From 4c5b2476d69027bd66af933b8c3199587b68f5b0 Mon Sep 17 00:00:00 2001
From: Dewey Dunnington
Date: Mon, 19 Jun 2023 10:30:03 -0300
Subject: [PATCH] chore: Allow skipping key verification on centos7 (#240)
...because something about the gpg version on centos7 is too old ( https://github.com/apache/arrow-nanoarrow/actions/runs/5293770871/jobs/9582325801#step:4:337 ).
---
 .github/workflows/verify.yaml | 6 +++++-
 dev/release/README.md | 5 +++++
 dev/release/verify-release-candidate.sh | 11 ++++++++++-
 3 files changed, 20 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/verify.yaml b/.github/workflows/verify.yaml
index c3dcd5e87..7fe31508d 100644
--- a/.github/workflows/verify.yaml
+++ b/.github/workflows/verify.yaml
@@ -147,7 +147,11 @@ jobs:
 - {platform: "fedora", arch: "amd64"}
 - {platform: "archlinux", arch: "amd64"}
 - {platform: "alpine", arch: "amd64"}
- - {platform: "centos7", arch: "amd64"}
+ - {
+ platform: "centos7",
+ arch: "amd64",
+ compose_args: "-e NANOARROW_ACCEPT_IMPORT_GPG_KEYS_ERROR=1"
+ }
 - {
 platform: "ubuntu",
 arch: "amd64",
diff --git a/dev/release/README.md b/dev/release/README.md
index 71ea07606..cf92e7b7d 100644
--- a/dev/release/README.md
+++ b/dev/release/README.md
@@ -235,6 +235,11 @@ curl -L https://github.com/apache/arrow/archive/refs/tags/apache-arrow-9.0.0.tar
 export NANOARROW_CMAKE_OPTIONS="-DArrow_DIR=$(pwd)/arrow/lib/cmake/Arrow"
 export CMAKE_BIN=cmake3
 export CTEST_BIN=ctest3
+
+# gpg on centos7 errors for some keys in the Arrow KEYS file. This does
+# not skip verifying signatures, just allows errors for unsupported entries in
+# the global Arrow KEYS file.
+export NANOARROW_ACCEPT_IMPORT_GPG_KEYS_ERROR=1
 ```
 ### Big endian
diff --git a/dev/release/verify-release-candidate.sh b/dev/release/verify-release-candidate.sh
index d513cf0c3..321100ffb 100755
--- a/dev/release/verify-release-candidate.sh
+++ b/dev/release/verify-release-candidate.sh
@@ -31,6 +31,10 @@
 # If unset, the script will check out a version into NANOARROW_TMPDIR.
 # - NANOARROW_TMPDIR: Use to specify a persistent directory such that verification
 # results are more easily retrieved.
+# - NANOARROW_ACCEPT_IMPORT_GPG_KEYS_ERROR: Don't stop verification even when
+# "gpg --import KEYS" returns an error. In general, we should not use this
+# to ensure importing all GPG keys. But newer algorithms such as ed25519 may
+# not be supported in old GPG such as GPG on CentOS 7.
 # - TEST_SOURCE: Set to 0 to selectively run component verification.
 # - TEST_C: Builds C libraries and tests using the default CMake
 # configuration. Defaults to the value of TEST_SOURCE.
@@ -114,7 +118,12 @@ import_gpg_keys() {
 return 0
 fi
 download_dist_file KEYS
- gpg --import KEYS
+
+ if [ "${NANOARROW_ACCEPT_IMPORT_GPG_KEYS_ERROR:-0}" -gt 0 ]; then
+ gpg --import KEYS || true
+ else
+ gpg --import KEYS
+ fi
 GPGKEYS_ALREADY_IMPORTED=1
 }
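Review bot: In the second hunk, `gpg --import KEYS || true` silently discards every import failure, not only the unsupported-algorithm entries the header comment describes, and `GPGKEYS_ALREADY_IMPORTED=1` is still set afterwards, so an empty or partial keyring is never retried. Signature checking then rests entirely on the later verify step, which is outside this hunk; presumably it fails closed when the signer's key is missing, but that is worth confirming. I would at least make the tolerated error visible in the log, e.g. `gpg --import KEYS || echo "WARNING: gpg --import KEYS failed; continuing because NANOARROW_ACCEPT_IMPORT_GPG_KEYS_ERROR is set" >&2`. The body of import_gpg_keys starts above the hunk.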