
Commit 912c04e

ProfFlow and claude authored
fix(ci): force primary GPG key for repomd.xml signing (#566)
* fix(ci): force primary GPG key for repomd.xml signing

  PR #217 added --default-key for the gpg invocation that signs repomd.xml, but gpg's --default-key only chooses an identity, not which key under that identity actually signs. Without a trailing '!' on the keyid, gpg silently picks the most recent signing subkey. rpm 4.20+ and zypper verify repomd.xml only against the primary key, so the published signature fails verification with "Signature verification failed for repomd.xml" / "Signing key not found" — the exact symptom reported in #213.

  Append '!' to the keyid argument to force the primary key.

  Verified locally against zypper 1.14.96 / rpm 4.20.1 / gpg 2.x by re-signing the live repomd.xml with a test primary+subkey keypair:

  - Without '!': sig keyid = subkey, zypper refresh fails with "Signature verification failed for repomd.xml" (reproduces the production bug 1:1).
  - With '!': sig keyid = primary, zypper refresh succeeds: "Die angegebenen Repositorys wurden aktualisiert."

  Fixes #213 (regression of PR #217)

  Co-Authored-By: Claude <[email protected]>

* docs(ci): tighten repomd.xml signing comment

  Compress the rationale block from 8 to 6 lines while preserving the load-bearing facts (gpg picks subkey by default, rpm 4.20+ / zypper reject subkey-signed repomd.xml, '!' forces the primary key, #213/#217 regression history). Adds an explicit "Do not strip it" admonition to the future reader. No functional change.

  Co-Authored-By: Claude <[email protected]>

---------

Co-authored-by: Claude <[email protected]>
1 parent b367f8e commit 912c04e

1 file changed: .github/workflows/ci.yml (7 additions & 2 deletions)
@@ -653,9 +653,14 @@ jobs:
653653
echo "Generating repodata for $arch..."
654654
createrepo_c --update "rpm/$arch/"
655655
656-
# Sign the repository metadata (--yes to overwrite existing signature)
656+
# Sign repodata. Trailing '!' on keyid forces gpg to use
657+
# the primary key; without it gpg picks the most recent
658+
# signing subkey, and rpm 4.20+ / zypper reject repomd.xml
659+
# signed by anything other than the primary key.
660+
# Regression of #213 — PR #217 added --default-key but
661+
# dropped the '!'. Do not strip it. --yes overwrites .asc.
657662
echo "Signing repodata for $arch..."
658-
gpg --batch --yes --default-key "${{ steps.import_gpg.outputs.keyid }}" --detach-sign --armor "rpm/$arch/repodata/repomd.xml"
663+
gpg --batch --yes --default-key "${{ steps.import_gpg.outputs.keyid }}!" --detach-sign --armor "rpm/$arch/repodata/repomd.xml"
659664
fi
660665
done
661666
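Review bot: the trailing '!' makes the signature depend on the imported primary key being sign-capable, and nothing in this hunk checks what actually got produced: a certify-only primary makes gpg fail at this step, and if the import step or the key material ever changes, the workflow would quietly ship a subkey signature again and the #213 symptom would only surface when users run zypper refresh. Suggest following the gpg line with a verification of the produced signature, e.g. `gpg --verify "rpm/$arch/repodata/repomd.xml.asc" "rpm/$arch/repodata/repomd.xml"` together with a check that the reported signing key ID equals `${{ steps.import_gpg.outputs.keyid }}`, so a regression fails the CI job rather than the repository consumers. Minor wording point in the comment: "Regression of #213" reads as if #213 caused the regression; the commit message's phrasing, that #213 is the regression introduced by PR #217, is clearer.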
