chroots: drop opensuse-tumbleweed (broken base-repo GPG signature)#4
Open
matthaigh27 wants to merge 1 commit into
Open
chroots: drop opensuse-tumbleweed (broken base-repo GPG signature)#4matthaigh27 wants to merge 1 commit into
matthaigh27 wants to merge 1 commit into
Conversation
openSUSE Tumbleweed builds began failing across every package on 2026-06-13 (gogcli, wacli, codex, opencode, ollama, claude-code all went red after succeeding through 06-12). All failures are identical and occur during mock chroot bootstrap, before rpmbuild runs: openSUSE Tumbleweed - x86_64 - OSS >>> repomd.xml GPG signature verification error: Bad GPG signature This is an upstream/Copr-infrastructure issue: Tumbleweed (rolling) rotated its RPM repo signing key as part of the SUSE Linux 16 key transition, and Copr's mock chroot config still pins the stale key, so the base OSS repo's repomd.xml fails verification at bootstrap. A fresh opensuse/tumbleweed container refreshes fine only via --gpg-auto-import-keys (it fetches the live key); there is no spec-level lever to fix the chroot's pinned key. Exclude opensuse-tumbleweed globally via chroot_exclude_distros, matching the existing precedent (nodejs25-caged already excludes it). This is reversible: drop the entry once Copr refreshes the Tumbleweed signing key. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01We1Yi5uEBikfHSvcTP2FEf
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Every package's latest Copr build is failing on
opensuse-tumbleweed(x86_64 on all, plus aarch64 on the native ones). This PR excludesopensuse-tumbleweedfrom the build matrix to get the projects back to green.(
nodejs25-cagedalready excludes Tumbleweed and is unaffected.)Root cause
This is one chroot-specific failure, not six package bugs. All six fail identically, during mock chroot bootstrap (
dnf5 install dnf5 dnf5-plugins) — beforerpmbuildever runs — with:The other 34/36 chroots succeed for every package, confirming the packaging is sound.
It's a regression with a clear onset: Tumbleweed built fine through 2026-06-12, then went red on 2026-06-13 and has stayed red across multiple build batches since. openSUSE Tumbleweed (a rolling release) rotated its RPM repo signing key as part of the SUSE Linux 16 key transition, and Copr's mock chroot config still pins the stale key — so the base OSS repo's
repomd.xmlfails GPG verification at bootstrap. Thecopr_baserepomd.xml.asc404 in the logs is a secondary symptom.This is upstream/Copr infrastructure — there is no spec-level lever to fix the chroot's pinned key.
Verification (docker, no long compile)
A fresh
opensuse/tumbleweedcontainer carries the new "SUSE 16" signing keys and refreshes the OSS repo cleanly — but only viazypper --gpg-auto-import-keys, which fetches the live key. That's exactly the key Copr's mock config hasn't picked up. This reproduces the diagnosis without rebuilding any package.Fix
Add
opensuse-tumbleweedto the globalchroot_exclude_distrosinpackages.json, matching the existing precedent (nodejs25-cagedalready lists it). Applies to all per-package projects and the umbrellaaiproject.Reversible: drop the entry once Copr refreshes the Tumbleweed signing key and a manual build succeeds again.
🤖 Generated with Claude Code
Generated by Claude Code