test: Set up local RPM signing key for package tests #22894

Merged
martinpitt merged 1 commit into cockpit-project:main from martinpitt:sign-rpms
Feb 23, 2026

@martinpitt
Member

Rawhide now enforces rpm signatures by default [1]. To be able to install our test RPMs, set up a local signing key. This happens lazily the first time an RPM is built.

[1] https://fedoraproject.org/wiki/Changes/Enforcing_signature_checking_by_default


This fixes the recent package test failures on rawhide.

@martinpitt
Member Author

Lol -- now COPR/packit/testing farm fall into the same trap when installing the built packages:

package cockpit-bridge-356.dev12+g82712a10e-1.fc45.noarch does not verify: Header OpenPGP V4 RSA/SHA256 signature, key ID 30b78419cd03bde4: NOKEY

This is outside of our domain. In the meantime you can trust me that I validated that on our fedora-rawhide image and the tests pass now, or you try yourself, or we just stall that. Hmm..

@martinpitt
Member Author

I triggered a fedora-rawhide/expensive run. Not sure to what degree that even works, as we don't routinely do this, but let's see 🤞

martinpitt requested review from jelly and mvollmer February 17, 2026 12:41
@jelly
Member

jelly commented Feb 17, 2026

> I triggered a fedora-rawhide/expensive run. Not sure to what degree that even works, as we don't routinely do this, but let's see 🤞

Oh this is a sea of red, applying updates PackageKit crashed.. Testing farm's rawhide run also ran into issues but that is infra related.

@jelly
Member

jelly commented Feb 17, 2026

I re-triggered testing farm's rawhide.

@jelly
Member

jelly left a comment

It's really hard to judge for me if this works or not, one interesting snippet is:

Generating key rpmbuild-root@fedora-rawhide-127-0-0-2-2201
Exporting public key (certificate) to /root/.config/rpm/rpmbuild-root@fedora-rawhide-127-0-0-2-2201.asc
Setting up gpg autosigning in /root/.config/rpm/macros
To import this public key (certificate), run:
	sudo rpmkeys --import /root/.config/rpm/rpmbuild-root@fedora-rawhide-127-0-0-2-2201.asc

@mvollmer
Member

Our own fedora-rawhide images don't seem to enforce signatures yet. Getting testing-farm:fedora-rawhide-x86_64:self green here should be enough proof.

@mvollmer
Member

> Getting testing-farm:fedora-rawhide-x86_64:self green here should be enough proof.

Ah right, that doesn't work bc of the signatures.

@mvollmer
Member

cockpit-project/bots#8740 has been merged so our fedora-rawhide image should now have a signature enforcing rpm.

@mvollmer
Member

mvollmer commented Feb 23, 2026

With the signature enforcing fedora-rawhide image (fedora-rawhide-0baabca0fd69e8653e215af089d49f89ace751068d81eea215a53b6224ef0c4b) but with this PR:

$  test/verify/check-apps TestApps.testBasic
# ----------------------------------------------------------------------
# testBasic (__main__.TestApps.testBasic)
Starting ChromeDriver 144.0.7559.132 (8990ccf77859863f68a0d18957786bd7cb29ff76-refs/branch-heads/7559@{#4252}) on port 32973
Only local connections are allowed.
Please see https://chromedriver.chromium.org/security-considerations for suggestions on keeping ChromeDriver safe.
ChromeDriver was started successfully on port 32973.
Failed to kill unit packagekit.service: Unit packagekit.service not loaded.
Failed to reset failed state of unit packagekit.service: Unit packagekit.service not loaded.
warning: %source_date_epoch_from_changelog is set, but %changelog has no entries to take a date from
	package already-1.0-1.noarch does not verify: no signature
Traceback (most recent call last):
[...]

The test succeeds with this PR. Approved!

martinpitt merged commit 04d86d3 into cockpit-project:main Feb 23, 2026
92 of 96 checks passed
martinpitt deleted the sign-rpms branch February 23, 2026 07:48
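
The two rpm verification errors quoted in this thread have different causes: `no signature` means the package was never signed, while `NOKEY` means it is signed with a key the installing host has not imported. As an added example (not part of this PR or of Cockpit's test code), the Python below classifies such lines from a test log; the `Failure` tuple, the function names and the remediation strings are assumptions made here.

```python
import re
from collections import namedtuple

Failure = namedtuple("Failure", "package kind key_id action")

# Shape of the rpm "does not verify" errors quoted in this thread.
_LINE = re.compile(r"package (?P<pkg>\S+) does not verify: (?P<detail>.+)$")
_KEYID = re.compile(r"key ID (?P<id>[0-9a-fA-F]{8,40})")

def classify(line):
    """Return a Failure for an rpm 'does not verify' line, or None for other lines."""
    m = _LINE.search(line.strip())
    if not m:
        return None
    pkg, detail = m.group("pkg"), m.group("detail")
    if detail == "no signature":
        # Package was built without any signature at all.
        return Failure(pkg, "unsigned", None, "sign the package at build time")
    key = _KEYID.search(detail)
    key_id = key.group("id").lower() if key else None
    if detail.endswith("NOKEY"):
        # Signed, but the signer's public key is not in the rpm keyring.
        return Failure(pkg, "untrusted-key", key_id,
                       "import the signer's public key with rpmkeys --import")
    # Any other status must not be treated as a missing-key problem.
    return Failure(pkg, "other", key_id, "investigate before installing")

def triage(log_text):
    """Classify every verification failure in a log, preserving order."""
    return [f for f in map(classify, log_text.splitlines()) if f]

# Sample input: the two error lines from this thread plus one unrelated line.
SAMPLE_LOG = """\
warning: %source_date_epoch_from_changelog is set, but %changelog has no entries to take a date from
\tpackage already-1.0-1.noarch does not verify: no signature
package cockpit-bridge-356.dev12+g82712a10e-1.fc45.noarch does not verify: Header OpenPGP V4 RSA/SHA256 signature, key ID 30b78419cd03bde4: NOKEY
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.package}: {f.kind} (key {f.key_id}) -> {f.action}")
```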