distro/rhel9: disable GPG check for Google repos in gce* images

Having the GPG check enabled for Google repos in `gce*` images will make DNF try to import the relevant keys when upgrading, downgrading or installing any packages from the repo. However due to Google still using SHA-1 for GPG keys used to sign their RPMs, importing it will make any transaction that includes such RPM to fail. Disabling the GPG check will ensure that DNF won't attempt to import Google GPG keys. Related to https://issuetracker.google.com/issues/223626963
2022-08-16 14:05:26 +02:00 · 2022-08-16 14:05:26 +02:00 · 0875c3491f
commit 0875c3491f
parent 55e78e195f
6 changed files with 12 additions and 10 deletions
--- a/internal/distro/rhel9/distro.go
+++ b/internal/distro/rhel9/distro.go
@ -1604,11 +1604,13 @@ func newDistro(distroName string) distro.Distro {
 				Filename: "google-cloud.repo",
 				Repos: []osbuild.YumRepository{
 					{
-						Id:           "google-compute-engine",
-						Name:         "Google Compute Engine",
-						BaseURL:      []string{"https://packages.cloud.google.com/yum/repos/google-compute-engine-el9-x86_64-stable"},
-						Enabled:      common.BoolToPtr(true),
-						GPGCheck:     common.BoolToPtr(true),
+						Id:      "google-compute-engine",
+						Name:    "Google Compute Engine",
+						BaseURL: []string{"https://packages.cloud.google.com/yum/repos/google-compute-engine-el9-x86_64-stable"},
+						Enabled: common.BoolToPtr(true),
+						// TODO: enable GPG check once Google stops using SHA-1 in their keys
+						// https://issuetracker.google.com/issues/223626963
+						GPGCheck:     common.BoolToPtr(false),
 						RepoGPGCheck: common.BoolToPtr(false),
 						GPGKey: []string{
 							"https://packages.cloud.google.com/yum/doc/yum-key.gpg",
--- a/test/data/manifests/centos_9-x86_64-gce-boot.json
+++ b/test/data/manifests/centos_9-x86_64-gce-boot.json
@ -5116,7 +5116,7 @@
                    "https://packages.cloud.google.com/yum/doc/rpm-package-key.gpg"
                  ],
                  "name": "Google Compute Engine",
-                  "gpgcheck": true,
+                  "gpgcheck": false,
                  "repo_gpgcheck": false
                }
              ]
--- a/test/data/manifests/rhel_90-x86_64-gce-boot.json
+++ b/test/data/manifests/rhel_90-x86_64-gce-boot.json
@ -2148,7 +2148,7 @@
                    "https://packages.cloud.google.com/yum/doc/rpm-package-key.gpg"
                  ],
                  "name": "Google Compute Engine",
-                  "gpgcheck": true,
+                  "gpgcheck": false,
                  "repo_gpgcheck": false
                }
              ]
--- a/test/data/manifests/rhel_90-x86_64-gce_rhui-boot.json
+++ b/test/data/manifests/rhel_90-x86_64-gce_rhui-boot.json
@ -2154,7 +2154,7 @@
                    "https://packages.cloud.google.com/yum/doc/rpm-package-key.gpg"
                  ],
                  "name": "Google Compute Engine",
-                  "gpgcheck": true,
+                  "gpgcheck": false,
                  "repo_gpgcheck": false
                }
              ]
--- a/test/data/manifests/rhel_91-x86_64-gce-boot.json
+++ b/test/data/manifests/rhel_91-x86_64-gce-boot.json
@ -5310,7 +5310,7 @@
                    "https://packages.cloud.google.com/yum/doc/rpm-package-key.gpg"
                  ],
                  "name": "Google Compute Engine",
-                  "gpgcheck": true,
+                  "gpgcheck": false,
                  "repo_gpgcheck": false
                }
              ]
--- a/test/data/manifests/rhel_91-x86_64-gce_rhui-boot.json
+++ b/test/data/manifests/rhel_91-x86_64-gce_rhui-boot.json
@ -5316,7 +5316,7 @@
                    "https://packages.cloud.google.com/yum/doc/rpm-package-key.gpg"
                  ],
                  "name": "Google Compute Engine",
-                  "gpgcheck": true,
+                  "gpgcheck": false,
                  "repo_gpgcheck": false
                }
              ]