RFE: automatically import key for F(N+1) when building for rawhide #1338

Closed
keszybz opened this issue Feb 22, 2024 · 5 comments
Labels
enhancement feature request, rfe

Comments

keszybz commented Feb 22, 2024

Every time we branch, there is a short period when local configuration thinks Rawhide==FN, but actually Rawhide==F(N+1), and GPG key verification fails. After branching, the packages in the F(N+1) compose are re-signed using the F(N+1) key, so they do not pass verification with the FN key.

It turns out that it's fairly easy to avoid this problem by importing the additional key.
I made such a change for mkosi and it solves the issue [1].

[1] systemd/mkosi@f221562

Running transaction
Importing PGP key 0xA15B79CC:
 Userid     : "Fedora (40) <[email protected]>"
 Fingerprint: 115DF9AEF857853EE8445D0A0727707EA15B79CC
 From       : file:///usr/share/distribution-gpg-keys/fedora/RPM-GPG-KEY-fedora-40-primary
The key was successfully imported.
Importing PGP key 0xA15B79CC:
 Userid     : "Fedora (40) <[email protected]>"
 Fingerprint: 115DF9AEF857853EE8445D0A0727707EA15B79CC
 From       : file:///usr/share/distribution-gpg-keys/fedora/RPM-GPG-KEY-fedora-40-primary
The key was successfully imported.
Importing PGP key 0x18B8E74C:
 Userid     : "Fedora (39) <[email protected]>"
 Fingerprint: E8F23996F23218640CB44CBE75CF5AC418B8E74C
 From       : file:///usr/share/distribution-gpg-keys/fedora/RPM-GPG-KEY-fedora-39-primary
The key was successfully imported.

Transaction failed: Signature verification failed.
PGP check for package "curl-8.6.0-6.fc40.x86_64"
(/var/lib/mock/fedora-rawhide-x86_64/root/var/cache/dnf/fedora-2d95c80a1fa0a67d/packages/curl-8.6.0-6.fc40.x86_6
4.rpm) from repo "fedora" has failed: Import of the key didn't help, wrong key?
Member

xsuchy commented Feb 22, 2024

Author

keszybz commented Feb 22, 2024

IIUC, that is doing F(N-1), but we actually need F(N+1).
The proof is in the pudding, as they say: mock clearly fails, so I think the existing code must not be enough.

Member

praiskup commented Mar 2, 2024

Can we implement this as @keszybz proposes and, so that it does not fail, always provide the Fedora Rawhide +1 key in distribution-gpg-keys? I assume that there's a race and we don't always have the official Rawhide+1 key :-) but for the limited period when we do not have it, we can provide/fake it temporarily as a 1:1 copy of the Rawhide key -> and replace it once available.
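
Editor's added example, not part of the thread and not code from mock or mkosi: one way to build a `gpgkey=` value that trusts both the FN and F(N+1) keys, and to report an F(N+1) key that is not shipped yet (the race mentioned above). The key directory and file naming are taken from the dnf output quoted in the issue; the function names and the temporary key directory are assumptions made for the illustration.

```python
import tempfile
from pathlib import Path

# Directory and file naming copied from the dnf output quoted in the issue.
KEY_DIR = Path("/usr/share/distribution-gpg-keys/fedora")
KEY_NAME = "RPM-GPG-KEY-fedora-{release}-primary"


def rawhide_key_candidates(local_release):
    """Releases whose key may have signed the current Rawhide compose.

    local_release is the N the local configuration believes Rawhide to be;
    N+1 covers the window after branching described in the issue.
    """
    return [local_release, local_release + 1]


def gpgkey_value(local_release, key_dir=KEY_DIR):
    """Return (space-separated gpgkey value, releases with no key file).

    Only key files that exist are referenced; a release whose key is not
    shipped yet is reported to the caller instead.
    """
    present, missing = [], []
    for release in rawhide_key_candidates(local_release):
        path = Path(key_dir) / KEY_NAME.format(release=release)
        if path.is_file():
            present.append(path.as_uri())
        else:
            missing.append(release)
    return " ".join(present), missing


def demo():
    """Constructed key directory: 40 and 41 shipped, 42 not yet."""
    with tempfile.TemporaryDirectory() as tmp:
        for release in (40, 41):
            key = Path(tmp) / KEY_NAME.format(release=release)
            key.write_text("constructed placeholder, not a real key\n")
        return gpgkey_value(40, tmp), gpgkey_value(41, tmp)


if __name__ == "__main__":
    for value, missing in demo():
        print("gpgkey=" + value, "| missing:", missing)
```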

Member

praiskup commented Mar 2, 2024

See #1342. But I think that next time we should also pay more attention to providing updated mock-core-configs (with the new branched configs) earlier than this time (the guilty release was far from optimal and too late). If the updated configs are distributed in time, the problems with Rawhide shouldn't appear.

Member

praiskup commented Mar 8, 2024

Just trying my best to communicate the issue to the Fedora Releng team: https://pagure.io/releng/issue/12001
