diff --git a/flatpak-for-registry.redhat.io-get-certificates-from-etc-pki.patch b/flatpak-for-registry.redhat.io-get-certificates-from-etc-pki.patch
new file mode 100644
index 0000000..edd563f
--- /dev/null
+++ b/flatpak-for-registry.redhat.io-get-certificates-from-etc-pki.patch
@@ -0,0 +1,123 @@
+From 9b5276b866e9eda60683c74381c44d748a7a6da2 Mon Sep 17 00:00:00 2001
+From: "Owen W. Taylor"
+Date: Mon, 24 Mar 2025 15:07:35 -0400
+Subject: [PATCH] For registry.redhat.io get certificates from
+ /etc/pki/entitlement
+
+The Red Hat container registry at registry.redhat.io accepts RHEL
+entitlement (and consumer) certificates for authentication.
+Until subscription manager gets proper support for writing certificates into
+/etc/containers/certs.d, this implements a temporary workaround where
+if we recognize the host as being the Red Hat registry, we look for
+entitlement certificates in the subscription manager entitlement directory.
+---
+ common/flatpak-utils-http.c | 86 +++++++++++++++++++++++++++++++++++++
+ 1 file changed, 86 insertions(+)
+
+diff --git a/common/flatpak-utils-http.c b/common/flatpak-utils-http.c
+index ab707876..1f070f90 100644
+--- a/common/flatpak-utils-http.c
++++ b/common/flatpak-utils-http.c
+@@ -243,6 +243,89 @@ check_http_status (guint status_code,
+ return FALSE;
+ }
++
++#define SUBSCRIPTION_MANAGER_ENTITLEMENT_DIR "/etc/pki/entitlement"
++
++/**
++ * get_redhat_certificates:
++ * @certificates: A #FlatpakCertificates
++ * @host: The host to get certificates for
++ *
++ * The Red Hat container registry at registry.redhat.io accepts RHEL
++ * entitlement (and consumer) certificates for authentication.
++ * Until subscription manager gets proper support for writing certificates into
++ * /etc/containers/certs.d, this implements a temporary workaround where
++ * if we recognize the host as being the Red Hat registry, we look for
++ * entitlement certificates in the subscription manager entitlement directory.
++ *
++ * Returns: %TRUE if certificates were added, %FALSE otherwise
++ */
++static gboolean
++get_redhat_certificates (FlatpakCertificates *certificates,
++ const char *host)
++{
++ g_autoptr(GFile) entitlement_dir = NULL;
++ g_autoptr(GFileEnumerator) enumerator = NULL;
++ g_autoptr(GError) local_error = NULL;
++
++ if (!(strcmp (host, "flatpaks.registry.redhat.io") == 0 ||
++ strcmp (host, "flatpaks.registry.stage.redhat.io") == 0))
++ return FALSE;
++
++ g_info ("Looking for Red Hat entitlement certificates for %s in %s",
++ host, SUBSCRIPTION_MANAGER_ENTITLEMENT_DIR);
++
++ entitlement_dir = g_file_new_for_path (SUBSCRIPTION_MANAGER_ENTITLEMENT_DIR);
++ enumerator = g_file_enumerate_children (entitlement_dir, G_FILE_ATTRIBUTE_STANDARD_NAME,
++ G_FILE_QUERY_INFO_NONE,
++ NULL, &local_error);
++ if (enumerator == NULL)
++ {
++ g_info ("Failed to enumerate entitlement directory: %s", local_error->message);
++ g_clear_error (&local_error);
++
++ return FALSE;
++ }
++
++ while (TRUE)
++ {
++ GFile *child;
++ g_autofree char *basename = NULL;
++
++ if (!g_file_enumerator_iterate (enumerator, NULL, &child, NULL, &local_error))
++ {
++ g_info ("Failed to enumerate entitlement directory: %s", local_error->message);
++ g_clear_error (&local_error);
++ return FALSE;
++ }
++
++ if (child == NULL)
++ break;
++
++ basename = g_file_get_basename (child);
++ if (g_str_has_suffix (basename, ".pem") && !g_str_has_suffix (basename, "-key.pem"))
++ {
++ g_autofree char *without_ext = g_strndup (basename, strlen (basename) - 4);
++ g_autofree char *cert_basename = g_strconcat (without_ext, "-key.pem", NULL);
++ g_autoptr(GFile) key_file = g_file_get_child (entitlement_dir, cert_basename);
++ if (!g_file_query_exists (key_file, NULL))
++ {
++ g_info ("No key for %s, ignoring", basename);
++ continue;
++ }
++
++ g_info ("Using cert %s and key %s",
++ flatpak_file_get_path_cached (child), flatpak_file_get_path_cached (key_file));
++ certificates->client_cert_file = g_file_get_path (child);
++ certificates->client_key_file = g_file_get_path (key_file);
++
++ return TRUE;
++ }
++ }
++
++ g_info ("No entitlement certificate found");
++ return FALSE;
++}
++
+ FlatpakCertificates*
+ flatpak_get_certificates_for_uri (const char *uri,
+ GError **error)
+@@ -369,6 +452,9 @@ flatpak_get_certificates_for_uri (const char *uri,
+ }
+ }
++
++ if (certificates->client_cert_file == NULL)
++ get_redhat_certificates (certificates, g_uri_get_host (parsed_uri));
++
+ return g_steal_pointer (&certificates);
+ }
+
+--
+2.47.0
+
diff --git a/flatpak.spec b/flatpak.spec
index dc1c275..9657102 100644
--- a/flatpak.spec
+++ b/flatpak.spec
@@ -12,7 +12,7 @@ Name: flatpak Version: 1.16.0 -Release: 6%{?dist} +Release: 7%{?dist} Summary: Application deployment framework for desktop apps License: LGPL-2.1-or-later
@@ -45,6 +45,8 @@ Patch3: flatpak-add-support-for-preinstalling-flatpaks.patch Patch4: flatpak-enable-collection-ids-for-oci-remotes.patch # Fix crash and installatcion of OCI images Patch5: flatpak-pass-token-to-flatpak-image-source-new-remote.patch +# /etc/pki/entitlement +Patch6: flatpak-for-registry.redhat.io-get-certificates-from-etc-pki.patch # ostree not on i686 for RHEL 10 # https://github.com/containers/composefs/pull/229#issuecomment-1838735764
@@ -314,6 +316,10 @@ fi %changelog +* Mon Oct 13 2025 Jan Grulich - 1.16.0-7 +- Get certificates from /etc/pki/entitlement for registry.redhat.io + Resolves: RHEL-85004 + * Mon Aug 04 2025 Jan Grulich - 1.16.0-6 - Fix wrongly marked failed installs as pre-installed Resolves: RHEL-89989
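Review bot: `get_redhat_certificates` hands `host` straight to `strcmp`, but the new call site passes `g_uri_get_host (parsed_uri)`, which is NULL for a URI that has no host component, so a hostless URI would dereference NULL before the early return. A guard at the top of the function, `if (host == NULL) return FALSE;`, keeps the fallback inert for such URIs; the call sits in `flatpak_get_certificates_for_uri`, whose body starts outside the hunk, so whether the parsed URI is already validated there cannot be told from here. Separately, the doc comment and commit message speak of "registry.redhat.io" while the code matches only `flatpaks.registry.redhat.io` and `flatpaks.registry.stage.redhat.io`; since that exact-match list is what keeps the entitlement certificate and private key from being offered to any other host, the comment should name the two hosts, e.g. `* Only the exact hosts flatpaks.registry.redhat.io and flatpaks.registry.stage.redhat.io qualify.`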