Add new SHA512 RPM key, use per-disto RPMs

zfs-release/README.md

@@ -2,7 +2,7 @@
 ```
 sudo yum -y install rpm-build
 mkdir -p ~/rpmbuild/{BUILDROOT,SPECS,RPMS,SRPMS,SOURCES,BUILD}
-cp RPM-GPG-KEY-zfsonlinux zfs-el.repo zfs-fedora.repo ~/rpmbuild/SOURCES
+cp RPM-GPG-KEY-openzfs* *.repo ~/rpmbuild/SOURCES
 cp zfs-release.spec ~/rpmbuild/SPECS/
 rpmbuild -ba ~/rpmbuild/SPECS/zfs-release.spec
 ```
@@ -12,3 +12,11 @@ The released zfs-release RPMs should be checked into the top level
 `fedora/` and `epel/` directories in this repo.  Remember to build
 the Fedora RPMs on Fedora, and the EPEL RPMs on a RHEL derivative, as
 the SPEC file does different things depending on the OS it's built upon.
+
+### Keys ###
+`RPM-GPG-KEY-openzfs-key1` - Older key used to sign packages for Fedora 36
+(and older) and EL 6-8.  It's header is encoded with SHA1, and thus is not
+supported by default on EL 9.
+
+`RPM-GPG-KEY-openzfs-key2` - Newer key used to sign EL 9 (and newer) and
+Fedora 37 (and newer).  It's header is encoded with SHA512.

zfs-release/RPM-GPG-KEY-openzfs-key2

@@ -0,0 +1,57 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: GnuPG v2.0.22 (GNU/Linux)
+
+mQINBGLYiZQBEADFiO0tDOd+EOS2tLvLI+0fvX8xWPR+cohAnvMJFWciUt0ucN3c
+XHkEwbTkZNzJJ3s2AIVzq+zhi8SF3t/y0VIiK4pba5OOp14HvzkxBPStPw6Q7KNG
+x07QZxrQ5BwKW2IU1HNUm+bsj8pKjoYWFc2XAzvOR8I/247RyiNVHLD385oHRR6T
+DQKv0ZLwEekokgqqtJwapjCm5nUmwxr4FmBQKzu7bHYS/hqv4q1z2d5YY23UQ9B0
+gazILmenU/xgIHWkPl/7HHetq0zbFrgFao9TfRkaMHLubmX34N7xJD99wszy8ZR0
+yf+b/16oQrNY3BRsD2ZMO5I3elRPYdaXvRvwuzYGVpULWdEEaDr2FaA+JnEJHZac
+v9EdZhROROKIZI1BxPOeNxIlumAgSXTIvFIC2sRGWb7/a/WbI+N7bGXcMENn2s7d
++xiRHhAkdehqY6iWwLFX7jmueesL46Qzsaqn+547aHivuBxETPWuvLs+ANzmqBP4
+T5NP2VVpux9in5VOP5JbE+kRZRH3HrTMQJBMIqFhUFYlkfFBbVDsgZLEFMBpNbZx
+4+xcIp2Qe3ODv1+gL2ocOaYmPdMKDoLk/+qecDiZGChHJlUk2MWLEJ+yZ0ZN3RWw
+hb+JB8xoJVTRQrOgToPHaVeRTSwRmwMTGICLIG3KRxZ6aKgBEfjqGyeKLwARAQAB
+tB1PcGVuWkZTIDxyZWxlYXNlQG9wZW56ZnMub3JnPokCNwQTAQoAIQUCYtiJlAIb
+AwULCQgHAwUVCgkICwUWAgMBAAIeAQIXgAAKCRClmf1enbhBQTixD/9IxQ/StgUv
+pf/qybWa38dEI2Iri+UvR6zy9Nja9SJ2rBrSF5umNNsuRxTD2qvbjNcvOt40sFoj
+pM8aS8JO0Rv5ouMh/Kxbpn0fyzvXVpx3c/ulCHRC38Dnw9G/HijYwxGy+WbysbGF
+HwxepI5MTdImbSJnteNx0q/2SPWCK+KdSTXcbKM113QDXM9b8mJFdOvRa0Mxfu0y
+7qFz+yNmTDZ/tCNoWCCa4G3lmpDosCIjnDoHoethwVvf/M1THRYeXLT8SQEOXJDp
+gT5K0ffzFbqnbio+3r4EDjCZFM+ZKfaRb5kSDdt+xYreW6Q35OIsoVZsEHeAy+J8
+gmk2HGmHCZ8nzO2iUFkq4OQWtOubmYpSB49CDn8zEplhy72BNFL6MTBH9RsaLOBH
+uJbmZFwrFRA6aq5c/NKY2PsgWlxKx3no2grScQC/VmGWu1YZ/rnkiPSf2l+PmFWo
+EvJyElSj52NmpJv0KfggDNGm4j7Axo9uxRMetO0g0Ee1xS0d2ApcpgCd5DmRYcEt
+bUoj/qDdtlTJSLJLClWswEjxYM54NmPE2/Fp8qv58iFJgQsrgaB9RK0VShA8+zK2
+/lbv7aTlQ1SUBdryvMXb9W+xupjzBW1M4rJACZyJegQlnuBYmtlcYW2RarESWmEY
+5vBCc5OBlsKFDLkmHITiFIvotDsDsDS+tokBHAQQAQoABgUCYtiNdgAKCRCp1aHA
+8Uq2IM4EB/oCB0Wwysk08Xgl3nfpZccliG+QSL8Rj4FVV/eJUq+V8kxlkFDGeql/
+f5Qhji0ma8jIJyB8gsi6g/3HVJK7ry5XwHWBPyTv6NR+PrfB2tGrbN7S4R+S5rd7
+yfgRkvsP7+DjUQcMkzY8oXvy0YR84QcO2f+zcqZmY6trwn+p1S4HNjpG/28vZrix
+Ytdogg8b9F1OFtfJiCQABC1XnT3R8mvIcwCjtkvwJY8L30CNkBZ6svOyVfRVsEG1
+HQl1bPo8LTLpDQU52uC41J89i0heBxv9tIUTrbxJIPx5l9QvQYSJ8pKTRxyAFrlR
+n5ANBdk+deEpazZWoZmbDVsPMYXnTwzGuQINBGLYiZQBEACyqsd/q4GWA8MJuk2h
+q/qqKGBf6xU3GBPDm0CF0EWB1sTKx17Rl9cwe7wyDrB0iw4w4bcfujO/k7y6rNGQ
+7PuBpG17dMsQM9H5DBPptO0e00jn5DBNcgSvgTSJpXIzC0VBrfPRDTpZmBP6GWuI
+/Xqa8RahhpEZmXOqxfOi1qZsD8+gDAv2G595025/9nf/KfbYZTibVWurkzHx/URG
+GASMnip3Y0q7Plo3CjEP28EvtyK3fA+OpCOuHYbhJVJGKsVszP/ZRppjjh2yS4hz
+EB6u41Zv0h5/imBFxMyCF3Q44ZvxeMyEXRZG9Omh7swqu3HW/BspEnefxCvc+zp5
+CW6Pjs5yVx4CKzb+Uo7fR7tnUwbKXvUnKJLWO+POFUn7sc3wtY8WpS9XSXIfwLHX
+oiDqirGO3sKG/Mm9ydQL794zykjm6tM32A1VJT7Lz9eLAyo4BQl04X8na/O+kBbR
+0LB7EEhpHokx5cD3NALfKa6S7ZK0/rsrH5n/7RsKnEunyoUjViOnSRbfuz19bV7b
+A6SxrLkY+RRW7GVUHvPIYwOAlifCUQVFnezc9HEMMr5aM0D0PppKwDoJhisLttQN
+FLp9pagcIAg7bxTtvRPJxPgXSeAbI0WOYpyD1dHy4YN1OpY4x0kONB+6rxAKEwUp
+HzDmDSXXLYcFyXFDiNDPwWTaKwARAQABiQIeBBgBCgAJBQJi2ImUAhsMAAoJEKWZ
+/V6duEFBeP8P9Ah4NUIX9AetziaKsG9nxMSc6O1C3BFr05ZRXT1ochHlJZEkI850
+EdLZv5e6cxO4Xuobb0DsdmsMavd0v739SpBqzXh+xvr5Y7JmwTiMzTrcJumHEVbs
+9bUxCIrB2ORgbR3ZrgCK2tjB8EtTQRAaDnh3UdQIY58KVpgVLtY1uOEuP3Vi76i+
+RgPZtLSooPrIyL9uFD3bfn5Ebuml2mHlw/MEBTLCMh2gKqnYzYbB1C7OmqwM5RtM
+SeVWFTctFHo/P9nkE8OSr29MCx7MKalYrS1rU6O8Cg2S7CIOQ/MHpepcs8Z7M1jn
+suYWBkgzX/hnOwCNkoWQv/LRh9HTcRe4bYctsGKb35dUAArah0xB2BpQ+srw5IOf
+C2spzYmFB2rx/wNSftEmAT7YwDlhFsS0/fGAPkW6Um2h3H0L2lLVG5XgBbfpY1my
+o80d20LSVbvftDhAeR9/Dj3Plgve5tIdUZLNN6CXmAUJYlGkLdv03hQ69lIFkwPO
+dn3ycQkk86Pnwt+DY2nUHsxFcEstZIASCr+htCv2YI/MYDWfDpO7j2TfCqspXV+7
+FgeCqkEZ1d8uha1/3VQmGXKHOQwc2YZ42k+at8LzlgseGdez+OBh4rc2WM3csB34
+yBGA1C8bQc8pIpWQ/eR8VGdmg1BYhrrSlyhepSjhBZ3UP3HjPL9WhoA=
+=g37Q
+-----END PGP PUBLIC KEY BLOCK-----

zfs-release/zfs-el.repo

@@ -4,42 +4,42 @@ baseurl=http://download.zfsonlinux.org/epel/$releasever/$basearch/
 enabled=1
 metadata_expire=7d
 gpgcheck=1
-gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-zfsonlinux
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-openzfs
 
 [zfs-kmod]
 name=ZFS on Linux for EL$releasever - kmod
 baseurl=http://download.zfsonlinux.org/epel/$releasever/kmod/$basearch/
 enabled=0
 metadata_expire=7d
 gpgcheck=1
-gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-zfsonlinux
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-openzfs
 
 [zfs-source]
 name=ZFS on Linux for EL$releasever - Source
 baseurl=http://download.zfsonlinux.org/epel/$releasever/SRPMS/
 enabled=0
 gpgcheck=1
-gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-zfsonlinux
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-openzfs
 
 [zfs-testing]
 name=ZFS on Linux for EL$releasever - dkms - Testing
 baseurl=http://download.zfsonlinux.org/epel-testing/$releasever/$basearch/
 enabled=0
 metadata_expire=7d
 gpgcheck=1
-gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-zfsonlinux
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-openzfs
 
 [zfs-testing-kmod]
 name=ZFS on Linux for EL$releasever - kmod - Testing
 baseurl=http://download.zfsonlinux.org/epel-testing/$releasever/kmod/$basearch/
 enabled=0
 metadata_expire=7d
 gpgcheck=1
-gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-zfsonlinux
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-openzfs
 
 [zfs-testing-source]
 name=ZFS on Linux for EL$releasever - Testing Source
 baseurl=http://download.zfsonlinux.org/epel-testing/$releasever/SRPMS/
 enabled=0
 gpgcheck=1
-gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-zfsonlinux
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-openzfs

zfs-release/zfs-fedora.repo

@@ -4,26 +4,26 @@ baseurl=http://download.zfsonlinux.org/fedora/$releasever/$basearch/
 enabled=1
 metadata_expire=7d
 gpgcheck=1
-gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-zfsonlinux
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-openzfs
 
 [zfs-source]
 name=ZFS on Linux for Fedora $releasever - Source
 baseurl=http://download.zfsonlinux.org/fedora/$releasever/SRPMS/
 enabled=0
 gpgcheck=1
-gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-zfsonlinux
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-openzfs
 
 [zfs-testing]
 name=ZFS on Linux for Fedora $releasever - Testing
 baseurl=http://download.zfsonlinux.org/fedora-testing/$releasever/$basearch/
 enabled=0
 metadata_expire=7d
 gpgcheck=1
-gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-zfsonlinux
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-openzfs
 
 [zfs-testing-source]
 name=ZFS on Linux for Fedora $releasever - Testing Source
 baseurl=http://download.zfsonlinux.org/fedora-testing/$releasever/SRPMS/
 enabled=0
 gpgcheck=1
-gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-zfsonlinux
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-openzfs

zfs-release/zfs-release.spec

@@ -6,19 +6,44 @@
 %global osname      el
 %endif
 
-Name:           zfs-release-%{osname}
+Name:           zfs-release
 Version:        2
-Release:        1
+Release:        2%{dist}
 Summary:        OpenZFS Repository Configuration
 
 Group:          System Environment/Base
 License:        BSD
 URL:            http://zfsonlinux.org
 Source0:        zfs-el.repo
 Source1:        zfs-fedora.repo
-Source10:       RPM-GPG-KEY-zfsonlinux
+Source10:       RPM-GPG-KEY-openzfs-key1
+Source11:       RPM-GPG-KEY-openzfs-key2
 BuildRoot:      %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 BuildArch:      noarch
+Obsoletes:      zfs-release <= %{version}-%{release}
+Obsoletes:      zfs-release-%{osname} <= %{version}-%{release}
+Provides:       zfs-release = %{version}-%{release}
+
+# We have two GPG keys -
+#
+# RPM-GPG-KEY-openzfs-key1:
+#     Older, SHA1-encoded key used on RHEL 6-8 and Fedora 36 and older.
+#
+# RPM-GPG-KEY-openzfs-key2:
+#     Newer, SHA512-encoded key used on RHEL 9+ and Fedora 37+.  RHEL 9
+#     no longer allows SHA1 RPM keys by default.
+#
+# We install the correct one depending on the distro version.
+#
+%if 0%{?rhel} && 0%{?rhel} < 9
+%global rpmkey  %{SOURCE10}
+%else
+%if 0%{?fedora} && 0%{?fedora} < 37
+%global rpmkey  %{SOURCE10}
+%else
+%global rpmkey  %{SOURCE11}
+%endif
+%endif
 
 # RHEL 9 defaults to using zstd for RPM compression.  Unfortunately, CentOS 7
 # does not support zstd, so force gzip compression for compatibility.
@@ -44,9 +69,8 @@ install -d -m755 \
   $RPM_BUILD_ROOT%{_sysconfdir}/yum.repos.d
 
 # GPG Key
-%{__install} -Dp -m644 \
-    %{SOURCE10} \
-    $RPM_BUILD_ROOT%{_sysconfdir}/pki/rpm-gpg
+%{__install} -Dp -m644 %{rpmkey} \
+    $RPM_BUILD_ROOT%{_sysconfdir}/pki/rpm-gpg/RPM-GPG-KEY-openzfs
 
 # Yum .repo files
 %{__install} -p -m644 zfs-%{osname}.repo \
@@ -61,13 +85,11 @@ rm -rf $RPM_BUILD_ROOT
 %config(noreplace) %{_sysconfdir}/yum.repos.d/*
 
 %post
-# We only need to import the key on RHEL 7 and below
-# https://github.com/zfsonlinux/zfsonlinux.github.com/pull/63
-%if 0%{?rhel} && 0%{?rhel} < 8
-rpm --import %{_sysconfdir}/pki/rpm-gpg/RPM-GPG-KEY-zfsonlinux
-%endif
 
 %changelog
+* Mon Jul 25 2022 Tony Hutter <hutter2@llnl.gov> - 2-2
+- Add newer, SHA512-encoded, RPM-GPG-KEY-openzfs-key2 key.
+- Add "Obsoletes" and "Provides" sections.
 * Wed Jun 22 2022 Todd Zullinger <tmz@pobox.com> - 2-1
 - Build Fedora and EL packages from the same source
 * Wed Jun 22 2022 Tony Hutter <hutter2@llnl.gov> - 2-1