Shyft Fedora Repository

This endpoint provides signed Fedora RPM repositories for Shyft. It is intended for both open-source users and controlled corporate environments.

Stable (recommended)

https://fedora.helset.gotdns.org/stable/x86_64/

Production releases.

Staging

https://fedora.helset.gotdns.org/staging/x86_64/

Pre-release builds for validation.

Trust model

All packages and repository metadata are cryptographically signed. Trust must be established by verifying the signing key fingerprint through a trusted channel.

Expected fingerprint:

CFFE BAE1 B25B AD34 C72A 2565 4A12 4000 37DA B695

User ID:

Sigbjørn Helset <sigbjorn.helset@gmail.com>

Never establish trust based solely on data downloaded from this endpoint. Verify the fingerprint via independent, trusted sources.

Quick setup (Fedora 43)

Commands shown with $ can normally be run as a regular user. Commands prefixed with sudo require administrative privileges. In minimal containers, you may instead be running directly as root.

1. Fetch key

$ curl -O https://fedora.helset.gotdns.org/stable/x86_64/RPM-GPG-KEY-shyft

2. Verify fingerprint

See the expected output examples below if you are unsure what to look for.

$ gpg --import RPM-GPG-KEY-shyft

$ gpg --show-keys --with-fingerprint RPM-GPG-KEY-shyft

3. Import key into RPM

$ sudo rpm --import RPM-GPG-KEY-shyft

4. Add repository

Stable (recommended)

$ sudo tee /etc/yum.repos.d/shyft-stable.repo <<'EOF'
[shyft-stable]
name=Shyft Stable
baseurl=https://fedora.helset.gotdns.org/stable/x86_64/
enabled=1
gpgcheck=1
repo_gpgcheck=1
gpgkey=https://fedora.helset.gotdns.org/stable/x86_64/RPM-GPG-KEY-shyft
EOF

Staging (optional)

$ sudo tee /etc/yum.repos.d/shyft-staging.repo <<'EOF'
[shyft-staging]
name=Shyft Staging
baseurl=https://fedora.helset.gotdns.org/staging/x86_64/
enabled=1
gpgcheck=1
repo_gpgcheck=1
gpgkey=https://fedora.helset.gotdns.org/staging/x86_64/RPM-GPG-KEY-shyft
EOF

5. Refresh

$ sudo dnf makecache

On first use, dnf makecache may report that the repository signing key is not yet known, then prompt to import the configured key from the repository URL. This is expected on first bootstrap. Carefully verify that the shown fingerprint is CFFE BAE1 B25B AD34 C72A 2565 4A12 4000 37DA B695 before accepting the import.

6. Install common components

$ sudo dnf install shyft-{runtime,python,development}

This provides a practical starting point with the most common Shyft components.

7. Optional: verify provenance

Stable

$ curl -O https://fedora.helset.gotdns.org/stable/x86_64/PROVENANCE.txt
$ curl -O https://fedora.helset.gotdns.org/stable/x86_64/PROVENANCE.txt.asc
$ gpg --verify PROVENANCE.txt.asc PROVENANCE.txt

Staging

$ curl -O https://fedora.helset.gotdns.org/staging/x86_64/PROVENANCE.txt
$ curl -O https://fedora.helset.gotdns.org/staging/x86_64/PROVENANCE.txt.asc
$ gpg --verify PROVENANCE.txt.asc PROVENANCE.txt

Review the signed provenance file together with RPM signatures and repository metadata as part of your supply-chain validation.

When verifying signatures with gpg --verify, you may see warnings such as "WARNING: This key is not certified with a trusted signature!". This is expected when the key is not part of your personal Web-of-Trust. The critical requirement is that the fingerprint matches a trusted source.

Expected output examples

After importing the key and checking the fingerprint, output similar to this is expected:

$ gpg --show-keys --with-fingerprint RPM-GPG-KEY-shyft
pub   ed25519 2026-04-03 [C] [expires: 2031-04-02]
      CFFE BAE1 B25B AD34 C72A  2565 4A12 4000 37DA B695
uid                      Sigbjørn Helset <sigbjorn.helset@gmail.com>
sub   ed25519 2026-04-03 [S] [expires: 2031-04-02]

On first repository bootstrap, output similar to this is expected from dnf makecache:

$ sudo dnf makecache
Updating and loading repositories:
 Shyft Stable                                                    100% |   5.1 KiB/s |   1.7 KiB |  00m00s
>>> repomd.xml GPG signature verification error: Signing key not found
 https://fedora.helset.gotdns.org/stable/x86_64/RPM-GPG-KEY-shyft 100% | 121.6 KiB/s |   1.2 KiB |  00m00s
Importing OpenPGP key 0x37DAB695:
 UserID     : "Sigbjørn Helset <sigbjorn.helset@gmail.com>"
 Fingerprint: CFFEBAE1B25BAD34C72A25654A12400037DAB695
 From       : https://fedora.helset.gotdns.org/stable/x86_64/RPM-GPG-KEY-shyft
Is this ok [y/N]: y
The key was successfully imported.
 Shyft Stable                                                    100% |  52.2 KiB/s |   4.7 KiB |  00m00s
Repositories loaded.
Metadata cache created.

When verifying the signed provenance file, output similar to this is expected:

$ gpg --verify PROVENANCE.txt.asc PROVENANCE.txt
gpg: Signature made Mon Apr 6 20:32:23 2026 UTC
gpg:                using EDDSA key A0AF2BD11681F281CED2324CBD8CB4F65431F486
gpg: Good signature from "Sigbjørn Helset <sigbjorn.helset@gmail.com>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: CFFE BAE1 B25B AD34 C72A  2565 4A12 4000 37DA B695
     Subkey fingerprint: A0AF 2BD1 1681 F281 CED2  324C BD8C B4F6 5431 F486

The important parts are:

8. Optional: install debuginfo packages

$ sudo dnf debuginfo-install shyft-{runtime,python}

These packages are useful in professional support environments for coredump analysis, debugging, and improved error reporting.

High-assurance setup (recommended for controlled environments)

For regulated or audited environments, treat repository bootstrap as a controlled trust-establishment process.
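
One way to script that trust decision, as an added example that is not part of the Shyft repository or its tooling: the functions below gate key import and provenance verification on a pinned primary-key fingerprint, reading gpg's machine-readable --with-colons and --status-fd output rather than the human-readable text. The function names, the EXPECTED_FPR variable and the sample records are assumptions made for this illustration; provenance_trusted assumes the key is already in the calling user's GnuPG keyring, as in step 2.

```bash
#!/usr/bin/env bash
# Added example (not part of the Shyft tooling): pinned-fingerprint gates for bootstrap.
# Fingerprint as shown on this page; confirm it out of band before pinning it here.
EXPECTED_FPR="${EXPECTED_FPR:-CFFE BAE1 B25B AD34 C72A 2565 4A12 4000 37DA B695}"

# Drop whitespace and uppercase, so gpg's spaced form and dnf's compact form compare equal.
normalize_fpr() { printf '%s' "$1" | tr -d '[:space:]' | tr 'a-f' 'A-F'; }

# stdin: `gpg --with-colons` output. Prints the first primary key's fingerprint;
# an fpr record that follows a sub record belongs to a subkey and is skipped.
primary_fpr() {
  awk -F: '$1=="pub"{p=1; next} $1=="sub"{p=0} p && $1=="fpr"{print $10; exit}'
}

# stdin: `gpg --with-colons` output. Prints how many primary keys the file carries.
count_primary() { awk -F: '$1=="pub"{n++} END{print n+0}'; }

# stdin: `gpg --status-fd 1 --verify` output. Prints the last VALIDSIG field, which is
# the primary key fingerprint; the first field is only the signing subkey.
validsig_primary() { awk '$1=="[GNUPG:]" && $2=="VALIDSIG"{print $NF; exit}'; }

# True only if KEYFILE holds exactly one primary key and it is the pinned one.
key_file_trusted() {
  _c=$(gpg --show-keys --with-colons "$1" 2>/dev/null) || return 1
  [ "$(printf '%s\n' "$_c" | count_primary)" = 1 ] || return 1
  [ "$(printf '%s\n' "$_c" | primary_fpr)" = "$(normalize_fpr "$EXPECTED_FPR")" ]
}

# True only if SIG verifies over DATA and was made under the pinned primary key.
provenance_trusted() {
  _s=$(gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null) || return 1
  [ "$(printf '%s\n' "$_s" | validsig_primary)" = "$(normalize_fpr "$EXPECTED_FPR")" ]
}

# Constructed samples (fingerprints from this page, other fields made up) for offline checks.
SAMPLE_COLONS='pub:-:255:22:4A12400037DAB695:1775174400:1932854400::-:::cS:
fpr:::::::::CFFEBAE1B25BAD34C72A25654A12400037DAB695:
sub:-:255:22:BD8CB4F65431F486:1775174400:1932854400:::::s:
fpr:::::::::A0AF2BD11681F281CED2324CBD8CB4F65431F486:'
SAMPLE_STATUS='[GNUPG:] VALIDSIG A0AF2BD11681F281CED2324CBD8CB4F65431F486 2026-04-06 1775507543 0 4 0 22 10 00 CFFEBAE1B25BAD34C72A25654A12400037DAB695'

# With arguments KEYFILE SIG DATA, run both gates; with none, only define the functions.
if [ "$#" -eq 3 ]; then
  key_file_trusted "$1" && provenance_trusted "$2" "$3" || { echo "fingerprint check FAILED" >&2; exit 1; }
  echo "key and provenance match the pinned fingerprint"
fi
```

Run key_file_trusted before sudo rpm --import, so a key file that does not match the pinned fingerprint never reaches the RPM keyring.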

Repository contents

Verify RPM signatures, repository metadata, and the signed provenance document as part of your supply-chain validation.

Notes