
Conversation

@dmcilvaney dmcilvaney commented Jan 7, 2026

Allow the tools to directly validate rpm signatures during production image builds instead of relying on external validation. Set VALIDATE_IMAGE_GPG=y to enable.

Unlike the related VALIDATE_TOOLCHAIN_GPG option, it is not configured automatically since RPMs used in images may come from multiple sources and it is not feasible to automatically determine if they should all be signed (i.e. mix of official repos and locally built packages).

Merge Checklist

All boxes should be checked before merging the PR (just tick any boxes which don't apply to this PR)

  • The toolchain has been rebuilt successfully (or no changes were made to it)
  • The toolchain/worker package manifests are up-to-date
  • Any updated packages successfully build (or no packages were changed)
  • Packages depending on static components modified in this PR (Golang, *-static subpackages, etc.) have had their Release tag incremented.
  • Package tests (%check section) have been verified with RUN_CHECK=y for existing SPEC files, or added to new SPEC files
  • All package sources are available
  • cgmanifest files are up-to-date and sorted (./cgmanifest.json, ./toolkit/scripts/toolchain/cgmanifest.json, .github/workflows/cgmanifest.json)
  • LICENSE-MAP files are up-to-date (./LICENSES-AND-NOTICES/SPECS/data/licenses.json, ./LICENSES-AND-NOTICES/SPECS/LICENSES-MAP.md, ./LICENSES-AND-NOTICES/SPECS/LICENSE-EXCEPTIONS.PHOTON)
  • All source files have up-to-date hashes in the *.signatures.json files
  • sudo make go-tidy-all and sudo make go-test-coverage pass
  • Documentation has been updated to match any changes to the build system
  • Ready to merge

Summary

Adds optional GPG signature verification for RPM packages during image builds. When VALIDATE_IMAGE_GPG=y is set, all packages fetched for image generation are validated against the Microsoft GPG signing keys (or custom keys via IMAGE_GPG_VALIDATION_KEYS). This provides defense-in-depth for production builds by ensuring all packages have completed the signing process before being included in images.

Change Log
  • Add VALIDATE_IMAGE_GPG and IMAGE_GPG_VALIDATION_KEYS build variables
  • Add --enable-gpg-check and --gpg-keys flags to imagepkgfetcher tool
  • Add GPG signature validation functions to internal/rpm package (ImportGpgKeysToRpmDb, CheckRpmSignature, ValidateDirectoryRpmSignatures)
  • Add comments to installutils.go explaining that --nogpgcheck is safe because validation happens at fetch time
  • Add documentation for new variables and production build recommendations

Does this affect the toolchain?

NO

Associated issues

Test Methodology
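
The description above rests on one property: packages are signature-checked at fetch time, so the later install step can pass --nogpgcheck. The program below is an added illustration of that fetch-time check and is not code from this PR or from the Azure Linux toolkit (the real ImportGpgKeysToRpmDb, CheckRpmSignature and ValidateDirectoryRpmSignatures in internal/rpm are not reproduced here). It imports the trusted keys into the rpmdb, runs rpm -Kv over every package in the fetch directory, and rejects anything that is unsigned or signed by a key that was not imported. The function names, the rpmsigcheck usage string and the handling choices are this example's own assumptions. The one caveat worth knowing before writing such a check: rpm -K exits 0 for an unsigned package (its digests verify), so the decision has to be made on the presence of a Signature line that reads OK, not on the exit status.

```go
package main

import (
	"fmt"
	"os"
	"os/exec"
	"path/filepath"
	"strings"
)

// SigResult: Signed is true only when a Signature line was present and every line read OK.
type SigResult struct {
	Signed   bool
	Problems []string
}

// parseCheckSigOutput interprets `rpm -Kv <file>` output. rpm exits 0 for an UNSIGNED
// package because its digests verify, so a fetch-time check must demand a Signature line
// that reads OK instead of trusting the exit status; NOKEY and BAD are both rejected.
func parseCheckSigOutput(out string) SigResult {
	var res SigResult
	sigSeen := false
	for _, raw := range strings.Split(out, "\n") {
		line := strings.TrimSpace(raw)
		idx := strings.LastIndex(line, ": ")
		if line == "" || strings.HasSuffix(line, ":") || idx < 0 {
			continue // blank, the "<file>:" header, or not a "<what>: <status>" line
		}
		what, status := line[:idx], line[idx+2:]
		if strings.Contains(what, "Signature") {
			sigSeen = true
		}
		if status != "OK" {
			res.Problems = append(res.Problems, what+": "+status)
		}
	}
	if !sigSeen {
		res.Problems = append(res.Problems, "no PGP signature present (unsigned package)")
	}
	res.Signed = sigSeen && len(res.Problems) == 0
	return res
}

// checkRpmSignature runs rpm -Kv on one package. A non-zero exit is expected for a bad
// signature and the output carries the detail, so only "no output at all" is an error.
func checkRpmSignature(rpmPath string) (SigResult, error) {
	out, err := exec.Command("rpm", "-Kv", rpmPath).CombinedOutput()
	if err != nil && len(out) == 0 {
		return SigResult{}, fmt.Errorf("rpm -Kv %s: %w", rpmPath, err)
	}
	return parseCheckSigOutput(string(out)), nil
}

// importGpgKeys loads the trusted public keys into the host rpmdb, which is what
// rpm -K consults; without this every signed package reports NOKEY.
func importGpgKeys(keyPaths []string) error {
	for _, k := range keyPaths {
		if out, err := exec.Command("rpm", "--import", k).CombinedOutput(); err != nil {
			return fmt.Errorf("rpm --import %s: %w: %s", k, err, out)
		}
	}
	return nil
}

// validateDirectoryRpmSignatures checks every *.rpm directly under dir and collects
// all failures so the build log names every offending package, not just the first.
func validateDirectoryRpmSignatures(dir string) error {
	rpms, _ := filepath.Glob(filepath.Join(dir, "*.rpm")) // fixed pattern: cannot error
	var failed []string
	for _, p := range rpms {
		res, err := checkRpmSignature(p)
		if err != nil {
			return err
		}
		if !res.Signed {
			failed = append(failed, filepath.Base(p)+": "+strings.Join(res.Problems, "; "))
		}
	}
	if len(failed) > 0 {
		return fmt.Errorf("%d of %d packages failed signature validation:\n  %s",
			len(failed), len(rpms), strings.Join(failed, "\n  "))
	}
	return nil
}

func main() {
	if len(os.Args) < 2 {
		fmt.Fprintln(os.Stderr, "usage: rpmsigcheck <rpm-dir> [trusted-key.asc ...]")
		os.Exit(2)
	}
	err := importGpgKeys(os.Args[2:])
	if err == nil {
		err = validateDirectoryRpmSignatures(os.Args[1])
	}
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
}
```

Run as `go run rpmsigcheck.go <fetched-rpm-dir> key1.asc key2.asc`. Two design points follow directly from the PR text: rpm --import writes to the rpmdb of whatever host runs it, so the keys the check trusts are exactly the ones passed in (the analogue of IMAGE_GPG_VALIDATION_KEYS), and a blanket check like this is only meaningful when every source feeding the directory is expected to be signed, which is why the option is opt-in rather than automatic. A locally built, unsigned RPM mixed into the directory fails the run by design. Passing --nogpgcheck at install time is then safe only as long as the installer consumes nothing but the directory this check just approved.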

@dmcilvaney dmcilvaney requested a review from a team as a code owner January 7, 2026 19:25
@microsoft-github-policy-service microsoft-github-policy-service bot added the labels documentation (Improvements or additions to documentation), Tools and 3.0 (PRs Destined for 3.0) Jan 7, 2026
@dmcilvaney dmcilvaney changed the base branch from 3.0 to 3.0-dev January 7, 2026 19:28
@microsoft-github-policy-service microsoft-github-policy-service bot added the label 3.0-dev (PRs Destined for AzureLinux 3.0) Jan 7, 2026
@dmcilvaney dmcilvaney requested a review from Copilot January 7, 2026 19:35
Allow the tools to directly validate rpm signatures during production image builds
instead of relying on external validation. Set VALIDATE_IMAGE_GPG=y to enable.

Unlike the related VALIDATE_TOOLCHAIN_GPG option, it is not configured automatically
since RPMs used in images may come from multiple sources and it is not feasible to
automatically determine if they should all be signed (i.e. mix of official repos and
locally built packages).

Signed-off-by: Daniel McIlvaney <damcilva@microsoft.com>
@dmcilvaney dmcilvaney force-pushed the image_gpg_validation branch from c364181 to 593b989 Compare January 7, 2026 19:38
Copilot AI left a comment

Pull request overview

This PR adds optional GPG signature verification for RPM packages during image builds to provide defense-in-depth for production deployments. When VALIDATE_IMAGE_GPG=y is set, all packages fetched for image generation are validated against Microsoft GPG signing keys before being included in images.

Key changes:

  • Added VALIDATE_IMAGE_GPG and IMAGE_GPG_VALIDATION_KEYS build variables with corresponding CLI flags in imagepkgfetcher
  • Implemented GPG signature validation functions in the internal/rpm package (ImportGpgKeysToRpmDb, CheckRpmSignature, ValidateDirectoryRpmSignatures)
  • Added documentation explaining production build recommendations and clarifying that --nogpgcheck is safe during installation since validation occurs at fetch time

Reviewed changes

Copilot reviewed 9 out of 9 changed files in this pull request and generated 5 comments.

Summary per file:

  toolkit/tools/internal/rpm/rpm.go
    Adds three new functions for GPG signature validation: importing keys to RPM database, checking individual RPM signatures, and validating all RPMs in a directory
  toolkit/tools/imagepkgfetcher/imagepkgfetcher.go
    Adds --enable-gpg-check and --gpg-keys flags, validates downloaded packages after cloning if GPG checking is enabled
  toolkit/tools/imagegen/installutils/installutils.go
    Adds explanatory comments to clarify that --nogpgcheck is safe because validation happens during package fetching
  toolkit/scripts/utils.mk
    Adds VALIDATE_IMAGE_GPG to the list of watched variables for dependency tracking
  toolkit/scripts/imggen.mk
    Adds conditional logic to pass GPG validation flags to imagepkgfetcher when VALIDATE_IMAGE_GPG=y
  toolkit/docs/security/production-builds.md
    New documentation file explaining production build workflow and GPG validation variables
  toolkit/docs/security/intro.md
    Adds links to new production builds documentation
  toolkit/docs/building/building.md
    Documents the new VALIDATE_IMAGE_GPG, IMAGE_GPG_VALIDATION_KEYS, VALIDATE_TOOLCHAIN_GPG, and TOOLCHAIN_GPG_VALIDATION_KEYS variables
  toolkit/Makefile
    Defines VALIDATE_IMAGE_GPG and IMAGE_GPG_VALIDATION_KEYS variables with defaults, consolidates default GPG keys into shared variable


@dmcilvaney dmcilvaney force-pushed the image_gpg_validation branch from bef77fb to 4886492 Compare January 7, 2026 21:54
@dmcilvaney dmcilvaney merged commit e3c975d into microsoft:3.0-dev Jan 19, 2026
38 of 41 checks passed

Labels: 3.0-dev (PRs Destined for AzureLinux 3.0), 3.0 (PRs Destined for 3.0), documentation (Improvements or additions to documentation), Tools

3 participants