From 467f7dcb3cead9ce736c1c6fd0518e8ae61faef6 Mon Sep 17 00:00:00 2001
From: Dusty Mabe <dusty@dustymabe.com>
Date: Fri, 23 Jun 2017 08:40:55 -0400
Subject: [PATCH] atomic: enable gpg verification after install

Taking the first step towards enabling gpg verification for our
users we'll make it so that the media they download will verify
gpg signatures of commits by default.

The next step is to enable gpg verification during install as well
but there is a race condition where the commit that was just created
might not yet be signed. See [1] for more details.

[1] https://pagure.io/pungi/issue/650
---
 fedora-atomic.ks | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/fedora-atomic.ks b/fedora-atomic.ks
index d28c9da..c7f3622 100644
--- a/fedora-atomic.ks
+++ b/fedora-atomic.ks
@@ -42,7 +42,7 @@ reboot
 # This location is where the compose gets synced to after the compose
 # is done.
 ostree remote delete fedora-atomic
-ostree remote add --set=gpg-verify=false fedora-atomic 'https://kojipkgs.fedoraproject.org/atomic/rawhide/'
+ostree remote add --set=gpg-verify=true --set=gpgkeypath=/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-27-primary fedora-atomic 'https://kojipkgs.fedoraproject.org/atomic/rawhide/'
 
 # older versions of livecd-tools do not follow "rootpw --lock" line above
 # https://bugzilla.redhat.com/show_bug.cgi?id=964299