Test Build: Failing on some arch caused by untrusted GPG key

[Ra2-IFV]

arm_cortex-a9_vfpv3-d16 mips_24kc mipsel_24kc

https://github.com/openwrt/packages/actions/runs/12027875534?pr=25449

--2024-11-26 09:45:17--  https://downloads.openwrt.org/snapshots/targets/armsr/armv7/sha256sums.asc
Resolving downloads.openwrt.org (downloads.openwrt.org)... 146.75.30.132, 2a04:4e42:77::644
Connecting to downloads.openwrt.org (downloads.openwrt.org)|146.75.30.132|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 299 [text/plain]
Saving to: ‘sha256sums.asc’

     0K                                                       100% 23.9M=0s

2024-11-26 09:45:17 (23.9 MB/s) - ‘sha256sums.asc’ saved [299/299]

gpg: Signature made Tue 26 Nov 2024 09:34:36 AM UTC
gpg:                using EDDSA key 92C561DE55AE6552F3C736B82B0151090606D1D9
gpg: BAD signature from "OpenWrt Build System (Nitrokey3) <[email protected]>" [unknown]
Error: Process completed with exit code 1.

[ynezz]

This looks like a CDN issue, I'm not able to reproduce it here.

for file in sha256sum sha256sums; do \
   curl -s https://downloads.openwrt.org/snapshots/targets/armsr/armv7/$file -o $file ; \
done ;  \
gpg --verify sha256sums.asc

gpg: assuming signed data in 'sha256sums'
gpg: Signature made Tue 26 Nov 2024 09:34:36 AM UTC
gpg:                using EDDSA key 92C561DE55AE6552F3C736B82B0151090606D1D9
gpg: Good signature from "OpenWrt Build System (Nitrokey3) <[email protected]>" [ultimate]
Primary key fingerprint: 8A8B C12F 46B8 36C0 F9CD  B36F 1D53 D187 7742 E911
     Subkey fingerprint: 92C5 61DE 55AE 6552 F3C7  36B8 2B01 5109 0606 D1D9

[Ansuel]

Maybe we should exclude sha256sum from CDN cache?

[ynezz]

Maybe we should exclude sha256sum from CDN cache?

The problem is, that CDN is not synchronized, so the gpg --verify would pass, but the content check with sha256sum could still fail later.