Skip to content

fix(operations.zypper): fix gpg validation, auto-import keys, and permissions#1833

Merged
wowi42 merged 3 commits into
pyinfra-dev:3.xfrom
doraem-on:fix/zypper-gpg-key-validation-and-auto-import
Jul 9, 2026
Merged

fix(operations.zypper): fix gpg validation, auto-import keys, and permissions#1833
wowi42 merged 3 commits into
pyinfra-dev:3.xfrom
doraem-on:fix/zypper-gpg-key-validation-and-auto-import

Conversation

@doraem-on

@doraem-on doraem-on commented Jun 12, 2026

Copy link
Copy Markdown
Contributor

Description:

Fixes #1830
Fixes #1831
Fixes #1832

Description

This PR addresses three related issues with zypper and repository management to ensure repositories and packages deploy correctly out-of-the-box.

  1. GPG Key URL Validation (zypper.repo() doesn´t check if gpgkey is a valid URL #1830): ensure_yum_repo now parses the gpgkey argument to ensure it's a valid URL (or an absolute local path). If someone passes invalid text (like "INVALID TEXT"), it throws an OperationValueError early during the generation phase rather than failing silently during deployment.
  2. Key Auto-Import for Non-Interactive Installs (zypper.repo() doesn't authorize new GPG keys #1831): zypper --non-interactive automatically rejects unrecognized GPG keys by default. To fix failed package installations from new repositories, I added the --gpg-auto-import-keys flag to install_command and upgrade_command in zypper.packages(). Zypper will now correctly import valid keys instead of failing.
  3. World-Readable .repo Files (zypper.repo() creates REPO file with the wrong permissions #1832): files.put was inheriting strict permissions from the internal string buffer, causing repo files to be created with restricted permissions (e.g., 0600). I added mode="0644" to the files.put call so that non-root users can correctly query and search repositories, matching native package manager defaults.

Testing

I updated the JSON test fixtures in accordance with Pyinfra's testing guidelines to verify all the changes:

  • Key Auto-Import Tests: Updated the expected command output in tests/operations/zypper.packages/add_packages.json, install_with_args.json, install_with_global_args.json, and update_clean.json to explicitly ensure the --gpg-auto-import-keys flag is present during installs and updates.

  • Validation Tests: Updated tests/operations/dnf.repo/add.json, yum.repo/add.json, and zypper.repo/add.json to use a valid dummy URL (https://test/key) so they pass the new URL validation checks.

  • Permissions Tests: Added the expected chmod 644 /etc/.../somerepo.repo command to the expected outputs of the dnf.repo, yum.repo, and zypper.repo test fixtures to mathematically verify the mode="0644" implementation.

  • Pull request is based on the default branch (3.x at this time)

  • Pull request includes tests for any new/updated operations/facts

  • Pull request includes documentation for any new/updated operations/facts

  • Tests pass (see scripts/dev-test.sh)

  • Type checking & code style passes (see scripts/dev-lint.sh)

  • Pull request title follows the conventional commits format

@doraem-on doraem-on changed the title fix(zypper): fixed GPG validation, auto-import keys, and correct repo permissions fix(zypper): fix gpg validation, auto-import keys, and permissions Jun 12, 2026
@wowi42 wowi42 added bug Label for all kind of bugs. operations Issues with operations. labels Jun 12, 2026
@doraem-on doraem-on changed the title fix(zypper): fix gpg validation, auto-import keys, and permissions fix(operations.zypper): fix gpg validation, auto-import keys, and permissions Jun 12, 2026

@wowi42 wowi42 left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

One issue needs fixing.

for key_url in gpgkey.split():
parsed_key = urlparse(key_url)
if not parsed_key.scheme and not key_url.startswith("/"):
raise OperationValueError(

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Missing fixture for this new error path. This raise OperationValueError has no test coverage — add a fixture under dnf.repo/, yum.repo/, or zypper.repo/ with an invalid gpgkey (e.g. "INVALID TEXT") and an "exception" block so the validation code path is exercised.

@doraem-on doraem-on Jul 9, 2026

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

hello @wowi42 Thanks for catching this , added the missing test fixtures .Kindly let me know if anything else has to be fixed

@wowi42 wowi42 merged commit d1d8b43 into pyinfra-dev:3.x Jul 9, 2026
30 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

bug Label for all kind of bugs. operations Issues with operations.

Projects

None yet

2 participants