From 35893cf46a6a99588a2e77d4503944ed14f19ffa Mon Sep 17 00:00:00 2001
From: Emeric Favarel <47535798+moukrea@users.noreply.github.com>
Date: Thu, 19 Mar 2026 15:20:37 +0100
Subject: [PATCH] fix(ci): drop rpmsign, use repo_gpgcheck for RPM signature verification

rpmsign on Ubuntu produces signatures incompatible with Fedora's rpm, causing "digests SIGNATURES NOT OK". Switch to repo-level verification: signed repomd.xml metadata contains package checksums, providing integrity through the checksum chain. This is the standard model used by Chrome, Docker, and VS Code repos.

- Remove rpmsign, gpg-agent config, and rpm -K verification steps
- Change README to gpgcheck=0 + repo_gpgcheck=1
- Keep repomd.xml GPG detached signature (already working)
---
 .github/workflows/tag-release.yml | 21 +++------------------
 README.md | 5 +++--
 2 files changed, 6 insertions(+), 20 deletions(-)

diff --git a/.github/workflows/tag-release.yml b/.github/workflows/tag-release.yml
index b511857..9476a22 100644
--- a/.github/workflows/tag-release.yml
+++ b/.github/workflows/tag-release.yml
@@ -178,15 +178,8 @@ jobs:
 # Import GPG key (may already be imported from APT step)
 echo "$GPG_PRIVATE_KEY" | gpg --batch --import 2>/dev/null || true
 
- # Configure gpg-agent for non-interactive CI use
- echo "allow-loopback-pinentry" >> ~/.gnupg/gpg-agent.conf
- gpgconf --kill gpg-agent
-
- # Install createrepo and rpm tools
- sudo apt-get update && sudo apt-get install -y createrepo-c rpm
-
- # Configure RPM signing
- echo "%_gpg_name ${GPG_KEY_ID}" > ~/.rpmmacros
+ # Install createrepo
+ sudo apt-get update && sudo apt-get install -y createrepo-c
 
 # Clone RPM repo
 git clone https://x-access-token:${GH_TOKEN}@github.com/moukrea/rpm-repo.git rpm-repo
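Review bot: Nothing in this hunk confirms that the signing key is actually usable after the import, whose failure is deliberately swallowed by `2>/dev/null || true`; now that the gpg-agent loopback configuration is gone as well, a missing or passphrase-locked key only surfaces at the `--detach-sign` call later in the job, with a far less obvious error. A cheap assertion right after the import, `gpg --batch --list-secret-keys "$GPG_KEY_ID" >/dev/null || { echo "signing key $GPG_KEY_ID not available" >&2; exit 1; }`, fails the job where the cause is visible. Dropping `allow-loopback-pinentry` is probably harmless on current runners, since recent gpg-agent versions allow loopback pinentry by default, but it is worth confirming that the APT step referenced in the comment does not rely on that line either. The enclosing `run:` step starts before and continues after the hunk.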
@@ -197,15 +190,7 @@ jobs:
 cp ../artifacts/opaq-${VERSION}-linux-x86_64.rpm x86_64/
 cp ../artifacts/opaq-${VERSION}-linux-aarch64.rpm aarch64/
 
- # Sign individual RPM packages
- rpmsign --addsign x86_64/opaq-${VERSION}-linux-x86_64.rpm
- rpmsign --addsign aarch64/opaq-${VERSION}-linux-aarch64.rpm
-
- # Verify signatures before publishing
- rpm -K x86_64/opaq-${VERSION}-linux-x86_64.rpm
- rpm -K aarch64/opaq-${VERSION}-linux-aarch64.rpm
-
- # Generate repo metadata
+ # Generate repo metadata (repomd.xml signature provides integrity via checksum chain)
 createrepo_c --update .
 rm -f repodata/repomd.xml.asc
 gpg --batch --pinentry-mode loopback --default-key "$GPG_KEY_ID" --detach-sign --armor repodata/repomd.xml
diff --git a/README.md b/README.md
index a219d20..2ecc0a6 100644
--- a/README.md
+++ b/README.md
@@ -67,12 +67,13 @@ sudo apt update && sudo apt install opaq
 ### Fedora / RHEL
 
 ```bash
-# Add repository
+# Import GPG key and add repository
+sudo rpm --import https://moukrea.github.io/rpm-repo/pubkey.gpg
 sudo tee /etc/yum.repos.d/moukrea.repo << 'EOF'
 [moukrea]
 name=moukrea Repository
 baseurl=https://moukrea.github.io/rpm-repo/
-gpgcheck=1
+gpgcheck=0
 repo_gpgcheck=1
 gpgkey=https://moukrea.github.io/rpm-repo/pubkey.gpg
 enabled=1
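Review bot: The job no longer verifies any signature before publishing: the `rpm -K` check went away with package signing, but nothing confirms that the detached signature on `repodata/repomd.xml` is valid for the configured key, even though that signature is now the sole trust anchor for clients running with `repo_gpgcheck=1`. Adding `gpg --batch --verify repodata/repomd.xml.asc repodata/repomd.xml` after the `--detach-sign` line restores a pre-publish check at the same cost as the removed one. The new comment could also state the client-side precondition, since the checksum chain covers only packages fetched through a repo_gpgcheck-enabled dnf: a user who installs the .rpm directly gets no verification at all, and one who keeps the older `gpgcheck=1` setting will likely see the now-unsigned packages rejected; something like `# Packages are unsigned: integrity comes from the signed repomd.xml checksum chain and requires repo_gpgcheck=1 on the client`. The `run:` step starts before and continues after the hunk.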