unom/punktfunk
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases 3 Wiki Activity

docs(rpm): use repo_gpgcheck for the unsigned Gitea RPMs
ci / web (push) Failing after 40s
Details
ci / rust (push) Successful in 1m8s
Details
apple / swift (push) Successful in 1m17s
Details
ci / docs-site (push) Failing after 48s
Details
docker / build-push (., web/Dockerfile, punktfunk-web) (push) Successful in 6s
Details
deb / build-publish (push) Failing after 2m21s
Details
docker / build-push (ci, ci/fedora-rpm.Dockerfile, punktfunk-fedora-rpm) (push) Successful in 2m25s
Details
docker / build-push (docs-site, docs-site/Dockerfile, punktfunk-docs) (push) Successful in 4s
Details
docker / build-push (ci, ci/rust-ci.Dockerfile, punktfunk-rust-ci) (push) Successful in 2m24s
Details
docker / deploy-docs (push) Successful in 17s
Details
rpm / build-publish (push) Successful in 3m45s
Details

Browse Source 
Gitea GPG-signs the repo metadata but not the individual packages, while its
auto-served bazzite.repo sets gpgcheck=1 — so `rpm-ostree install` fails with
"could not be verified" on our unsigned RPMs. Document writing the repo
explicitly with gpgcheck=0 + repo_gpgcheck=1 (verify the signed metadata, which
carries each package checksum) instead of curling the served .repo. Note the
TLS-only fallback and that per-package signing is future hardening.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
Enrico Bühler
2026-06-12 22:07:42 +00:00
parent 58cb416abb
commit 06346e5037
2 changed files with 27 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files
packaging/README.md
+10 -2
View File
@@ -40,8 +40,16 @@ push), mirroring the [Debian/apt](debian/README.md) setup. Add one repo file, in
updates with `rpm-ostree upgrade` — no COPR account needed. Full guide: [`rpm/README.md`](rpm/README.md).
```sh
curl -fsSL https://git.unom.io/api/packages/unom/rpm/bazzite.repo \
| sudo tee /etc/yum.repos.d/punktfunk.repo
# unsigned pkgs + Gitea-signed metadata → repo_gpgcheck=1, gpgcheck=0 (see rpm/README.md)
sudo tee /etc/yum.repos.d/punktfunk.repo >/dev/null <<'REPO'
[gitea-unom-bazzite]
name=punktfunk (unom, Bazzite)
baseurl=https://git.unom.io/api/packages/unom/rpm/bazzite
enabled=1
gpgcheck=0
repo_gpgcheck=1
gpgkey=https://git.unom.io/api/packages/unom/rpm/repository.key
REPO
rpm-ostree install punktfunk && systemctl reboot
# updates: rpm-ostree upgrade && systemctl reboot
```
packaging/rpm/README.md
+17 -3
View File
@@ -15,15 +15,29 @@ paths — same spec (`punktfunk.spec`) — just self-hosted in Gitea instead of
## Install on a Bazzite host (one-time)
```sh
# Trust + add the repo (rpm-ostree reads /etc/yum.repos.d). Public registry, no auth.
curl -fsSL https://git.unom.io/api/packages/unom/rpm/bazzite.repo \
| sudo tee /etc/yum.repos.d/punktfunk.repo
# Add the repo. Our RPMs are unsigned, but Gitea GPG-signs the repo METADATA — so verify that
# (repo_gpgcheck=1) and skip the per-package signature check (gpgcheck=0). The signed metadata
# carries each package's SHA256, so authenticity still holds. (Don't just curl Gitea's served
# bazzite.repo — it sets gpgcheck=1, which fails on unsigned packages.)
sudo tee /etc/yum.repos.d/punktfunk.repo >/dev/null <<'REPO'
[gitea-unom-bazzite]
name=punktfunk (unom, Bazzite)
baseurl=https://git.unom.io/api/packages/unom/rpm/bazzite
enabled=1
gpgcheck=0
repo_gpgcheck=1
gpgkey=https://git.unom.io/api/packages/unom/rpm/repository.key
REPO
# Layer the package, then reboot into the new deployment.
rpm-ostree install punktfunk
systemctl reboot
```
> If `rpm-ostree` can't complete the metadata GPG check non-interactively, set `repo_gpgcheck=0`
> (TLS-only trust to the self-hosted registry). Proper per-package signing (`gpgcheck=1`) would
> need a CI signing key + `rpm --addsign` — future hardening, not wired up.
After reboot, as the desktop user:
```sh