diff --git a/RPM-GPG-KEY-redhat-release b/RPM-GPG-KEY-redhat-release
new file mode 100644
index 0000000..0009a3e
--- /dev/null
+++ b/RPM-GPG-KEY-redhat-release
@@ -0,0 +1,34 @@
+pub 4096R/FD431D51 2009-10-22
+ Key fingerprint = 567E 347A D004 4ADE 55BA 8A5F 199E 2F91 FD43 1D51
+uid Red Hat, Inc. (release key 2)
+
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: GnuPG v1.4.5 (GNU/Linux)
+
+mQINBErgSTsBEACh2A4b0O9t+vzC9VrVtL1AKvUWi9OPCjkvR7Xd8DtJxeeMZ5eF
+0HtzIG58qDRybwUe89FZprB1ffuUKzdE+HcL3FbNWSSOXVjZIersdXyH3NvnLLLF
+0DNRB2ix3bXG9Rh/RXpFsNxDp2CEMdUvbYCzE79K1EnUTVh1L0Of023FtPSZXX0c
+u7Pb5DI5lX5YeoXO6RoodrIGYJsVBQWnrWw4xNTconUfNPk0EGZtEnzvH2zyPoJh
+XGF+Ncu9XwbalnYde10OCvSWAZ5zTCpoLMTvQjWpbCdWXJzCm6G+/hx9upke546H
+5IjtYm4dTIVTnc3wvDiODgBKRzOl9rEOCIgOuGtDxRxcQkjrC+xvg5Vkqn7vBUyW
+9pHedOU+PoF3DGOM+dqv+eNKBvh9YF9ugFAQBkcG7viZgvGEMGGUpzNgN7XnS1gj
+/DPo9mZESOYnKceve2tIC87p2hqjrxOHuI7fkZYeNIcAoa83rBltFXaBDYhWAKS1
+PcXS1/7JzP0ky7d0L6Xbu/If5kqWQpKwUInXtySRkuraVfuK3Bpa+X1XecWi24JY
+HVtlNX025xx1ewVzGNCTlWn1skQN2OOoQTV4C8/qFpTW6DTWYurd4+fE0OJFJZQF
+buhfXYwmRlVOgN5i77NTIJZJQfYFj38c/Iv5vZBPokO6mffrOTv3MHWVgQARAQAB
+tDNSZWQgSGF0LCBJbmMuIChyZWxlYXNlIGtleSAyKSA8c2VjdXJpdHlAcmVkaGF0
+LmNvbT6JAjYEEwECACAFAkrgSTsCGwMGCwkIBwMCBBUCCAMEFgIDAQIeAQIXgAAK
+CRAZni+R/UMdUWzpD/9s5SFR/ZF3yjY5VLUFLMXIKUztNN3oc45fyLdTI3+UClKC
+2tEruzYjqNHhqAEXa2sN1fMrsuKec61Ll2NfvJjkLKDvgVIh7kM7aslNYVOP6BTf
+C/JJ7/ufz3UZmyViH/WDl+AYdgk3JqCIO5w5ryrC9IyBzYv2m0HqYbWfphY3uHw5
+un3ndLJcu8+BGP5F+ONQEGl+DRH58Il9Jp3HwbRa7dvkPgEhfFR+1hI+Btta2C7E
+0/2NKzCxZw7Lx3PBRcU92YKyaEihfy/aQKZCAuyfKiMvsmzs+4poIX7I9NQCJpyE
+IGfINoZ7VxqHwRn/d5mw2MZTJjbzSf+Um9YJyA0iEEyD6qjriWQRbuxpQXmlAJbh
+8okZ4gbVFv1F8MzK+4R8VvWJ0XxgtikSo72fHjwha7MAjqFnOq6eo6fEC/75g3NL
+Ght5VdpGuHk0vbdENHMC8wS99e5qXGNDued3hlTavDMlEAHl34q2H9nakTGRF5Ki
+JUfNh3DVRGhg8cMIti21njiRh7gyFI2OccATY7bBSr79JhuNwelHuxLrCFpY7V25
+OFktl15jZJaMxuQBqYdBgSay2G0U6D1+7VsWufpzd/Abx1/c3oi9ZaJvW22kAggq
+dzdA27UUYjWvx42w9menJwh/0jeQcTecIUd0d0rFcw/c1pvgMMl/Q73yzKgKYw==
+=zbHE
+-----END PGP PUBLIC KEY BLOCK-----
+
diff --git a/containers-common.spec b/containers-common.spec
index 342b00e..1dfd5f1 100644
--- a/containers-common.spec
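Review bot: Nothing at build time checks that the armored block matches the fingerprint stated in the header above it (`567E 347A D004 4ADE 55BA 8A5F 199E 2F91 FD43 1D51`); the `pub`, `Key fingerprint` and `uid` lines sit outside the armor and are not verified by anything that later imports the key, so a swapped or corrupted blob would be packaged and then trusted by the `signedBy` entries in default-policy.json. A `%check` step in containers-common.spec along the lines of `gpg --show-keys --with-fingerprint RPM-GPG-KEY-redhat-release`, with the output compared against the expected fingerprint, would catch that at build time instead of at first pull. The fingerprint to compare against should be kept in the spec rather than read back from this file's own header.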
+++ b/containers-common.spec
@@ -44,6 +44,9 @@ Source16: %{github_containers}/skopeo/%{skopeo_branch}/default.yaml
 Source17: %{github_containers}/skopeo/%{skopeo_branch}/default-policy.json
 Source18: %{github_containers}/storage/%{storage_branch}/docs/containers-storage.conf.5.md
 Source19: %{github_containers}/storage/%{storage_branch}/storage.conf
+Source20: RPM-GPG-KEY-redhat-release
+Source21: registry.access.redhat.com.yaml
+Source22: registry.redhat.io.yaml
 %description
 This package contains common configuration files and documentation for container
@@ -73,6 +76,9 @@ cp %{SOURCE16} .
 cp %{SOURCE17} .
 cp %{SOURCE18} .
 cp %{SOURCE19} .
+cp %{SOURCE20} .
+cp %{SOURCE21} .
+cp %{SOURCE22} .
 %build
@@ -85,6 +91,11 @@ install -m0644 storage.conf %{buildroot}%{_sysconfdir}/containers/storage.conf
 install -m0644 registries.conf %{buildroot}%{_sysconfdir}/containers/registries.conf
 install -m0644 shortnames.conf %{buildroot}%{_sysconfdir}/containers/registries.conf.d/000-shortnames.conf
 install -m0644 default-policy.json %{buildroot}%{_sysconfdir}/containers/policy.json
+install -dp %{buildroot}%{_sysconfdir}/pki/rpm-gpg
+install -m0644 RPM-GPG-KEY-redhat-release %{buildroot}%{_sysconfdir}/pki/rpm-gpg
+install -dp %{buildroot}%{_sysconfdir}/containers/registries.d
+install -m0644 registry.access.redhat.com.yaml %{buildroot}%{_sysconfdir}/containers/registries.d
+install -m0644 registry.redhat.io.yaml %{buildroot}%{_sysconfdir}/containers/registries.d
 # install manpages
 install -dp %{buildroot}%{_mandir}/man5
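Review bot: `install -m0644 RPM-GPG-KEY-redhat-release %{buildroot}%{_sysconfdir}/pki/rpm-gpg` in the third hunk writes to the path under which a distribution's own release package conventionally ships the same signing key, and rpm refuses a transaction in which two packages own one path unless mode, owner and content are identical. If this spec is also built for a Red Hat-derived distribution (the `%{_datadir}/rhel/secrets` and `redhat.repo` handling elsewhere in the spec suggests it may be), that collision needs checking before release: either depend on the package that already owns the file instead of shipping a copy, or install under a package-specific file name and point `keyPath` in default-policy.json at it. The second `install -dp %{buildroot}%{_sysconfdir}/containers/registries.d` appears redundant, since `%files` already lists `registries.d/default.yaml`, but it is harmless.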
@@ -123,8 +134,11 @@ ln -s %{_sysconfdir}/yum.repos.d/redhat.repo %{buildroot}%{_datadir}/rhel/secret
 %config(noreplace) %{_sysconfdir}/containers/policy.json
 %config(noreplace) %{_sysconfdir}/containers/registries.conf
 %config(noreplace) %{_sysconfdir}/containers/registries.conf.d/000-shortnames.conf
+%{_sysconfdir}/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
 %config(noreplace) %{_sysconfdir}/containers/registries.d/default.yaml
 %config(noreplace) %{_sysconfdir}/containers/storage.conf
+%{_sysconfdir}/containers/registries.d/registry.redhat.io.yaml
+%{_sysconfdir}/containers/registries.d/registry.access.redhat.com.yaml
 %ghost %{_sysconfdir}/containers/containers.conf
 %dir %{_sharedstatedir}/containers/sigstore
 %{_mandir}/man5/*
@@ -136,9 +150,13 @@ ln -s %{_sysconfdir}/yum.repos.d/redhat.repo %{buildroot}%{_datadir}/rhel/secret
 %{_datadir}/rhel/secrets/*
 %changelog
+* Mon Jul 26 2021 Dan Walsh - 4:1-24
+- Add support for signed RHEL images, enabled by default
+
 * Wed Jul 21 2021 Fedora Release Engineering - 4:1-23
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
+
 * Thu Jul 15 2021 Dan Walsh - 4:1-22
 - Update to grab latest man pages and configuration files, also switch to using some main rather then master branches
diff --git a/default-policy.json b/default-policy.json
index dffc54a..7ed16d6 100644
--- a/default-policy.json
+++ b/default-policy.json
@@ -4,11 +4,29 @@
 "type": "insecureAcceptAnything"
 }
 ],
- "transports":
- {
- "docker-daemon":
- {
- "": [{"type":"insecureAcceptAnything"}]
- }
- }
+ "transports": {
+ "docker": {
+ "registry.access.redhat.com": [
+ {
+ "type": "signedBy",
+ "keyType": "GPGKeys",
+ "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"
+ }
+ ],
+ "registry.redhat.io": [
+ {
+ "type": "signedBy",
+ "keyType": "GPGKeys",
+ "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"
+ }
+ ]
+ },
+ "docker-daemon": {
+ "": [
+ {
+ "type": "insecureAcceptAnything"
+ }
+ ]
+ }
+ }
 }
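Review bot: The two new registries.d entries are listed as plain files while the sibling `default.yaml` entry directly above them is `%config(noreplace)`, so a local edit to `registry.redhat.io.yaml` (for example pointing `sigstore` at an internal mirror) is silently overwritten on the next package update; `%config(noreplace) %{_sysconfdir}/containers/registries.d/registry.redhat.io.yaml` and the same for `registry.access.redhat.com.yaml` keep them consistent with the rest of the section. Leaving the key file itself unmarked is reasonable, since operators should receive key updates. Separately, `%{_sysconfdir}/pki/rpm-gpg` is created with `install -dp` in %install but no `%dir` entry in this section owns it, so on a system where no other package provides that directory it is left unowned; if it is expected to come from the release package, a `Requires:` on that package makes the dependency explicit.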
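Review bot: The two `signedBy` entries enforce signatures only for references addressed to `registry.access.redhat.com` and `registry.redhat.io`; the `default` entry in the context lines above remains `insecureAcceptAnything`, so images from every other registry are still accepted with no check at all. That is a defensible scope, but the changelog's "enabled by default" will be read as global enforcement unless the narrower scope is stated. It is also a default for fresh installs only: containers-common.spec ships `policy.json` as `%config(noreplace)`, so a host whose policy was ever modified keeps it and receives this version only as a `.rpmnew` file. JSON has no comment syntax, so the caveat belongs in the spec's changelog entry or `%description` rather than in this file.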
diff --git a/registry.access.redhat.com.yaml b/registry.access.redhat.com.yaml
new file mode 100644
index 0000000..b426a4b
--- /dev/null
+++ b/registry.access.redhat.com.yaml
@@ -0,0 +1,3 @@
+docker:
+ registry.access.redhat.com:
+ sigstore: https://access.redhat.com/webassets/docker/content/sigstore
diff --git a/registry.redhat.io.yaml b/registry.redhat.io.yaml
new file mode 100644
index 0000000..35f2c61
--- /dev/null
+++ b/registry.redhat.io.yaml
@@ -0,0 +1,3 @@
+docker:
+ registry.redhat.io:
+ sigstore: https://registry.redhat.io/containers/sigstore