containers-common-0.60.2-7.el10

- Enable sigstore support - Resolves: RUN-2164 Signed-off-by: Jindrich Novy <jnovy@redhat.com>
2024-10-29 13:58:05 +01:00 · 2024-10-29 13:58:05 +01:00 · fd3744ff22
commit fd3744ff22
parent f72731a5c9
9 changed files with 54 additions and 116 deletions
--- a/5
+++ b/5
@ -0,0 +1,5 @@
+-----BEGIN PUBLIC KEY-----
+MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAENqXXmPchbztil/PU0uGBh4xYJkterHN0
+Yz/o/cXw2hmmr6WAjq0FIEilS5nlDM9La+RcBts4xekrPBKBn37thbYuCoxEH39U
+gmagLaBS92UAhZty93CXgXMy89h5pJFZ
+-----END PUBLIC KEY-----
--- a/29
+++ b/29
@ -1,29 +0,0 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----
-Version: GnuPG v1.2.6 (GNU/Linux)
-
-mQINBEmkAzABEAC2/c7bP1lHQ3XScxbIk0LQWe1YOiibQBRLwf8Si5PktgtuPibT
-kKpZjw8p4D+fM7jD1WUzUE0X7tXg2l/eUlMM4dw6XJAQ1AmEOtlwSg7rrMtTvM0A
-BEtI7Km6fC6sU6RtBMdcqD1cH/6dbsfh8muznVA7UlX+PRBHVzdWzj6y8h84dBjo
-gzcbYu9Hezqgj/lLzicqsSZPz9UdXiRTRAIhp8V30BD8uRaaa0KDDnD6IzJv3D9P
-xQWbFM4Z12GN9LyeZqmD7bpKzZmXG/3drvfXVisXaXp3M07t3NlBa3Dt8NFIKZ0D
-FRXBz5bvzxRVmdH6DtkDWXDPOt+Wdm1rZrCOrySFpBZQRpHw12eo1M1lirANIov7
-Z+V1Qh/aBxj5EUu32u9ZpjAPPNtQF6F/KjaoHHHmEQAuj4DLex4LY646Hv1rcv2i
-QFuCdvLKQGSiFBrfZH0j/IX3/0JXQlZzb3MuMFPxLXGAoAV9UP/Sw/WTmAuTzFVm
-G13UYFeMwrToOiqcX2VcK0aC1FCcTP2z4JW3PsWvU8rUDRUYfoXovc7eg4Vn5wHt
-0NBYsNhYiAAf320AUIHzQZYi38JgVwuJfFu43tJZE4Vig++RQq6tsEx9Ftz3EwRR
-fJ9z9mEvEiieZm+vbOvMvIuimFVPSCmLH+bI649K8eZlVRWsx3EXCVb0nQARAQAB
-tDBSZWQgSGF0LCBJbmMuIChiZXRhIGtleSAyKSA8c2VjdXJpdHlAcmVkaGF0LmNv
-bT6JAjYEEwECACAFAkpSM+cCGwMGCwkIBwMCBBUCCAMEFgIDAQIeAQIXgAAKCRCT
-ioDK8hVB6/9tEAC0+KmzeKceXQ/GTUoU6jy9vtkFCFrmv+c7ol4XpdTt0QhqBOwy
-6m2mKWwmm8KfYfy0cADQ4y/EcoXl7FtFBwYmkCuEQGXhTDn9DvVjhooIq59LEMBQ
-OW879RwwzRIZ8ebbjMUjDPF5MfPQqP2LBu9N4KvXlZp4voykwuuaJ+cbsKZR6pZ6
-0RQKPHKP+NgUFC0fff7XY9cuOZZWFAeKRhLN2K7bnRHKxp+kELWb6R9ZfrYwZjWc
-MIPbTd1khE53L4NTfpWfAnJRtkPSDOKEGVlVLtLq4HEAxQt07kbslqISRWyXER3u
-QOJj64D1ZiIMz6t6uZ424VE4ry9rBR0Jz55cMMx5O/ni9x3xzFUgH8Su2yM0r3jE
-Rf24+tbOaPf7tebyx4OKe+JW95hNVstWUDyGbs6K9qGfI/pICuO1nMMFTo6GqzQ6
-DwLZvJ9QdXo7ujEtySZnfu42aycaQ9ZLC2DOCQCUBY350Hx6FLW3O546TAvpTfk0
-B6x+DV7mJQH7MGmRXQsE7TLBJKjq28Cn4tVp04PmybQyTxZdGA/8zY6pPl6xyVMH
-V68hSBKEVT/rlouOHuxfdmZva1DhVvUC6Xj7+iTMTVJUAq/4Uyn31P1OJmA2a0PT
-CAqWkbJSgKFccsjPoTbLyxhuMSNkEZFHvlZrSK9vnPzmfiRH0Orx3wYpMQ==
-=21pb
-----END PGP PUBLIC KEY BLOCK-----
--- a/69
+++ b/69
@ -1,69 +0,0 @@
-The following public key can be used to verify RPM packages built and
-signed by Red Hat, Inc.  This key is used for packages in Red Hat
-products shipped after November 2009, and for all updates to those
-products.
-
-Questions about this key should be sent to security@redhat.com.
-
-pub   4096R/FD431D51 2009-10-22
-      Key fingerprint = 567E 347A D004 4ADE 55BA  8A5F 199E 2F91 FD43 1D51
-uid                  Red Hat, Inc. (release key 2) <security@redhat.com>
-
-----BEGIN PGP PUBLIC KEY BLOCK-----
-Version: GnuPG v2.0.22 (GNU/Linux)
-
-mQINBErgSTsBEACh2A4b0O9t+vzC9VrVtL1AKvUWi9OPCjkvR7Xd8DtJxeeMZ5eF
-0HtzIG58qDRybwUe89FZprB1ffuUKzdE+HcL3FbNWSSOXVjZIersdXyH3NvnLLLF
-0DNRB2ix3bXG9Rh/RXpFsNxDp2CEMdUvbYCzE79K1EnUTVh1L0Of023FtPSZXX0c
-u7Pb5DI5lX5YeoXO6RoodrIGYJsVBQWnrWw4xNTconUfNPk0EGZtEnzvH2zyPoJh
-XGF+Ncu9XwbalnYde10OCvSWAZ5zTCpoLMTvQjWpbCdWXJzCm6G+/hx9upke546H
-5IjtYm4dTIVTnc3wvDiODgBKRzOl9rEOCIgOuGtDxRxcQkjrC+xvg5Vkqn7vBUyW
-9pHedOU+PoF3DGOM+dqv+eNKBvh9YF9ugFAQBkcG7viZgvGEMGGUpzNgN7XnS1gj
-/DPo9mZESOYnKceve2tIC87p2hqjrxOHuI7fkZYeNIcAoa83rBltFXaBDYhWAKS1
-PcXS1/7JzP0ky7d0L6Xbu/If5kqWQpKwUInXtySRkuraVfuK3Bpa+X1XecWi24JY
-HVtlNX025xx1ewVzGNCTlWn1skQN2OOoQTV4C8/qFpTW6DTWYurd4+fE0OJFJZQF
-buhfXYwmRlVOgN5i77NTIJZJQfYFj38c/Iv5vZBPokO6mffrOTv3MHWVgQARAQAB
-tDNSZWQgSGF0LCBJbmMuIChyZWxlYXNlIGtleSAyKSA8c2VjdXJpdHlAcmVkaGF0
-LmNvbT6JAjYEEwEIACACGwMGCwkIBwMCBBUCCAMEFgIDAQIeAQIXgAUCSuBJPAAK
-CRAZni+R/UMdUfIkD/9m3HWv07uJG26R3KBexTo2FFu3rmZs+m2nfW8R3dBX+k0o
-AOFpgJCsNgKwU81LOPrkMN19G0+Yn/ZTCDD7cIQ7dhYuDyEX97xh4une/EhnnRuh
-ASzR+1xYbj/HcYZIL9kbslgpebMn+AhxbUTQF/mziug3hLidR9Bzvygq0Q09E11c
-OZL4BU6J2HqxL+9m2F+tnLdfhL7MsAq9nbmWAOpkbGefc5SXBSq0sWfwoes3X3yD
-Q8B5Xqr9AxABU7oUB+wRqvY69ZCxi/BhuuJCUxY89ZmwXfkVxeHl1tYfROUwOnJO
-GYSbI/o41KBK4DkIiDcT7QqvqvCyudnxZdBjL2QU6OrIJvWmKs319qSF9m3mXRSt
-ZzWtB89Pj5LZ6cdtuHvW9GO4qSoBLmAfB313pGkbgi1DE6tqCLHlA0yQ8zv99OWV
-cMDGmS7tVTZqfX1xQJ0N3bNORQNtikJC3G+zBCJzIeZleeDlMDQcww00yWU1oE7/
-To2UmykMGc7o9iggFWR2g0PIcKsA/SXdRKWPqCHG2uKHBvdRTQGupdXQ1sbV+AHw
-ycyA/9H/mp/NUSNM2cqnBDcZ6GhlHt59zWtEveiuU5fpTbp4GVcFXbW8jStj8j8z
-1HI3cywZO8+YNPzqyx0JWsidXGkfzkPHyS4jTG84lfu2JG8m/nqLnRSeKpl20Q==
-=79bX
-----END PGP PUBLIC KEY BLOCK-----
-----BEGIN PGP PUBLIC KEY BLOCK-----
-
-mQINBGIpIp4BEAC/o5e1WzLIsS6/JOQCs4XYATYTcf6B6ALzcP05G0W3uRpUQSrL
-FRKNrU8ZCelm/B+XSh2ljJNeklp2WLxYENDOsftDXGoyLr2hEkI5OyK267IHhFNJ
-g+BN+T5Cjh4ZiiWij6o9F7x2ZpxISE9M4iI80rwSv1KOnGSw5j2zD2EwoMjTVyVE
-/t3s5XJxnDclB7ZqL+cgjv0mWUY/4+b/OoRTkhq7b8QILuZp75Y64pkrndgakm1T
-8mAGXV02mEzpNj9DyAJdUqa11PIhMJMxxHOGHJ8CcHZ2NJL2e7yJf4orTj+cMhP5
-LzJcVlaXnQYu8Zkqa0V6J1Qdj8ZXL72QsmyicRYXAtK9Jm5pvBHuYU2m6Ja7dBEB
-Vkhe7lTKhAjkZC5ErPmANNS9kPdtXCOpwN1lOnmD2m04hks3kpH9OTX7RkTFUSws
-eARAfRID6RLfi59B9lmAbekecnsMIFMx7qR7ZKyQb3GOuZwNYOaYFevuxusSwCHv
-4FtLDIhk+Fge+EbPdEva+VLJeMOb02gC4V/cX/oFoPkxM1A5LHjkuAM+aFLAiIRd
-Np/tAPWk1k6yc+FqkcDqOttbP4ciiXb9JPtmzTCbJD8lgH0rGp8ufyMXC9x7/dqX
-TjsiGzyvlMnrkKB4GL4DqRFl8LAR02A3846DD8CAcaxoXggL2bJCU2rgUQARAQAB
-tDVSZWQgSGF0LCBJbmMuIChhdXhpbGlhcnkga2V5IDMpIDxzZWN1cml0eUByZWRo
-YXQuY29tPokCUgQTAQgAPBYhBH5GJCWMQGU11W1vE1BU5KRaY0CzBQJiKSKeAhsD
-BQsJCAcCAyICAQYVCgkICwIEFgIDAQIeBwIXgAAKCRBQVOSkWmNAsyBfEACuTN/X
-YR+QyzeRw0pXcTvMqzNE4DKKr97hSQEwZH1/v1PEPs5O3psuVUm2iam7bqYwG+ry
-EskAgMHi8AJmY0lioQD5/LTSLTrM8UyQnU3g17DHau1NHIFTGyaW4a7xviU4C2+k
-c6X0u1CPHI1U4Q8prpNcfLsldaNYlsVZtUtYSHKPAUcswXWliW7QYjZ5tMSbu8jR
-OMOc3mZuf0fcVFNu8+XSpN7qLhRNcPv+FCNmk/wkaQfH4Pv+jVsOgHqkV3aLqJeN
-kNUnpyEKYkNqo7mNfNVWOcl+Z1KKKwSkIi3vg8maC7rODsy6IX+Y96M93sqYDQom
-aaWue2gvw6thEoH4SaCrCL78mj2YFpeg1Oew4QwVcBnt68KOPfL9YyoOicNs4Vuu
-fb/vjU2ONPZAeepIKA8QxCETiryCcP43daqThvIgdbUIiWne3gae6eSj0EuUPoYe
-H5g2Lw0qdwbHIOxqp2kvN96Ii7s1DK3VyhMt/GSPCxRnDRJ8oQKJ2W/I1IT5VtiU
-zMjjq5JcYzRPzHDxfVzT9CLeU/0XQ+2OOUAiZKZ0dzSyyVn8xbpviT7iadvjlQX3
-CINaPB+d2Kxa6uFWh+ZYOLLAgZ9B8NKutUHpXN66YSfe79xFBSFWKkJ8cSIMk13/
-Ifs7ApKlKCCRDpwoDqx/sjIaj1cpOfLHYjnefg==
-=UZd/
-----END PGP PUBLIC KEY BLOCK-----
--- a/22
+++ b/22
@ -0,0 +1,22 @@
+The following key is used to provide verification of sigstore signatures for
+artifacts that are sigstore-enabled.
+
+Questions about this key should be sent to security@redhat.com
+
+pub   4096R/E60D446E63405576 2024-09-20
+uid                          Red Hat, Inc. (release key 3) <security@redhat.com>
+
+-----BEGIN PUBLIC KEY-----
+MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA0ASyuH2TLWvBUqPHZ4Ip
+75g7EncBkgQHdJnjzxAW5KQTMh/siBoB/BoSrtiPMwnChbTCnQOIQeZuDiFnhuJ7
+M/D3b7JoX0m123NcCSn67mAdjBa6Bg6kukZgCP4ZUZeESajWX/EjylFcRFOXW57p
+RDCEN42J/jYlVqt+g9+Grker8Sz86H3l0tbqOdjbz/VxHYhwF0ctUMHsyVRDq2QP
+tqzNXlmlMhS/PoFr6R4u/7HCn/K+LegcO2fAFOb40KvKSKKVD6lewUZErhop1CgJ
+XjDtGmmO9dGMF71mf6HEfaKSdy+EE6iSF2A2Vv9QhBawMiq2kOzEiLg4nAdJT8wg
+ZrMAmPCqGIsXNGZ4/Q+YTwwlce3glqb5L9tfNozEdSR9N85DESfQLQEdY3CalwKM
+BT1OEhEX1wHRCU4drMOej6BNW0VtscGtHmCrs74jPezhwNT8ypkyS+T0zT4Tsy6f
+VXkJ8YSHyenSzMB2Op2bvsE3grY+s74WhG9UIA6DBxcTie15NSzKwfzaoNWODcLF
+p7BY8aaHE2MqFxYFX+IbjpkQRfaeQQsouDFdCkXEFVfPpbD2dk6FleaMTPuyxtIT
+gjVEtGQK2qGCFGiQHFd4hfV+eCA63Jro1z0zoBM5BbIIQ3+eVFwt3AlZp5UVwr6d
+secqki/yrmv3Y0dqZ9VOn3UCAwEAAQ==
+-----END PUBLIC KEY-----
--- a/containers-common.spec
+++ b/containers-common.spec
@ -40,7 +40,7 @@ Epoch: 5
 # copr and koji builds.
 # If you're reading this on dist-git, the version is automatically filled in by Packit.
 Version: 0.60.2
-Release: 6%{?dist}
+Release: 7%{?dist}
 License: Apache-2.0
 BuildArch: noarch
 # for BuildRequires: go-md2man
@ -53,6 +53,10 @@ Requires: (container-selinux >= 2:2.162.1 if selinux-policy)
 Requires: netavark
 Obsoletes: containernetworking-plugins < 2
 Suggests: fuse-overlayfs
+%if 0%{?rhel}
+Requires: /etc/pki/sigstore/REKOR-signing-key
+Requires: /etc/pki/sigstore/SIGSTORE-redhat-release3
+%endif
 URL: https://github.com/%{project}/%{repo}
 Source0: %{url}/archive/v%{version_no_tilde}.tar.gz
 Source1: %{raw_github_url}/image/%{image_branch}/docs/containers-auth.json.5.md
@ -69,8 +73,8 @@ Source11: %{raw_github_url}/image/%{image_branch}/default.yaml
 Source12: default-policy.json
 Source13: %{raw_github_url}/image/%{image_branch}/registries.conf
 Source14: %{raw_github_url}/storage/%{storage_branch}/storage.conf
-Source15: RPM-GPG-KEY-redhat-release
-Source16: RPM-GPG-KEY-redhat-beta
+Source15: REKOR-signing-key
+Source16: SIGSTORE-redhat-release3

 %description
 This package contains common configuration files and documentation for container
@ -154,9 +158,9 @@ install -Dp -m0644 registries.conf %{buildroot}%{_sysconfdir}/containers/registr
 install -Dp -m0644 storage.conf %{buildroot}%{_datadir}/containers/storage.conf

 %if 0%{?fedora} || 0%{?centos}
-install -dp %{buildroot}%{_sysconfdir}/pki/rpm-gpg
-install -m0644 %{SOURCE15} %{buildroot}%{_sysconfdir}/pki/rpm-gpg
-install -m0644 %{SOURCE16} %{buildroot}%{_sysconfdir}/pki/rpm-gpg
+install -dp %{buildroot}%{_sysconfdir}/pki/sigstore
+install -m0644 %{SOURCE15} %{buildroot}%{_sysconfdir}/pki/sigstore
+install -m0644 %{SOURCE16} %{buildroot}%{_sysconfdir}/pki/sigstore
 %endif

 install -Dp -m0644 contrib/redhat/registry.access.redhat.com.yaml -t %{buildroot}%{_sysconfdir}/containers/registries.d
@ -200,8 +204,8 @@ ln -s ../../../..%{_sysconfdir}/yum.repos.d/redhat.repo %{buildroot}%{_datadir}/
 %config(noreplace) %{_sysconfdir}/containers/registries.conf
 %config(noreplace) %{_sysconfdir}/containers/registries.conf.d/000-shortnames.conf
 %if 0%{?fedora} || 0%{?centos}
-%{_sysconfdir}/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
-%{_sysconfdir}/pki/rpm-gpg/RPM-GPG-KEY-redhat-beta
+%{_sysconfdir}/pki/sigstore/REKOR-signing-key
+%{_sysconfdir}/pki/sigstore/SIGSTORE-redhat-release3
 %endif
 %config(noreplace) %{_sysconfdir}/containers/registries.d/default.yaml
 %config(noreplace) %{_sysconfdir}/containers/registries.d/registry.redhat.io.yaml
@ -226,6 +230,10 @@ ln -s ../../../..%{_sysconfdir}/yum.repos.d/redhat.repo %{buildroot}%{_datadir}/
 %files extra

 %changelog
+* Tue Oct 29 2024 Jindrich Novy <jnovy@redhat.com> - 5:0.60.2-7
+- Enable sigstore support
+- Resolves: RUN-2164
+
 * Tue Sep 10 2024 Jindrich Novy <jnovy@redhat.com> - 5:0.60.2-6
 - package GPG keys only on Fedora and CentOS
 - Related: RHEL-39410
--- a/default-policy.json
+++ b/default-policy.json
@ -8,16 +8,16 @@
        "docker": {
 	    "registry.access.redhat.com": [
 		{
-		    "type": "signedBy",
-		    "keyType": "GPGKeys",
-		    "keyPaths": ["/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release", "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-beta"]
+		    "type": "sigstoreSigned",
+		    "keyPath": "/etc/pki/sigstore/SIGSTORE-redhat-release3",
+		    "rekorPublicKeyPath": "/etc/pki/sigstore/REKOR-signing-key"
 		}
 	    ],
 	    "registry.redhat.io": [
 		{
-		    "type": "signedBy",
-		    "keyType": "GPGKeys",
-		    "keyPaths": ["/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release", "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-beta"]
+		    "type": "sigstoreSigned",
+		    "keyPath": "/etc/pki/sigstore/SIGSTORE-redhat-release3",
+		    "rekorPublicKeyPath": "/etc/pki/sigstore/REKOR-signing-key"
 		}
 	    ]
 	},
--- a/registry.access.redhat.com.yaml
+++ b/registry.access.redhat.com.yaml
@ -1,3 +1,3 @@
 docker:
     registry.access.redhat.com:
-         sigstore: https://access.redhat.com/webassets/docker/content/sigstore
+         use-sigstore-attachments: true
--- a/registry.redhat.io.yaml
+++ b/registry.redhat.io.yaml
@ -1,3 +1,3 @@
 docker:
     registry.redhat.io:
-         sigstore: https://registry.redhat.io/containers/sigstore
+         use-sigstore-attachments: true
--- a/update.sh
+++ b/update.sh
@ -71,8 +71,9 @@ fi
 				"socket",' seccomp.json
 rhpkg clone redhat-release
 cd redhat-release
-rhpkg switch-branch rhel-10.0-beta
+rhpkg switch-branch rhel-10.0
 rhpkg prep
-cp -f redhat-release-*/RPM-GPG* ../
+cp -f redhat-release-*/REKOR-signing-key ../
+cp -f redhat-release-*/SIGSTORE-redhat-release3 ../
 cd -
 rm -rf redhat-release