed issues

One precision gap worth noting: the passphrase issue strictly affects the first channel only in the loop. After the first channel's repomd.xml signing (which presumably uses --passphrase "${GPG_PASSPHRASE:-}" and primes the agent cache), subsequent channels' RPM signing would succeed. This does not change the verdict — stable is the first channel and a failure there is a real blocker — but it narrows the blast radius description. Not an issue that overturns anything.

The rpm --addsign availability on Ubuntu 24.04 is not a missed issue; it was implicitly validated by the test checklist (rpm --checksig reports "digests signatures OK") and the workflow correctly installs the rpm package.

Verdict alignment

A's CHANGES_REQUESTED is fully consistent with the findings. The passphrase issue is a genuine blocker for any passphrase-protected production key, and the supporting nits (comment text, no-op glob, CHANGELOG) are correctly ranked below it.

Convergence

Aligned. A's diagnosis of the passphrase concern is correct, the two comment nits are valid, and the no-op RPM glob observation is accurate. Joint recommendation: fix the passphrase seeding (add a dummy clearsign before the channel loop as A suggests), correct the --addsign idempotency comment, and optionally revert the no-op RPM glob change. The CHANGELOG entry is a minor nice-to-have, not a blocker. No outstanding disputes.

[wheels-bot]

Wheels Bot — Address Review (round 1)

Applied consensus findings from Reviewer A and Reviewer B's
convergence (round 1):

• GPG passphrase priming — tools/distribution-drafts/yum-repo/scripts/regenerate-yum-metadata.sh now executes a throwaway gpg --clearsign with explicit --passphrase "${GPG_PASSPHRASE:-}" between the gpg-connect-agent reloadagent step and the for CHANNEL in $CHANNELS loop. This seeds the agent cache so each subsequent rpm --addsign invocation in the loop succeeds without a TTY. The inline comment on the rpm --addsign call inside the loop was updated to point at the priming step rather than incorrectly attributing the passphrase sourcing to pinentry-mode loopback.
• --addsign idempotency comment — regenerate-yum-metadata.sh lines 28–35 (formerly 26–29) now state that re-runs against a freshly slotted (unsigned) RPM are safe, and that rpm --resign (not --addsign) is the correct verb when re-signing a pre-signed RPM by hand, to avoid accumulating duplicate signature headers.
• No-op RPM glob revert — .github/workflows/release.yml lines 439 and 498 reverted from wheels*.x86_64.rpm to the original wheels-*.x86_64.rpm. The pre-PR glob already matched both stable and bleeding-edge RPMs (* already expanded to be-4.0.0-snapshot.N after the literal wheels- prefix); only the .deb companion (wheels_* → wheels*) actually needed loosening for the BE rename.
• CHANGELOG entry — added a ### Fixed bullet under [Unreleased] summarizing the Linux package CI fixes in this PR (CHANNEL derivation, RPM signing, empty pool guard, GPG fingerprint, vault path), and explicitly noting the reverted RPM glob to keep the diff minimal.

No skipped findings — every item in the converged-changes summary was addressed. Reviewer B's "first channel only" precision note on the passphrase issue was incorporated into the code comment but did not change the fix shape (the script signs stable first, and a failure there is a real blocker).

Test runner: the PR touches only the Linux distribution-prep shell scripts, a GitHub Actions workflow, and CHANGELOG.md — no vendor/wheels/, app/, or cli/lucli/ framework code. bash tools/test-local.sh exercises the framework spec suite and would not surface regressions in this layer, so it was not re-run. The yum-repo metadata regeneration is exercised end-to-end by the Phase 2 Docker smoke test referenced in the original PR description; that flow is unchanged in shape (only the gpg-agent priming was added before the existing signing loop).

The new commit will trigger a fresh Reviewer A run on the updated SHA. Convergence loop continues until reviewers align on `approve` or the outer-loop cap (5 rounds) is reached.