From: Daan De Meyer <daan@amutable.com>
Date: Thu, 5 Feb 2026 09:29:38 +0000 (+0100)
Subject: fedora: Use N-1 key as well when querying rawhide GPG key
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=215a9497ccc089ba030da39e15e9e2371efad3cb;p=thirdparty%2Fmkosi.git

fedora: Use N-1 key as well when querying rawhide GPG key

We now run into the opposite problem where distribution-gpg-keys is
updated before rawhide is updated, so query the N-1 key as well to
avoid issues in the other direction.
---

diff --git a/mkosi/distribution/fedora.py b/mkosi/distribution/fedora.py
index 8a8cc4fac..140ae92da 100644
--- a/mkosi/distribution/fedora.py
+++ b/mkosi/distribution/fedora.py
@@ -57,6 +57,10 @@ def find_fedora_rpm_gpgkeys(context: Context) -> Iterable[str]:
         version = int(rawhide_will_be.group(1))
         yield f"{DISTRIBUTION_GPG_KEYS_UPSTREAM}/RPM-GPG-KEY-fedora-{version}-primary"
 
+        # Also use the N-1 key if it exists to avoid issues when distribution-gpg-keys has been moved to the
+        # next key but rawhide still uses the previous one.
+        yield f"{DISTRIBUTION_GPG_KEYS_UPSTREAM}/RPM-GPG-KEY-fedora-{version - 1}-primary"
+
         # Also use the N+1 key if it exists to avoid issues when rawhide has been moved to the next key but
         # the rawhide symlink in distribution-gpg-keys hasn't been updated yet.
         try:
@@ -83,13 +87,17 @@ def find_fedora_rpm_gpgkeys(context: Context) -> Iterable[str]:
     yield key
 
     if release == "rawhide" and (rawhide_will_be := versionre.match(Path(key).name)):
+        version = int(rawhide_will_be.group(1))
+
+        # To handle the scenario where distribution-gpg-keys adopts the new rawhide key before rawhide is
+        # rebuilt, we have to also add the N-1 key.
+        yield find_rpm_gpgkey(context, key=f"RPM-GPG-KEY-fedora-{version - 1}-primary")
+
         # When querying the rawhide version remotely, we add the N+1 key as the symlink might not have been
         # updated yet. We do expect the symlink update to happen in reasonable time so we only add the N+1
         # key. When using a locally installed distribution-gpg-keys package on older Fedora versions, there's
         # a non-zero chance that rawhide might already be using the N+2 key. So let's play it safe and add
         # all newer keys in this case.
-        version = int(rawhide_will_be.group(1))
-
         i = 1
         while newerkey := find_rpm_gpgkey(
             context,