diff --git a/REKOR-signing-key b/REKOR-signing-key
new file mode 100644
index 0000000..17996d9
--- /dev/null
+++ b/REKOR-signing-key
@@ -0,0 +1,5 @@
+-----BEGIN PUBLIC KEY-----
+MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAENqXXmPchbztil/PU0uGBh4xYJkterHN0
+Yz/o/cXw2hmmr6WAjq0FIEilS5nlDM9La+RcBts4xekrPBKBn37thbYuCoxEH39U
+gmagLaBS92UAhZty93CXgXMy89h5pJFZ
+-----END PUBLIC KEY-----
diff --git a/RPM-GPG-KEY-redhat-beta b/RPM-GPG-KEY-redhat-beta
deleted file mode 100644
index 1efd150..0000000
--- a/RPM-GPG-KEY-redhat-beta
+++ /dev/null
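Review bot: REKOR-signing-key lands as a bare PEM block with nothing stating which Rekor instance the key belongs to, when it was obtained, or whom to ask about it, whereas SIGSTORE-redhat-release3 in this same commit prefixes its PEM with a prose header (purpose, contact address, key id, date). Since the policy added in default-policy.json makes every Red Hat image pull depend on this key, an administrator has no way to check it against an out-of-band source; the only provenance is this commit. If the consumer tolerates leading text — the sigstore key file in this commit suggests it does — a header in the same style, e.g. `Public key of the Rekor transparency log whose inclusion proofs are required by the Red Hat sigstore policy. Questions about this key should be sent to security@redhat.com`, would give the file a verifiable origin.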
@@ -1,29 +0,0 @@
------BEGIN PGP PUBLIC KEY BLOCK-----
-Version: GnuPG v1.2.6 (GNU/Linux)
-
-mQINBEmkAzABEAC2/c7bP1lHQ3XScxbIk0LQWe1YOiibQBRLwf8Si5PktgtuPibT
-kKpZjw8p4D+fM7jD1WUzUE0X7tXg2l/eUlMM4dw6XJAQ1AmEOtlwSg7rrMtTvM0A
-BEtI7Km6fC6sU6RtBMdcqD1cH/6dbsfh8muznVA7UlX+PRBHVzdWzj6y8h84dBjo
-gzcbYu9Hezqgj/lLzicqsSZPz9UdXiRTRAIhp8V30BD8uRaaa0KDDnD6IzJv3D9P
-xQWbFM4Z12GN9LyeZqmD7bpKzZmXG/3drvfXVisXaXp3M07t3NlBa3Dt8NFIKZ0D
-FRXBz5bvzxRVmdH6DtkDWXDPOt+Wdm1rZrCOrySFpBZQRpHw12eo1M1lirANIov7
-Z+V1Qh/aBxj5EUu32u9ZpjAPPNtQF6F/KjaoHHHmEQAuj4DLex4LY646Hv1rcv2i
-QFuCdvLKQGSiFBrfZH0j/IX3/0JXQlZzb3MuMFPxLXGAoAV9UP/Sw/WTmAuTzFVm
-G13UYFeMwrToOiqcX2VcK0aC1FCcTP2z4JW3PsWvU8rUDRUYfoXovc7eg4Vn5wHt
-0NBYsNhYiAAf320AUIHzQZYi38JgVwuJfFu43tJZE4Vig++RQq6tsEx9Ftz3EwRR
-fJ9z9mEvEiieZm+vbOvMvIuimFVPSCmLH+bI649K8eZlVRWsx3EXCVb0nQARAQAB
-tDBSZWQgSGF0LCBJbmMuIChiZXRhIGtleSAyKSA8c2VjdXJpdHlAcmVkaGF0LmNv
-bT6JAjYEEwECACAFAkpSM+cCGwMGCwkIBwMCBBUCCAMEFgIDAQIeAQIXgAAKCRCT
-ioDK8hVB6/9tEAC0+KmzeKceXQ/GTUoU6jy9vtkFCFrmv+c7ol4XpdTt0QhqBOwy
-6m2mKWwmm8KfYfy0cADQ4y/EcoXl7FtFBwYmkCuEQGXhTDn9DvVjhooIq59LEMBQ
-OW879RwwzRIZ8ebbjMUjDPF5MfPQqP2LBu9N4KvXlZp4voykwuuaJ+cbsKZR6pZ6
-0RQKPHKP+NgUFC0fff7XY9cuOZZWFAeKRhLN2K7bnRHKxp+kELWb6R9ZfrYwZjWc
-MIPbTd1khE53L4NTfpWfAnJRtkPSDOKEGVlVLtLq4HEAxQt07kbslqISRWyXER3u
-QOJj64D1ZiIMz6t6uZ424VE4ry9rBR0Jz55cMMx5O/ni9x3xzFUgH8Su2yM0r3jE
-Rf24+tbOaPf7tebyx4OKe+JW95hNVstWUDyGbs6K9qGfI/pICuO1nMMFTo6GqzQ6
-DwLZvJ9QdXo7ujEtySZnfu42aycaQ9ZLC2DOCQCUBY350Hx6FLW3O546TAvpTfk0
-B6x+DV7mJQH7MGmRXQsE7TLBJKjq28Cn4tVp04PmybQyTxZdGA/8zY6pPl6xyVMH
-V68hSBKEVT/rlouOHuxfdmZva1DhVvUC6Xj7+iTMTVJUAq/4Uyn31P1OJmA2a0PT
-CAqWkbJSgKFccsjPoTbLyxhuMSNkEZFHvlZrSK9vnPzmfiRH0Orx3wYpMQ==
-=21pb
------END PGP PUBLIC KEY BLOCK-----
diff --git a/RPM-GPG-KEY-redhat-release b/RPM-GPG-KEY-redhat-release
deleted file mode 100644
index a59198e..0000000
--- a/RPM-GPG-KEY-redhat-release
+++ /dev/null
@@ -1,69 +0,0 @@
-The following public key can be used to verify RPM packages built and
-signed by Red Hat, Inc. This key is used for packages in Red Hat
-products shipped after November 2009, and for all updates to those
-products.
-
-Questions about this key should be sent to security@redhat.com.
-
-pub 4096R/FD431D51 2009-10-22
- Key fingerprint = 567E 347A D004 4ADE 55BA 8A5F 199E 2F91 FD43 1D51
-uid Red Hat, Inc. (release key 2)
-
------BEGIN PGP PUBLIC KEY BLOCK-----
-Version: GnuPG v2.0.22 (GNU/Linux)
-
-mQINBErgSTsBEACh2A4b0O9t+vzC9VrVtL1AKvUWi9OPCjkvR7Xd8DtJxeeMZ5eF
-0HtzIG58qDRybwUe89FZprB1ffuUKzdE+HcL3FbNWSSOXVjZIersdXyH3NvnLLLF
-0DNRB2ix3bXG9Rh/RXpFsNxDp2CEMdUvbYCzE79K1EnUTVh1L0Of023FtPSZXX0c
-u7Pb5DI5lX5YeoXO6RoodrIGYJsVBQWnrWw4xNTconUfNPk0EGZtEnzvH2zyPoJh
-XGF+Ncu9XwbalnYde10OCvSWAZ5zTCpoLMTvQjWpbCdWXJzCm6G+/hx9upke546H
-5IjtYm4dTIVTnc3wvDiODgBKRzOl9rEOCIgOuGtDxRxcQkjrC+xvg5Vkqn7vBUyW
-9pHedOU+PoF3DGOM+dqv+eNKBvh9YF9ugFAQBkcG7viZgvGEMGGUpzNgN7XnS1gj
-/DPo9mZESOYnKceve2tIC87p2hqjrxOHuI7fkZYeNIcAoa83rBltFXaBDYhWAKS1
-PcXS1/7JzP0ky7d0L6Xbu/If5kqWQpKwUInXtySRkuraVfuK3Bpa+X1XecWi24JY
-HVtlNX025xx1ewVzGNCTlWn1skQN2OOoQTV4C8/qFpTW6DTWYurd4+fE0OJFJZQF
-buhfXYwmRlVOgN5i77NTIJZJQfYFj38c/Iv5vZBPokO6mffrOTv3MHWVgQARAQAB
-tDNSZWQgSGF0LCBJbmMuIChyZWxlYXNlIGtleSAyKSA8c2VjdXJpdHlAcmVkaGF0
-LmNvbT6JAjYEEwEIACACGwMGCwkIBwMCBBUCCAMEFgIDAQIeAQIXgAUCSuBJPAAK
-CRAZni+R/UMdUfIkD/9m3HWv07uJG26R3KBexTo2FFu3rmZs+m2nfW8R3dBX+k0o
-AOFpgJCsNgKwU81LOPrkMN19G0+Yn/ZTCDD7cIQ7dhYuDyEX97xh4une/EhnnRuh
-ASzR+1xYbj/HcYZIL9kbslgpebMn+AhxbUTQF/mziug3hLidR9Bzvygq0Q09E11c
-OZL4BU6J2HqxL+9m2F+tnLdfhL7MsAq9nbmWAOpkbGefc5SXBSq0sWfwoes3X3yD
-Q8B5Xqr9AxABU7oUB+wRqvY69ZCxi/BhuuJCUxY89ZmwXfkVxeHl1tYfROUwOnJO
-GYSbI/o41KBK4DkIiDcT7QqvqvCyudnxZdBjL2QU6OrIJvWmKs319qSF9m3mXRSt
-ZzWtB89Pj5LZ6cdtuHvW9GO4qSoBLmAfB313pGkbgi1DE6tqCLHlA0yQ8zv99OWV
-cMDGmS7tVTZqfX1xQJ0N3bNORQNtikJC3G+zBCJzIeZleeDlMDQcww00yWU1oE7/
-To2UmykMGc7o9iggFWR2g0PIcKsA/SXdRKWPqCHG2uKHBvdRTQGupdXQ1sbV+AHw
-ycyA/9H/mp/NUSNM2cqnBDcZ6GhlHt59zWtEveiuU5fpTbp4GVcFXbW8jStj8j8z
-1HI3cywZO8+YNPzqyx0JWsidXGkfzkPHyS4jTG84lfu2JG8m/nqLnRSeKpl20Q==
-=79bX
------END PGP PUBLIC KEY BLOCK-----
------BEGIN PGP PUBLIC KEY BLOCK-----
-
-mQINBGIpIp4BEAC/o5e1WzLIsS6/JOQCs4XYATYTcf6B6ALzcP05G0W3uRpUQSrL
-FRKNrU8ZCelm/B+XSh2ljJNeklp2WLxYENDOsftDXGoyLr2hEkI5OyK267IHhFNJ
-g+BN+T5Cjh4ZiiWij6o9F7x2ZpxISE9M4iI80rwSv1KOnGSw5j2zD2EwoMjTVyVE
-/t3s5XJxnDclB7ZqL+cgjv0mWUY/4+b/OoRTkhq7b8QILuZp75Y64pkrndgakm1T
-8mAGXV02mEzpNj9DyAJdUqa11PIhMJMxxHOGHJ8CcHZ2NJL2e7yJf4orTj+cMhP5
-LzJcVlaXnQYu8Zkqa0V6J1Qdj8ZXL72QsmyicRYXAtK9Jm5pvBHuYU2m6Ja7dBEB
-Vkhe7lTKhAjkZC5ErPmANNS9kPdtXCOpwN1lOnmD2m04hks3kpH9OTX7RkTFUSws
-eARAfRID6RLfi59B9lmAbekecnsMIFMx7qR7ZKyQb3GOuZwNYOaYFevuxusSwCHv
-4FtLDIhk+Fge+EbPdEva+VLJeMOb02gC4V/cX/oFoPkxM1A5LHjkuAM+aFLAiIRd
-Np/tAPWk1k6yc+FqkcDqOttbP4ciiXb9JPtmzTCbJD8lgH0rGp8ufyMXC9x7/dqX
-TjsiGzyvlMnrkKB4GL4DqRFl8LAR02A3846DD8CAcaxoXggL2bJCU2rgUQARAQAB
-tDVSZWQgSGF0LCBJbmMuIChhdXhpbGlhcnkga2V5IDMpIDxzZWN1cml0eUByZWRo
-YXQuY29tPokCUgQTAQgAPBYhBH5GJCWMQGU11W1vE1BU5KRaY0CzBQJiKSKeAhsD
-BQsJCAcCAyICAQYVCgkICwIEFgIDAQIeBwIXgAAKCRBQVOSkWmNAsyBfEACuTN/X
-YR+QyzeRw0pXcTvMqzNE4DKKr97hSQEwZH1/v1PEPs5O3psuVUm2iam7bqYwG+ry
-EskAgMHi8AJmY0lioQD5/LTSLTrM8UyQnU3g17DHau1NHIFTGyaW4a7xviU4C2+k
-c6X0u1CPHI1U4Q8prpNcfLsldaNYlsVZtUtYSHKPAUcswXWliW7QYjZ5tMSbu8jR
-OMOc3mZuf0fcVFNu8+XSpN7qLhRNcPv+FCNmk/wkaQfH4Pv+jVsOgHqkV3aLqJeN
-kNUnpyEKYkNqo7mNfNVWOcl+Z1KKKwSkIi3vg8maC7rODsy6IX+Y96M93sqYDQom
-aaWue2gvw6thEoH4SaCrCL78mj2YFpeg1Oew4QwVcBnt68KOPfL9YyoOicNs4Vuu
-fb/vjU2ONPZAeepIKA8QxCETiryCcP43daqThvIgdbUIiWne3gae6eSj0EuUPoYe
-H5g2Lw0qdwbHIOxqp2kvN96Ii7s1DK3VyhMt/GSPCxRnDRJ8oQKJ2W/I1IT5VtiU
-zMjjq5JcYzRPzHDxfVzT9CLeU/0XQ+2OOUAiZKZ0dzSyyVn8xbpviT7iadvjlQX3
-CINaPB+d2Kxa6uFWh+ZYOLLAgZ9B8NKutUHpXN66YSfe79xFBSFWKkJ8cSIMk13/
-Ifs7ApKlKCCRDpwoDqx/sjIaj1cpOfLHYjnefg==
-=UZd/
------END PGP PUBLIC KEY BLOCK-----
diff --git a/SIGSTORE-redhat-release3 b/SIGSTORE-redhat-release3
new file mode 100644
index 0000000..5d79e4e
--- /dev/null
+++ b/SIGSTORE-redhat-release3
@@ -0,0 +1,22 @@
+The following key is used to provide verification of sigstore signatures for
+artifacts that are sigstore-enabled.
+
+Questions about this key should be sent to security@redhat.com
+
+pub 4096R/E60D446E63405576 2024-09-20
+uid Red Hat, Inc. (release key 3)
+
+-----BEGIN PUBLIC KEY-----
+MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA0ASyuH2TLWvBUqPHZ4Ip
+75g7EncBkgQHdJnjzxAW5KQTMh/siBoB/BoSrtiPMwnChbTCnQOIQeZuDiFnhuJ7
+M/D3b7JoX0m123NcCSn67mAdjBa6Bg6kukZgCP4ZUZeESajWX/EjylFcRFOXW57p
+RDCEN42J/jYlVqt+g9+Grker8Sz86H3l0tbqOdjbz/VxHYhwF0ctUMHsyVRDq2QP
+tqzNXlmlMhS/PoFr6R4u/7HCn/K+LegcO2fAFOb40KvKSKKVD6lewUZErhop1CgJ
+XjDtGmmO9dGMF71mf6HEfaKSdy+EE6iSF2A2Vv9QhBawMiq2kOzEiLg4nAdJT8wg
+ZrMAmPCqGIsXNGZ4/Q+YTwwlce3glqb5L9tfNozEdSR9N85DESfQLQEdY3CalwKM
+BT1OEhEX1wHRCU4drMOej6BNW0VtscGtHmCrs74jPezhwNT8ypkyS+T0zT4Tsy6f
+VXkJ8YSHyenSzMB2Op2bvsE3grY+s74WhG9UIA6DBxcTie15NSzKwfzaoNWODcLF
+p7BY8aaHE2MqFxYFX+IbjpkQRfaeQQsouDFdCkXEFVfPpbD2dk6FleaMTPuyxtIT
+gjVEtGQK2qGCFGiQHFd4hfV+eCA63Jro1z0zoBM5BbIIQ3+eVFwt3AlZp5UVwr6d
+secqki/yrmv3Y0dqZ9VOn3UCAwEAAQ==
+-----END PUBLIC KEY-----
diff --git a/containers-common.spec b/containers-common.spec
index 15bae8d..ba3e9f0 100644
--- a/containers-common.spec
+++ b/containers-common.spec
@@ -40,7 +40,7 @@ Epoch: 5
 # copr and koji builds.
 # If you're reading this on dist-git, the version is automatically filled in by Packit.
 Version: 0.60.2
-Release: 6%{?dist}
+Release: 7%{?dist}
 License: Apache-2.0
 BuildArch: noarch
 # for BuildRequires: go-md2man
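Review bot: The header of SIGSTORE-redhat-release3 gives a GPG-style `pub 4096R/E60D446E63405576 2024-09-20` line but no fingerprint, whereas the RPM-GPG-KEY-redhat-release file this commit removes carried a `Key fingerprint =` line that an administrator could compare against an out-of-band copy. The key below it is a `-----BEGIN PUBLIC KEY-----` (PKIX SubjectPublicKeyInfo) block rather than a PGP key, so the `4096R/<id>` notation is not something any tool will print for this file, and the note does not say how that id was derived. Suggest either documenting the derivation or replacing the line with a digest a reader can recompute, e.g. `SHA256 fingerprint (DER SubjectPublicKeyInfo) = <FINGERPRINT-PLACEHOLDER>`. The same consideration applies to REKOR-signing-key in this commit, which has no header at all.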
@@ -53,6 +53,10 @@ Requires: (container-selinux >= 2:2.162.1 if selinux-policy)
 Requires: netavark
 Obsoletes: containernetworking-plugins < 2
 Suggests: fuse-overlayfs
+%if 0%{?rhel}
+Requires: /etc/pki/sigstore/REKOR-signing-key
+Requires: /etc/pki/sigstore/SIGSTORE-redhat-release3
+%endif
 URL: https://github.com/%{project}/%{repo}
 Source0: %{url}/archive/v%{version_no_tilde}.tar.gz
 Source1: %{raw_github_url}/image/%{image_branch}/docs/containers-auth.json.5.md
@@ -69,8 +73,8 @@ Source11: %{raw_github_url}/image/%{image_branch}/default.yaml
 Source12: default-policy.json
 Source13: %{raw_github_url}/image/%{image_branch}/registries.conf
 Source14: %{raw_github_url}/storage/%{storage_branch}/storage.conf
-Source15: RPM-GPG-KEY-redhat-release
-Source16: RPM-GPG-KEY-redhat-beta
+Source15: REKOR-signing-key
+Source16: SIGSTORE-redhat-release3
 
 %description
 This package contains common configuration files and documentation for container
@@ -154,9 +158,9 @@ install -Dp -m0644 registries.conf %{buildroot}%{_sysconfdir}/containers/registr
 install -Dp -m0644 storage.conf %{buildroot}%{_datadir}/containers/storage.conf
 
 %if 0%{?fedora} || 0%{?centos}
-install -dp %{buildroot}%{_sysconfdir}/pki/rpm-gpg
-install -m0644 %{SOURCE15} %{buildroot}%{_sysconfdir}/pki/rpm-gpg
-install -m0644 %{SOURCE16} %{buildroot}%{_sysconfdir}/pki/rpm-gpg
+install -dp %{buildroot}%{_sysconfdir}/pki/sigstore
+install -m0644 %{SOURCE15} %{buildroot}%{_sysconfdir}/pki/sigstore
+install -m0644 %{SOURCE16} %{buildroot}%{_sysconfdir}/pki/sigstore
 %endif
 
 install -Dp -m0644 contrib/redhat/registry.access.redhat.com.yaml -t %{buildroot}%{_sysconfdir}/containers/registries.d
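Review bot: The two `Requires: /etc/pki/sigstore/...` lines added under `%if 0%{?rhel}` in the @@ -53 hunk depend on some other package owning those paths, but the spec never names it, and the install and `%files` entries for the same two files (the @@ -154 hunk here and the @@ -200 hunk below) are guarded by `%if 0%{?fedora} || 0%{?centos}`, so a RHEL build of this package ships neither key. Presumably redhat-release is the provider, since update.sh in this commit copies both files out of that package's dist-git checkout, but a maintainer reading only the spec cannot tell, and the policy installed from `Source12: default-policy.json` references those absolute paths unconditionally. Suggest a comment above the new `%if`, e.g. `# On RHEL the sigstore trust anchors are owned by redhat-release; Fedora and CentOS get them from this package (see %install).`, and a note that a build with neither macro set defined would install a policy pointing at files nobody provides.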
@@ -200,8 +204,8 @@ ln -s ../../../..%{_sysconfdir}/yum.repos.d/redhat.repo %{buildroot}%{_datadir}/
 %config(noreplace) %{_sysconfdir}/containers/registries.conf
 %config(noreplace) %{_sysconfdir}/containers/registries.conf.d/000-shortnames.conf
 %if 0%{?fedora} || 0%{?centos}
-%{_sysconfdir}/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
-%{_sysconfdir}/pki/rpm-gpg/RPM-GPG-KEY-redhat-beta
+%{_sysconfdir}/pki/sigstore/REKOR-signing-key
+%{_sysconfdir}/pki/sigstore/SIGSTORE-redhat-release3
 %endif
 %config(noreplace) %{_sysconfdir}/containers/registries.d/default.yaml
 %config(noreplace) %{_sysconfdir}/containers/registries.d/registry.redhat.io.yaml
@@ -226,6 +230,10 @@ ln -s ../../../..%{_sysconfdir}/yum.repos.d/redhat.repo %{buildroot}%{_datadir}/
 %files extra
 
 %changelog
+* Tue Oct 29 2024 Jindrich Novy - 5:0.60.2-7
+- Enable sigstore support
+- Resolves: RUN-2164
+
 * Tue Sep 10 2024 Jindrich Novy - 5:0.60.2-6
 - package GPG keys only on Fedora and CentOS
 - Related: RHEL-39410
diff --git a/default-policy.json b/default-policy.json
index eb5934e..99dd0ee 100644
--- a/default-policy.json
+++ b/default-policy.json
@@ -8,16 +8,16 @@
 "docker": {
 "registry.access.redhat.com": [
 {
-"type": "signedBy",
-"keyType": "GPGKeys",
-"keyPaths": ["/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release", "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-beta"]
+"type": "sigstoreSigned",
+"keyPath": "/etc/pki/sigstore/SIGSTORE-redhat-release3",
+"rekorPublicKeyPath": "/etc/pki/sigstore/REKOR-signing-key"
 }
 ],
 "registry.redhat.io": [
 {
-"type": "signedBy",
-"keyType": "GPGKeys",
-"keyPaths": ["/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release", "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-beta"]
+"type": "sigstoreSigned",
+"keyPath": "/etc/pki/sigstore/SIGSTORE-redhat-release3",
+"rekorPublicKeyPath": "/etc/pki/sigstore/REKOR-signing-key"
 }
 ]
 },
diff --git a/registry.access.redhat.com.yaml b/registry.access.redhat.com.yaml
index b426a4b..758bf85 100644
--- a/registry.access.redhat.com.yaml
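Review bot: Both new `sigstoreSigned` entries in the default-policy.json hunk omit `signedIdentity`, so the default identity rule documented in containers-policy.json(5) applies; that is a reasonable choice for these two registries, but nothing records that it was deliberate, and JSON gives no place for a comment, so a sentence in the changelog entry or commit message would be the place to say so. The two entries are also byte-for-byte copies; if registry.access.redhat.com and registry.redhat.io are meant to always share the same signing and Rekor keys, stating that next to `Source12: default-policy.json` in the spec would keep them from drifting apart at the next rotation. Finally, the removed `signedBy` entries accepted either of two keys, whereas the new ones pin a single `keyPath`, so rotating to a later release key will require a coordinated policy change rather than just shipping an additional key file, and until then both `keyPath` and `rekorPublicKeyPath` must exist on the host for any pull from these registries to be accepted.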
+++ b/registry.access.redhat.com.yaml
@@ -1,3 +1,3 @@
 docker:
 registry.access.redhat.com:
- sigstore: https://access.redhat.com/webassets/docker/content/sigstore
+ use-sigstore-attachments: true
diff --git a/registry.redhat.io.yaml b/registry.redhat.io.yaml
index 35f2c61..24fd6ea 100644
--- a/registry.redhat.io.yaml
+++ b/registry.redhat.io.yaml
@@ -1,3 +1,3 @@
 docker:
 registry.redhat.io:
- sigstore: https://registry.redhat.io/containers/sigstore
+ use-sigstore-attachments: true
diff --git a/update.sh b/update.sh
index 044c5f8..345af60 100755
--- a/update.sh
+++ b/update.sh
@@ -71,8 +71,9 @@ fi
 "socket",' seccomp.json
 rhpkg clone redhat-release
 cd redhat-release
-rhpkg switch-branch rhel-10.0-beta
+rhpkg switch-branch rhel-10.0
 rhpkg prep
-cp -f redhat-release-*/RPM-GPG* ../
+cp -f redhat-release-*/REKOR-signing-key ../
+cp -f redhat-release-*/SIGSTORE-redhat-release3 ../
 cd -
 rm -rf redhat-release
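Review bot: Replacing `sigstore:` with `use-sigstore-attachments: true` in registry.access.redhat.com.yaml drops the lookaside URL without saying why, and the shared word "sigstore" invites the assumption that the two keys configure the same mechanism; as far as the registries.d format documents them they do not — the removed `sigstore:` value was the lookaside location for the GPG signatures that the new policy no longer accepts, while the new key tells the client to look for signatures stored in the registry next to the image. YAML allows comments, so a line above the new key such as `# Signatures are fetched as sigstore attachments from the registry itself; the former lookaside URL only served the GPG signatures that default-policy.json no longer accepts.` would keep the next maintainer from re-adding the URL. The same applies to the identical change in registry.redhat.io.yaml below.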
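Review bot: The two `cp -f redhat-release-*/... ../` lines in the update.sh hunk copy the trust anchors that default-policy.json now relies on for every Red Hat image pull straight out of a fresh checkout, with no check that what arrived is a well-formed key or the expected one; the old `RPM-GPG*` glob had the same gap, but switching to explicit file names is a good moment to close it. Parsing each file and printing a digest to compare with the value recorded in the key's header would make a truncated or swapped key visible at update time, e.g. `openssl pkey -pubin -in ../SIGSTORE-redhat-release3 -noout` and `sha256sum ../REKOR-signing-key ../SIGSTORE-redhat-release3`. The `redhat-release-*` glob also assumes exactly one matching directory after `rhpkg prep`; whether `set -e` or any other guard covers these lines cannot be seen here, since the script continues outside the hunk.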