Add tagging scripts with signature checks and gating handling

Resolves: RHEL-147634

java-25-openjdk.spec

@@ -349,7 +349,7 @@
 %global top_level_dir_name   %{vcstag}
 %global top_level_dir_name_backup %{top_level_dir_name}-backup
 %global buildver        10
-%global rpmrelease      3
+%global rpmrelease      4
 # Settings used by the portable build
 %global portablerelease 3
 # Portable suffix differs between RHEL and CentOS
@@ -2614,6 +2614,10 @@ exit 0
 %endif
 
 %changelog
+* Thu Mar 12 2026 Andrew Hughes <gnu.andrew@redhat.com> - 1:25.0.2.0.10-4
+- Add tagging scripts with signature checks and gating handling
+- Resolves: RHEL-155327
+
 * Wed Mar 11 2026 Thomas Fitzsimmons <fitzsim@redhat.com> - 1:25.0.2.0.10-3
 - Disable abidiff inspection in rpminspect.yaml to avoid an out-of-memory error on the CentOS test farm
 - See: https://docs.testing-farm.io/Testing%20Farm/0.1/errors.html#TFE-1

scripts/builds/build_rhel_7_portable_build.sh

@@ -1,29 +0,0 @@
-#!/bin/sh
-
-# Copyright (C) 2024 Red Hat, Inc.
-# Written by:
-#     Andrew John Hughes <gnu.andrew@redhat.com>
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU Affero General Public License as
-# published by the Free Software Foundation, either version 3 of the
-# License, or (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU Affero General Public License for more details.
-#
-# You should have received a copy of the GNU Affero General Public License
-# along with this program.  If not, see <http://www.gnu.org/licenses/>.
-
-# Builds the portable on RHEL 7
-
-rhpkg -v build --target=java-openjdk-rhel-7-build --skip-nvr-check
-
-# Local Variables:
-# compile-command: "shellcheck build_rhel_7_portable_build.sh"
-# fill-column: 80
-# indent-tabs-mode: nil
-# sh-basic-offset: 4
-# End:

scripts/builds/build_rhel_8.sh

@@ -1,43 +0,0 @@
-#!/bin/sh
-
-# Copyright (C) 2024 Red Hat, Inc.
-# Written by:
-#     Andrew John Hughes <gnu.andrew@redhat.com>
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU Affero General Public License as
-# published by the Free Software Foundation, either version 3 of the
-# License, or (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU Affero General Public License for more details.
-#
-# You should have received a copy of the GNU Affero General Public License
-# along with this program.  If not, see <http://www.gnu.org/licenses/>.
-
-# Builds the RPM on RHEL 8
-
-NVR=${1}
-USER=${2}
-
-if test "${NVR}" = ""; then
-    echo "${0} <NVR> <USER>";
-    exit 1;
-fi
-
-if test "${USER}" = ""; then
-    echo "${0} <NVR> <USER>";
-    exit 2;
-fi
-
-METADATA="{\"osci\": {\"upstream_nvr\": \"${NVR}\", \"upstream_owner_name\": \"${USER}\"}, \"rhel-target\": \"latest\"}"
-rhpkg -v build --target=java-openjdk-rhel-8-build --custom-user-metadata "${METADATA}"
-
-# Local Variables:
-# compile-command: "shellcheck build_rhel_8.sh"
-# fill-column: 80
-# indent-tabs-mode: nil
-# sh-basic-offset: 4
-# End:

scripts/builds/check_signatures.sh

@@ -0,0 +1,77 @@
+#!/bin/sh
+
+# Copyright (C) 2026 Red Hat, Inc.
+# Written by:
+#     Andrew John Hughes <gnu.andrew@redhat.com>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as
+# published by the Free Software Foundation, either version 3 of the
+# License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+# Check the signatures (if any) in RHEL RPM buildinfo
+# This is intended to be run from the tagging scripts
+
+# Return codes:
+# - 1 - Buildinfo file not specified
+# - 2 = Missing buildinfo file
+# - 3 = No signatures
+# - 4 = Multiple signature types found
+# - 5 = PQC signature found
+# - 6 = Old signature (fd431d51) found
+# - 7 = Unknown signature found
+
+BUILDINFO=${1}
+NEW_SIGNATURE="release4";
+OLD_SIGNATURE="fd431d51";
+
+if test "${BUILDINFO}" = ""; then
+    echo "${0} <BUILDINFO>";
+    exit 1;
+fi
+
+if ! test -e "${BUILDINFO}" ; then
+    echo "${BUILDINFO} not found.";
+    exit 2;
+fi
+
+if cat ${BUILDINFO} | grep -q Signatures ; then
+    signature=$(cat ${BUILDINFO} | grep Signatures|cut -d ' ' -f 2-|uniq -c);
+    uniq_count=$(echo ${signature} | wc -l);
+    if test ${uniq_count} -gt 1; then
+        echo "Multiple signature types found:";
+        echo "${signature}";
+        exit 4;
+    fi
+    sig_count=$(echo ${signature} | cut -d ' ' -f 1);
+    sig_type=$(echo ${signature} | cut -d ' ' -f 2);
+    echo "${sig_count} signatures of type ${sig_type} found";
+    if echo "${sig_type}" | grep -q "${NEW_SIGNATURE}" ; then
+        echo "PQC signature found.";
+        exit 5;
+    elif echo "${sig_type}" | grep -q "${OLD_SIGNATURE}"; then
+        echo "Old pre-PQC signature found.";
+        exit 6;
+    else
+        echo "Unknown signature found.";
+        exit 7;
+    fi
+else
+    echo "Build has no signatures.";
+    exit 3;
+fi
+
+# Local Variables:
+# compile-command: "shellcheck check_signatures.sh"
+# fill-column: 80
+# indent-tabs-mode: nil
+# sh-basic-offset: 4
+# End:

scripts/builds/tag_rhel.sh

@@ -0,0 +1,87 @@
+#!/bin/sh
+
+# Copyright (C) 2026 Red Hat, Inc.
+# Written by:
+#     Andrew John Hughes <gnu.andrew@redhat.com>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as
+# published by the Free Software Foundation, either version 3 of the
+# License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+# Tag public RHEL RPMs into gating for all supported streams
+# This is intended to be run from tag_rhel_<ver>_(public|embargoed).sh
+
+BUILD="${1}"
+BUILDLOG="${2}"
+SUFFIX="${3}"
+shift 3;
+SUPPORTED_VERS="$*"
+
+CMD_SYNTAX="${0} <BUILD> <BUILDLOG> <SUFFIX> <SUPPORTED_VERS>";
+GATE_SUFFIX="gate"
+
+if test "${BUILD}" = ""; then
+    echo "${CMD_SYNTAX}";
+    exit 1;
+fi
+
+if test "${BUILDLOG}" = ""; then
+    echo "${CMD_SYNTAX}";
+    exit 2;
+fi
+
+if test "${SUPPORTED_VERS}" = ""; then
+    echo "${CMD_SYNTAX}";
+    exit 3;
+fi
+
+buildtags=$(grep "^Tag" "${BUILDLOG}" | cut -d : -f 2-)
+echo "Build has tags ${buildtags}";
+
+if [ "${SUFFIX}" = "${GATE_SUFFIX}" ] ; then
+    echo "Gating system can only handle one tag at a time."
+    echo "Script will need to be re-run for subsequent tags once previous tag has moved to -candidate."
+    if echo "${buildtags}" | grep -q "${GATE_SUFFIX}"; then
+        echo "Tag with \"-${GATE_SUFFIX}\" found. Please complete gating before re-running.";
+        exit 1;
+    fi
+fi
+
+done=0;
+for ver in ${SUPPORTED_VERS}; do
+    vertag="rhel-${ver}";
+    proposedtag="${vertag}-${SUFFIX}";
+    echo "Checking if ${BUILD} has been added to ${vertag}...";
+    if echo "${buildtags}" | grep -q "${vertag}" ; then
+        echo "${BUILD} has been tagged into ${proposedtag}";
+    else
+        if [ "${SUFFIX}" = "${GATE_SUFFIX}" ] && [ "${done}" -eq 1 ]; then
+            echo "Already added a tag. Need to tag ${proposedtag} in a future run.";
+        else
+            echo "Tagging ${BUILD} into ${proposedtag}";
+            brew tag-build --nowait "${proposedtag}" "${BUILD}";
+            done=1;
+        fi
+    fi
+done
+if [ "${done}" -eq 1 ]; then
+    brew watch-task --mine;
+else
+    echo "Nothing to do.";
+fi
+
+# Local Variables:
+# compile-command: "shellcheck tag_rhel.sh"
+# fill-column: 80
+# indent-tabs-mode: nil
+# sh-basic-offset: 4
+# End:

scripts/builds/tag_rhel_10_embargoed_pqc.sh

@@ -0,0 +1,67 @@
+#!/bin/sh
+
+# Copyright (C) 2026 Red Hat, Inc.
+# Written by:
+#     Andrew John Hughes <gnu.andrew@redhat.com>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as
+# published by the Free Software Foundation, either version 3 of the
+# License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+# Tag newer PQC embargoed RHEL 10 RPMs into supported z-streams
+
+BUILD=${1}
+
+if test "${BUILD}" = ""; then
+    echo "${0} <BUILD>";
+    exit 1;
+fi
+
+BUILDLOG=$(mktemp --tmpdir "temp-${BUILD}-buildinfo-XXX")
+SUPPORTED_VERS="10.1-z"
+WORKING_DIR=$(dirname "${0}")
+EMBARGOED_SUFFIX="nocompose-candidate"
+
+echo "Obtaining buildinfo for ${BUILD}...";
+brew buildinfo "${BUILD}" 2>&1 | tee "${BUILDLOG}" > /dev/null
+
+echo "Checking signatures for ${BUILD}...";
+"${WORKING_DIR}"/check_signatures.sh "${BUILDLOG}"
+
+# Return codes:
+# - 1 - Buildinfo file not specified
+# - 2 = Missing buildinfo file
+# - 3 = No signatures
+# - 4 = Multiple signature types found
+# - 5 = PQC signature found
+# - 6 = Old signature (fd431d51) found
+# - 7 = Unknown signature found
+ret=$?;
+if [ "${ret}" -eq 6 ] ; then
+    echo "Build has old signatures which should not be the case for OpenJDK 25";
+    exit 2;
+elif ! { [ "${ret}" -eq 6 ] || [ "${ret}" -eq 3 ] ; } ; then
+    echo "Signature check failed.";
+    exit 3;
+fi
+
+echo "Tagging embargoed build for ${SUPPORTED_VERS}...";
+"${WORKING_DIR}"/tag_rhel.sh "${BUILD}" "${BUILDLOG}" "${EMBARGOED_SUFFIX}" "${SUPPORTED_VERS}"
+
+rm -f "${BUILDLOG}"
+
+# Local Variables:
+# compile-command: "shellcheck tag_rhel_10_embargoed_pqc.sh"
+# fill-column: 80
+# indent-tabs-mode: nil
+# sh-basic-offset: 4
+# End:

scripts/builds/tag_rhel_10_public_pqc.sh

@@ -0,0 +1,67 @@
+#!/bin/sh
+
+# Copyright (C) 2026 Red Hat, Inc.
+# Written by:
+#     Andrew John Hughes <gnu.andrew@redhat.com>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as
+# published by the Free Software Foundation, either version 3 of the
+# License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+# Tag newer PQC public RHEL 10 RPMs into gating for all supported streams
+
+BUILD=${1}
+
+if test "${BUILD}" = ""; then
+    echo "${0} <BUILD>";
+    exit 1;
+fi
+
+BUILDLOG=$(mktemp --tmpdir "temp-${BUILD}-buildinfo-XXX")
+SUPPORTED_VERS="10.2 10.1-z"
+WORKING_DIR=$(dirname "${0}")
+GATE_SUFFIX="gate"
+
+echo "Obtaining buildinfo for ${BUILD}...";
+brew buildinfo "${BUILD}" 2>&1 | tee "${BUILDLOG}" > /dev/null
+
+echo "Checking signatures for ${BUILD}...";
+"${WORKING_DIR}"/check_signatures.sh "${BUILDLOG}"
+
+# Return codes:
+# - 1 - Buildinfo file not specified
+# - 2 = Missing buildinfo file
+# - 3 = No signatures
+# - 4 = Multiple signature types found
+# - 5 = PQC signature found
+# - 6 = Old signature (fd431d51) found
+# - 7 = Unknown signature found
+ret=$?;
+if [ "${ret}" -eq 6 ] ; then
+    echo "Build has old signatures which should not be the case for OpenJDK 25";
+    exit 2;
+elif ! { [ "${ret}" -eq 5 ] || [ "${ret}" -eq 3 ] ; } ; then
+    echo "Signature check failed.";
+    exit 3;
+fi
+
+echo "Tagging build into gating for ${SUPPORTED_VERS}...";
+"${WORKING_DIR}"/tag_rhel.sh "${BUILD}" "${BUILDLOG}" "${GATE_SUFFIX}" "${SUPPORTED_VERS}"
+
+rm -f "${BUILDLOG}"
+
+# Local Variables:
+# compile-command: "shellcheck tag_rhel_10_public_pqc.sh"
+# fill-column: 80
+# indent-tabs-mode: nil
+# sh-basic-offset: 4
+# End:

scripts/builds/tag_rhel_9_embargoed_pqc.sh

@@ -0,0 +1,67 @@
+#!/bin/sh
+
+# Copyright (C) 2026 Red Hat, Inc.
+# Written by:
+#     Andrew John Hughes <gnu.andrew@redhat.com>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as
+# published by the Free Software Foundation, either version 3 of the
+# License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+# Tag newer PQC embargoed RHEL 9 RPMs into supported z-streams
+
+BUILD=${1}
+
+if test "${BUILD}" = ""; then
+    echo "${0} <BUILD>";
+    exit 1;
+fi
+
+BUILDLOG=$(mktemp --tmpdir "temp-${BUILD}-buildinfo-XXX")
+SUPPORTED_VERS="9.7.0-z"
+WORKING_DIR=$(dirname "${0}")
+EMBARGOED_SUFFIX="nocompose-candidate"
+
+echo "Obtaining buildinfo for ${BUILD}...";
+brew buildinfo "${BUILD}" 2>&1 | tee "${BUILDLOG}" > /dev/null
+
+echo "Checking signatures for ${BUILD}...";
+"${WORKING_DIR}"/check_signatures.sh "${BUILDLOG}"
+
+# Return codes:
+# - 1 - Buildinfo file not specified
+# - 2 = Missing buildinfo file
+# - 3 = No signatures
+# - 4 = Multiple signature types found
+# - 5 = PQC signature found
+# - 6 = Old signature (fd431d51) found
+# - 7 = Unknown signature found
+ret=$?;
+if [ "${ret}" -eq 6 ] ; then
+    echo "Build has old signatures which should not be the case for OpenJDK 25";
+    exit 2;
+elif ! { [ "${ret}" -eq 6 ] || [ "${ret}" -eq 3 ] ; } ; then
+    echo "Signature check failed.";
+    exit 3;
+fi
+
+echo "Tagging embargoed build for ${SUPPORTED_VERS}...";
+"${WORKING_DIR}"/tag_rhel.sh "${BUILD}" "${BUILDLOG}" "${EMBARGOED_SUFFIX}" "${SUPPORTED_VERS}"
+
+rm -f "${BUILDLOG}"
+
+# Local Variables:
+# compile-command: "shellcheck tag_rhel_9_embargoed_pqc.sh"
+# fill-column: 80
+# indent-tabs-mode: nil
+# sh-basic-offset: 4
+# End:

scripts/builds/tag_rhel_9_public_pqc.sh

@@ -0,0 +1,67 @@
+#!/bin/sh
+
+# Copyright (C) 2026 Red Hat, Inc.
+# Written by:
+#     Andrew John Hughes <gnu.andrew@redhat.com>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as
+# published by the Free Software Foundation, either version 3 of the
+# License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+# Tag newer PQC public RHEL 9 RPMs into gating for all supported streams
+
+BUILD=${1}
+
+if test "${BUILD}" = ""; then
+    echo "${0} <BUILD>";
+    exit 1;
+fi
+
+BUILDLOG=$(mktemp --tmpdir "temp-${BUILD}-buildinfo-XXX")
+SUPPORTED_VERS="9.8.0 9.7.0-z"
+WORKING_DIR=$(dirname "${0}")
+GATE_SUFFIX="gate"
+
+echo "Obtaining buildinfo for ${BUILD}...";
+brew buildinfo "${BUILD}" 2>&1 | tee "${BUILDLOG}" > /dev/null
+
+echo "Checking signatures for ${BUILD}...";
+"${WORKING_DIR}"/check_signatures.sh "${BUILDLOG}"
+
+# Return codes:
+# - 1 - Buildinfo file not specified
+# - 2 = Missing buildinfo file
+# - 3 = No signatures
+# - 4 = Multiple signature types found
+# - 5 = PQC signature found
+# - 6 = Old signature (fd431d51) found
+# - 7 = Unknown signature found
+ret=$?;
+if [ "${ret}" -eq 6 ] ; then
+    echo "Build has old signatures which should not be the case for OpenJDK 25";
+    exit 2;
+elif ! { [ "${ret}" -eq 5 ] || [ "${ret}" -eq 3 ] ; } ; then
+    echo "Signature check failed.";
+    exit 3;
+fi
+
+echo "Tagging build into gating for ${SUPPORTED_VERS}...";
+"${WORKING_DIR}"/tag_rhel.sh "${BUILD}" "${BUILDLOG}" "${GATE_SUFFIX}" "${SUPPORTED_VERS}"
+
+rm -f "${BUILDLOG}"
+
+# Local Variables:
+# compile-command: "shellcheck tag_rhel_9_public_pqc.sh"
+# fill-column: 80
+# indent-tabs-mode: nil
+# sh-basic-offset: 4
+# End: