Add rpm import in %post

[rocodes]

Add rpm key import in boostrap package post. There are 3 cases (clean install, upgrade package, uninstall); cover all of them.

• In a clean install scenario, import the key to the rpm database.
• In a package upgrade scenario (key bump), remove the old key and import the key again. (This will not be needed when rpm = 4.20 or rpm-sequoia >= 1.7.0 lands in dom0, but until then, maintain the logic).
• In uninstall case, remove the key from the rpm database after the package is uninstalled.

See https://docs.fedoraproject.org/en-US/packaging-guidelines/Scriptlets/ for guidelines on scriptlet ordering in upgrade, uninstall, etc.

Fixes freedomofpress/securedrop-workstation#423

Test plan

• Visual review
• CI (in draft until CI Add github actions, license file, security.md #6 and rebase)
• Testing scenarios (see below)

Clean install (no SDW)
Build this package with make build-rpm and install it in dom0.

• Package installs successfully
• repo file is present in /etc/yum.repos.d
• rpm -q gpg-pubkey --qf '%{NAME}-%{VERSION}-%{RELEASE}\t%{SUMMARY}\n' | grep 'SecureDrop Release Signing Key' shows an entry corresponding to our release signing key in the rpm db (note: there's a 10 second delay because of trying to avoid rpm db transaction lock)
• When keyring package is uninstalled, /etc/pki/rpm-gpg no longer contains our release signing key, and the key is removed from the rpm database (check with above command).

Upgrade testing: existing installs (existing SDW/4.2 setup, release key imported into rpm database and yum.repos file present in dom0)

• Package installs successfully in dom0
• When package is uninstalled, SecureDrop Release key no longer present in rpm database

Upgrade testing: keyring package upgrade
This test plan is meant to 'test' a keyring upgrade, meaning that the key is removed then reimported from the rpm database.
Reinstall the keyring package on top of itself via sudo dnf reinstall. While installing, watch the journal in a separate terminal.

• Package installs successfully in dom0
• no systemd failures visible in journal (2 services will be dispatched each with a timer, the first one to remove the existing key and the second one to reimport the new key)
• After about 30 seconds, check RPM database and observe key (still) present.

Testing notes:
Removing files manually (manually deleting the key file or .repo file) then reinstalling the kerying package overtop of itself will not re-install the files or re-import the key. (This is standard rpm behaviour).

[legoktm]

I wasn't able to get the clean install plan to work; but also I didn't have a clean install so I manually deleted the key from the rpm database, could that have caused any issues?

I built the RPM, installed it, verified the repo file was created, but installing the GPG key didn't work. Looking at my journalctl logs, I see:

Jan 14 09:04:10 dom0 systemd[1]: Started run-rd9d802708a17494eb9d008fbc21b167b.timer - /bin/rpm --import /etc/pki/rpm-gpg/RPM-GPG-securedrop-workstation.
Jan 14 09:04:41 dom0 systemd[1]: Started run-rd9d802708a17494eb9d008fbc21b167b.service - /bin/rpm --import /etc/pki/rpm-gpg/RPM-GPG-securedrop-workstation.
Jan 14 09:04:41 dom0 kernel: audit: type=1130 audit(1736863481.538:365): pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=run-rd9d802708a17494eb9d008fbc21b167b comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Jan 14 09:04:41 dom0 audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=run-rd9d802708a17494eb9d008fbc21b167b comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Jan 14 09:04:41 dom0 rpm[4894]: error: /etc/pki/rpm-gpg/RPM-GPG-securedrop-workstation: import read failed(2).
Jan 14 09:04:41 dom0 systemd[1]: run-rd9d802708a17494eb9d008fbc21b167b.service: Main process exited, code=exited, status=1/FAILURE
Jan 14 09:04:41 dom0 systemd[1]: run-rd9d802708a17494eb9d008fbc21b167b.service: Failed with result 'exit-code'.
Jan 14 09:04:41 dom0 audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=run-rd9d802708a17494eb9d008fbc21b167b comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'
Jan 14 09:04:41 dom0 systemd[1]: run-rd9d802708a17494eb9d008fbc21b167b.timer: Deactivated successfully.

Haven't looked up what "import read failed(2)" means yet.

Then I tried doing it manually from a dom0 terminal (sudo rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-securedrop-workstation), and it worked fine

[legoktm]

Also, when I uninstall the package (sudo dnf securedrop-workstation-keyring), I don't see it triggering any systemd-run unit and the key is still there.

[legoktm]

Haven't looked up what "import read failed(2)" means yet.

Based on rpm-software-management/rpm#2683 I think it's just masking the underlying error.

[rocodes]

hm, thanks / sorry about that - I'll take another look. I did step through all the test plans on my sdw machine last week.

[rocodes]

ok, I think we're ready for re-review :)

When doing the 'upgrade' test (reinstalling the package on top of itself), wait about a minute after the package was installed for the first time (basically, watch the journal to be sure that the previous transaction lock held by importing the key has cleanly expired). Similarly, in the uninstall case, wait about 15-30 seconds to see the key removed from the rpm db.

[legoktm]

Everything looks good so far, I'm just waiting on my SDW system to re-provision so I can test the last "Upgrade testing: existing installs" steps.

[legoktm]

Test plan checks out, nice work :)