From fbf8836c880a7e4f806f09d89a67a4c75f1e0585 Mon Sep 17 00:00:00 2001
From: Ewoud Kohl van Wijngaarden
Date: Thu, 15 Aug 2024 16:52:13 +0200
Subject: [PATCH] Include GPG keys in katello-repos and check for non-nightly

Including the GPG keys is better because it gives a higher degree of trust because the RPM is GPG signed. It also helps because dnf doesn't refresh HTTPS URLs and purging old entries is tedious. While the repos aren't typically installed that long, I've had it happen to me with one of my personal COPR repositories. The downside is that after branching you need to update the GPG key in the repository. It also makes GPG key checking correct by looking at the correct values. This allows enabling GPG for candlepin (which is using a signed release) while not enabling it for Pulp or Katello (which are nightly).
---
 .../katello/katello-repos/katello-repos.spec | 23 ++++++++++++++++++-
 packages/katello/katello-repos/katello.repo | 12 +++++-----
 packages/katello/katello-repos/pulpcore.gpg | 0
 3 files changed, 28 insertions(+), 7 deletions(-)
 create mode 100644 packages/katello/katello-repos/pulpcore.gpg

diff --git a/packages/katello/katello-repos/katello-repos.spec b/packages/katello/katello-repos/katello-repos.spec
index 1f475af2f8..869a85abef 100644
--- a/packages/katello/katello-repos/katello-repos.spec
+++ b/packages/katello/katello-repos/katello-repos.spec
@@ -6,7 +6,7 @@
 %global prereleasesource nightly
 %global prerelease %{?prereleasesource:.}%{?prereleasesource}
-%global release 2
+%global release 3
 Name: katello-repos
 Version: 4.14
@@ -18,6 +18,7 @@ License: GPLv2
 URL: https://theforeman.org/plugins/katello/
 Source0: katello.repo
 Source1: candlepin.gpg
+Source2: pulpcore.gpg
 BuildArch: noarch
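Review bot: The file added as `Source2: pulpcore.gpg` is empty in this patch — the diffstat reports `pulpcore.gpg | 0` and the new-file header's blob id `e69de29bb2` is git's hash of the empty blob — so the installed RPM-GPG-KEY-pulpcore (the `install -Dpm0644 %{SOURCE2}` line in the next hunk and the `gpgkey=file://` lines in katello.repo) carries no key material. For a nightly pulpcore this goes unnoticed because the new logic sets gpgcheck=0, but once `%{pulpcore_version}` is a release, gpgcheck=1 points dnf at a key file it cannot import anything from, so packages from [pulpcore] would become uninstallable rather than verified. The patch should ship the actual pulpcore public key, and a build-time guard in %install such as `test -s %{SOURCE2}` would catch an empty or missing key before the RPM is built.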
@@ -41,6 +42,7 @@ install -d -m 0755 %{buildroot}%{_sysconfdir}/pki/rpm-gpg/
 install -m 644 %{SOURCE0} %{buildroot}%{repo_dir}/
 install -Dpm0644 %{SOURCE1} %{buildroot}%{_sysconfdir}/pki/rpm-gpg/RPM-GPG-KEY-candlepin
+install -Dpm0644 %{SOURCE2} %{buildroot}%{_sysconfdir}/pki/rpm-gpg/RPM-GPG-KEY-pulpcore
 if [[ '%{release}' == *"nightly"* ]];then
 REPO_VERSION='nightly'
@@ -53,6 +55,18 @@ else
 REPO_GPGCHECK=1
 fi
+if [[ '%{pulpcore_version}' == nightly ]] ; then
+ PULPCORE_REPO_GPGCHECK=0
+else
+ PULPCORE_REPO_GPGCHECK=1
+fi
+
+if [[ '%{candlepin_version}' == nightly ]] ; then
+ CANDLEPIN_REPO_GPGCHECK=0
+else
+ CANDLEPIN_REPO_GPGCHECK=1
+fi
+
 for repofile in %{buildroot}%{repo_dir}/*.repo; do
 trimmed_dist=`echo %{repo_dist} | sed 's/^\.//'`
 sed -i "s/@DIST@/${trimmed_dist}/" $repofile
@@ -61,7 +75,9 @@ for repofile in %{buildroot}%{repo_dir}/*.repo; do
 sed -i "s/@REPO_NAME@/${REPO_NAME}/" $repofile
 sed -i "s/@REPO_GPGCHECK@/${REPO_GPGCHECK}/" $repofile
 sed -i "s/@PULPCORE_VERSION@/%pulpcore_version/" $repofile
+ sed -i "s/@PULPCORE_REPO_GPGCHECK@/${PULPCORE_REPO_GPGCHECK}/" $repofile
 sed -i "s/@CANDLEPIN_VERSION@/%candlepin_version/" $repofile
+ sed -i "s/@CANDLEPIN_REPO_GPGCHECK@/${CANDLEPIN_REPO_GPGCHECK}/" $repofile
 done
 %clean
@@ -71,8 +87,13 @@ rm -rf %{buildroot}
 %defattr(-, root, root)
 %config %{repo_dir}/*.repo
 %{_sysconfdir}/pki/rpm-gpg/RPM-GPG-KEY-candlepin
+%{_sysconfdir}/pki/rpm-gpg/RPM-GPG-KEY-pulpcore
 %changelog
+* Thu Aug 15 2024 Ewoud Kohl van Wijngaarden - 4.14-0.3.nightly
+- Include all GPG keys in the repo file itself
+- Consistently enable GPG checking only on non-nightly
+
 * Mon Jun 03 2024 Evgeni Golov - 4.14-0.2.nightly
 - Update Candlepin 4.4 key
diff --git a/packages/katello/katello-repos/katello.repo b/packages/katello/katello-repos/katello.repo
index ae7787235e..0747025974 100644
--- a/packages/katello/katello-repos/katello.repo
+++ b/packages/katello/katello-repos/katello.repo
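Review bot: The two new if/else blocks for `PULPCORE_REPO_GPGCHECK` and `CANDLEPIN_REPO_GPGCHECK` in the `@@ -53,6 +55,18 @@` hunk give no hint why a version equal to `nightly` turns signature verification off, which a later maintainer needs before changing the default; a comment above them such as `# nightly builds are unsigned (see commit message): only enable package signature checks for released versions` would record that. Worth stating in the same comment: gpgcheck=0 means dnf performs no signature check on those packages at all, so nightly installs rely solely on TLS to yum.theforeman.org for integrity. The blocks also repeat the same five lines per component; a small shell function in the scriptlet that echoes 0 or 1 for a version string would keep these two checks and the existing REPO_GPGCHECK one (whose `if` begins above this hunk) in one place.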
@@ -15,14 +15,14 @@ name=Candlepin: an open source entitlement management system.
 baseurl=https://yum.theforeman.org/candlepin/@CANDLEPIN_VERSION@/@DIST@/$basearch/
 gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-candlepin
 enabled=1
-gpgcheck=@REPO_GPGCHECK@
+gpgcheck=@CANDLEPIN_REPO_GPGCHECK@
 [pulpcore]
 name=pulpcore: Fetch, Upload, Organize, and Distribute Software Packages.
 baseurl=https://yum.theforeman.org/pulpcore/@PULPCORE_VERSION@/@DIST@/$basearch/
-gpgkey=https://yum.theforeman.org/pulpcore/@PULPCORE_VERSION@/GPG-RPM-KEY-pulpcore
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-pulpcore
 enabled=1
-gpgcheck=@REPO_GPGCHECK@
+gpgcheck=@PULPCORE_REPO_GPGCHECK@
 # source repositories
@@ -38,11 +38,11 @@ name=Katello Candlepin source
 baseurl=https://yum.theforeman.org/candlepin/@REPO_VERSION@/@DIST@/source/
 gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-candlepin
 enabled=0
-gpgcheck=@REPO_GPGCHECK@
+gpgcheck=@CANDLEPIN_REPO_GPGCHECK@
 [pulpcore-source]
 name=pulpcore source
 baseurl=https://yum.theforeman.org/pulpcore/@PULPCORE_VERSION@/@DIST@/source/
-gpgkey=https://yum.theforeman.org/pulpcore/@PULPCORE_VERSION@/GPG-RPM-KEY-pulpcore
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-pulpcore
 enabled=0
-gpgcheck=@REPO_GPGCHECK@
+gpgcheck=@PULPCORE_REPO_GPGCHECK@
diff --git a/packages/katello/katello-repos/pulpcore.gpg b/packages/katello/katello-repos/pulpcore.gpg
new file mode 100644
index 0000000000..e69de29bb2
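Review bot: In the `@@ -38,11 +38,11 @@` hunk, `[candlepin-source]` now gets `gpgcheck=@CANDLEPIN_REPO_GPGCHECK@` while its `baseurl` still uses `@REPO_VERSION@`, unlike the binary `[candlepin]` section, which uses `@CANDLEPIN_VERSION@`; the check flag is thus derived from the candlepin version but the repository path from the katello release, so a nightly katello with a released candlepin would enable gpgcheck=1 against the candlepin nightly source path. That baseurl line is unchanged context here, but pairing the flag with the matching version is the point of this commit, so `baseurl=https://yum.theforeman.org/candlepin/@CANDLEPIN_VERSION@/@DIST@/source/` probably belongs in the same change unless the candlepin source tree is intentionally published under the katello version. Switching `gpgkey` from the per-version URL to the shipped file also means the pulpcore key no longer tracks @PULPCORE_VERSION@; a comment in the repo file such as `# RPM-GPG-KEY-pulpcore is shipped by katello-repos and must be refreshed when @PULPCORE_VERSION@ changes` would make that maintenance step visible.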