rpms/containers-common
7
0
Fork 0
Code Issues Pull Requests Releases Activity

containers-common-1-92.el9

Browse Source 
- update vendored components
- Related: RHEL-27608

Signed-off-by: Jindrich Novy <jnovy@redhat.com>
This commit is contained in:
Jindrich Novy 2024-08-27 10:52:42 +02:00
parent 6bd89ce541
commit 556dc2220d
2 changed files with 17 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
containers-common.spec
View File

@ -4,15 +4,15 @@
# pick the oldest version on c/image, c/common, c/storage vendored in # pick the oldest version on c/image, c/common, c/storage vendored in
# podman/skopeo/podman. # podman/skopeo/podman.
%global skopeo_branch main %global skopeo_branch main
%global image_branch v5.32.0 %global image_branch v5.32.2
%global common_branch v0.60.0 %global common_branch v0.60.2
%global storage_branch v1.55.0 %global storage_branch v1.55.0
%global shortnames_branch main %global shortnames_branch main
Epoch: 2 Epoch: 2
Name: containers-common Name: containers-common
Version: 1 Version: 1
Release: 91%{?dist} Release: 92%{?dist}
Summary: Common configuration and documentation for containers Summary: Common configuration and documentation for containers
License: ASL 2.0 License: ASL 2.0
ExclusiveArch: %{go_arches} ExclusiveArch: %{go_arches}
@ -173,6 +173,10 @@ EOF
%{_datadir}/rhel/secrets/* %{_datadir}/rhel/secrets/*
%changelog %changelog
* Tue Aug 27 2024 Jindrich Novy <jnovy@redhat.com> - 2:1-92
- update vendored components
- Related: RHEL-27608
* Wed Aug 07 2024 Jindrich Novy <jnovy@redhat.com> - 2:1-91 * Wed Aug 07 2024 Jindrich Novy <jnovy@redhat.com> - 2:1-91
- Update shortnames and vendored components - Update shortnames and vendored components
- Related: RHEL-27608 - Related: RHEL-27608

13
containers-policy.json.5.md
View File

@ -320,7 +320,9 @@ This requirement requires an image to be signed using a sigstore signature with
{ {
"type": "sigstoreSigned", "type": "sigstoreSigned",
"keyPath": "/path/to/local/public/key/file", "keyPath": "/path/to/local/public/key/file",
"keyPaths": ["/path/to/first/public/key/one", "/path/to/first/public/key/two"],
"keyData": "base64-encoded-public-key-data", "keyData": "base64-encoded-public-key-data",
"keyDatas": ["base64-encoded-public-key-one-data", "base64-encoded-public-key-two-data"]
"fulcio": { "fulcio": {
"caPath": "/path/to/local/CA/file", "caPath": "/path/to/local/CA/file",
"caData": "base64-encoded-CA-data", "caData": "base64-encoded-CA-data",
@ -328,28 +330,33 @@ This requirement requires an image to be signed using a sigstore signature with
"subjectEmail", "expected-signing-user@example.com", "subjectEmail", "expected-signing-user@example.com",
}, },
"rekorPublicKeyPath": "/path/to/local/public/key/file", "rekorPublicKeyPath": "/path/to/local/public/key/file",
"rekorPublicKeyPaths": ["/path/to/local/public/key/one","/path/to/local/public/key/two"],
"rekorPublicKeyData": "base64-encoded-public-key-data", "rekorPublicKeyData": "base64-encoded-public-key-data",
"rekorPublicKeyDatas": ["base64-encoded-public-key-one-data","base64-encoded-public-key-two-data"],
"signedIdentity": identity_requirement "signedIdentity": identity_requirement
} }
``` ```
Exactly one of `keyPath`, `keyData` and `fulcio` must be present. Exactly one of `keyPath`, `keyPaths`, `keyData`, `keyDatas` and `fulcio` must be present.
If `keyPath` or `keyData` is present, it contains a sigstore public key. If `keyPath` or `keyData` is present, it contains a sigstore public key.
Only signatures made by this key are accepted. Only signatures made by this key are accepted.
If `keyPaths` or `keyDatas` is present, it contains sigstore public keys.
Only signatures made by any key in the list are accepted.
If `fulcio` is present, the signature must be based on a Fulcio-issued certificate. If `fulcio` is present, the signature must be based on a Fulcio-issued certificate.
One of `caPath` and `caData` must be specified, containing the public key of the Fulcio instance. One of `caPath` and `caData` must be specified, containing the public key of the Fulcio instance.
Both `oidcIssuer` and `subjectEmail` are mandatory, Both `oidcIssuer` and `subjectEmail` are mandatory,
exactly specifying the expected identity provider, exactly specifying the expected identity provider,
and the identity of the user obtaining the Fulcio certificate. and the identity of the user obtaining the Fulcio certificate.
At most one of `rekorPublicKeyPath` and `rekorPublicKeyData` can be present; At most one of `rekorPublicKeyPath`, `rekorPublicKeyPaths`, `rekorPublicKeyData` and `rekorPublicKeyDatas` can be present;
it is mandatory if `fulcio` is specified. it is mandatory if `fulcio` is specified.
If a Rekor public key is specified, If a Rekor public key is specified,
the signature must have been uploaded to a Rekor server the signature must have been uploaded to a Rekor server
and the signature must contain an (offline-verifiable) “signed entry timestamp” and the signature must contain an (offline-verifiable) “signed entry timestamp”
proving the existence of the Rekor log record, proving the existence of the Rekor log record,
signed by the provided public key. signed by one of the provided public keys.
The `signedIdentity` field has the same semantics as in the `signedBy` requirement described above. The `signedIdentity` field has the same semantics as in the `signedBy` requirement described above.
Note that `cosign`-created signatures only contain a repository, so only `matchRepository` and `exactRepository` can be used to accept them (and that does not protect against substitution of a signed image with an unexpected tag). Note that `cosign`-created signatures only contain a repository, so only `matchRepository` and `exactRepository` can be used to accept them (and that does not protect against substitution of a signed image with an unexpected tag).