Two CI fixes:
- rpm signing (2nd bug): overriding %__gpg_sign_cmd via --define reached gpg with
%{__plaintext_filename}/%{__signature_filename} UNEXPANDED ("No such file or directory").
Stop overriding it — use rpm's default signer (which expands those correctly) and just set
_gpg_name; a passphrase-less key + loopback in gpg.conf makes gpg sign headless. (Requires a
passphrase-less signing key, as the runbook's %no-protection key is.)
- flatpak: the job runs in fedora:43 which has no node, so actions/checkout (a JS action) failed
with "node: not found". Install nodejs in a plain `run:` step (shell, no node needed) before
checkout. Also scope the heavy flatpak-builder run to client/core/manifest changes (+ tags) so
it stops rebuilding on every unrelated docs/host push (tag pushes still build — paths filters
only branch pushes).
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
The first signed CI run failed at the Sign step: `%{__gpg} gpg ...` expands to `<gpgpath> gpg ...`,
so gpg got a spurious `gpg` filename arg ("no command supplied", options "not considered"). Dropped
the literal `gpg` → `%{__gpg} --batch ...`. Validated locally: the corrected invocation parses as a
sign command (fails only with "No secret key", which is present in CI). The checksig gate did its
job — nothing published, installs stayed safe.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
The audit's signing recommendation, scoped to RPM (apt's signed Release metadata already
covers .debs; bootc cosign deferred). packaging/rpm/sign-rpms.sh GPG-signs dist/*.rpm and
self-verifies (rpmkeys --checksig), run from rpm.yml between build + publish.
Safe to ship: the step is a NO-OP (exit 0, unsigned as today) until RPM_GPG_PRIVATE_KEY is
set as a CI secret — so it can't break current CI, and when enabled a bad macro fails loudly
via the in-step checksig rather than shipping bad signatures. rpm/README gains the one-time
enablement runbook (generate a dedicated passphrase-less key, add the secret, publish the
public key, flip gpgcheck=1 only after a signed build lands) and notes step-ca is for TLS,
not OpenPGP (it can't sign RPMs).
Also fixes the rpm/README version staleness the doc review caught: rolling is 0.2.0-0.ciN
(outranks the stray 0.1.1, no pin needed), host releases use host-v* not the client's v*.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>