fix: exclude legacy RPM targets from GPG signing with recent key (#143)

Signed-off-by: Patrick Stephens <pat@fluent.do>

Author: patrick-stephens

install.sh

@@ -49,6 +49,9 @@ if [ -n "${DISABLE_CONTROL_CHARS:-}" ]; then
 	NC=''
 fi
 
+# Any additional options to pass to the package manager
+INSTALL_ADDITIONAL_PARAMETERS=${INSTALL_ADDITIONAL_PARAMETERS:-}
+
 # ============================================================================
 # Prerequisites Check
 # ============================================================================
@@ -674,24 +677,27 @@ install_package() {
 				log_warning "Unable to update repositories"
 				log_debug "$SUDO $PKG_MANAGER update failed"
 			fi
-            log_debug "Running: $SUDO $PKG_MANAGER install -y $package_file"
-            if ! $SUDO "$PKG_MANAGER" install -y "$package_file"; then
+            log_debug "Running: $SUDO $PKG_MANAGER install -y $INSTALL_ADDITIONAL_PARAMETERS $package_file"
+            # shellcheck disable=SC2086
+            if ! $SUDO "$PKG_MANAGER" install -y $INSTALL_ADDITIONAL_PARAMETERS "$package_file"; then
                 log_error "Failed to install .deb package"
                 return 1
             fi
             ;;
         rpm)
             log_debug "Installing .rpm package"
-            log_debug "Running: $SUDO $PKG_MANAGER install -y $package_file"
-            if ! $SUDO "$PKG_MANAGER" install -y "$package_file"; then
+            log_debug "Running: $SUDO $PKG_MANAGER install -y $INSTALL_ADDITIONAL_PARAMETERS $package_file"
+            # shellcheck disable=SC2086
+            if ! $SUDO "$PKG_MANAGER" install -y $INSTALL_ADDITIONAL_PARAMETERS "$package_file"; then
                 log_error "Failed to install .rpm package"
                 return 1
             fi
             ;;
         apk)
             log_debug "Installing .apk package"
-            log_debug "Running: $SUDO $PKG_MANAGER add --allow-untrusted $package_file"
-            if ! $SUDO "$PKG_MANAGER" add --allow-untrusted "$package_file"; then
+            log_debug "Running: $SUDO $PKG_MANAGER add --allow-untrusted $INSTALL_ADDITIONAL_PARAMETERS $package_file"
+            # shellcheck disable=SC2086
+            if ! $SUDO "$PKG_MANAGER" add --allow-untrusted $INSTALL_ADDITIONAL_PARAMETERS "$package_file"; then
                 log_error "Failed to install .apk package"
                 return 1
             fi

scripts/sign-packages.sh

@@ -31,8 +31,18 @@ fi
 if [[ -n "$GPG_KEY" ]]; then
 	if command -v rpm &>/dev/null; then
 		echo "INFO: RPM signing"
-		# Sign all RPMs
+
+		# Now sign everything
 		find "$BASE_DIR" -type f -name "*.rpm" -print -exec rpm --define "_gpg_name $GPG_KEY" --addsign {} \;
+
+		# Legacy targets have some issues with more recent GPG keys: https://superuser.com/a/977804
+		excludePackages=("package-centos-6" "package-centos-7" "package-centos-8" "package-almalinux-8" "package-rockylinux-8")
+		for i in "${excludePackages[@]}"; do
+		  if [[ -d "$BASE_DIR"/"$i" ]]; then
+			echo "Removing GPG key from legacy package: $i"
+			find "$BASE_DIR"/"$i" -type f -name "*.rpm" -print -exec rpm --delsign {} \;
+		  fi
+		done
 	else
 		echo "WARNING: skipping RPM signing"
 	fi