From 0875c3491f8823d93bc8b7292b87335cfb8626fa Mon Sep 17 00:00:00 2001
From: Tomas Hozza
Date: Tue, 16 Aug 2022 14:05:26 +0200
Subject: [PATCH] distro/rhel9: disable GPG check for Google repos in `gce*` images
Having the GPG check enabled for Google repos in `gce*` images will make DNF try to import the relevant keys when upgrading, downgrading or installing any packages from the repo. However due to Google still using SHA-1 for GPG keys used to sign their RPMs, importing it will make any transaction that includes such RPM to fail. Disabling the GPG check will ensure that DNF won't attempt to import Google GPG keys. Related to https://issuetracker.google.com/issues/223626963
---
 internal/distro/rhel9/distro.go | 12 +++++++-----
 test/data/manifests/centos_9-x86_64-gce-boot.json | 2 +-
 test/data/manifests/rhel_90-x86_64-gce-boot.json | 2 +-
 .../data/manifests/rhel_90-x86_64-gce_rhui-boot.json | 2 +-
 test/data/manifests/rhel_91-x86_64-gce-boot.json | 2 +-
 .../data/manifests/rhel_91-x86_64-gce_rhui-boot.json | 2 +-
 6 files changed, 12 insertions(+), 10 deletions(-)
diff --git a/internal/distro/rhel9/distro.go b/internal/distro/rhel9/distro.go
index 72deb521e..ba5d1b2c9 100644
--- a/internal/distro/rhel9/distro.go
+++ b/internal/distro/rhel9/distro.go
@@ -1604,11 +1604,13 @@ func newDistro(distroName string) distro.Distro {
 Filename: "google-cloud.repo",
 Repos: []osbuild.YumRepository{
 {
- Id: "google-compute-engine",
- Name: "Google Compute Engine",
- BaseURL: []string{"https://packages.cloud.google.com/yum/repos/google-compute-engine-el9-x86_64-stable"},
- Enabled: common.BoolToPtr(true),
- GPGCheck: common.BoolToPtr(true),
+ Id: "google-compute-engine",
+ Name: "Google Compute Engine",
+ BaseURL: []string{"https://packages.cloud.google.com/yum/repos/google-compute-engine-el9-x86_64-stable"},
+ Enabled: common.BoolToPtr(true),
+ // TODO: enable GPG check once Google stops using SHA-1 in their keys
+ // https://issuetracker.google.com/issues/223626963
+ GPGCheck: common.BoolToPtr(false),
 RepoGPGCheck: common.BoolToPtr(false),
 GPGKey: []string{
 "https://packages.cloud.google.com/yum/doc/yum-key.gpg",
diff --git a/test/data/manifests/centos_9-x86_64-gce-boot.json b/test/data/manifests/centos_9-x86_64-gce-boot.json
index 0d3758cda..ff9ec59fe 100644
--- a/test/data/manifests/centos_9-x86_64-gce-boot.json
+++ b/test/data/manifests/centos_9-x86_64-gce-boot.json
@@ -5116,7 +5116,7 @@
 "https://packages.cloud.google.com/yum/doc/rpm-package-key.gpg"
 ],
 "name": "Google Compute Engine",
- "gpgcheck": true,
+ "gpgcheck": false,
 "repo_gpgcheck": false
 }
 ]
diff --git a/test/data/manifests/rhel_90-x86_64-gce-boot.json b/test/data/manifests/rhel_90-x86_64-gce-boot.json
index 2c9d04fe2..c119af364 100644
--- a/test/data/manifests/rhel_90-x86_64-gce-boot.json
+++ b/test/data/manifests/rhel_90-x86_64-gce-boot.json
@@ -2148,7 +2148,7 @@
 "https://packages.cloud.google.com/yum/doc/rpm-package-key.gpg"
 ],
 "name": "Google Compute Engine",
- "gpgcheck": true,
+ "gpgcheck": false,
 "repo_gpgcheck": false
 }
 ]
diff --git a/test/data/manifests/rhel_90-x86_64-gce_rhui-boot.json b/test/data/manifests/rhel_90-x86_64-gce_rhui-boot.json
index 6cb2e375a..76b6be3e0 100644
--- a/test/data/manifests/rhel_90-x86_64-gce_rhui-boot.json
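Review bot: With `GPGCheck` now `common.BoolToPtr(false)` next to the unchanged `RepoGPGCheck: common.BoolToPtr(false)`, nothing in this repo definition verifies signatures any more, and the TODO comment does not say so. Because the entry is written to `google-cloud.repo` inside the image, the setting presumably applies to every later package transaction on deployed instances as well, leaving the HTTPS `BaseURL` as the only integrity control. I would extend the comment, e.g. `// SECURITY: package and repo metadata signatures are both unchecked here; integrity relies on the HTTPS BaseURL only.` The `GPGKey` list kept below is probably unused while the check is off, so a short comment saying it is retained for re-enabling would help the next reader. newDistro starts and ends outside this hunk, so any other Google repo entries it defines could not be checked here.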
+++ b/test/data/manifests/rhel_90-x86_64-gce_rhui-boot.json
@@ -2154,7 +2154,7 @@
 "https://packages.cloud.google.com/yum/doc/rpm-package-key.gpg"
 ],
 "name": "Google Compute Engine",
- "gpgcheck": true,
+ "gpgcheck": false,
 "repo_gpgcheck": false
 }
 ]
diff --git a/test/data/manifests/rhel_91-x86_64-gce-boot.json b/test/data/manifests/rhel_91-x86_64-gce-boot.json
index a92b63c23..9da731311 100644
--- a/test/data/manifests/rhel_91-x86_64-gce-boot.json
+++ b/test/data/manifests/rhel_91-x86_64-gce-boot.json
@@ -5310,7 +5310,7 @@
 "https://packages.cloud.google.com/yum/doc/rpm-package-key.gpg"
 ],
 "name": "Google Compute Engine",
- "gpgcheck": true,
+ "gpgcheck": false,
 "repo_gpgcheck": false
 }
 ]
diff --git a/test/data/manifests/rhel_91-x86_64-gce_rhui-boot.json b/test/data/manifests/rhel_91-x86_64-gce_rhui-boot.json
index 1b8f0239e..ab1509d92 100644
--- a/test/data/manifests/rhel_91-x86_64-gce_rhui-boot.json
+++ b/test/data/manifests/rhel_91-x86_64-gce_rhui-boot.json
@@ -5316,7 +5316,7 @@
 "https://packages.cloud.google.com/yum/doc/rpm-package-key.gpg"
 ],
 "name": "Google Compute Engine",
- "gpgcheck": true,
+ "gpgcheck": false,
 "repo_gpgcheck": false
 }
 ]