Switch to sequoia for codecov signature check

marmarek · marmarek · commit b31851663865 · 2024-03-28T21:26:27.000+01:00
GnuPG in F39 seems to use keyboxd and as a consequence, keyring choice on import seems to be ignored: + gpg --no-default-keyring --keyring trustedkeys.gpg --import ci/codecov-keys.asc gpg: directory '/home/gitlab-runner/.gnupg' created gpg: /home/gitlab-runner/.gnupg/trustdb.gpg: trustdb created gpg: key 806BB28AED779869: public key "Codecov Uploader (Codecov Uploader Verification Key) <security@codecov.io>" imported gpg: Total number processed: 1 gpg: imported: 1 + curl -Os https://uploader.codecov.io/latest/linux/codecov + curl -Os https://uploader.codecov.io/latest/linux/codecov.SHA256SUM + curl -Os https://uploader.codecov.io/latest/linux/codecov.SHA256SUM.sig + gpgv codecov.SHA256SUM.sig codecov.SHA256SUM gpgv: unknown type of key resource 'trustedkeys.kbx' gpgv: keyblock resource '/home/gitlab-runner/.gnupg/trustedkeys.kbx': General error gpgv: Signature made Thu Oct 19 19:59:46 2023 UTC gpgv: using RSA key 27034E7FDB850E0BBC2C62FF806BB28AED779869 gpgv: Can't check signature: No public key The actual key got imported into default keyring, disregarding "--no-default-keyring --keyring trustedkeys.gpg". Instead of fighting with GnuPG bug, switch to Sequoia, which is a good idea anyway.
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
@@ -15,7 +15,7 @@ include:
     - "PATH=$PATH:$HOME/.local/bin"
     - sudo dnf install -y python3-pip python3-gobject gtk3 python3-pytest
         python3-coverage python3-devel pam-devel pandoc gcc git make findutils clang
-        xorg-x11-server-Xvfb python3-pytest-asyncio python3-inotify
+        xorg-x11-server-Xvfb python3-pytest-asyncio python3-inotify sequoia-sqv
     - git config --global --add safe.directory "${CI_PROJECT_DIR}"
     - git clone https://github.com/QubesOS/qubes-core-vchan-socket ~/qubes-core-vchan-socket
     - make -C ~/qubes-core-vchan-socket all
diff --git a/ci/codecov-wrapper b/ci/codecov-wrapper
@@ -2,13 +2,11 @@
 
 set -xe
 
-gpg --no-default-keyring --keyring trustedkeys.gpg --import ci/codecov-keys.asc
-
 curl -Os https://uploader.codecov.io/latest/linux/codecov
 curl -Os https://uploader.codecov.io/latest/linux/codecov.SHA256SUM
 curl -Os https://uploader.codecov.io/latest/linux/codecov.SHA256SUM.sig
 
-gpgv codecov.SHA256SUM.sig codecov.SHA256SUM
+sqv --keyring ci/codecov-keys.asc codecov.SHA256SUM.sig codecov.SHA256SUM
 shasum -a 256 -c codecov.SHA256SUM
 
 chmod +x codecov
