QubesOS / qubes-issues

The Qubes OS Project issue tracker
https://www.qubes-os.org/doc/issue-tracking/

Fedora template: work to get metadata signing in place #6434

Open DemiMarie opened 3 years ago

DemiMarie commented 3 years ago

Qubes OS version (if applicable): Qubes release 4.0 (R4.0)

Affected component(s) or functionality (if applicable): Fedora templates

Brief summary: We should work with Fedora to get them to sign their metadata. This is likely blocked on the stabilization of DNF 5, as DNF 4 has numerous bugs regarding metadata signing.

Additional context: There was an RCE in librepo that this would have mitigated. As per https://github.com/rpm-software-management/librepo/issues/231#issuecomment-787918202 the issues in DNF are unlikely to be fixed in DNF 4.

Relevant documentation you've consulted

Related, non-duplicate issues

#6177 tracked signing of metadata for QubesOS.

adrelanos commented 2 years ago

References I've found:

What is the latest status of this?

DemiMarie commented 2 years ago

Robosignatory has full support now. I have a draft PR for pungi, and koji support has not started.

It isn’t that difficult, but it is another thing on my to-do list. It’s all Python scripting, so it should not be too hard for someone else to help.