From 6ba1513978ee776040107a342ad8694074feea4a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?= Date: Thu, 4 Jan 2024 16:57:45 +0100 Subject: [PATCH] Switch to sequoia for codecov signature check GnuPG in F39 seems to use keyboxd and as a consequence, keyring choice on import seems to be ignored: + gpg --no-default-keyring --keyring trustedkeys.gpg --import ci/codecov-keys.asc gpg: directory '/home/gitlab-runner/.gnupg' created gpg: /home/gitlab-runner/.gnupg/trustdb.gpg: trustdb created gpg: key 806BB28AED779869: public key "Codecov Uploader (Codecov Uploader Verification Key) " imported gpg: Total number processed: 1 gpg: imported: 1 + curl -Os https://uploader.codecov.io/latest/linux/codecov + curl -Os https://uploader.codecov.io/latest/linux/codecov.SHA256SUM + curl -Os https://uploader.codecov.io/latest/linux/codecov.SHA256SUM.sig + gpgv codecov.SHA256SUM.sig codecov.SHA256SUM gpgv: unknown type of key resource 'trustedkeys.kbx' gpgv: keyblock resource '/home/gitlab-runner/.gnupg/trustedkeys.kbx': General error gpgv: Signature made Thu Oct 19 19:59:46 2023 UTC gpgv: using RSA key 27034E7FDB850E0BBC2C62FF806BB28AED779869 gpgv: Can't check signature: No public key The actual key got imported into default keyring, disregarding "--no-default-keyring --keyring trustedkeys.gpg". Instead of fighting with GnuPG bug, switch to Sequoia, which is a good idea anyway. (cherry picked from commit 5bf2b113d9d37fedafb39e88cf3ce02efc639dca)
---
 .gitlab-ci.yml | 2 +- ci/codecov-wrapper | 4 +--- 2 files changed, 2 insertions(+), 4 deletions(-)
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 4f00e7fdd..eae277e45 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -10,7 +10,7 @@ checks:tests:
 after_script:
 - ci/codecov-wrapper -F unittests
 before_script:
- - sudo dnf install -y lvm2 vim-common python3-lxml python3-docutils
+ - sudo dnf install -y lvm2 vim-common python3-lxml python3-docutils sequoia-sqv
 - git clone -b release4.1 https://github.com/QubesOS/qubes-core-qrexec ~/qubes-core-qrexec
 - pip3 install --user --quiet -r ci/requirements.txt
 script:
diff --git a/ci/codecov-wrapper b/ci/codecov-wrapper
index 8c0549df6..c955f73a1 100755
--- a/ci/codecov-wrapper
+++ b/ci/codecov-wrapper
@@ -2,13 +2,11 @@
 set -xe
-gpg --no-default-keyring --keyring trustedkeys.gpg --import ci/codecov-keys.asc
-
 curl -Os https://uploader.codecov.io/latest/linux/codecov
 curl -Os https://uploader.codecov.io/latest/linux/codecov.SHA256SUM
 curl -Os https://uploader.codecov.io/latest/linux/codecov.SHA256SUM.sig
-gpgv codecov.SHA256SUM.sig codecov.SHA256SUM
+sqv --keyring ci/codecov-keys.asc codecov.SHA256SUM.sig codecov.SHA256SUM
 shasum -a 256 -c codecov.SHA256SUM
 chmod +x codecov
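Review bot: The `sqv --keyring ci/codecov-keys.asc` line in ci/codecov-wrapper trusts every certificate in that file, so the file is now the whole trust anchor; a comment above the call would make that explicit for whoever edits it next, e.g. `# ci/codecov-keys.asc must hold only the Codecov uploader key 27034E7FDB850E0BBC2C62FF806BB28AED779869 (fingerprint from the gpgv log in this commit message)`. The signature and `shasum -c` prove origin but not freshness: the three `curl` lines fetch `latest`, so an older, validly signed binary and checksum pair would pass as well. If that matters for these runners, pin the uploader version in the URLs or give sqv a `--not-before` date that is maintained alongside the key. The script continues past `chmod +x codecov`, outside this hunk, so how the verified binary is invoked is not visible here.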