@kparal
Last active February 12, 2021 11:49
fedora releasever=rawhide https://pagure.io/releng/issue/7445
commit 77a0f46ca6bcd322b62a43fdcac4a97fe5ff7887
Author: Kamil Páral <kparal@redhat.com>
Date: Thu Apr 19 16:20:56 2018 +0200

make $releasever return "rawhide" on Rawhide

This is a fairly significant change which will make $releasever (as understood
by dnf) return "rawhide" instead of a number (e.g. 35) for Rawhide users. The
purpose is to have a constant identifier, that developers and repo owners can
rely on. This will make Rawhide a true rolling release which won't need careful
adjustments every time we branch - once on Rawhide, you'll always stay on
Rawhide. This should also significantly simplify repo management, because repos
will no longer need a separate config for Rawhide which is different from stable
releases. The same config file containing "$releasever" can be used (instead of
hardcoding "rawhide" in URL), and it will resolve correctly to a "rawhide/"
directory on the repo server.

The overall hope is that this change should help users (system maintenance),
developers (simplifying automation) and repo owners (release differentiation no
longer needed). Please read the included link for a longer discussion.

This change introduces a new variable `is_rawhide`, which should be set to `1`
or `0`, depending on whether this release is Rawhide or not. It will then set
some additional variables automatically, to simplify specfile maintenance.

This change is made possible by dnf looking at package provides, when
determining $releasever, and `system-release(releasever)` is the first provides
it looks at. We don't use it in stable releases, but we can set the value on
Rawhide and it will have precedence.

This change will also need an accompanying change in fedora-repos, to be
committed and built together.

Related: https://pagure.io/releng/issue/7445

diff --git a/fedora-release.spec b/fedora-release.spec
index 9b02cb4..51a234f 100644
--- a/fedora-release.spec
+++ b/fedora-release.spec
@@ -1,10 +1,18 @@
%define release_name Rawhide
+%define is_rawhide 1
+
%define dist_version 35
%define rhel_dist_version 9
-%define bug_version rawhide
-# Change this when branching to fNN
+%if %{is_rawhide}
+%define bug_version rawhide
+%define releasever rawhide
%define doc_version rawhide
+%else
+%define bug_version %{dist_version}
+%define releasever %{dist_version}
+%define doc_version f%{dist_version}
+%endif
%if 0%{?eln}
%bcond_with basic
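Review bot: the removed comment `# Change this when branching to fNN` has no replacement, so the new `%define is_rawhide 1` at the top of the file gives no hint that it is now the one line to flip at branch time; add a comment there saying so. The guard `%if %{is_rawhide}` also fails to parse if the macro is ever left undefined, and the file's own idiom a few lines down is `%if 0%{?eln}`, so `%if 0%{?is_rawhide}` would be the consistent form.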
@@ -50,7 +58,7 @@
Summary: Fedora release files
Name: fedora-release
Version: 35
-Release: 0.1%{?eln:.eln%{eln}}
+Release: 0.10%{?eln:.eln%{eln}}
License: MIT
URL: https://fedoraproject.org/
@@ -107,6 +115,12 @@ Suggests: fedora-release
Requires: fedora-repos(%{version})
Requires: fedora-release-identity = %{version}-%{release}
+%if %{is_rawhide}
+# Make $releasever return "rawhide" on Rawhide
+# https://pagure.io/releng/issue/7445
+Provides: system-release(releasever) = %{releasever}
+%endif
+
# Fedora ships a generic-release package to make the creation of Remixes
# easier, but it cannot coexist with the fedora-release[-*] packages, so we
# will explicitly conflict with it.
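Review bot: nothing at the new `Provides: system-release(releasever) = %{releasever}` ties this build to a fedora-repos build that ships the key under the "rawhide" name; the visible `Requires: fedora-repos(%{version})` carries no release constraint. The commit message says the two changes must be committed and built together, so a minimum-release requirement on fedora-repos (or at least a comment recording the pairing) would turn that into something the package manager enforces rather than a convention. The `%else` branch's `%define releasever %{dist_version}` is also never emitted, because this `Provides` sits inside `%if %{is_rawhide}`.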
commit f0e2d5a9c513a3b9246e56165de3e444e9eaf754
Author: Kamil Páral <kparal@redhat.com>
Date: Fri Feb 12 12:43:21 2021 +0100

make archmap entries mandatory, except symlinks

All GPG keys except symlinks must now have an entry in archmap. This is to
increase reliability and avoid frequent errors when updating this spec file.

diff --git a/archmap b/archmap
index e4793c4..63d86ce 100644
--- a/archmap
+++ b/archmap
@@ -1,8 +1,10 @@
fedora-7-primary: i386 x86_64 ppc ppc64
fedora-8-primary: i386 x86_64 ppc ppc64
+fedora-8-primary-original:
fedora-9-primary: i386 x86_64 ppc ppc64
+fedora-9-primary-original:
fedora-9-secondary: ia64
fedora-10-primary: i386 x86_64 ppc ppc64
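Review bot: the new `fedora-8-primary-original:` and `fedora-9-primary-original:` entries have an empty arch list and the file does not say why. Now that a missing entry is a hard build error, add a one-line comment in archmap (or beside the loop in the spec) stating that an empty value means "key is known, create no per-arch symlinks", so nobody later fills these in or deletes them.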
@@ -19,7 +21,7 @@ fedora-13-secondary: arm mips
fedora-14-primary: i386 x86_64
fedora-14-secondary: arm
-fedora-15-primary: i386 x86_64
+fedora-15-primary: i386 x86_64
fedora-15-secondary: arm armhfp ppc ppc64 s390 s390x
fedora-16-primary: i386 x86_64
@@ -60,6 +62,7 @@ fedora-27-primary: i386 x86_64 armhfp aarch64 ppc64 ppc64le s390x
fedora-28-primary: i386 x86_64 armhfp aarch64 ppc64 ppc64le s390x
fedora-29-primary: i386 x86_64 armhfp aarch64 ppc64 ppc64le s390x
+fedora-modularity:
fedora-30-primary: i386 x86_64 armhfp aarch64 ppc64le s390x
@@ -76,7 +79,3 @@ fedora-34-primary: i386 x86_64 armhfp aarch64 ppc64le s390x
fedora-35-primary: x86_64 armhfp aarch64 ppc64le s390x
fedora-36-primary: x86_64 armhfp aarch64 ppc64le s390x
-
-fedora-rawhide-primary: x86_64 armhfp aarch64 ppc64le s390x
-
-fedora-eln-primary: i386 x86_64 aarch64 ppc64le s390x
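Review bot: dropping `fedora-eln-primary: i386 x86_64 aarch64 ppc64le s390x` changes which ELN per-arch key symlinks are generated, not just where the list lives. With the symlink resolution added to the spec loop in this commit, the ELN key takes its arches from the numbered Rawhide entry (for 35: `x86_64 armhfp aarch64 ppc64le s390x`), so the `i386` link is no longer created and an `armhfp` link appears. If that is intended, say so in the commit message; if not, ELN needs to keep its own entry and the loop needs a way to prefer it over the resolved name.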
diff --git a/fedora-repos.spec b/fedora-repos.spec
index 12f2597..2a89673 100644
--- a/fedora-repos.spec
+++ b/fedora-repos.spec
@@ -3,7 +3,7 @@
Summary: Fedora package repositories
Name: fedora-repos
Version: 35
-Release: 0.10%{?eln:.eln%{eln}}
+Release: 0.11%{?eln:.eln%{eln}}
License: MIT
URL: https://fedoraproject.org/
@@ -170,9 +170,14 @@ pushd $RPM_BUILD_ROOT/etc/pki/rpm-gpg/
ln -s RPM-GPG-KEY-fedora-%{rawhide_release}-primary RPM-GPG-KEY-fedora-rawhide-primary
ln -s RPM-GPG-KEY-fedora-%{rawhide_release}-primary RPM-GPG-KEY-fedora-eln-primary
for keyfile in RPM-GPG-KEY*; do
- key=${keyfile#RPM-GPG-KEY-} # e.g. 'fedora-20-primary'
- arches=$(sed -ne "s/^${key}://p" %{_sourcedir}/archmap) \
- || echo "WARNING: no archmap entry for $key"
+ # resolve symlinks, so that we don't need to keep duplicate entries in archmap
+ real_keyfile=$(basename $(readlink -f $keyfile))
+ key=${real_keyfile#RPM-GPG-KEY-} # e.g. 'fedora-20-primary'
+ if ! grep -q "^${key}:" %{_sourcedir}/archmap; then
+ echo "ERROR: no archmap entry for $key"
+ exit 1
+ fi
+ arches=$(sed -ne "s/^${key}://p" %{_sourcedir}/archmap)
for arch in $arches; do
# replace last part with $arch (fedora-20-primary -> fedora-20-$arch)
ln -s $keyfile ${keyfile%%-*}-$arch # NOTE: RPM replaces %% with %
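Review bot: `readlink -f $keyfile` in the new `real_keyfile=` line still returns a path when the symlink's final target does not exist, so a dangling `RPM-GPG-KEY-fedora-rawhide-primary` (for example when `%{rawhide_release}` names a key file that was never added) passes the archmap check as long as the numbered entry exists, and the loop then creates per-arch links to a missing key. Add an existence test such as `test -e "$keyfile" || exit 1` before the lookup, quote the expansions (`"$(basename "$(readlink -f "$keyfile")")"`), and send the ERROR line to stderr.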
commit f0eb0bbf27553efc15b354502b0aefffc55452bb
Author: Kamil Páral <kparal@redhat.com>
Date: Fri Feb 12 12:35:11 2021 +0100

support $releasever=rawhide on Rawhide

This commit is necessary to support a fedora-release change which makes
$releasever return "rawhide" on Rawhide (please read that commit first).

The most important change here is the introduction of the
`RPM-GPG-KEY-fedora-rawhide-primary` symlink to the current (numbered) Rawhide
key. This is necessary because $releasever resolves to "rawhide" now and
therefore the file must be present under the "rawhide" name.

There's an additional change present, which seemed related enough to include it
in the same commit - the Fedora 36 GPG key is added and it is referenced in
Rawhide repo files. The purpose is to have a reliable update process which
doesn't break just because users didn't update their system in a month (and
therefore missed the window during which gpg keys are changed). This problem
might be even more pronounced after this patch and therefore should be addressed
together. The fix also paves way for future simplification of fedora-repos (no
need for separate rawhide repo files, perhaps).

Additional checks have been added to reduce the likelihood of human errors when
Rawhide number is bumped.

Related: https://pagure.io/releng/issue/7445

diff --git a/RPM-GPG-KEY-fedora-36-primary b/RPM-GPG-KEY-fedora-36-primary
new file mode 100644
index 0000000..899affa
--- /dev/null
+++ b/RPM-GPG-KEY-fedora-36-primary
@@ -0,0 +1,29 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQINBGAcScoBEADLf8YHkezJ6adlMYw7aGGIlJalt8Jj2x/B2K+hIfIuxGtpVj7e
+LRgDU76jaT5pVD5mFMJ3pkeneR/cTmqqQkNyQshX2oQXwEzUSb1CNMCfCGgkX8Q2
+zZkrIcCrF0Q2wrKblaudhU+iVanADsm18YEqsb5AU37dtUrM3QYdWg9R+XiPfV8R
+KBjT03vVBOdMSsY39LaCn6Ip1Ovp8IEo/IeEVY1qmCOPAaK0bJH3ufg4Cueks+TS
+wQWTeCLxuZL6OMXoOPKwvMQfxbg1XD8vuZ0Ktj/cNH2xau0xmsAu9HJpekvOPRxl
+yqtjyZfroVieFypwZgvQwtnnM8/gSEu/JVTrY052mEUT7Ccb74kcHFTFfMklnkG/
+0fU4ARa504H3xj0ktbe3vKcPXoPOuKBVsHSv00UGYAyPeuy+87cU/YEhM7k3SVKj
+6eIZgyiMO0wl1YGDRKculwks9A+ulkg1oTb4s3zmZvP07GoTxW42jaK5WS+NhZee
+860XoVhbc1KpS+jfZojsrEtZ8PbUZ+YvF8RprdWArjHbJk2JpRKAxThxsQAsBhG1
+0Lux2WaMB0g2I5PcMdJ/cqjo08ccrjBXuixWri5iu9MXp8qT/fSzNmsdIgn8/qZK
+i8Qulfu77uqhW/wt2btnitgRsqjhxMujYU4Zb4hktF8hKU/XX742qhL5KwARAQAB
+tDFGZWRvcmEgKDM1KSA8ZmVkb3JhLTM1LXByaW1hcnlAZmVkb3JhcHJvamVjdC5v
+cmc+iQJOBBMBCAA4FiEEeH6mrhFH7uVsQLMM20Y5cZhnxY8FAmAcScoCGw8FCwkI
+BwIGFQoJCAsCBBYCAwECHgECF4AACgkQ20Y5cZhnxY+NYA/7BYpglySAZYHhjyKh
+/+f6zPfVvbH20Eq3kI7OFBN0nLX+BU1muvS+qTuS3WLrB3m3GultpKREJKLtm5ED
+1rGzXAoT1yp9YI8LADdMCCOyjAjsoWU87YUuC+/bnjrTeR2LROCfyPC76W985iOV
+m5S+bsQDw7C2LrldAM4MDuoyZ1SitGaZ4KQLVt+TEa14isYSGCjzo7PY8V3JOk50
+gqWg82N/bm2EzS7T83WEDb1lvj4IlvxgIqKeg11zXYxmrYSZJJCfvzf+lNS6uxgH
+jx/J0ylZ2LibGr6GAAyO9UWrAZSwSM0EcjT8wECnxkSDuyqmWwVvNBXuEIV8Oe3Y
+MiU1fJN8sd7DpsFx5M+XdnMnQS+HrjTPKD3mWrlAdnEThdYV8jZkpWhDys3/99eO
+hk0rLny0jNwkauf/iU8Oc6XvMkjLRMJg5U9VKyJuWWtzwXnjMN5WRFBqK4sZomMM
+ftbTH1+5ybRW/A3vBbaxRW2t7UzNjczekSZEiaLN9L/HcJCIR1QF8682DdAlEF9d
+k2gQiYSQAaaJ0JJAzHvRkRJLLgK2YQYiHNVy2t3JyFfsram5wSCWOfhPeIyLBTZJ
+vrpNlPbefsT957Tf2BNIugzZrC5VxDSKkZgRh1VGvSIQnCyzkQy6EU2qPpiW59G/
+hPIXZrKocK3KLS9/izJQTRltjMA=
+=PfT7
+-----END PGP PUBLIC KEY BLOCK-----
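Review bot: the armored block added as `RPM-GPG-KEY-fedora-36-primary` carries the user ID `Fedora (35) <fedora-35-primary@fedoraproject.org>` (the line beginning `tDFGZWRvcmEgKDM1KSA8` is its base64 form), so this looks like the 35 key under a 36 filename rather than a new key. If it is a placeholder for the proposal, say so in the commit message and keep it out of a real build. The build check added later in this patch only tests that a file with the N+1 name exists, so it would not catch a copied or wrong key; comparing the key's user ID or fingerprint against the expected release number would.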
diff --git a/archmap b/archmap
index e80ecbd..e4793c4 100644
--- a/archmap
+++ b/archmap
@@ -75,4 +75,8 @@ fedora-34-primary: i386 x86_64 armhfp aarch64 ppc64le s390x
fedora-35-primary: x86_64 armhfp aarch64 ppc64le s390x
+fedora-36-primary: x86_64 armhfp aarch64 ppc64le s390x
+
+fedora-rawhide-primary: x86_64 armhfp aarch64 ppc64le s390x
+
fedora-eln-primary: i386 x86_64 aarch64 ppc64le s390x
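Review bot: the new `fedora-rawhide-primary:` line repeats the arch list of `fedora-35-primary` by hand, and nothing in this patch checks that the two stay equal when the Rawhide number is bumped. Since `RPM-GPG-KEY-fedora-rawhide-primary` is a symlink to the numbered key, the list could be derived from the numbered entry instead of being a second copy to maintain.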
diff --git a/fedora-repos.spec b/fedora-repos.spec
index c1c7f4e..12f2597 100644
--- a/fedora-repos.spec
+++ b/fedora-repos.spec
@@ -3,7 +3,7 @@
Summary: Fedora package repositories
Name: fedora-repos
Version: 35
-Release: 0.1%{?eln:.eln%{eln}}
+Release: 0.10%{?eln:.eln%{eln}}
License: MIT
URL: https://fedoraproject.org/
@@ -72,6 +72,10 @@ Source52: RPM-GPG-KEY-fedora-32-primary
Source53: RPM-GPG-KEY-fedora-33-primary
Source54: RPM-GPG-KEY-fedora-34-primary
Source55: RPM-GPG-KEY-fedora-35-primary
+Source56: RPM-GPG-KEY-fedora-36-primary
+# When bumping Rawhide to fN, create N+1 key (and update archmap). (This
+# ensures users have the next future key installed and referenced, even if they
+# don't update very often. This will smooth out Rawhide N->N+1 transition for them).
Source100: fedora-modular.repo
Source101: fedora-updates-modular.repo
@@ -162,7 +166,8 @@ install -m 644 %{_sourcedir}/RPM-GPG-KEY* $RPM_BUILD_ROOT/etc/pki/rpm-gpg/
# says "fedora-19-primary: i386 x86_64",
# RPM-GPG-KEY-fedora-19-{i386,x86_64} will be symlinked to that key.
pushd $RPM_BUILD_ROOT/etc/pki/rpm-gpg/
-# Also add a symlink for ELN keys
+# Also add a symlink for Rawhide and ELN keys
+ln -s RPM-GPG-KEY-fedora-%{rawhide_release}-primary RPM-GPG-KEY-fedora-rawhide-primary
ln -s RPM-GPG-KEY-fedora-%{rawhide_release}-primary RPM-GPG-KEY-fedora-eln-primary
for keyfile in RPM-GPG-KEY*; do
key=${keyfile#RPM-GPG-KEY-} # e.g. 'fedora-20-primary'
@@ -177,6 +182,17 @@ done
ln -s RPM-GPG-KEY-fedora-%{version}-primary RPM-GPG-KEY-%{version}-fedora
popd
+# Adjust Rawhide repo files to include Rawhide+1 GPG key.
+# This is necessary for the period when Rawhide gets bumped to N+1 and packages
+# start to be signed with a newer key. Without having the key specified in the
+# repo file, the system would consider the new packages as untrusted.
+rawhide_next=$((%{rawhide_release}+1))
+for repo in %{_sourcedir}/fedora-rawhide*.repo; do
+ sed -ir "s@^gpgkey=.*@& file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-${rawhide_next}-\$basearch@" \
+ $repo || exit 1
+done
+
+# Install repo files
install -d -m 755 $RPM_BUILD_ROOT/etc/yum.repos.d
for file in %{_sourcedir}/fedora*repo ; do
install -m 644 $file $RPM_BUILD_ROOT/etc/yum.repos.d
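Review bot: `sed -ir` in the new loop is parsed as `-i` with backup suffix `r`, not as `-i -r`, so each run leaves `fedora-rawhide*.repor` backup files in `%{_sourcedir}`; write `sed -i`, since the expression needs no extended regex. The loop also edits the source files in place, so running `%install` twice on the same tree appends the N+1 key a second time. Apply the substitution to the copies under `$RPM_BUILD_ROOT/etc/yum.repos.d` after the install loop instead, and quote `"$repo"`.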
@@ -198,6 +214,28 @@ for repo in $RPM_BUILD_ROOT/etc/yum.repos.d/fedora-{rawhide,eln}*.repo; do
%endif
done
+# make sure the Rawhide+1 key wasn't forgotten to be created
+rawhide_next=$((%{rawhide_release}+1))
+if ! test -f $RPM_BUILD_ROOT/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-${rawhide_next}-primary; then
+ echo "ERROR: GPG key for Fedora ${rawhide_next} is not present"
+ exit 1
+fi
+
+# make sure the Rawhide+1 key is present in Rawhide repo files
+for repo in $RPM_BUILD_ROOT/etc/yum.repos.d/fedora-rawhide*.repo; do
+ gpg_lines=$(grep '^gpgkey=' $repo)
+ if test -z "$gpg_lines"; then
+ echo "ERROR: No gpgkey= lines in $repo"
+ exit 1
+ fi
+ while IFS= read -r line; do
+ if ! echo "$line" | grep -q "RPM-GPG-KEY-fedora-${rawhide_next}"; then
+ echo "ERROR: Fedora ${rawhide_next} GPG key missing in $repo"
+ exit 1
+ fi
+ done <<< "$gpg_lines"
+done
+
%files
%dir /etc/yum.repos.d
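Review bot: the `grep -q "RPM-GPG-KEY-fedora-${rawhide_next}"` test inside the `while` loop is an unanchored substring match, so it accepts any `gpgkey=` value that merely contains that text. Match what the earlier `sed` writes, `file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-${rawhide_next}-\$basearch`, as a fixed string with `grep -qF`. `rawhide_next` is also computed a second time here and the ERROR messages go to stdout; define it once and redirect with `>&2`.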