feat(rpm): enable gpgcheck=1 — packages are signed + verified

The signing rollout is confirmed end to end: the latest published RPM (0.2.0-0.ci1089) carries a header GPG signature (added by `rpm --addsign`) and passed the in-CI `rpmkeys --checksig` self-verify before publishing (a bad/unsigned build fails that gate and never reaches the registry). So flip every .repo snippet from gpgcheck=0 to gpgcheck=1 and add the package-signing public key (served from the generic registry, committed at packaging/rpm/RPM-GPG-KEY-punktfunk) to gpgkey= alongside the Gitea metadata key — dnf/rpm-ostree imports both. Covers rpm/README, packaging/README, the bootc Containerfile, and the docs-site bazzite/fedora-kde install pages; rpm/README's signing section reframed from "dormant/enabling" to active (+ key-rotation notes). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-15 15:23:57 +00:00
parent ecd7d4a7e3
commit 1f0dc87658
5 changed files with 34 additions and 35 deletions
@@ -17,18 +17,17 @@ paths — same spec (`punktfunk.spec`) — just self-hosted in Gitea instead of
 ## Install on a Bazzite host (one-time)

 ```sh
-# Add the repo. Our RPMs are unsigned, but Gitea GPG-signs the repo METADATA — so verify that
-# (repo_gpgcheck=1) and skip the per-package signature check (gpgcheck=0). The signed metadata
-# carries each package's SHA256, so authenticity still holds. (Don't just curl Gitea's served
-# bazzite.repo — it sets gpgcheck=1, which fails on unsigned packages.)
+# Add the repo. Packages are GPG-signed (gpgcheck=1, the packages@unom.io key) AND the repo
+# metadata is Gitea-signed (repo_gpgcheck=1); gpgkey lists both so dnf/rpm-ostree imports each.
 sudo tee /etc/yum.repos.d/punktfunk.repo >/dev/null <<'REPO'
 [gitea-unom-bazzite]
 name=punktfunk (unom, Bazzite)
 baseurl=https://git.unom.io/api/packages/unom/rpm/bazzite
 enabled=1
-gpgcheck=0
+gpgcheck=1
 repo_gpgcheck=1
 gpgkey=https://git.unom.io/api/packages/unom/rpm/repository.key
+       https://git.unom.io/api/packages/unom/generic/punktfunk-keys/1/RPM-GPG-KEY-punktfunk
 REPO

 # Layer the host + the web console (pairing/status), then reboot into the new deployment.
@@ -41,18 +40,19 @@ systemctl reboot
 > If `rpm-ostree` can't complete the metadata GPG check non-interactively, set `repo_gpgcheck=0`
 > (TLS-only trust to the self-hosted registry).

-## Enabling per-package signing (`gpgcheck=1`)
+## Per-package signing (`gpgcheck=1`, active)

-CI is wired to GPG-sign each RPM (`packaging/rpm/sign-rpms.sh`, run from `rpm.yml`), but it's
-**dormant** until you provide a signing key — until then packages publish unsigned and the repo
-above uses `gpgcheck=0`. This is a self-hosted registry served over HTTPS with GPG-signed metadata
-(`repo_gpgcheck=1`), so per-package signing is hardening, not a correctness fix. (Note: this is a
-GPG/OpenPGP key — a `step-ca`/X.509 cert can't sign RPMs; step-ca is for the registry/console TLS.)
+CI GPG-signs every RPM: `packaging/rpm/sign-rpms.sh` (run from `rpm.yml` between build and publish)
+signs with the dedicated EdDSA key **`packages@unom.io`** (`AF245C506F4E4763`) and self-verifies
+with `rpmkeys --checksig` before publishing, so an unsigned/bad build never reaches the registry.
+The public key is served from the registry (the `gpgkey=` URL above) and committed at
+`packaging/rpm/RPM-GPG-KEY-punktfunk`. (This is a GPG/OpenPGP key — a `step-ca`/X.509 cert can't
+sign RPMs; step-ca is only for registry/console TLS.)

-One-time setup:
+How it was set up (and how to rotate the key):

 ```sh
-# 1. Generate a DEDICATED, passphrase-less signing key (separate from the Gitea registry key).
+# 1. Generate a DEDICATED, passphrase-less signing key (separate from the Gitea metadata key).
 gpg --batch --gen-key <<EOF
 %no-protection
 Key-Type: eddsa
@@ -62,19 +62,17 @@ Name-Email: packages@unom.io
 Expire-Date: 0
 %commit
 EOF
-gpg --armor --export-secret-keys packages@unom.io   # -> paste into the CI secret below
-gpg --armor --export             packages@unom.io > RPM-GPG-KEY-punktfunk   # the PUBLIC key
+gpg --armor --export-secret-keys packages@unom.io   # -> the RPM_GPG_PRIVATE_KEY CI secret
+gpg --armor --export             packages@unom.io > packaging/rpm/RPM-GPG-KEY-punktfunk  # public half

-# 2. In the repo's Gitea Actions secrets, add RPM_GPG_PRIVATE_KEY = the armored PRIVATE key
-#    (and RPM_GPG_PASSPHRASE only if the key has one). The next CI run signs + self-verifies.
-
-# 3. Publish RPM-GPG-KEY-punktfunk where clients can fetch it, then on each host import it and
-#    flip the repo to gpgcheck=1:
-sudo rpm --import https://git.unom.io/.../RPM-GPG-KEY-punktfunk
-sudo sed -i 's/^gpgcheck=0/gpgcheck=1/' /etc/yum.repos.d/punktfunk.repo
+# 2. Add the armored PRIVATE key as the RPM_GPG_PRIVATE_KEY Gitea Actions secret. Commit the public
+#    half and publish it to the registry so the gpgkey= URL resolves:
+curl --user "<user>:<write:package-PAT>" --upload-file packaging/rpm/RPM-GPG-KEY-punktfunk \
+  https://git.unom.io/api/packages/unom/generic/punktfunk-keys/1/RPM-GPG-KEY-punktfunk
 ```

-Do **not** flip `gpgcheck=1` before a signed build has published, or installs will fail.
+Rotating the key means a new generic-registry version (bump `punktfunk-keys/1` → `/2` and the
+`gpgkey=` URL), since the registry rejects re-uploading an existing file.

 After reboot, as the desktop user: