docs(environment): document RPM GPG policy relaxation

2026-02-20 20:19:57 +01:00
parent 19f2c9efe2
commit 0a5c70e49f
1 changed files with 4 additions and 0 deletions
--- a/roles/environment/tasks/main.yml
+++ b/roles/environment/tasks/main.yml
@@ -205,6 +205,10 @@
                opts: "ro,loop"
                state: mounted

+        # Security note: RPM Sequoia signature policy is relaxed to allow
+        # bootstrapping RHEL-family distros from the Arch ISO, where the
+        # host rpm/dnf does not trust target distro GPG keys. Package
+        # integrity is verified by the target system's own rpm after reboot.
        - name: Relax RPM Sequoia signature policy for RHEL bootstrap
          when: is_rhel | bool
          ansible.builtin.copy: