
9to10: Handle multisig/PQC RPM GPG keys during the upgrade#1531

Draft
matejmatuska wants to merge 7 commits into
oamg:mainfrom
matejmatuska:rhel-10-pqc-cont

Conversation


@matejmatuska matejmatuska commented May 5, 2026

Member

Includes #1508.

I think the commit messages are detailed enough for now.

TODO

  • other distros
  • unit tests
  • 8to9 test
  • test without pqc
  • custom pqc keys
  • update the gpg library to work with pqc keys, if possible


github-actions Bot commented May 5, 2026


Thank you for contributing to the Leapp project!

Please note that every PR needs to comply with the leapp-repository contribution and development guidelines and must pass all tests in order to be mergeable.
If you want to request a review or rebuild a package in copr, you can use the following commands as a comment:

  • review please @oamg/developers to notify leapp developers of the review request
  • /packit copr-build to submit a public copr build using packit

Packit will automatically schedule regression tests for this PR's build and latest upstream leapp build.
However, here are additional useful commands for packit:

  • /packit test to manually re-run the default tests
  • /packit retest-failed to manually re-run the failed tests
  • /packit test oamg/leapp#42 to run tests with leapp builds for the leapp PR#42 (default is latest upstream - main - build)

Note that first time contributors cannot run tests automatically - they need to be started by a reviewer.

It is possible to schedule specific on-demand tests as well. Currently 2 test sets are supported, beaker-minimal and kernel-rt; both can be run on all upgrade paths or just a couple of specific ones.
To launch on-demand tests with packit:

  • /packit test --labels kernel-rt to schedule kernel-rt tests set for all upgrade paths
  • /packit test --labels beaker-minimal-8.10to9.4,kernel-rt-8.10to9.4 to schedule kernel-rt and beaker-minimal test sets for 8.10->9.4 upgrade path

See other labels for particular jobs defined in the .packit.yaml file.

Please open a ticket in case you experience a technical problem with the CI. (RH internal only)

Note: In case there are problems with tests not being triggered automatically on new PR/commit or pending for a long time, please contact leapp-infra.

Jakuje and others added 4 commits May 5, 2026 20:23
… 10 packages

Signed-off-by: Jakub Jelen <jjelen@redhat.com>
This way it can be independently when it's sure it can - only using the
target RPM stack (on RHEL 10).

Jira: RHEL-155375
Create a new subdirectory within the gpg key directories.

Opted for a subdirectory instead of sibling dir as there could be pqc
keys for betas in the future and betas are already a sibling dir.

TODO: Other distros

Jira: RHEL-155375
@matejmatuska matejmatuska added the enhancement New feature or request label May 5, 2026
@matejmatuska matejmatuska added this to the 8.10/9.9 milestone May 5, 2026
On RHEL 9 the system rpm stack doesn't work with PQC RPM GPG keys. There
is a separate PQC RPM stack at /usr/lib/pqrpm which does and the dnf
multisig plugin delegates package signature verification to it before
falling back to the system stack.
Therefore the PQC keys need to be imported into the separate pqrpmdb in
/usr/lib/pqrpm/lib/sysimage/rpm/ using /usr/lib/pqrpm/bin/rpmkeys.

This is currently attempted unconditionally on 9to10 - even if the pqrpm
package isn't installed. If the import fails with ENOENT, this is logged
and no further pqc keys are imported.

Jira: RHEL-155375
On RHEL 9 there is no way to import PQC RPM GPG keys (gpg v6 keys) to
the system rpmdb. The current solution only imports keys before the
installation of the target dnf/rpm using the host rpm binary.

This patch implements import of RPM GPG keys using the target system rpm
stack which is capable of importing to the system rpmdb.
Currently, both "traditional" (v4) keys and PQC (v6) keys are imported.
The keys are copied to the target userspace to /leapp-trusted-gpg-keys
which should not clash with anything.

Jira: RHEL-155375
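As an added example (not leapp's or this PR's code) for the two commits above: the OpenPGP key-packet version tells a traditional v4 key from a PQC v6 key, and the import into the separate pqrpmdb stops after the first ENOENT, as the commit describes. The --dbpath flag, the injectable runner/logger and the two sample key blocks are assumptions and constructed stand-ins, not real keys.

```python
import base64
import subprocess

# Paths from the commit message; passing the db via --dbpath is an assumption.
PQRPM_KEYS = "/usr/lib/pqrpm/bin/rpmkeys"
PQRPM_DB = "/usr/lib/pqrpm/lib/sysimage/rpm/"

def _dearmor(armored):
    """Return the binary payload of an ASCII-armored OpenPGP key block."""
    body, in_body = [], False
    for line in armored.strip().splitlines()[1:]:                 # skip the BEGIN line
        if line.startswith("-----END") or line.startswith("="):   # END or CRC24 line
            break
        if not in_body:
            in_body = line.strip() == ""                           # blank line ends the headers
            continue
        body.append(line.strip())
    return base64.b64decode("".join(body))

def key_packet_version(armored):
    """Version byte of the leading public-key packet: 4 = traditional, 6 = PQC-capable."""
    data = _dearmor(armored)
    ctb = data[0]
    if not ctb & 0x80:
        raise ValueError("not an OpenPGP packet")
    if ctb & 0x40:                                                # new-format header
        tag, hdr = ctb & 0x3F, 2 if data[1] < 192 else (3 if data[1] < 224 else 6)
    else:                                                         # old-format header
        tag, hdr = (ctb >> 2) & 0x0F, 1 + (1, 2, 4, 0)[ctb & 0x03]
    if tag != 6:
        raise ValueError("leading packet is tag %d, not a public key" % tag)
    return data[hdr]

def import_pqc_keys(key_paths, run=subprocess.run, log=print):
    """Import keys into the pqrpmdb; if rpmkeys is missing (ENOENT) log once and stop."""
    imported = []
    for path in key_paths:
        try:
            run([PQRPM_KEYS, "--dbpath", PQRPM_DB, "--import", path], check=True)
        except FileNotFoundError as exc:      # ENOENT: the pqrpm package is not installed
            log("pqrpm stack not installed, skipping remaining PQC keys: %s" % exc)
            break
        imported.append(path)
    return imported

# Constructed stand-ins (not real keys): 0x99 = old-format tag-6 header then a v4 body,
# 0xC6 = new-format tag-6 header then a v6 body, each in minimal ASCII armor.
SAMPLE_V4 = "-----BEGIN PGP PUBLIC KEY BLOCK-----\n\nmQADBAAA\n-----END PGP PUBLIC KEY BLOCK-----\n"
SAMPLE_V6 = "-----BEGIN PGP PUBLIC KEY BLOCK-----\n\nxgMGAAA=\n-----END PGP PUBLIC KEY BLOCK-----\n"
```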
…ions

Currently keys are imported before the dnfplugin transactions via
executing the importrpmgpgkeys script passed in via DNFWorkaround
message. This script runs in the overlay therefore it's using the source
system rpm binary to do the importing.
However, the RHEL 9 system rpm stack doesn't work with PQC RPM GPG keys
and they need to be imported using the RHEL 10 rpm stack.

To import PQC keys a new importrpmgpgkeysintarget script is registered
using DNFWorkaround alongside the original one. The script starts
another container using nspawn with the target userspace as the root,
meaning it uses the target system rpm binary.
The keys are already copied to the target userspace during its
creation.

Jira: RHEL-155375
2 participants