fix(operations.zypper): fix gpg validation, auto-import keys, and permissions#1833
Merged
wowi42 merged 3 commits intoJul 9, 2026
Conversation
wowi42
requested changes
Jul 8, 2026
| for key_url in gpgkey.split(): | ||
| parsed_key = urlparse(key_url) | ||
| if not parsed_key.scheme and not key_url.startswith("/"): | ||
| raise OperationValueError( |
Collaborator
There was a problem hiding this comment.
Missing fixture for this new error path. This raise OperationValueError has no test coverage — add a fixture under dnf.repo/, yum.repo/, or zypper.repo/ with an invalid gpgkey (e.g. "INVALID TEXT") and an "exception" block so the validation code path is exercised.
Contributor
Author
There was a problem hiding this comment.
hello @wowi42 Thanks for catching this , added the missing test fixtures .Kindly let me know if anything else has to be fixed
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description:
Fixes #1830
Fixes #1831
Fixes #1832
Description
This PR addresses three related issues with
zypperand repository management to ensure repositories and packages deploy correctly out-of-the-box.zypper.repo()doesn´t check ifgpgkeyis a valid URL #1830):ensure_yum_reponow parses thegpgkeyargument to ensure it's a valid URL (or an absolute local path). If someone passes invalid text (like"INVALID TEXT"), it throws anOperationValueErrorearly during the generation phase rather than failing silently during deployment.zypper.repo()doesn't authorize new GPG keys #1831):zypper --non-interactiveautomatically rejects unrecognized GPG keys by default. To fix failed package installations from new repositories, I added the--gpg-auto-import-keysflag toinstall_commandandupgrade_commandinzypper.packages(). Zypper will now correctly import valid keys instead of failing..repoFiles (zypper.repo()creates REPO file with the wrong permissions #1832):files.putwas inheriting strict permissions from the internal string buffer, causing repo files to be created with restricted permissions (e.g.,0600). I addedmode="0644"to thefiles.putcall so that non-root users can correctly query and search repositories, matching native package manager defaults.Testing
I updated the JSON test fixtures in accordance with Pyinfra's testing guidelines to verify all the changes:
Key Auto-Import Tests: Updated the expected command output in
tests/operations/zypper.packages/add_packages.json,install_with_args.json,install_with_global_args.json, andupdate_clean.jsonto explicitly ensure the--gpg-auto-import-keysflag is present during installs and updates.Validation Tests: Updated
tests/operations/dnf.repo/add.json,yum.repo/add.json, andzypper.repo/add.jsonto use a valid dummy URL (https://test/key) so they pass the new URL validation checks.Permissions Tests: Added the expected
chmod 644 /etc/.../somerepo.repocommand to the expected outputs of thednf.repo,yum.repo, andzypper.repotest fixtures to mathematically verify themode="0644"implementation.Pull request is based on the default branch (
3.xat this time)Pull request includes tests for any new/updated operations/facts
Pull request includes documentation for any new/updated operations/facts
Tests pass (see
scripts/dev-test.sh)Type checking & code style passes (see
scripts/dev-lint.sh)Pull request title follows the conventional commits format