From d8129e85f3a10d54f503e8123b1ce33f0d4c84bd Mon Sep 17 00:00:00 2001 From: Andrew Hughes Date: Sat, 7 Feb 2026 17:18:10 +0000 Subject: [PATCH] Update tagging scripts to include signature checks and correctly handle gating Resolves: RHEL-147634 --- java-1.8.0-openjdk.spec | 6 +- scripts/builds/check_signatures.sh | 77 ++++++++++++++++ scripts/builds/tag_rhel.sh | 87 +++++++++++++++++++ ...8_nocompose.sh => tag_rhel_8_embargoed.sh} | 23 +++-- .../{tag_rhel_8.sh => tag_rhel_8_public.sh} | 25 +++--- scripts/builds/tag_rhel_9.sh | 42 --------- scripts/builds/tag_rhel_9_embargoed.sh | 67 ++++++++++++++ scripts/builds/tag_rhel_9_embargoed_pqc.sh | 67 ++++++++++++++ scripts/builds/tag_rhel_9_nocompose.sh | 42 --------- scripts/builds/tag_rhel_9_public.sh | 67 ++++++++++++++ scripts/builds/tag_rhel_9_public_pqc.sh | 67 ++++++++++++++ 11 files changed, 466 insertions(+), 104 deletions(-) create mode 100755 scripts/builds/check_signatures.sh create mode 100755 scripts/builds/tag_rhel.sh rename scripts/builds/{tag_rhel_8_nocompose.sh => tag_rhel_8_embargoed.sh} (66%) rename scripts/builds/{tag_rhel_8.sh => tag_rhel_8_public.sh} (64%) delete mode 100755 scripts/builds/tag_rhel_9.sh create mode 100755 scripts/builds/tag_rhel_9_embargoed.sh create mode 100755 scripts/builds/tag_rhel_9_embargoed_pqc.sh delete mode 100755 scripts/builds/tag_rhel_9_nocompose.sh create mode 100755 scripts/builds/tag_rhel_9_public.sh create mode 100755 scripts/builds/tag_rhel_9_public_pqc.sh diff --git a/java-1.8.0-openjdk.spec b/java-1.8.0-openjdk.spec index 1b50741..07f905e 100644 --- a/java-1.8.0-openjdk.spec +++ b/java-1.8.0-openjdk.spec @@ -360,7 +360,7 @@ %global updatever %(VERSION=%{whole_update}; echo ${VERSION##*u}) # eg jdk8u60-b27 -> b27 %global buildver %(VERSION=%{version_tag}; echo ${VERSION##*-}) -%global rpmrelease 2 +%global rpmrelease 3 # Settings used by the portable build %global portablerelease 1 # Portable suffix differs between RHEL and CentOS 
@@ -2970,6 +2970,10 @@ cjc.mainProgram(args) %endif %changelog +* Sat Feb 07 2026 Andrew Hughes - 1:1.8.0.482.b08-3 +- Update tagging scripts to include signature checks and correctly handle gating +- Resolves: RHEL-147634 + * Wed Jan 28 2026 Andrew Hughes - 1:1.8.0.482.b08-2 - Bump rpmrelease for CentOS build - Related: RHEL-142687
diff --git a/scripts/builds/check_signatures.sh b/scripts/builds/check_signatures.sh
new file mode 100755
index 0000000..815a97c
--- /dev/null
+++ b/scripts/builds/check_signatures.sh
@@ -0,0 +1,77 @@
+#!/bin/sh
+
+# Copyright (C) 2026 Red Hat, Inc.
+# Written by:
+# Andrew John Hughes
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as
+# published by the Free Software Foundation, either version 3 of the
+# License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program. If not, see .
+
+# Check the signatures (if any) in RHEL RPM buildinfo
+# This is intended to be run from the tagging scripts
+
+# Return codes:
+# - 1 - Buildinfo file not specified
+# - 2 = Missing buildinfo file
+# - 3 = No signatures
+# - 4 = Multiple signature types found
+# - 5 = PQC signature found
+# - 6 = Old signature (fd431d51) found
+# - 7 = Unknown signature found
+
+BUILDINFO=${1}
+NEW_SIGNATURE="release4";
+OLD_SIGNATURE="fd431d51";
+
+if test "${BUILDINFO}" = ""; then
+ echo "${0} ";
+ exit 1;
+fi
+
+if ! test -e "${BUILDINFO}" ; then
+ echo "${BUILDINFO} not found.";
+ exit 2;
+fi
+
+if cat ${BUILDINFO} | grep -q Signatures ; then
+ signature=$(cat ${BUILDINFO} | grep Signatures|cut -d ' ' -f 2-|uniq -c);
+ uniq_count=$(echo ${signature} | wc -l);
+ if test ${uniq_count} -gt 1; then
+ echo "Multiple signature types found:";
+ echo "${signature}";
+ exit 4;
+ fi
+ sig_count=$(echo ${signature} | cut -d ' ' -f 1);
+ sig_type=$(echo ${signature} | cut -d ' ' -f 2);
+ echo "${sig_count} signatures of type ${sig_type} found";
+ if echo "${sig_type}" | grep -q "${NEW_SIGNATURE}" ; then
+ echo "PQC signature found.";
+ exit 5;
+ elif echo "${sig_type}" | grep -q "${OLD_SIGNATURE}"; then
+ echo "Old pre-PQC signature found.";
+ exit 6;
+ else
+ echo "Unknown signature found.";
+ exit 7;
+ fi
+else
+ echo "Build has no signatures.";
+ exit 3;
+fi
+
+# Local Variables:
+# compile-command: "shellcheck check_signatures.sh"
+# fill-column: 80
+# indent-tabs-mode: nil
+# sh-basic-offset: 4
+# End:
diff --git a/scripts/builds/tag_rhel.sh b/scripts/builds/tag_rhel.sh
new file mode 100755
index 0000000..7b733d8
--- /dev/null
+++ b/scripts/builds/tag_rhel.sh
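Review bot: The multiple-signature guard in check_signatures.sh cannot fire: `uniq_count=$(echo ${signature} | wc -l);` expands `${signature}` unquoted, so the per-type lines from `uniq -c` are joined into one line and `wc -l` always prints 1. A buildinfo that mixes signature types is then classified by its first type only, and exit code 4 is unreachable. Quote the expansion, `uniq_count=$(echo "${signature}" | wc -l);`, and put `sort` before `uniq -c`, since `uniq` merges only adjacent duplicates. The later `grep -q "${NEW_SIGNATURE}"` and `grep -q "${OLD_SIGNATURE}"` tests are substring matches; whether that is strict enough depends on the buildinfo format, which is not visible in this patch.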
@@ -0,0 +1,87 @@
+#!/bin/sh
+
+# Copyright (C) 2026 Red Hat, Inc.
+# Written by:
+# Andrew John Hughes
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as
+# published by the Free Software Foundation, either version 3 of the
+# License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program. If not, see .
+
+# Tag public RHEL RPMs into gating for all supported streams
+# This is intended to be run from tag_rhel__(public|embargoed).sh
+
+BUILD="${1}"
+BUILDLOG="${2}"
+SUFFIX="${3}"
+shift 3;
+SUPPORTED_VERS="$*"
+
+CMD_SYNTAX="${0} ";
+GATE_SUFFIX="gate"
+
+if test "${BUILD}" = ""; then
+ echo "${CMD_SYNTAX}";
+ exit 1;
+fi
+
+if test "${BUILDLOG}" = ""; then
+ echo "${CMD_SYNTAX}";
+ exit 2;
+fi
+
+if test "${SUPPORTED_VERS}" = ""; then
+ echo "${CMD_SYNTAX}";
+ exit 3;
+fi
+
+buildtags=$(grep "^Tag" "${BUILDLOG}" | cut -d : -f 2-)
+echo "Build has tags ${buildtags}";
+
+if [ "${SUFFIX}" = "${GATE_SUFFIX}" ] ; then
+ echo "Gating system can only handle one tag at a time."
+ echo "Script will need to be re-run for subsequent tags once previous tag has moved to -candidate."
+ if echo "${buildtags}" | grep -q "${GATE_SUFFIX}"; then
+ echo "Tag with \"-${GATE_SUFFIX}\" found. Please complete gating before re-running.";
+ exit 1;
+ fi
+fi
+
+done=0;
+for ver in ${SUPPORTED_VERS}; do
+ vertag="rhel-${ver}";
+ proposedtag="${vertag}-${SUFFIX}";
+ echo "Checking if ${BUILD} has been added to ${vertag}...";
+ if echo "${buildtags}" | grep -q "${vertag}" ; then
+ echo "${BUILD} has been tagged into ${proposedtag}";
+ else
+ if [ "${SUFFIX}" = "${GATE_SUFFIX}" ] && [ "${done}" -eq 1 ]; then
+ echo "Already added a tag. Need to tag ${proposedtag} in a future run.";
+ else
+ echo "Tagging ${BUILD} into ${proposedtag}";
+ brew tag-build --nowait "${proposedtag}" "${BUILD}";
+ done=1;
+ fi
+ fi
+done
+if [ "${done}" -eq 1 ]; then
+ brew watch-task --mine;
+else
+ echo "Nothing to do.";
+fi
+
+# Local Variables:
+# compile-command: "shellcheck tag_rhel.sh"
+# fill-column: 80
+# indent-tabs-mode: nil
+# sh-basic-offset: 4
+# End:
diff --git a/scripts/builds/tag_rhel_8_nocompose.sh b/scripts/builds/tag_rhel_8_embargoed.sh
similarity index 66%
rename from scripts/builds/tag_rhel_8_nocompose.sh
rename to scripts/builds/tag_rhel_8_embargoed.sh
index 01efe69..8b73e6b 100755
--- a/scripts/builds/tag_rhel_8_nocompose.sh
+++ b/scripts/builds/tag_rhel_8_embargoed.sh
@@ -1,6 +1,6 @@ #!/bin/sh -# Copyright (C) 2025 Red Hat, Inc. +# Copyright (C) 2026 Red Hat, Inc. # Written by: # Andrew John Hughes #
@@ -19,7 +19,6 @@ # Tag embargoed RHEL 8 RPMs into supported z-streams -SUPPORTED_VERS="8.2.0-z 8.4.0-z 8.6.0-z 8.8.0-z 8.10.0-z" BUILD=${1} if test "${BUILD}" = ""; then
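Review bot: The exit status of `brew tag-build` is ignored in the tagging loop of tag_rhel.sh, and `done=1;` is set whether or not the request was accepted. In gate mode a failed request therefore still causes every later stream to be skipped with "Already added a tag", so the run reads as if one tag was queued when none was. Stopping on failure, for example `brew tag-build --nowait "${proposedtag}" "${BUILD}" || exit 4;`, makes that visible. Separately, `shift 3;` runs before the three argument checks, so with fewer than three arguments a POSIX sh may abort on the shift and never print `${CMD_SYNTAX}`; moving the shift below the checks avoids that. The header comment still says "Tag public RHEL RPMs into gating" although the embargoed wrappers call this script too.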
@@ -27,15 +26,21 @@ if test "${BUILD}" = ""; then exit 1; fi -for ver in ${SUPPORTED_VERS}; do - tag="rhel-${ver}-nocompose-candidate"; - echo "Tagging ${BUILD} into ${tag}"; - brew tag-build --nowait ${tag} ${BUILD}; -done -brew watch-task --mine +BUILDLOG=$(mktemp --tmpdir "temp-${BUILD}-buildinfo-XXX") +SUPPORTED_VERS="8.2.0-z 8.4.0-z 8.6.0-z 8.8.0-z 8.10.0-z" +WORKING_DIR=$(dirname "${0}") +EMBARGOED_SUFFIX="nocompose-candidate" + +echo "Obtaining buildinfo for ${BUILD}..."; +brew buildinfo "${BUILD}" 2>&1 | tee "${BUILDLOG}" > /dev/null + +echo "Tagging embargoed build for ${SUPPORTED_VERS}..."; +"${WORKING_DIR}"/tag_rhel.sh "${BUILD}" "${BUILDLOG}" "${EMBARGOED_SUFFIX}" "${SUPPORTED_VERS}" + +rm -f "${BUILDLOG}" # Local Variables: -# compile-command: "shellcheck tag_rhel_8_nocompose.sh" +# compile-command: "shellcheck tag_rhel_8_embargoed.sh" # fill-column: 80 # indent-tabs-mode: nil # sh-basic-offset: 4 diff --git a/scripts/builds/tag_rhel_8.sh b/scripts/builds/tag_rhel_8_public.sh similarity index 64% rename from scripts/builds/tag_rhel_8.sh rename to scripts/builds/tag_rhel_8_public.sh index 67be647..5cd9af7 100755 --- a/scripts/builds/tag_rhel_8.sh +++ b/scripts/builds/tag_rhel_8_public.sh @@ -1,6 +1,6 @@ #!/bin/sh -# Copyright (C) 2025 Red Hat, Inc. +# Copyright (C) 2026 Red Hat, Inc. # Written by: # Andrew John Hughes # @@ -17,9 +17,8 @@ # You should have received a copy of the GNU Affero General Public License # along with this program. If not, see . -# Tag RHEL 8 RPMs into all supported streams +# Tag public RHEL 8 RPMs into gating for all supported streams -SUPPORTED_VERS="8.2.0-z 8.4.0-z 8.6.0-z 8.8.0-z 8.10.0-z" BUILD=${1} if test "${BUILD}" = ""; then 
@@ -27,15 +26,21 @@ if test "${BUILD}" = ""; then exit 1; fi -for ver in ${SUPPORTED_VERS}; do - tag="rhel-${ver}-gate"; - echo "Tagging ${BUILD} into ${tag}"; - brew tag-build --nowait ${tag} ${BUILD}; -done -brew watch-task --mine +BUILDLOG=$(mktemp --tmpdir "temp-${BUILD}-buildinfo-XXX") +SUPPORTED_VERS="8.2.0-z 8.4.0-z 8.6.0-z 8.8.0-z 8.10.0-z" +WORKING_DIR=$(dirname "${0}") +GATE_SUFFIX="gate" + +echo "Obtaining buildinfo for ${BUILD}..."; +brew buildinfo "${BUILD}" 2>&1 | tee "${BUILDLOG}" > /dev/null + +echo "Tagging build into gating for ${SUPPORTED_VERS}..."; +"${WORKING_DIR}"/tag_rhel.sh "${BUILD}" "${BUILDLOG}" "${GATE_SUFFIX}" "${SUPPORTED_VERS}" + +rm -f "${BUILDLOG}" # Local Variables: -# compile-command: "shellcheck tag_rhel_8.sh" +# compile-command: "shellcheck tag_rhel_8_public.sh" # fill-column: 80 # indent-tabs-mode: nil # sh-basic-offset: 4 diff --git a/scripts/builds/tag_rhel_9.sh b/scripts/builds/tag_rhel_9.sh deleted file mode 100755 index fa3c3ef..0000000 --- a/scripts/builds/tag_rhel_9.sh +++ /dev/null 
@@ -1,42 +0,0 @@
-#!/bin/sh
-
-# Copyright (C) 2025 Red Hat, Inc.
-# Written by:
-# Andrew John Hughes
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU Affero General Public License as
-# published by the Free Software Foundation, either version 3 of the
-# License, or (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU Affero General Public License for more details.
-#
-# You should have received a copy of the GNU Affero General Public License
-# along with this program. If not, see .
-
-# Tag RHEL 9 RPMs into all supported streams
-
-SUPPORTED_VERS="9.0.0-z 9.2.0-z 9.4.0-z 9.6.0-z 9.7.0-z 9.8.0"
-BUILD=${1}
-
-if test "${BUILD}" = ""; then
- echo "${0} ";
- exit 1;
-fi
-
-for ver in ${SUPPORTED_VERS}; do
- tag="rhel-${ver}-gate";
- echo "Tagging ${BUILD} into ${tag}";
- brew tag-build --nowait ${tag} ${BUILD};
-done
-brew watch-task --mine
-
-# Local Variables:
-# compile-command: "shellcheck tag_rhel_9.sh"
-# fill-column: 80
-# indent-tabs-mode: nil
-# sh-basic-offset: 4
-# End:
diff --git a/scripts/builds/tag_rhel_9_embargoed.sh b/scripts/builds/tag_rhel_9_embargoed.sh
new file mode 100755
index 0000000..e9e0821
--- /dev/null
+++ b/scripts/builds/tag_rhel_9_embargoed.sh
@@ -0,0 +1,67 @@
+#!/bin/sh
+
+# Copyright (C) 2026 Red Hat, Inc.
+# Written by:
+# Andrew John Hughes
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as
+# published by the Free Software Foundation, either version 3 of the
+# License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program. If not, see .
+
+# Tag older embargoed RHEL 9 RPMs into supported z-streams
+
+BUILD=${1}
+
+if test "${BUILD}" = ""; then
+ echo "${0} ";
+ exit 1;
+fi
+
+BUILDLOG=$(mktemp --tmpdir "temp-${BUILD}-buildinfo-XXX")
+SUPPORTED_VERS="9.0.0-z 9.2.0-z 9.4.0-z 9.6.0-z"
+WORKING_DIR=$(dirname "${0}")
+EMBARGOED_SUFFIX="nocompose-candidate"
+
+echo "Obtaining buildinfo for ${BUILD}...";
+brew buildinfo "${BUILD}" 2>&1 | tee "${BUILDLOG}" > /dev/null
+
+echo "Checking signatures for ${BUILD}...";
+"${WORKING_DIR}"/check_signatures.sh "${BUILDLOG}"
+
+# Return codes:
+# - 1 - Buildinfo file not specified
+# - 2 = Missing buildinfo file
+# - 3 = No signatures
+# - 4 = Multiple signature types found
+# - 5 = PQC signature found
+# - 6 = Old signature (fd431d51) found
+# - 7 = Unknown signature found
+ret=$?;
+if [ "${ret}" -eq 5 ] ; then
+ echo "Build has PQC signatures; use tag_rhel_9_embargoed_pqc.sh";
+ exit 2;
+elif ! { [ "${ret}" -eq 6 ] || [ "${ret}" -eq 3 ] ; } ; then
+ echo "Signature check failed.";
+ exit 3;
+fi
+
+echo "Tagging embargoed build for ${SUPPORTED_VERS}...";
+"${WORKING_DIR}"/tag_rhel.sh "${BUILD}" "${BUILDLOG}" "${EMBARGOED_SUFFIX}" "${SUPPORTED_VERS}"
+
+rm -f "${BUILDLOG}"
+
+# Local Variables:
+# compile-command: "shellcheck tag_rhel_9_embargoed.sh"
+# fill-column: 80
+# indent-tabs-mode: nil
+# sh-basic-offset: 4
+# End:
diff --git a/scripts/builds/tag_rhel_9_embargoed_pqc.sh b/scripts/builds/tag_rhel_9_embargoed_pqc.sh
new file mode 100755
index 0000000..2252938
--- /dev/null
+++ b/scripts/builds/tag_rhel_9_embargoed_pqc.sh
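Review bot: The temporary buildinfo file is left behind on the early-exit paths of tag_rhel_9_embargoed.sh, because `exit 2;` and `exit 3;` in the signature check both return before `rm -f "${BUILDLOG}"` is reached. For an embargoed build that leaves its buildinfo sitting in the temp directory after a rejected run. Registering the cleanup directly after the `mktemp` line, `trap 'rm -f "${BUILDLOG}"' EXIT`, covers every exit path and lets the trailing `rm -f` go. The three other tag_rhel_9_*.sh wrappers have the same shape.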
@@ -0,0 +1,67 @@
+#!/bin/sh
+
+# Copyright (C) 2026 Red Hat, Inc.
+# Written by:
+# Andrew John Hughes
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as
+# published by the Free Software Foundation, either version 3 of the
+# License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program. If not, see .
+
+# Tag newer PQC embargoed RHEL 9 RPMs into supported z-streams
+
+BUILD=${1}
+
+if test "${BUILD}" = ""; then
+ echo "${0} ";
+ exit 1;
+fi
+
+BUILDLOG=$(mktemp --tmpdir "temp-${BUILD}-buildinfo-XXX")
+SUPPORTED_VERS="9.7.0-z"
+WORKING_DIR=$(dirname "${0}")
+EMBARGOED_SUFFIX="nocompose-candidate"
+
+echo "Obtaining buildinfo for ${BUILD}...";
+brew buildinfo "${BUILD}" 2>&1 | tee "${BUILDLOG}" > /dev/null
+
+echo "Checking signatures for ${BUILD}...";
+"${WORKING_DIR}"/check_signatures.sh "${BUILDLOG}"
+
+# Return codes:
+# - 1 - Buildinfo file not specified
+# - 2 = Missing buildinfo file
+# - 3 = No signatures
+# - 4 = Multiple signature types found
+# - 5 = PQC signature found
+# - 6 = Old signature (fd431d51) found
+# - 7 = Unknown signature found
+ret=$?;
+if [ "${ret}" -eq 6 ] ; then
+ echo "Build has old signatures; use tag_rhel_9_embargoed.sh";
+ exit 2;
+elif ! { [ "${ret}" -eq 5 ] || [ "${ret}" -eq 3 ] ; } ; then
+ echo "Signature check failed.";
+ exit 3;
+fi
+
+echo "Tagging embargoed build for ${SUPPORTED_VERS}...";
+"${WORKING_DIR}"/tag_rhel.sh "${BUILD}" "${BUILDLOG}" "${EMBARGOED_SUFFIX}" "${SUPPORTED_VERS}"
+
+rm -f "${BUILDLOG}"
+
+# Local Variables:
+# compile-command: "shellcheck tag_rhel_9_embargoed_pqc.sh"
+# fill-column: 80
+# indent-tabs-mode: nil
+# sh-basic-offset: 4
+# End:
diff --git a/scripts/builds/tag_rhel_9_nocompose.sh b/scripts/builds/tag_rhel_9_nocompose.sh
deleted file mode 100755
index 3bd6978..0000000
--- a/scripts/builds/tag_rhel_9_nocompose.sh
+++ /dev/null
@@ -1,42 +0,0 @@
-#!/bin/sh
-
-# Copyright (C) 2025 Red Hat, Inc.
-# Written by:
-# Andrew John Hughes
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU Affero General Public License as
-# published by the Free Software Foundation, either version 3 of the
-# License, or (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU Affero General Public License for more details.
-#
-# You should have received a copy of the GNU Affero General Public License
-# along with this program. If not, see .
-
-# Tag embargoed RHEL 9 RPMs into supported z-streams
-
-SUPPORTED_VERS="9.0.0-z 9.2.0-z 9.4.0-z 9.6.0-z"
-BUILD=${1}
-
-if test "${BUILD}" = ""; then
- echo "${0} ";
- exit 1;
-fi
-
-for ver in ${SUPPORTED_VERS}; do
- tag="rhel-${ver}-nocompose-candidate";
- echo "Tagging ${BUILD} into ${tag}";
- brew tag-build --nowait ${tag} ${BUILD};
-done
-brew watch-task --mine
-
-# Local Variables:
-# compile-command: "shellcheck tag_rhel_9_nocompose.sh"
-# fill-column: 80
-# indent-tabs-mode: nil
-# sh-basic-offset: 4
-# End:
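Review bot: Return code 3 ("No signatures") is accepted alongside 5 in `elif ! { [ "${ret}" -eq 5 ] || [ "${ret}" -eq 3 ] ; } ; then`, so tag_rhel_9_embargoed_pqc.sh tags a build whose signature type was never established. If unsigned builds are expected at this stage, say so next to the check, for example `# 3 is allowed: builds may be tagged before they are signed`; if not, drop the `-eq 3` branch so only the expected key passes. With 3 allowed, the PQC and pre-PQC wrappers both accept the same unsigned build, and the choice of streams then rests only on which script the operator ran. The same condition appears in tag_rhel_9_embargoed.sh, tag_rhel_9_public.sh and tag_rhel_9_public_pqc.sh.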
diff --git a/scripts/builds/tag_rhel_9_public.sh b/scripts/builds/tag_rhel_9_public.sh
new file mode 100755
index 0000000..b89010b
--- /dev/null
+++ b/scripts/builds/tag_rhel_9_public.sh
@@ -0,0 +1,67 @@
+#!/bin/sh
+
+# Copyright (C) 2026 Red Hat, Inc.
+# Written by:
+# Andrew John Hughes
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as
+# published by the Free Software Foundation, either version 3 of the
+# License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program. If not, see .
+
+# Tag older public RHEL 9 RPMs into gating for all supported streams
+
+BUILD=${1}
+
+if test "${BUILD}" = ""; then
+ echo "${0} ";
+ exit 1;
+fi
+
+BUILDLOG=$(mktemp --tmpdir "temp-${BUILD}-buildinfo-XXX")
+SUPPORTED_VERS="9.0.0-z 9.2.0-z 9.4.0-z 9.6.0-z"
+WORKING_DIR=$(dirname "${0}")
+GATE_SUFFIX="gate"
+
+echo "Obtaining buildinfo for ${BUILD}...";
+brew buildinfo "${BUILD}" 2>&1 | tee "${BUILDLOG}" > /dev/null
+
+echo "Checking signatures for ${BUILD}...";
+"${WORKING_DIR}"/check_signatures.sh "${BUILDLOG}"
+
+# Return codes:
+# - 1 - Buildinfo file not specified
+# - 2 = Missing buildinfo file
+# - 3 = No signatures
+# - 4 = Multiple signature types found
+# - 5 = PQC signature found
+# - 6 = Old signature (fd431d51) found
+# - 7 = Unknown signature found
+ret=$?;
+if [ "${ret}" -eq 5 ] ; then
+ echo "Build has PQC signatures; use tag_rhel_9_public_pqc.sh";
+ exit 2;
+elif ! { [ "${ret}" -eq 6 ] || [ "${ret}" -eq 3 ] ; } ; then
+ echo "Signature check failed.";
+ exit 3;
+fi
+
+echo "Tagging build into gating for ${SUPPORTED_VERS}...";
+"${WORKING_DIR}"/tag_rhel.sh "${BUILD}" "${BUILDLOG}" "${GATE_SUFFIX}" "${SUPPORTED_VERS}"
+
+rm -f "${BUILDLOG}"
+
+# Local Variables:
+# compile-command: "shellcheck tag_rhel_9_public.sh"
+# fill-column: 80
+# indent-tabs-mode: nil
+# sh-basic-offset: 4
+# End:
diff --git a/scripts/builds/tag_rhel_9_public_pqc.sh b/scripts/builds/tag_rhel_9_public_pqc.sh
new file mode 100755
index 0000000..1093dcb
--- /dev/null
+++ b/scripts/builds/tag_rhel_9_public_pqc.sh
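Review bot: In tag_rhel_9_public.sh `ret=$?;` is separated from the `check_signatures.sh` call by a blank line and the eight-line return-code table, which keeps working only while nothing executable is inserted between them. Put `ret=$?;` on the line directly after the call and leave the table below it. The table is also copied verbatim into all four RHEL 9 wrappers as well as check_signatures.sh (with `- 1 -` where the other rows use `=`), so a one-line pointer such as `# Return codes: see check_signatures.sh` would stop the copies drifting apart.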
@@ -0,0 +1,67 @@
+#!/bin/sh
+
+# Copyright (C) 2026 Red Hat, Inc.
+# Written by:
+# Andrew John Hughes
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as
+# published by the Free Software Foundation, either version 3 of the
+# License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program. If not, see .
+
+# Tag newer PQC public RHEL 9 RPMs into gating for all supported streams
+
+BUILD=${1}
+
+if test "${BUILD}" = ""; then
+ echo "${0} ";
+ exit 1;
+fi
+
+BUILDLOG=$(mktemp --tmpdir "temp-${BUILD}-buildinfo-XXX")
+SUPPORTED_VERS="9.8.0 9.7.0-z"
+WORKING_DIR=$(dirname "${0}")
+GATE_SUFFIX="gate"
+
+echo "Obtaining buildinfo for ${BUILD}...";
+brew buildinfo "${BUILD}" 2>&1 | tee "${BUILDLOG}" > /dev/null
+
+echo "Checking signatures for ${BUILD}...";
+"${WORKING_DIR}"/check_signatures.sh "${BUILDLOG}"
+
+# Return codes:
+# - 1 - Buildinfo file not specified
+# - 2 = Missing buildinfo file
+# - 3 = No signatures
+# - 4 = Multiple signature types found
+# - 5 = PQC signature found
+# - 6 = Old signature (fd431d51) found
+# - 7 = Unknown signature found
+ret=$?;
+if [ "${ret}" -eq 6 ] ; then
+ echo "Build has old signatures; use tag_rhel_9_public.sh";
+ exit 2;
+elif ! { [ "${ret}" -eq 5 ] || [ "${ret}" -eq 3 ] ; } ; then
+ echo "Signature check failed.";
+ exit 3;
+fi
+
+echo "Tagging build into gating for ${SUPPORTED_VERS}...";
+"${WORKING_DIR}"/tag_rhel.sh "${BUILD}" "${BUILDLOG}" "${GATE_SUFFIX}" "${SUPPORTED_VERS}"
+
+rm -f "${BUILDLOG}"
+
+# Local Variables:
+# compile-command: "shellcheck tag_rhel_9_public_pqc.sh"
+# fill-column: 80
+# indent-tabs-mode: nil
+# sh-basic-offset: 4
+# End: