Manually adding/verifying gpg keys

lenovo-16arh7h/Containerfile

@@ -1,6 +1,14 @@
 FROM quay.io/fedora/fedora-silverblue:43
 
-RUN dnf5 install -y https://mirrors.rpmfusion.org/free/fedora/rpmfusion-free-release-$(rpm -E %fedora).noarch.rpm \
+COPY gpg-keys/* /keys/
+
+RUN rpm --import \
+      /keys/public_key_proton.asc \
+      /keys/RPM-GPG-KEY-rpmfusion-free-fedora-2020 \
+      /keys/RPM-GPG-KEY-rpmfusion-nonfree-fedora-2020 \
+      /etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-43-x86_64 && \
+    rm -rf /keys && \
+    dnf5 install -y https://mirrors.rpmfusion.org/free/fedora/rpmfusion-free-release-$(rpm -E %fedora).noarch.rpm \
       https://mirrors.rpmfusion.org/nonfree/fedora/rpmfusion-nonfree-release-$(rpm -E %fedora).noarch.rpm \
       https://repo.protonvpn.com/fedora-$(cat /etc/fedora-release | cut -d' ' -f 3)-stable/protonvpn-stable-release/protonvpn-stable-release-1.0.3-1.noarch.rpm && \
     dnf5 install -y \
@@ -39,9 +47,10 @@ RUN git clone https://github.com/johnfanv2/LenovoLegionLinux.git && \
     dkms build -m LenovoLegionLinux -v 1.0.0 -k $(rpm -qa kernel --queryformat '%{VERSION}-%{RELEASE}.%{ARCH}') && \
     rm -rf LenovoLegionLinux
 
-# Cleanup image for linting
-RUN rm -rf /var && mkdir /var && \
-    rm -rf /boot && mkdir /boot
-
-# Verify image is good
-RUN bootc container lint --fatal-warnings --skip baseimage-composefs
+# The first check makes sure that we have exactly 4 gpg pubkeys trusted in the rpmdb (the ones manually imported above).
+# Any more than that means that dnf automatically added a new one, which is shady!
+# Then: cleanup image for linting
+# Finally: verify image is good
+RUN [[ 4 -eq $(rpm -qa gpg-pubkey* | wc -l) ]] && \
+    rm -rf /var /boot && mkdir /var /boot && \
+    bootc container lint --fatal-warnings --skip baseimage-composefs