Manage rpm keyring in %post

freedomofpress · Dec 6, 2024 · 149e29f · 149e29f
1 parent 8ddda26
commit 149e29f
Showing 1 changed file with 15 additions and 4 deletions.
diff --git a/rpm-build/SPECS/securedrop-workstation-keyring.spec b/rpm-build/SPECS/securedrop-workstation-keyring.spec
@@ -57,10 +57,21 @@ install -m 644 %{_builddir}/files/securedrop-release-signing-pubkey-2021.asc %{b
 /etc/yum.repos.d/securedrop-workstation-dom0.repo
 
 %post
-# TODO
-# If installing: import key
-# If upgrading: remove key from rpm and reimport key
-# If removing: remove key from rpm
+# New install
+if [ $1 -eq 1 ] ; then
+    systemd-run --on-active=2min rpm --import /etc/pki/rpm-gpg/RPM-GPG-securedrop-workstation ||:
+fi
+# Upgrade. Uninstall old key then install new key
+if [ $1 -gt 1 ] ; then
+    systemd-run --on-active=2min rpm -q gpg-pubkey --qf '%{NAME}-%{VERSION}-%{RELEASE}\t%{SUMMARY}\n' | grep 'SecureDrop Release Signing Key' | cut -f1 | xargs sudo rpm -e ||:
+    systemd-run --on-active=2min rpm --import /etc/pki/rpm-gpg/RPM-GPG-securedrop-workstation ||:
+fi
+
+%posttrans
+# Uninstall
+if [ $1 -eq 0 ] ; then
+    systemd-run --on-active=2min rpm -q gpg-pubkey --qf '%{NAME}-%{VERSION}-%{RELEASE}\t%{SUMMARY}\n' | grep 'SecureDrop Release Signing Key' | cut -f1 | xargs sudo rpm -e ||:
+fi
 
 %changelog
 * Mon Dec 2 2024 13:12:00 SecureDrop Team <[email protected]> - 0.1.0