Update tagging scripts to include signature checks and correctly handle gating

Resolves: RHEL-147634

java-1.8.0-openjdk.spec

@@ -360,7 +360,7 @@
 %global updatever       %(VERSION=%{whole_update}; echo ${VERSION##*u})
 # eg jdk8u60-b27 -> b27
 %global buildver        %(VERSION=%{version_tag}; echo ${VERSION##*-})
-%global rpmrelease      2
+%global rpmrelease      3
 # Settings used by the portable build
 %global portablerelease 1
 # Portable suffix differs between RHEL and CentOS
@@ -2970,6 +2970,10 @@ cjc.mainProgram(args)
 %endif
 
 %changelog
+* Sat Feb 07 2026 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.482.b08-3
+- Update tagging scripts to include signature checks and correctly handle gating
+- Resolves: RHEL-147634
+
 * Wed Jan 28 2026 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.482.b08-2
 - Bump rpmrelease for CentOS build
 - Related: RHEL-142687

scripts/builds/check_signatures.sh

@@ -0,0 +1,77 @@
+#!/bin/sh
+
+# Copyright (C) 2026 Red Hat, Inc.
+# Written by:
+#     Andrew John Hughes <gnu.andrew@redhat.com>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as
+# published by the Free Software Foundation, either version 3 of the
+# License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+# Check the signatures (if any) in RHEL RPM buildinfo
+# This is intended to be run from the tagging scripts
+
+# Return codes:
+# - 1 - Buildinfo file not specified
+# - 2 = Missing buildinfo file
+# - 3 = No signatures
+# - 4 = Multiple signature types found
+# - 5 = PQC signature found
+# - 6 = Old signature (fd431d51) found
+# - 7 = Unknown signature found
+
+BUILDINFO=${1}
+NEW_SIGNATURE="release4";
+OLD_SIGNATURE="fd431d51";
+
+if test "${BUILDINFO}" = ""; then
+    echo "${0} <BUILDINFO>";
+    exit 1;
+fi
+
+if ! test -e "${BUILDINFO}" ; then
+    echo "${BUILDINFO} not found.";
+    exit 2;
+fi
+
+if cat ${BUILDINFO} | grep -q Signatures ; then
+    signature=$(cat ${BUILDINFO} | grep Signatures|cut -d ' ' -f 2-|uniq -c);
+    uniq_count=$(echo ${signature} | wc -l);
+    if test ${uniq_count} -gt 1; then
+        echo "Multiple signature types found:";
+        echo "${signature}";
+        exit 4;
+    fi
+    sig_count=$(echo ${signature} | cut -d ' ' -f 1);
+    sig_type=$(echo ${signature} | cut -d ' ' -f 2);
+    echo "${sig_count} signatures of type ${sig_type} found";
+    if echo "${sig_type}" | grep -q "${NEW_SIGNATURE}" ; then
+        echo "PQC signature found.";
+        exit 5;
+    elif echo "${sig_type}" | grep -q "${OLD_SIGNATURE}"; then
+        echo "Old pre-PQC signature found.";
+        exit 6;
+    else
+        echo "Unknown signature found.";
+        exit 7;
+    fi
+else
+    echo "Build has no signatures.";
+    exit 3;
+fi
+
+# Local Variables:
+# compile-command: "shellcheck check_signatures.sh"
+# fill-column: 80
+# indent-tabs-mode: nil
+# sh-basic-offset: 4
+# End:

scripts/builds/tag_rhel.sh

@@ -0,0 +1,87 @@
+#!/bin/sh
+
+# Copyright (C) 2026 Red Hat, Inc.
+# Written by:
+#     Andrew John Hughes <gnu.andrew@redhat.com>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as
+# published by the Free Software Foundation, either version 3 of the
+# License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+# Tag public RHEL RPMs into gating for all supported streams
+# This is intended to be run from tag_rhel_<ver>_(public|embargoed).sh
+
+BUILD="${1}"
+BUILDLOG="${2}"
+SUFFIX="${3}"
+shift 3;
+SUPPORTED_VERS="$*"
+
+CMD_SYNTAX="${0} <BUILD> <BUILDLOG> <SUFFIX> <SUPPORTED_VERS>";
+GATE_SUFFIX="gate"
+
+if test "${BUILD}" = ""; then
+    echo "${CMD_SYNTAX}";
+    exit 1;
+fi
+
+if test "${BUILDLOG}" = ""; then
+    echo "${CMD_SYNTAX}";
+    exit 2;
+fi
+
+if test "${SUPPORTED_VERS}" = ""; then
+    echo "${CMD_SYNTAX}";
+    exit 3;
+fi
+
+buildtags=$(grep "^Tag" "${BUILDLOG}" | cut -d : -f 2-)
+echo "Build has tags ${buildtags}";
+
+if [ "${SUFFIX}" = "${GATE_SUFFIX}" ] ; then
+    echo "Gating system can only handle one tag at a time."
+    echo "Script will need to be re-run for subsequent tags once previous tag has moved to -candidate."
+    if echo "${buildtags}" | grep -q "${GATE_SUFFIX}"; then
+        echo "Tag with \"-${GATE_SUFFIX}\" found. Please complete gating before re-running.";
+        exit 1;
+    fi
+fi
+
+done=0;
+for ver in ${SUPPORTED_VERS}; do
+    vertag="rhel-${ver}";
+    proposedtag="${vertag}-${SUFFIX}";
+    echo "Checking if ${BUILD} has been added to ${vertag}...";
+    if echo "${buildtags}" | grep -q "${vertag}" ; then
+        echo "${BUILD} has been tagged into ${proposedtag}";
+    else
+        if [ "${SUFFIX}" = "${GATE_SUFFIX}" ] && [ "${done}" -eq 1 ]; then
+            echo "Already added a tag. Need to tag ${proposedtag} in a future run.";
+        else
+            echo "Tagging ${BUILD} into ${proposedtag}";
+            brew tag-build --nowait "${proposedtag}" "${BUILD}";
+            done=1;
+        fi
+    fi
+done
+if [ "${done}" -eq 1 ]; then
+    brew watch-task --mine;
+else
+    echo "Nothing to do.";
+fi
+
+# Local Variables:
+# compile-command: "shellcheck tag_rhel.sh"
+# fill-column: 80
+# indent-tabs-mode: nil
+# sh-basic-offset: 4
+# End:

scripts/builds/tag_rhel_8_embargoed.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 
-# Copyright (C) 2025 Red Hat, Inc.
+# Copyright (C) 2026 Red Hat, Inc.
 # Written by:
 #     Andrew John Hughes <gnu.andrew@redhat.com>
 #
@@ -19,7 +19,6 @@
 
 # Tag embargoed RHEL 8 RPMs into supported z-streams
 
-SUPPORTED_VERS="8.2.0-z 8.4.0-z 8.6.0-z 8.8.0-z 8.10.0-z"
 BUILD=${1}
 
 if test "${BUILD}" = ""; then
@@ -27,15 +26,21 @@ if test "${BUILD}" = ""; then
     exit 1;
 fi
 
-for ver in ${SUPPORTED_VERS}; do
-    tag="rhel-${ver}-nocompose-candidate";
-    echo "Tagging ${BUILD} into ${tag}";
-    brew tag-build --nowait ${tag} ${BUILD};
-done
-brew watch-task --mine
+BUILDLOG=$(mktemp --tmpdir "temp-${BUILD}-buildinfo-XXX")
+SUPPORTED_VERS="8.2.0-z 8.4.0-z 8.6.0-z 8.8.0-z 8.10.0-z"
+WORKING_DIR=$(dirname "${0}")
+EMBARGOED_SUFFIX="nocompose-candidate"
+
+echo "Obtaining buildinfo for ${BUILD}...";
+brew buildinfo "${BUILD}" 2>&1 | tee "${BUILDLOG}" > /dev/null
+
+echo "Tagging embargoed build for ${SUPPORTED_VERS}...";
+"${WORKING_DIR}"/tag_rhel.sh "${BUILD}" "${BUILDLOG}" "${EMBARGOED_SUFFIX}" "${SUPPORTED_VERS}"
+
+rm -f "${BUILDLOG}"
 
 # Local Variables:
-# compile-command: "shellcheck tag_rhel_8_nocompose.sh"
+# compile-command: "shellcheck tag_rhel_8_embargoed.sh"
 # fill-column: 80
 # indent-tabs-mode: nil
 # sh-basic-offset: 4

scripts/builds/tag_rhel_8_public.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 
-# Copyright (C) 2025 Red Hat, Inc.
+# Copyright (C) 2026 Red Hat, Inc.
 # Written by:
 #     Andrew John Hughes <gnu.andrew@redhat.com>
 #
@@ -17,9 +17,8 @@
 # You should have received a copy of the GNU Affero General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
-# Tag RHEL 8 RPMs into all supported streams
+# Tag public RHEL 8 RPMs into gating for all supported streams
 
-SUPPORTED_VERS="8.2.0-z 8.4.0-z 8.6.0-z 8.8.0-z 8.10.0-z"
 BUILD=${1}
 
 if test "${BUILD}" = ""; then
@@ -27,15 +26,21 @@ if test "${BUILD}" = ""; then
     exit 1;
 fi
 
-for ver in ${SUPPORTED_VERS}; do
-    tag="rhel-${ver}-gate";
-    echo "Tagging ${BUILD} into ${tag}";
-    brew tag-build --nowait ${tag} ${BUILD};
-done
-brew watch-task --mine
+BUILDLOG=$(mktemp --tmpdir "temp-${BUILD}-buildinfo-XXX")
+SUPPORTED_VERS="8.2.0-z 8.4.0-z 8.6.0-z 8.8.0-z 8.10.0-z"
+WORKING_DIR=$(dirname "${0}")
+GATE_SUFFIX="gate"
+
+echo "Obtaining buildinfo for ${BUILD}...";
+brew buildinfo "${BUILD}" 2>&1 | tee "${BUILDLOG}" > /dev/null
+
+echo "Tagging build into gating for ${SUPPORTED_VERS}...";
+"${WORKING_DIR}"/tag_rhel.sh "${BUILD}" "${BUILDLOG}" "${GATE_SUFFIX}" "${SUPPORTED_VERS}"
+
+rm -f "${BUILDLOG}"
 
 # Local Variables:
-# compile-command: "shellcheck tag_rhel_8.sh"
+# compile-command: "shellcheck tag_rhel_8_public.sh"
 # fill-column: 80
 # indent-tabs-mode: nil
 # sh-basic-offset: 4

scripts/builds/tag_rhel_9.sh

@@ -1,42 +0,0 @@
-#!/bin/sh
-
-# Copyright (C) 2025 Red Hat, Inc.
-# Written by:
-#     Andrew John Hughes <gnu.andrew@redhat.com>
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU Affero General Public License as
-# published by the Free Software Foundation, either version 3 of the
-# License, or (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU Affero General Public License for more details.
-#
-# You should have received a copy of the GNU Affero General Public License
-# along with this program.  If not, see <http://www.gnu.org/licenses/>.
-
-# Tag RHEL 9 RPMs into all supported streams
-
-SUPPORTED_VERS="9.0.0-z 9.2.0-z 9.4.0-z 9.6.0-z 9.7.0-z 9.8.0"
-BUILD=${1}
-
-if test "${BUILD}" = ""; then
-    echo "${0} <BUILD>";
-    exit 1;
-fi
-
-for ver in ${SUPPORTED_VERS}; do
-    tag="rhel-${ver}-gate";
-    echo "Tagging ${BUILD} into ${tag}";
-    brew tag-build --nowait ${tag} ${BUILD};
-done
-brew watch-task --mine
-
-# Local Variables:
-# compile-command: "shellcheck tag_rhel_9.sh"
-# fill-column: 80
-# indent-tabs-mode: nil
-# sh-basic-offset: 4
-# End:

scripts/builds/tag_rhel_9_embargoed.sh

@@ -0,0 +1,67 @@
+#!/bin/sh
+
+# Copyright (C) 2026 Red Hat, Inc.
+# Written by:
+#     Andrew John Hughes <gnu.andrew@redhat.com>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as
+# published by the Free Software Foundation, either version 3 of the
+# License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+# Tag older embargoed RHEL 9 RPMs into supported z-streams
+
+BUILD=${1}
+
+if test "${BUILD}" = ""; then
+    echo "${0} <BUILD>";
+    exit 1;
+fi
+
+BUILDLOG=$(mktemp --tmpdir "temp-${BUILD}-buildinfo-XXX")
+SUPPORTED_VERS="9.0.0-z 9.2.0-z 9.4.0-z 9.6.0-z"
+WORKING_DIR=$(dirname "${0}")
+EMBARGOED_SUFFIX="nocompose-candidate"
+
+echo "Obtaining buildinfo for ${BUILD}...";
+brew buildinfo "${BUILD}" 2>&1 | tee "${BUILDLOG}" > /dev/null
+
+echo "Checking signatures for ${BUILD}...";
+"${WORKING_DIR}"/check_signatures.sh "${BUILDLOG}"
+
+# Return codes:
+# - 1 - Buildinfo file not specified
+# - 2 = Missing buildinfo file
+# - 3 = No signatures
+# - 4 = Multiple signature types found
+# - 5 = PQC signature found
+# - 6 = Old signature (fd431d51) found
+# - 7 = Unknown signature found
+ret=$?;
+if [ "${ret}" -eq 5 ] ; then
+    echo "Build has PQC signatures; use tag_rhel_9_embargoed_pqc.sh";
+    exit 2;
+elif ! { [ "${ret}" -eq 6 ] || [ "${ret}" -eq 3 ] ; } ; then
+    echo "Signature check failed.";
+    exit 3;
+fi
+
+echo "Tagging embargoed build for ${SUPPORTED_VERS}...";
+"${WORKING_DIR}"/tag_rhel.sh "${BUILD}" "${BUILDLOG}" "${EMBARGOED_SUFFIX}" "${SUPPORTED_VERS}"
+
+rm -f "${BUILDLOG}"
+
+# Local Variables:
+# compile-command: "shellcheck tag_rhel_9_embargoed.sh"
+# fill-column: 80
+# indent-tabs-mode: nil
+# sh-basic-offset: 4
+# End:

scripts/builds/tag_rhel_9_embargoed_pqc.sh

@@ -0,0 +1,67 @@
+#!/bin/sh
+
+# Copyright (C) 2026 Red Hat, Inc.
+# Written by:
+#     Andrew John Hughes <gnu.andrew@redhat.com>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as
+# published by the Free Software Foundation, either version 3 of the
+# License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+# Tag newer PQC embargoed RHEL 9 RPMs into supported z-streams
+
+BUILD=${1}
+
+if test "${BUILD}" = ""; then
+    echo "${0} <BUILD>";
+    exit 1;
+fi
+
+BUILDLOG=$(mktemp --tmpdir "temp-${BUILD}-buildinfo-XXX")
+SUPPORTED_VERS="9.7.0-z"
+WORKING_DIR=$(dirname "${0}")
+EMBARGOED_SUFFIX="nocompose-candidate"
+
+echo "Obtaining buildinfo for ${BUILD}...";
+brew buildinfo "${BUILD}" 2>&1 | tee "${BUILDLOG}" > /dev/null
+
+echo "Checking signatures for ${BUILD}...";
+"${WORKING_DIR}"/check_signatures.sh "${BUILDLOG}"
+
+# Return codes:
+# - 1 - Buildinfo file not specified
+# - 2 = Missing buildinfo file
+# - 3 = No signatures
+# - 4 = Multiple signature types found
+# - 5 = PQC signature found
+# - 6 = Old signature (fd431d51) found
+# - 7 = Unknown signature found
+ret=$?;
+if [ "${ret}" -eq 6 ] ; then
+    echo "Build has old signatures; use tag_rhel_9_embargoed.sh";
+    exit 2;
+elif ! { [ "${ret}" -eq 5 ] || [ "${ret}" -eq 3 ] ; } ; then
+    echo "Signature check failed.";
+    exit 3;
+fi
+
+echo "Tagging embargoed build for ${SUPPORTED_VERS}...";
+"${WORKING_DIR}"/tag_rhel.sh "${BUILD}" "${BUILDLOG}" "${EMBARGOED_SUFFIX}" "${SUPPORTED_VERS}"
+
+rm -f "${BUILDLOG}"
+
+# Local Variables:
+# compile-command: "shellcheck tag_rhel_9_embargoed_pqc.sh"
+# fill-column: 80
+# indent-tabs-mode: nil
+# sh-basic-offset: 4
+# End:

scripts/builds/tag_rhel_9_nocompose.sh

@@ -1,42 +0,0 @@
-#!/bin/sh
-
-# Copyright (C) 2025 Red Hat, Inc.
-# Written by:
-#     Andrew John Hughes <gnu.andrew@redhat.com>
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU Affero General Public License as
-# published by the Free Software Foundation, either version 3 of the
-# License, or (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU Affero General Public License for more details.
-#
-# You should have received a copy of the GNU Affero General Public License
-# along with this program.  If not, see <http://www.gnu.org/licenses/>.
-
-# Tag embargoed RHEL 9 RPMs into supported z-streams
-
-SUPPORTED_VERS="9.0.0-z 9.2.0-z 9.4.0-z 9.6.0-z"
-BUILD=${1}
-
-if test "${BUILD}" = ""; then
-    echo "${0} <BUILD>";
-    exit 1;
-fi
-
-for ver in ${SUPPORTED_VERS}; do
-    tag="rhel-${ver}-nocompose-candidate";
-    echo "Tagging ${BUILD} into ${tag}";
-    brew tag-build --nowait ${tag} ${BUILD};
-done
-brew watch-task --mine
-
-# Local Variables:
-# compile-command: "shellcheck tag_rhel_9_nocompose.sh"
-# fill-column: 80
-# indent-tabs-mode: nil
-# sh-basic-offset: 4
-# End:

scripts/builds/tag_rhel_9_public.sh

@@ -0,0 +1,67 @@
+#!/bin/sh
+
+# Copyright (C) 2026 Red Hat, Inc.
+# Written by:
+#     Andrew John Hughes <gnu.andrew@redhat.com>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as
+# published by the Free Software Foundation, either version 3 of the
+# License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+# Tag older public RHEL 9 RPMs into gating for all supported streams
+
+BUILD=${1}
+
+if test "${BUILD}" = ""; then
+    echo "${0} <BUILD>";
+    exit 1;
+fi
+
+BUILDLOG=$(mktemp --tmpdir "temp-${BUILD}-buildinfo-XXX")
+SUPPORTED_VERS="9.0.0-z 9.2.0-z 9.4.0-z 9.6.0-z"
+WORKING_DIR=$(dirname "${0}")
+GATE_SUFFIX="gate"
+
+echo "Obtaining buildinfo for ${BUILD}...";
+brew buildinfo "${BUILD}" 2>&1 | tee "${BUILDLOG}" > /dev/null
+
+echo "Checking signatures for ${BUILD}...";
+"${WORKING_DIR}"/check_signatures.sh "${BUILDLOG}"
+
+# Return codes:
+# - 1 - Buildinfo file not specified
+# - 2 = Missing buildinfo file
+# - 3 = No signatures
+# - 4 = Multiple signature types found
+# - 5 = PQC signature found
+# - 6 = Old signature (fd431d51) found
+# - 7 = Unknown signature found
+ret=$?;
+if [ "${ret}" -eq 5 ] ; then
+    echo "Build has PQC signatures; use tag_rhel_9_public_pqc.sh";
+    exit 2;
+elif ! { [ "${ret}" -eq 6 ] || [ "${ret}" -eq 3 ] ; } ; then
+    echo "Signature check failed.";
+    exit 3;
+fi
+
+echo "Tagging build into gating for ${SUPPORTED_VERS}...";
+"${WORKING_DIR}"/tag_rhel.sh "${BUILD}" "${BUILDLOG}" "${GATE_SUFFIX}" "${SUPPORTED_VERS}"
+
+rm -f "${BUILDLOG}"
+
+# Local Variables:
+# compile-command: "shellcheck tag_rhel_9_public.sh"
+# fill-column: 80
+# indent-tabs-mode: nil
+# sh-basic-offset: 4
+# End:

scripts/builds/tag_rhel_9_public_pqc.sh

@@ -0,0 +1,67 @@
+#!/bin/sh
+
+# Copyright (C) 2026 Red Hat, Inc.
+# Written by:
+#     Andrew John Hughes <gnu.andrew@redhat.com>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as
+# published by the Free Software Foundation, either version 3 of the
+# License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+# Tag newer PQC public RHEL 9 RPMs into gating for all supported streams
+
+BUILD=${1}
+
+if test "${BUILD}" = ""; then
+    echo "${0} <BUILD>";
+    exit 1;
+fi
+
+BUILDLOG=$(mktemp --tmpdir "temp-${BUILD}-buildinfo-XXX")
+SUPPORTED_VERS="9.8.0 9.7.0-z"
+WORKING_DIR=$(dirname "${0}")
+GATE_SUFFIX="gate"
+
+echo "Obtaining buildinfo for ${BUILD}...";
+brew buildinfo "${BUILD}" 2>&1 | tee "${BUILDLOG}" > /dev/null
+
+echo "Checking signatures for ${BUILD}...";
+"${WORKING_DIR}"/check_signatures.sh "${BUILDLOG}"
+
+# Return codes:
+# - 1 - Buildinfo file not specified
+# - 2 = Missing buildinfo file
+# - 3 = No signatures
+# - 4 = Multiple signature types found
+# - 5 = PQC signature found
+# - 6 = Old signature (fd431d51) found
+# - 7 = Unknown signature found
+ret=$?;
+if [ "${ret}" -eq 6 ] ; then
+    echo "Build has old signatures; use tag_rhel_9_public.sh";
+    exit 2;
+elif ! { [ "${ret}" -eq 5 ] || [ "${ret}" -eq 3 ] ; } ; then
+    echo "Signature check failed.";
+    exit 3;
+fi
+
+echo "Tagging build into gating for ${SUPPORTED_VERS}...";
+"${WORKING_DIR}"/tag_rhel.sh "${BUILD}" "${BUILDLOG}" "${GATE_SUFFIX}" "${SUPPORTED_VERS}"
+
+rm -f "${BUILDLOG}"
+
+# Local Variables:
+# compile-command: "shellcheck tag_rhel_9_public_pqc.sh"
+# fill-column: 80
+# indent-tabs-mode: nil
+# sh-basic-offset: 4
+# End: