From 38bd1dcf408a255bff4f00353a144180b5c27094 Mon Sep 17 00:00:00 2001
From: Emeric Favarel <47535798+moukrea@users.noreply.github.com>
Date: Thu, 19 Mar 2026 13:05:39 +0100
Subject: [PATCH] fix(ci): sign individual RPM packages to pass gpgcheck

RPM installation failed on Fedora/RHEL because gpgcheck=1 requires individual package signatures, but only the repo metadata was signed.

- Install rpm package and configure ~/.rpmmacros for non-interactive signing
- Sign each .rpm with rpmsign --addsign before publishing to the repo
- Add repo_gpgcheck=1 to README install instructions for full verification
---
 .github/workflows/tag-release.yml | 14 ++++++++++++--
 README.md | 1 +
 2 files changed, 13 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/tag-release.yml b/.github/workflows/tag-release.yml
index d2b6d1b..67e79ce 100644
--- a/.github/workflows/tag-release.yml
+++ b/.github/workflows/tag-release.yml
@@ -178,8 +178,14 @@ jobs:
 # Import GPG key (may already be imported from APT step)
 echo "$GPG_PRIVATE_KEY" | gpg --batch --import 2>/dev/null || true
 
- # Install createrepo
- sudo apt-get update && sudo apt-get install -y createrepo-c
+ # Install createrepo and rpm-sign
+ sudo apt-get update && sudo apt-get install -y createrepo-c rpm
+
+ # Configure RPM signing macros for non-interactive CI use
+ cat > ~/.rpmmacros << MACROS
+ %_gpg_name ${GPG_KEY_ID}
+ %__gpg_sign_cmd %{__gpg} gpg --batch --pinentry-mode loopback --no-armor %{?_gpg_digest_algo:--digest-algo %{_gpg_digest_algo}} --no-secmem-warning -u "%{_gpg_name}" -sbo %{__signature_filename} --digest-algo sha256 %{__plaintext_filename}
+ MACROS
 
 # Clone RPM repo
 git clone https://x-access-token:${GH_TOKEN}@github.com/moukrea/rpm-repo.git rpm-repo
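Review bot: The new `%__gpg_sign_cmd` macro selects `--pinentry-mode loopback` but gives gpg no passphrase source, so if `GPG_PRIVATE_KEY` is passphrase-protected every `rpmsign` call will fail non-interactively; either document that the CI key must be unprotected or add `--passphrase-fd 0` (fed from a secret via `%_gpg_sign_cmd_extra_args`) to the macro. The macro is also only as trustworthy as the key it names: the import just above still ends in `|| true` and `${GPG_KEY_ID}` is interpolated into `%_gpg_name` unchecked, so an unset variable or a failed import only surfaces later as an opaque signing error. I would guard before writing `~/.rpmmacros` with `: "${GPG_KEY_ID:?GPG_KEY_ID must be set}"` followed by `gpg --batch --list-secret-keys "$GPG_KEY_ID" >/dev/null`. The literal `--digest-algo sha256` duplicates the conditional `%{?_gpg_digest_algo:--digest-algo …}` on the same line; gpg takes the last one, so it is harmless, but one of the two should go. The enclosing `run:` step starts outside the hunk.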
@@ -190,6 +196,10 @@ jobs:
 cp ../artifacts/opaq-${VERSION}-linux-x86_64.rpm x86_64/
 cp ../artifacts/opaq-${VERSION}-linux-aarch64.rpm aarch64/
 
+ # Sign individual RPM packages
+ rpmsign --addsign x86_64/opaq-${VERSION}-linux-x86_64.rpm
+ rpmsign --addsign aarch64/opaq-${VERSION}-linux-aarch64.rpm
+
 # Generate repo metadata
 createrepo_c --update .
 rm -f repodata/repomd.xml.asc
diff --git a/README.md b/README.md
index 2ffd89c..a219d20 100644
--- a/README.md
+++ b/README.md
@@ -73,6 +73,7 @@ sudo tee /etc/yum.repos.d/moukrea.repo << 'EOF'
 name=moukrea Repository
 baseurl=https://moukrea.github.io/rpm-repo/
 gpgcheck=1
+repo_gpgcheck=1
 gpgkey=https://moukrea.github.io/rpm-repo/pubkey.gpg
 enabled=1
 EOF
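Review bot: Only the two freshly copied packages get `rpmsign --addsign`, yet `createrepo_c --update .` republishes every RPM already present in the cloned rpm-repo; since the commit message says earlier releases were never package-signed, those older versions will still fail `gpgcheck=1` from a repo that now advertises itself as fully verified. Signing everything present is cheap and idempotent, so I would replace the two `rpmsign` lines with `find . -name '*.rpm' -print0 | xargs -0 rpmsign --addsign`. I would also verify before publishing instead of trusting rpmsign's exit status alone — `rpmsign` happily signs with whatever `%_gpg_name` resolves to — e.g. `rpm --import pubkey.gpg && find . -name '*.rpm' -exec rpm -K {} +`, which fails the step on an unsigned or wrongly keyed package; this presumes the `pubkey.gpg` the README points at lives in this checkout, which I cannot confirm from the hunk. The enclosing `run:` step starts and ends outside the hunk.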