containers-common-0.60.2-7.el10

- Enable sigstore support - Resolves: RUN-2164 Signed-off-by: Jindrich Novy <jnovy@redhat.com>
2024-10-29 13:58:05 +01:00 · 2024-10-29 13:58:05 +01:00 · fd3744ff22
commit fd3744ff22
parent f72731a5c9
9 changed files with 54 additions and 116 deletions
--- a/5
+++ b/5
@ -0,0 +1,5 @@
 -----BEGIN PUBLIC KEY-----
 MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAENqXXmPchbztil/PU0uGBh4xYJkterHN0
 Yz/o/cXw2hmmr6WAjq0FIEilS5nlDM9La+RcBts4xekrPBKBn37thbYuCoxEH39U
 gmagLaBS92UAhZty93CXgXMy89h5pJFZ
 -----END PUBLIC KEY-----
--- a/29
+++ b/29
@ -1,29 +0,0 @@
 -----BEGIN PGP PUBLIC KEY BLOCK-----
 Version: GnuPG v1.2.6 (GNU/Linux)
 mQINBEmkAzABEAC2/c7bP1lHQ3XScxbIk0LQWe1YOiibQBRLwf8Si5PktgtuPibT
 kKpZjw8p4D+fM7jD1WUzUE0X7tXg2l/eUlMM4dw6XJAQ1AmEOtlwSg7rrMtTvM0A
 BEtI7Km6fC6sU6RtBMdcqD1cH/6dbsfh8muznVA7UlX+PRBHVzdWzj6y8h84dBjo
 gzcbYu9Hezqgj/lLzicqsSZPz9UdXiRTRAIhp8V30BD8uRaaa0KDDnD6IzJv3D9P
 xQWbFM4Z12GN9LyeZqmD7bpKzZmXG/3drvfXVisXaXp3M07t3NlBa3Dt8NFIKZ0D
 FRXBz5bvzxRVmdH6DtkDWXDPOt+Wdm1rZrCOrySFpBZQRpHw12eo1M1lirANIov7
 Z+V1Qh/aBxj5EUu32u9ZpjAPPNtQF6F/KjaoHHHmEQAuj4DLex4LY646Hv1rcv2i
 QFuCdvLKQGSiFBrfZH0j/IX3/0JXQlZzb3MuMFPxLXGAoAV9UP/Sw/WTmAuTzFVm
 G13UYFeMwrToOiqcX2VcK0aC1FCcTP2z4JW3PsWvU8rUDRUYfoXovc7eg4Vn5wHt
 0NBYsNhYiAAf320AUIHzQZYi38JgVwuJfFu43tJZE4Vig++RQq6tsEx9Ftz3EwRR
 fJ9z9mEvEiieZm+vbOvMvIuimFVPSCmLH+bI649K8eZlVRWsx3EXCVb0nQARAQAB
 tDBSZWQgSGF0LCBJbmMuIChiZXRhIGtleSAyKSA8c2VjdXJpdHlAcmVkaGF0LmNv
 bT6JAjYEEwECACAFAkpSM+cCGwMGCwkIBwMCBBUCCAMEFgIDAQIeAQIXgAAKCRCT
 ioDK8hVB6/9tEAC0+KmzeKceXQ/GTUoU6jy9vtkFCFrmv+c7ol4XpdTt0QhqBOwy
 6m2mKWwmm8KfYfy0cADQ4y/EcoXl7FtFBwYmkCuEQGXhTDn9DvVjhooIq59LEMBQ
 OW879RwwzRIZ8ebbjMUjDPF5MfPQqP2LBu9N4KvXlZp4voykwuuaJ+cbsKZR6pZ6
 0RQKPHKP+NgUFC0fff7XY9cuOZZWFAeKRhLN2K7bnRHKxp+kELWb6R9ZfrYwZjWc
 MIPbTd1khE53L4NTfpWfAnJRtkPSDOKEGVlVLtLq4HEAxQt07kbslqISRWyXER3u
 QOJj64D1ZiIMz6t6uZ424VE4ry9rBR0Jz55cMMx5O/ni9x3xzFUgH8Su2yM0r3jE
 Rf24+tbOaPf7tebyx4OKe+JW95hNVstWUDyGbs6K9qGfI/pICuO1nMMFTo6GqzQ6
 DwLZvJ9QdXo7ujEtySZnfu42aycaQ9ZLC2DOCQCUBY350Hx6FLW3O546TAvpTfk0
 B6x+DV7mJQH7MGmRXQsE7TLBJKjq28Cn4tVp04PmybQyTxZdGA/8zY6pPl6xyVMH
 V68hSBKEVT/rlouOHuxfdmZva1DhVvUC6Xj7+iTMTVJUAq/4Uyn31P1OJmA2a0PT
 CAqWkbJSgKFccsjPoTbLyxhuMSNkEZFHvlZrSK9vnPzmfiRH0Orx3wYpMQ==
 =21pb
 -----END PGP PUBLIC KEY BLOCK-----
--- a/69
+++ b/69
@ -1,69 +0,0 @@
 The following public key can be used to verify RPM packages built and
 signed by Red Hat, Inc.  This key is used for packages in Red Hat
 products shipped after November 2009, and for all updates to those
 products.
 Questions about this key should be sent to security@redhat.com.
 pub   4096R/FD431D51 2009-10-22
      Key fingerprint = 567E 347A D004 4ADE 55BA  8A5F 199E 2F91 FD43 1D51
 uid                  Red Hat, Inc. (release key 2) <security@redhat.com>
 -----BEGIN PGP PUBLIC KEY BLOCK-----
 Version: GnuPG v2.0.22 (GNU/Linux)
 mQINBErgSTsBEACh2A4b0O9t+vzC9VrVtL1AKvUWi9OPCjkvR7Xd8DtJxeeMZ5eF
 0HtzIG58qDRybwUe89FZprB1ffuUKzdE+HcL3FbNWSSOXVjZIersdXyH3NvnLLLF
 0DNRB2ix3bXG9Rh/RXpFsNxDp2CEMdUvbYCzE79K1EnUTVh1L0Of023FtPSZXX0c
 u7Pb5DI5lX5YeoXO6RoodrIGYJsVBQWnrWw4xNTconUfNPk0EGZtEnzvH2zyPoJh
 XGF+Ncu9XwbalnYde10OCvSWAZ5zTCpoLMTvQjWpbCdWXJzCm6G+/hx9upke546H
 5IjtYm4dTIVTnc3wvDiODgBKRzOl9rEOCIgOuGtDxRxcQkjrC+xvg5Vkqn7vBUyW
 9pHedOU+PoF3DGOM+dqv+eNKBvh9YF9ugFAQBkcG7viZgvGEMGGUpzNgN7XnS1gj
 /DPo9mZESOYnKceve2tIC87p2hqjrxOHuI7fkZYeNIcAoa83rBltFXaBDYhWAKS1
 PcXS1/7JzP0ky7d0L6Xbu/If5kqWQpKwUInXtySRkuraVfuK3Bpa+X1XecWi24JY
 HVtlNX025xx1ewVzGNCTlWn1skQN2OOoQTV4C8/qFpTW6DTWYurd4+fE0OJFJZQF
 buhfXYwmRlVOgN5i77NTIJZJQfYFj38c/Iv5vZBPokO6mffrOTv3MHWVgQARAQAB
 tDNSZWQgSGF0LCBJbmMuIChyZWxlYXNlIGtleSAyKSA8c2VjdXJpdHlAcmVkaGF0
 LmNvbT6JAjYEEwEIACACGwMGCwkIBwMCBBUCCAMEFgIDAQIeAQIXgAUCSuBJPAAK
 CRAZni+R/UMdUfIkD/9m3HWv07uJG26R3KBexTo2FFu3rmZs+m2nfW8R3dBX+k0o
 AOFpgJCsNgKwU81LOPrkMN19G0+Yn/ZTCDD7cIQ7dhYuDyEX97xh4une/EhnnRuh
 ASzR+1xYbj/HcYZIL9kbslgpebMn+AhxbUTQF/mziug3hLidR9Bzvygq0Q09E11c
 OZL4BU6J2HqxL+9m2F+tnLdfhL7MsAq9nbmWAOpkbGefc5SXBSq0sWfwoes3X3yD
 Q8B5Xqr9AxABU7oUB+wRqvY69ZCxi/BhuuJCUxY89ZmwXfkVxeHl1tYfROUwOnJO
 GYSbI/o41KBK4DkIiDcT7QqvqvCyudnxZdBjL2QU6OrIJvWmKs319qSF9m3mXRSt
 ZzWtB89Pj5LZ6cdtuHvW9GO4qSoBLmAfB313pGkbgi1DE6tqCLHlA0yQ8zv99OWV
 cMDGmS7tVTZqfX1xQJ0N3bNORQNtikJC3G+zBCJzIeZleeDlMDQcww00yWU1oE7/
 To2UmykMGc7o9iggFWR2g0PIcKsA/SXdRKWPqCHG2uKHBvdRTQGupdXQ1sbV+AHw
 ycyA/9H/mp/NUSNM2cqnBDcZ6GhlHt59zWtEveiuU5fpTbp4GVcFXbW8jStj8j8z
 1HI3cywZO8+YNPzqyx0JWsidXGkfzkPHyS4jTG84lfu2JG8m/nqLnRSeKpl20Q==
 =79bX
 -----END PGP PUBLIC KEY BLOCK-----
 -----BEGIN PGP PUBLIC KEY BLOCK-----
 mQINBGIpIp4BEAC/o5e1WzLIsS6/JOQCs4XYATYTcf6B6ALzcP05G0W3uRpUQSrL
 FRKNrU8ZCelm/B+XSh2ljJNeklp2WLxYENDOsftDXGoyLr2hEkI5OyK267IHhFNJ
 g+BN+T5Cjh4ZiiWij6o9F7x2ZpxISE9M4iI80rwSv1KOnGSw5j2zD2EwoMjTVyVE
 /t3s5XJxnDclB7ZqL+cgjv0mWUY/4+b/OoRTkhq7b8QILuZp75Y64pkrndgakm1T
 8mAGXV02mEzpNj9DyAJdUqa11PIhMJMxxHOGHJ8CcHZ2NJL2e7yJf4orTj+cMhP5
 LzJcVlaXnQYu8Zkqa0V6J1Qdj8ZXL72QsmyicRYXAtK9Jm5pvBHuYU2m6Ja7dBEB
 Vkhe7lTKhAjkZC5ErPmANNS9kPdtXCOpwN1lOnmD2m04hks3kpH9OTX7RkTFUSws
 eARAfRID6RLfi59B9lmAbekecnsMIFMx7qR7ZKyQb3GOuZwNYOaYFevuxusSwCHv
 4FtLDIhk+Fge+EbPdEva+VLJeMOb02gC4V/cX/oFoPkxM1A5LHjkuAM+aFLAiIRd
 Np/tAPWk1k6yc+FqkcDqOttbP4ciiXb9JPtmzTCbJD8lgH0rGp8ufyMXC9x7/dqX
 TjsiGzyvlMnrkKB4GL4DqRFl8LAR02A3846DD8CAcaxoXggL2bJCU2rgUQARAQAB
 tDVSZWQgSGF0LCBJbmMuIChhdXhpbGlhcnkga2V5IDMpIDxzZWN1cml0eUByZWRo
 YXQuY29tPokCUgQTAQgAPBYhBH5GJCWMQGU11W1vE1BU5KRaY0CzBQJiKSKeAhsD
 BQsJCAcCAyICAQYVCgkICwIEFgIDAQIeBwIXgAAKCRBQVOSkWmNAsyBfEACuTN/X
 YR+QyzeRw0pXcTvMqzNE4DKKr97hSQEwZH1/v1PEPs5O3psuVUm2iam7bqYwG+ry
 EskAgMHi8AJmY0lioQD5/LTSLTrM8UyQnU3g17DHau1NHIFTGyaW4a7xviU4C2+k
 c6X0u1CPHI1U4Q8prpNcfLsldaNYlsVZtUtYSHKPAUcswXWliW7QYjZ5tMSbu8jR
 OMOc3mZuf0fcVFNu8+XSpN7qLhRNcPv+FCNmk/wkaQfH4Pv+jVsOgHqkV3aLqJeN
 kNUnpyEKYkNqo7mNfNVWOcl+Z1KKKwSkIi3vg8maC7rODsy6IX+Y96M93sqYDQom
 aaWue2gvw6thEoH4SaCrCL78mj2YFpeg1Oew4QwVcBnt68KOPfL9YyoOicNs4Vuu
 fb/vjU2ONPZAeepIKA8QxCETiryCcP43daqThvIgdbUIiWne3gae6eSj0EuUPoYe
 H5g2Lw0qdwbHIOxqp2kvN96Ii7s1DK3VyhMt/GSPCxRnDRJ8oQKJ2W/I1IT5VtiU
 zMjjq5JcYzRPzHDxfVzT9CLeU/0XQ+2OOUAiZKZ0dzSyyVn8xbpviT7iadvjlQX3
 CINaPB+d2Kxa6uFWh+ZYOLLAgZ9B8NKutUHpXN66YSfe79xFBSFWKkJ8cSIMk13/
 Ifs7ApKlKCCRDpwoDqx/sjIaj1cpOfLHYjnefg==
 =UZd/
 -----END PGP PUBLIC KEY BLOCK-----
--- a/22
+++ b/22
@ -0,0 +1,22 @@
 The following key is used to provide verification of sigstore signatures for
 artifacts that are sigstore-enabled.
 Questions about this key should be sent to security@redhat.com
 pub   4096R/E60D446E63405576 2024-09-20
 uid                          Red Hat, Inc. (release key 3) <security@redhat.com>
 -----BEGIN PUBLIC KEY-----
 MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA0ASyuH2TLWvBUqPHZ4Ip
 75g7EncBkgQHdJnjzxAW5KQTMh/siBoB/BoSrtiPMwnChbTCnQOIQeZuDiFnhuJ7
 M/D3b7JoX0m123NcCSn67mAdjBa6Bg6kukZgCP4ZUZeESajWX/EjylFcRFOXW57p
 RDCEN42J/jYlVqt+g9+Grker8Sz86H3l0tbqOdjbz/VxHYhwF0ctUMHsyVRDq2QP
 tqzNXlmlMhS/PoFr6R4u/7HCn/K+LegcO2fAFOb40KvKSKKVD6lewUZErhop1CgJ
 XjDtGmmO9dGMF71mf6HEfaKSdy+EE6iSF2A2Vv9QhBawMiq2kOzEiLg4nAdJT8wg
 ZrMAmPCqGIsXNGZ4/Q+YTwwlce3glqb5L9tfNozEdSR9N85DESfQLQEdY3CalwKM
 BT1OEhEX1wHRCU4drMOej6BNW0VtscGtHmCrs74jPezhwNT8ypkyS+T0zT4Tsy6f
 VXkJ8YSHyenSzMB2Op2bvsE3grY+s74WhG9UIA6DBxcTie15NSzKwfzaoNWODcLF
 p7BY8aaHE2MqFxYFX+IbjpkQRfaeQQsouDFdCkXEFVfPpbD2dk6FleaMTPuyxtIT
 gjVEtGQK2qGCFGiQHFd4hfV+eCA63Jro1z0zoBM5BbIIQ3+eVFwt3AlZp5UVwr6d
 secqki/yrmv3Y0dqZ9VOn3UCAwEAAQ==
 -----END PUBLIC KEY-----
--- a/containers-common.spec
+++ b/containers-common.spec
@ -40,7 +40,7 @@ Epoch: 5
 # copr and koji builds.
 # If you're reading this on dist-git, the version is automatically filled in by Packit.
 Version: 0.60.2
-Release: 6%{?dist}
+Release: 7%{?dist}
 License: Apache-2.0
 BuildArch: noarch
 # for BuildRequires: go-md2man
@ -53,6 +53,10 @@ Requires: (container-selinux >= 2:2.162.1 if selinux-policy)
 Requires: netavark
 Obsoletes: containernetworking-plugins < 2
 Suggests: fuse-overlayfs
 %if 0%{?rhel}
 Requires: /etc/pki/sigstore/REKOR-signing-key
 Requires: /etc/pki/sigstore/SIGSTORE-redhat-release3
 %endif
 URL: https://github.com/%{project}/%{repo}
 Source0: %{url}/archive/v%{version_no_tilde}.tar.gz
 Source1: %{raw_github_url}/image/%{image_branch}/docs/containers-auth.json.5.md
@ -69,8 +73,8 @@ Source11: %{raw_github_url}/image/%{image_branch}/default.yaml
 Source12: default-policy.json
 Source13: %{raw_github_url}/image/%{image_branch}/registries.conf
 Source14: %{raw_github_url}/storage/%{storage_branch}/storage.conf
-Source15: RPM-GPG-KEY-redhat-release
+Source15: REKOR-signing-key
-Source16: RPM-GPG-KEY-redhat-beta
+Source16: SIGSTORE-redhat-release3
 %description
 This package contains common configuration files and documentation for container
@ -154,9 +158,9 @@ install -Dp -m0644 registries.conf %{buildroot}%{_sysconfdir}/containers/registr
 install -Dp -m0644 storage.conf %{buildroot}%{_datadir}/containers/storage.conf
 %if 0%{?fedora} || 0%{?centos}
-install -dp %{buildroot}%{_sysconfdir}/pki/rpm-gpg
+install -dp %{buildroot}%{_sysconfdir}/pki/sigstore
-install -m0644 %{SOURCE15} %{buildroot}%{_sysconfdir}/pki/rpm-gpg
+install -m0644 %{SOURCE15} %{buildroot}%{_sysconfdir}/pki/sigstore
-install -m0644 %{SOURCE16} %{buildroot}%{_sysconfdir}/pki/rpm-gpg
+install -m0644 %{SOURCE16} %{buildroot}%{_sysconfdir}/pki/sigstore
 %endif
 install -Dp -m0644 contrib/redhat/registry.access.redhat.com.yaml -t %{buildroot}%{_sysconfdir}/containers/registries.d
@ -200,8 +204,8 @@ ln -s ../../../..%{_sysconfdir}/yum.repos.d/redhat.repo %{buildroot}%{_datadir}/
 %config(noreplace) %{_sysconfdir}/containers/registries.conf
 %config(noreplace) %{_sysconfdir}/containers/registries.conf.d/000-shortnames.conf
 %if 0%{?fedora} || 0%{?centos}
-%{_sysconfdir}/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
+%{_sysconfdir}/pki/sigstore/REKOR-signing-key
-%{_sysconfdir}/pki/rpm-gpg/RPM-GPG-KEY-redhat-beta
+%{_sysconfdir}/pki/sigstore/SIGSTORE-redhat-release3
 %endif
 %config(noreplace) %{_sysconfdir}/containers/registries.d/default.yaml
 %config(noreplace) %{_sysconfdir}/containers/registries.d/registry.redhat.io.yaml
@ -226,6 +230,10 @@ ln -s ../../../..%{_sysconfdir}/yum.repos.d/redhat.repo %{buildroot}%{_datadir}/
 %files extra
 %changelog
 * Tue Oct 29 2024 Jindrich Novy <jnovy@redhat.com> - 5:0.60.2-7
 - Enable sigstore support
 - Resolves: RUN-2164
 * Tue Sep 10 2024 Jindrich Novy <jnovy@redhat.com> - 5:0.60.2-6
 - package GPG keys only on Fedora and CentOS
 - Related: RHEL-39410
--- a/default-policy.json
+++ b/default-policy.json
@ -8,16 +8,16 @@
        "docker": {
 	    "registry.access.redhat.com": [
 		{
-		    "type": "signedBy",
+		    "type": "sigstoreSigned",
-		    "keyType": "GPGKeys",
+		    "keyPath": "/etc/pki/sigstore/SIGSTORE-redhat-release3",
-		    "keyPaths": ["/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release", "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-beta"]
+		    "rekorPublicKeyPath": "/etc/pki/sigstore/REKOR-signing-key"
 		}
 	    ],
 	    "registry.redhat.io": [
 		{
-		    "type": "signedBy",
+		    "type": "sigstoreSigned",
-		    "keyType": "GPGKeys",
+		    "keyPath": "/etc/pki/sigstore/SIGSTORE-redhat-release3",
-		    "keyPaths": ["/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release", "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-beta"]
+		    "rekorPublicKeyPath": "/etc/pki/sigstore/REKOR-signing-key"
 		}
 	    ]
 	},
--- a/registry.access.redhat.com.yaml
+++ b/registry.access.redhat.com.yaml
@ -1,3 +1,3 @@
 docker:
     registry.access.redhat.com:
-         sigstore: https://access.redhat.com/webassets/docker/content/sigstore
+         use-sigstore-attachments: true
--- a/registry.redhat.io.yaml
+++ b/registry.redhat.io.yaml
@ -1,3 +1,3 @@
 docker:
     registry.redhat.io:
-         sigstore: https://registry.redhat.io/containers/sigstore
+         use-sigstore-attachments: true
--- a/update.sh
+++ b/update.sh
@ -71,8 +71,9 @@ fi
 				"socket",' seccomp.json
 rhpkg clone redhat-release
 cd redhat-release
-rhpkg switch-branch rhel-10.0-beta
+rhpkg switch-branch rhel-10.0
 rhpkg prep
-cp -f redhat-release-*/RPM-GPG* ../
+cp -f redhat-release-*/REKOR-signing-key ../
 cp -f redhat-release-*/SIGSTORE-redhat-release3 ../
 cd -
 rm -rf redhat-release