From ab3bed73fded915d22769ac16c8cde8bb6a8722d Mon Sep 17 00:00:00 2001
From: Lindley Vieira
Date: Wed, 17 Sep 2025 14:30:07 -0400
Subject: [PATCH] Disable GPG in inactive load import

The major releases loads are creating a remote without the no-gpg-verify flag, this causes the pull from this repo to fail. This commit adds this flag when creating an Ostree remote. Also, it check and add gpg key after load_import script, to fix the issue in N-1 loads missing this config.

Test-Plan:
PASS: Import a N+1 major release load and see the remote was created with gpg disabled in the config file
PASS: Import an N-1 major release load and see the remote was created with gpg disabled in the config file

Closes-Bug: 2124981
Change-Id: I6bb4fc6a535d0c8f954d778ec08f18f70a676254
Signed-off-by: Lindley Vieira
---
 software/scripts/major-release-upload | 5 +++--
 software/software/constants.py | 2 ++
 software/software/ostree_utils.py | 28 ++++++++++++------------
 software/software/software_controller.py | 7 ++++++
 4 files changed, 26 insertions(+), 16 deletions(-)

diff --git a/software/scripts/major-release-upload b/software/scripts/major-release-upload
index 5abfd156..51bbc1b5 100644
--- a/software/scripts/major-release-upload
+++ b/software/scripts/major-release-upload
@@ -142,8 +142,9 @@ def load_import(from_release, to_major_rel, iso_mount_dir):
 config.write(file, space_around_delimiters=False)
 
 # Create 'starlingx' remote on the feed ostree_repo
- cmd = ["ostree", "remote", "add", "--repo=%s/ostree_repo/" % to_feed_dir,
- FEED_REMOTE, "http://controller:8080/feed/rel-%s/ostree_repo/" % to_major_rel,
+ cmd = ["ostree", "remote", "add", "--no-gpg-verify",
+ "--repo=%s/ostree_repo/" % to_feed_dir, FEED_REMOTE,
+ "http://controller:8080/feed/rel-%s/ostree_repo/" % to_major_rel,
 FEED_BRANCH]
 try:
 subprocess.check_call(cmd)
diff --git a/software/software/constants.py b/software/software/constants.py
index add681a3..51ab9d7b 100644
--- a/software/software/constants.py
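Review bot: The added `--no-gpg-verify` in the `cmd` list of `load_import` is unconditional and nothing marks it as temporary, while the remote URL in the same list is plain `http://controller:8080/...`, so pulls from this remote are neither signature-checked nor transport-protected. I would put a comment above `cmd`, for example `# TODO: drop --no-gpg-verify once feed commits are signed; until then pulls from this remote are unauthenticated`, in line with the TODO that `add_gpg_verify_false` already carries. `load_import` begins and continues outside this hunk, so how the pulled content is validated afterwards is not visible here.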
+++ b/software/software/constants.py
@@ -105,6 +105,8 @@ OSTREE_AUX_REMOTE_PATH = "/ostree/repo"
 OSTREE_HISTORY_NOT_FETCHED = "<< History beyond this commit not fetched >>"
 OSTREE_REPO = 'ostree_repo'
 SYSROOT_OSTREE_REF = "debian:starlingx"
+OSTREE_CONFIG = "config"
+OSTREE_GPG_VERIFY = "gpg-verify"
 
 # Sysroot
 SYSROOT_OSTREE = "/sysroot/ostree/repo"
diff --git a/software/software/ostree_utils.py b/software/software/ostree_utils.py
index 8a3c05ea..2ba6551e 100644
--- a/software/software/ostree_utils.py
+++ b/software/software/ostree_utils.py
@@ -75,23 +75,23 @@ def get_ostree_latest_commit(ostree_ref, repo_path):
 return latest_commit
 
 
-def add_gpg_verify_false():
+def add_gpg_verify_false(repo_path=constants.SYSROOT_OSTREE):
 # TODO(mmachado): remove once gpg is enabled
 # Modify the ostree configuration to disable gpg-verify
- try:
- command = """
- # Check if gpg-verify=false is at the end of the file and adds it if not
- if ! tail -n 1 /sysroot/ostree/repo/config | grep -q '^gpg-verify=false$'; then
- echo "gpg-verify=false" >> /sysroot/ostree/repo/config
- fi
- """
- subprocess.run(command, shell=True, check=True)
+ config_path = os.path.join(repo_path, constants.OSTREE_CONFIG)
+ if os.path.exists(config_path):
+ config = configparser.ConfigParser()
+ config.read(config_path)
 
- except subprocess.CalledProcessError as e:
- msg = "Failed to modify ostree config to disable GPG verification"
- err_msg = "Command Error: return code: %s, Output: %s" \
- % (e.returncode, e.stderr.decode("utf-8") if e.stderr else "No error message")
- LOG.exception(err_msg)
+ for section in config.sections():
+ if section.startswith("remote ") and \
+ constants.OSTREE_GPG_VERIFY not in config[section]:
+ config[section][constants.OSTREE_GPG_VERIFY] = "false"
+
+ with open(config_path, 'w') as file:
+ config.write(file, space_around_delimiters=False)
+ else:
+ msg = f"Ostree config file: {config_path} does not exist"
 raise OSTreeCommandFail(msg)
 
 
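Review bot: In the new body of `add_gpg_verify_false`, a failure in `config.read()` or in the `open(config_path, 'w')` rewrite now escapes as a raw `configparser.Error` or `OSError`, where the removed code logged through `LOG.exception` and raised `OSTreeCommandFail`; only the missing-file branch still maps to that exception. The config is also rewritten on every call even when no section changed, and nothing records which `remote` sections had signature checking turned off, which is worth logging for a change that weakens verification. The patch has no import hunk for `configparser` or `os`, so both are presumably already imported in ostree_utils.py and that should be confirmed. A sketch that wraps the errors, writes only on change and logs the affected sections follows.

```python
def add_gpg_verify_false(repo_path=constants.SYSROOT_OSTREE):
    # … unchanged: TODO comments, config_path assignment …
    if not os.path.exists(config_path):
        msg = f"Ostree config file: {config_path} does not exist"
        raise OSTreeCommandFail(msg)

    try:
        config = configparser.ConfigParser()
        config.read(config_path)

        changed = []
        for section in config.sections():
            if section.startswith("remote ") and \
                    constants.OSTREE_GPG_VERIFY not in config[section]:
                config[section][constants.OSTREE_GPG_VERIFY] = "false"
                changed.append(section)

        # Rewrite only when a section was actually modified, and leave a
        # record of which remotes had verification disabled.
        if changed:
            with open(config_path, 'w') as file:
                config.write(file, space_around_delimiters=False)
            LOG.info("Set gpg-verify=false in %s for: %s", config_path, changed)
    except (OSError, configparser.Error) as e:
        msg = "Failed to modify ostree config to disable GPG verification"
        LOG.exception("%s: %s", msg, e)
        raise OSTreeCommandFail(msg)
```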
diff --git a/software/software/software_controller.py b/software/software/software_controller.py
index d69a6620..1e95b06b 100644
--- a/software/software/software_controller.py
+++ b/software/software/software_controller.py
@@ -1529,6 +1529,13 @@ class PatchController(PatchService):
 local_info += load_import_info or ""
 local_error += load_import_error or ""
 
+ # TODO(lvieira): fix when 24.09 is the N-1 load. Remove it in 26.09
+ ostree_feed_repo_path = os.path.join(
+ constants.FEED_OSTREE_BASE_DIR,
+ ("rel-%s" % utils.get_major_release_version(to_release)),
+ constants.OSTREE_REPO)
+ ostree_utils.add_gpg_verify_false(ostree_feed_repo_path)
+
 # Copy metadata.xml to /opt/software/rel-/
 to_file = os.path.join(constants.SOFTWARE_STORAGE_DIR, ("rel-%s" % to_release), "metadata.xml")
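Review bot: The new call `ostree_utils.add_gpg_verify_false(ostree_feed_repo_path)` runs straight after `local_error += load_import_error or ""` without checking whether the import reported an error, and the helper raises `OSTreeCommandFail` when the feed repo's `config` file is absent, so a failed import may surface here as a second, less informative failure. Whether that exception is handled cannot be seen from the hunk, because the enclosing method starts and ends outside it; if it is not, guard the call, for example with `if not load_import_error:`. The TODO would also read better if it said why the call exists, e.g. `# N-1 load_import scripts add the feed remote without --no-gpg-verify; patch the feed repo config here (remove in 26.09)`.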