From 06346e503757ffa5a0a06180cee220a0336f668d Mon Sep 17 00:00:00 2001 From: enricobuehler Date: Fri, 12 Jun 2026 22:07:42 +0000 Subject: [PATCH] docs(rpm): use repo_gpgcheck for the unsigned Gitea RPMs MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Gitea GPG-signs the repo metadata but not the individual packages, while its auto-served bazzite.repo sets gpgcheck=1 — so `rpm-ostree install` fails with "could not be verified" on our unsigned RPMs. Document writing the repo explicitly with gpgcheck=0 + repo_gpgcheck=1 (verify the signed metadata, which carries each package checksum) instead of curling the served .repo. Note the TLS-only fallback and that per-package signing is future hardening. Co-Authored-By: Claude Opus 4.8 (1M context) --- packaging/README.md | 12 ++++++++++-- packaging/rpm/README.md | 20 +++++++++++++++++--- 2 files changed, 27 insertions(+), 5 deletions(-) diff --git a/packaging/README.md b/packaging/README.md index f89b881..7169249 100644 --- a/packaging/README.md +++ b/packaging/README.md @@ -40,8 +40,16 @@ push), mirroring the [Debian/apt](debian/README.md) setup. Add one repo file, in updates with `rpm-ostree upgrade` — no COPR account needed. Full guide: [`rpm/README.md`](rpm/README.md). ```sh -curl -fsSL https://git.unom.io/api/packages/unom/rpm/bazzite.repo \ - | sudo tee /etc/yum.repos.d/punktfunk.repo +# unsigned pkgs + Gitea-signed metadata → repo_gpgcheck=1, gpgcheck=0 (see rpm/README.md) +sudo tee /etc/yum.repos.d/punktfunk.repo >/dev/null <<'REPO' +[gitea-unom-bazzite] +name=punktfunk (unom, Bazzite) +baseurl=https://git.unom.io/api/packages/unom/rpm/bazzite +enabled=1 +gpgcheck=0 +repo_gpgcheck=1 +gpgkey=https://git.unom.io/api/packages/unom/rpm/repository.key +REPO rpm-ostree install punktfunk && systemctl reboot # updates: rpm-ostree upgrade && systemctl reboot ``` diff --git a/packaging/rpm/README.md b/packaging/rpm/README.md index 2909593..8826ad8 100644 --- a/packaging/rpm/README.md 
+++ b/packaging/rpm/README.md @@ -15,15 +15,29 @@ paths — same spec (`punktfunk.spec`) — just self-hosted in Gitea instead of ## Install on a Bazzite host (one-time) ```sh -# Trust + add the repo (rpm-ostree reads /etc/yum.repos.d). Public registry, no auth. -curl -fsSL https://git.unom.io/api/packages/unom/rpm/bazzite.repo \ - | sudo tee /etc/yum.repos.d/punktfunk.repo +# Add the repo. Our RPMs are unsigned, but Gitea GPG-signs the repo METADATA — so verify that +# (repo_gpgcheck=1) and skip the per-package signature check (gpgcheck=0). The signed metadata +# carries each package's SHA256, so authenticity still holds. (Don't just curl Gitea's served +# bazzite.repo — it sets gpgcheck=1, which fails on unsigned packages.) +sudo tee /etc/yum.repos.d/punktfunk.repo >/dev/null <<'REPO' +[gitea-unom-bazzite] +name=punktfunk (unom, Bazzite) +baseurl=https://git.unom.io/api/packages/unom/rpm/bazzite +enabled=1 +gpgcheck=0 +repo_gpgcheck=1 +gpgkey=https://git.unom.io/api/packages/unom/rpm/repository.key +REPO # Layer the package, then reboot into the new deployment. rpm-ostree install punktfunk systemctl reboot ``` +> If `rpm-ostree` can't complete the metadata GPG check non-interactively, set `repo_gpgcheck=0` +> (TLS-only trust to the self-hosted registry). Proper per-package signing (`gpgcheck=1`) would +> need a CI signing key + `rpm --addsign` — future hardening, not wired up. + After reboot, as the desktop user: ```sh
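Review bot: in the packaging/README.md hunk, `gpgkey=https://git.unom.io/api/packages/unom/rpm/repository.key` is served from the same host as `baseurl`, so with `gpgcheck=0` the whole chain (key, signed repomd, package checksums, packages) comes from git.unom.io over TLS and the `repo_gpgcheck=1` step only gives trust-on-first-use; the README should publish the fingerprint of the repository key and tell readers to compare it (`gpg --show-keys` on the downloaded `repository.key`) before the first `rpm-ostree install punktfunk`, otherwise the added comment "repo_gpgcheck=1, gpgcheck=0" overstates what is verified. The same fingerprint check would also let a reader notice if the served key ever changes.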
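Review bot: in the packaging/rpm/README.md hunk, the fallback blockquote ("set `repo_gpgcheck=0` (TLS-only trust ...)") stacks on the `gpgcheck=0` already in the repo file, so after that change nothing cryptographic is checked at all and a compromised or impersonated git.unom.io can serve arbitrary RPMs that `rpm-ostree install` will layer; the note should say this plainly, name the exact failure it is working around (the hunk only says "can't complete the metadata GPG check non-interactively"), and present `repo_gpgcheck=0` as a temporary downgrade to revert, not as an equivalent option. The inline comment's claim that "authenticity still holds" because the signed metadata carries each package's SHA256 is correct only while `repo_gpgcheck=1` is in effect, so the fallback paragraph should be cross-referenced from that comment.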