Don't pass GPG keys for GCP repos and don't verify signatures on el9/c9s

Browse source

Google repositories use RSA/SHA1 for signing packages. However the SHA1
has been disabled by default on el9/c9s. Since osbuild-composer imports
GPG keys specified in the repository definition unconditionally, this
creates issues when installing rpms signed with the key by osbuild [1].

Remove GPG keys in all el9/c9s GCP repo definitions and disable GPG
signature verification until [2] is resolved.

[1] https://github.com/osbuild/osbuild/issues/991
[2] https://issuetracker.google.com/issues/223626963

Signed-off-by: Tomas Hozza <thozza@redhat.com>

...

This commit is contained in:

Tomas Hozza 2022-03-16 10:00:52 +01:00 • committed by Tom Gundersen

parent ee285e5e8a

commit f45bdf3fb3

7 changed files with 44 additions and 138 deletions

Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL

Download patch file Download diff file Expand all files Collapse all files

6

repositories/centos-stream-9.json

View file

File diff suppressed because one or more lines are too long