From 68b316d15ba71717609fb8ff2a63d51253deaedc Mon Sep 17 00:00:00 2001 From: Andrew Hughes Date: Tue, 25 Nov 2025 15:30:30 +0000 Subject: [PATCH] Add tagging scripts with signature checks and gating handling Resolves: RHEL-147634 --- java-25-openjdk.spec | 6 +- scripts/builds/build_rhel_7_portable_build.sh | 29 ------- scripts/builds/build_rhel_8.sh | 43 --------- scripts/builds/check_signatures.sh | 77 ++++++++++++++++ scripts/builds/tag_rhel.sh | 87 +++++++++++++++++++ scripts/builds/tag_rhel_10_embargoed_pqc.sh | 67 ++++++++++++++ scripts/builds/tag_rhel_10_public_pqc.sh | 67 ++++++++++++++ scripts/builds/tag_rhel_9_embargoed_pqc.sh | 67 ++++++++++++++ scripts/builds/tag_rhel_9_public_pqc.sh | 67 ++++++++++++++ 9 files changed, 437 insertions(+), 73 deletions(-) delete mode 100755 scripts/builds/build_rhel_7_portable_build.sh delete mode 100755 scripts/builds/build_rhel_8.sh create mode 100755 scripts/builds/check_signatures.sh create mode 100755 scripts/builds/tag_rhel.sh create mode 100755 scripts/builds/tag_rhel_10_embargoed_pqc.sh create mode 100755 scripts/builds/tag_rhel_10_public_pqc.sh create mode 100755 scripts/builds/tag_rhel_9_embargoed_pqc.sh create mode 100755 scripts/builds/tag_rhel_9_public_pqc.sh diff --git a/java-25-openjdk.spec b/java-25-openjdk.spec index d8992ba..c7cba2a 100644 --- a/java-25-openjdk.spec +++ b/java-25-openjdk.spec @@ -349,7 +349,7 @@ %global top_level_dir_name %{vcstag} %global top_level_dir_name_backup %{top_level_dir_name}-backup %global buildver 10 -%global rpmrelease 3 +%global rpmrelease 4 # Settings used by the portable build %global portablerelease 3 # Portable suffix differs between RHEL and CentOS 
@@ -2614,6 +2614,10 @@ exit 0 %endif %changelog +* Thu Mar 12 2026 Andrew Hughes - 1:25.0.2.0.10-4 +- Add tagging scripts with signature checks and gating handling +- Resolves: RHEL-155327 + * Wed Mar 11 2026 Thomas Fitzsimmons - 1:25.0.2.0.10-3 - Disable abidiff inspection in rpminspect.yaml to avoid an out-of-memory error on the CentOS test farm - See: https://docs.testing-farm.io/Testing%20Farm/0.1/errors.html#TFE-1 diff --git a/scripts/builds/build_rhel_7_portable_build.sh b/scripts/builds/build_rhel_7_portable_build.sh deleted file mode 100755 index 0cf02d0..0000000 --- a/scripts/builds/build_rhel_7_portable_build.sh +++ /dev/null @@ -1,29 +0,0 @@ -#!/bin/sh - -# Copyright (C) 2024 Red Hat, Inc. -# Written by: -# Andrew John Hughes -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU Affero General Public License as -# published by the Free Software Foundation, either version 3 of the -# License, or (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU Affero General Public License for more details. -# -# You should have received a copy of the GNU Affero General Public License -# along with this program. If not, see . - -# Builds the portable on RHEL 7 - -rhpkg -v build --target=java-openjdk-rhel-7-build --skip-nvr-check - -# Local Variables: -# compile-command: "shellcheck build_rhel_7_portable_build.sh" -# fill-column: 80 -# indent-tabs-mode: nil -# sh-basic-offset: 4 -# End: diff --git a/scripts/builds/build_rhel_8.sh b/scripts/builds/build_rhel_8.sh deleted file mode 100755 index c1ea948..0000000 --- a/scripts/builds/build_rhel_8.sh +++ /dev/null 
@@ -1,43 +0,0 @@ -#!/bin/sh - -# Copyright (C) 2024 Red Hat, Inc. -# Written by: -# Andrew John Hughes -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU Affero General Public License as -# published by the Free Software Foundation, either version 3 of the -# License, or (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU Affero General Public License for more details. -# -# You should have received a copy of the GNU Affero General Public License -# along with this program. If not, see . - -# Builds the RPM on RHEL 8 - -NVR=${1} -USER=${2} - -if test "${NVR}" = ""; then - echo "${0} "; - exit 1; -fi - -if test "${USER}" = ""; then - echo "${0} "; - exit 2; -fi - -METADATA="{\"osci\": {\"upstream_nvr\": \"${NVR}\", \"upstream_owner_name\": \"${USER}\"}, \"rhel-target\": \"latest\"}" -rhpkg -v build --target=java-openjdk-rhel-8-build --custom-user-metadata "${METADATA}" - -# Local Variables: -# compile-command: "shellcheck build_rhel_8.sh" -# fill-column: 80 -# indent-tabs-mode: nil -# sh-basic-offset: 4 -# End: diff --git a/scripts/builds/check_signatures.sh b/scripts/builds/check_signatures.sh new file mode 100755 index 0000000..815a97c --- /dev/null +++ b/scripts/builds/check_signatures.sh 
@@ -0,0 +1,77 @@ +#!/bin/sh + +# Copyright (C) 2026 Red Hat, Inc. +# Written by: +# Andrew John Hughes +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as +# published by the Free Software Foundation, either version 3 of the +# License, or (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU Affero General Public License for more details. +# +# You should have received a copy of the GNU Affero General Public License +# along with this program. If not, see . + +# Check the signatures (if any) in RHEL RPM buildinfo +# This is intended to be run from the tagging scripts + +# Return codes: +# - 1 - Buildinfo file not specified +# - 2 = Missing buildinfo file +# - 3 = No signatures +# - 4 = Multiple signature types found +# - 5 = PQC signature found +# - 6 = Old signature (fd431d51) found +# - 7 = Unknown signature found + +BUILDINFO=${1} +NEW_SIGNATURE="release4"; +OLD_SIGNATURE="fd431d51"; + +if test "${BUILDINFO}" = ""; then + echo "${0} "; + exit 1; +fi + +if ! 
test -e "${BUILDINFO}" ; then + echo "${BUILDINFO} not found."; + exit 2; +fi + +if cat ${BUILDINFO} | grep -q Signatures ; then + signature=$(cat ${BUILDINFO} | grep Signatures|cut -d ' ' -f 2-|uniq -c); + uniq_count=$(echo ${signature} | wc -l); + if test ${uniq_count} -gt 1; then + echo "Multiple signature types found:"; + echo "${signature}"; + exit 4; + fi + sig_count=$(echo ${signature} | cut -d ' ' -f 1); + sig_type=$(echo ${signature} | cut -d ' ' -f 2); + echo "${sig_count} signatures of type ${sig_type} found"; + if echo "${sig_type}" | grep -q "${NEW_SIGNATURE}" ; then + echo "PQC signature found."; + exit 5; + elif echo "${sig_type}" | grep -q "${OLD_SIGNATURE}"; then + echo "Old pre-PQC signature found."; + exit 6; + else + echo "Unknown signature found."; + exit 7; + fi +else + echo "Build has no signatures."; + exit 3; +fi + +# Local Variables: +# compile-command: "shellcheck check_signatures.sh" +# fill-column: 80 +# indent-tabs-mode: nil +# sh-basic-offset: 4 +# End: diff --git a/scripts/builds/tag_rhel.sh b/scripts/builds/tag_rhel.sh new file mode 100755 index 0000000..7b733d8 --- /dev/null +++ b/scripts/builds/tag_rhel.sh 
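Review bot: The `uniq_count=$(echo ${signature} | wc -l)` line can never see more than one line: the unquoted `${signature}` is word-split and `echo` re-joins the words onto a single line, so `wc -l` prints 1, the exit-4 "Multiple signature types found" branch is unreachable, and a build carrying both an old and a PQC signature is reported as whichever type `uniq -c` listed first. Counting with `uniq_count=$(printf '%s\n' "${signature}" | wc -l)` preserves the line structure (the later `echo ${signature} | cut` lines rely on the unquoted expansion to drop the leading padding of `uniq -c`, so they can stay as they are). `uniq -c` also merges only adjacent duplicates, so `sort | uniq -c` is needed unless the Signatures lines are guaranteed to be grouped in the buildinfo output. Finally, `cat ${BUILDINFO} | grep` leaves the path unquoted twice; `grep -q Signatures "${BUILDINFO}"` is the direct form.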
@@ -0,0 +1,87 @@ +#!/bin/sh + +# Copyright (C) 2026 Red Hat, Inc. +# Written by: +# Andrew John Hughes +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as +# published by the Free Software Foundation, either version 3 of the +# License, or (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU Affero General Public License for more details. +# +# You should have received a copy of the GNU Affero General Public License +# along with this program. If not, see . + +# Tag public RHEL RPMs into gating for all supported streams +# This is intended to be run from tag_rhel__(public|embargoed).sh + +BUILD="${1}" +BUILDLOG="${2}" +SUFFIX="${3}" +shift 3; +SUPPORTED_VERS="$*" + +CMD_SYNTAX="${0} "; +GATE_SUFFIX="gate" + +if test "${BUILD}" = ""; then + echo "${CMD_SYNTAX}"; + exit 1; +fi + +if test "${BUILDLOG}" = ""; then + echo "${CMD_SYNTAX}"; + exit 2; +fi + +if test "${SUPPORTED_VERS}" = ""; then + echo "${CMD_SYNTAX}"; + exit 3; +fi + +buildtags=$(grep "^Tag" "${BUILDLOG}" | cut -d : -f 2-) +echo "Build has tags ${buildtags}"; + +if [ "${SUFFIX}" = "${GATE_SUFFIX}" ] ; then + echo "Gating system can only handle one tag at a time." + echo "Script will need to be re-run for subsequent tags once previous tag has moved to -candidate." + if echo "${buildtags}" | grep -q "${GATE_SUFFIX}"; then + echo "Tag with \"-${GATE_SUFFIX}\" found. 
Please complete gating before re-running."; + exit 1; + fi +fi + +done=0; +for ver in ${SUPPORTED_VERS}; do + vertag="rhel-${ver}"; + proposedtag="${vertag}-${SUFFIX}"; + echo "Checking if ${BUILD} has been added to ${vertag}..."; + if echo "${buildtags}" | grep -q "${vertag}" ; then + echo "${BUILD} has been tagged into ${proposedtag}"; + else + if [ "${SUFFIX}" = "${GATE_SUFFIX}" ] && [ "${done}" -eq 1 ]; then + echo "Already added a tag. Need to tag ${proposedtag} in a future run."; + else + echo "Tagging ${BUILD} into ${proposedtag}"; + brew tag-build --nowait "${proposedtag}" "${BUILD}"; + done=1; + fi + fi +done +if [ "${done}" -eq 1 ]; then + brew watch-task --mine; +else + echo "Nothing to do."; +fi + +# Local Variables: +# compile-command: "shellcheck tag_rhel.sh" +# fill-column: 80 +# indent-tabs-mode: nil +# sh-basic-offset: 4 +# End: diff --git a/scripts/builds/tag_rhel_10_embargoed_pqc.sh b/scripts/builds/tag_rhel_10_embargoed_pqc.sh new file mode 100755 index 0000000..63a1a2d --- /dev/null +++ b/scripts/builds/tag_rhel_10_embargoed_pqc.sh 
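Review bot: `SUFFIX` is used to build `proposedtag` but, unlike BUILD, BUILDLOG and SUPPORTED_VERS, it is never checked, so a call with an empty third argument tags the build into `rhel-<ver>-` instead of failing with the usage message; a guard such as `test "${SUFFIX}" != "" || { echo "${CMD_SYNTAX}"; exit 4; }` next to the other argument checks closes that. The status of `brew tag-build --nowait` is also not examined: a failed tagging still sets `done=1` and the script ends in `brew watch-task --mine` as if the tag had been requested, so `brew tag-build --nowait "${proposedtag}" "${BUILD}" || { echo "Failed to tag ${BUILD} into ${proposedtag}"; exit 5; }` would surface it. The tag lookup `grep -q "${vertag}"` treats the version as a regex and matches substrings, so the dots match any character; `grep -qF -- "${vertag}"` makes them literal, and if the substring behaviour (matching `-candidate`/`-gate` variants of the tag) is intended it deserves a comment saying so.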
@@ -0,0 +1,67 @@ +#!/bin/sh + +# Copyright (C) 2026 Red Hat, Inc. +# Written by: +# Andrew John Hughes +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as +# published by the Free Software Foundation, either version 3 of the +# License, or (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU Affero General Public License for more details. +# +# You should have received a copy of the GNU Affero General Public License +# along with this program. If not, see . + +# Tag newer PQC embargoed RHEL 10 RPMs into supported z-streams + +BUILD=${1} + +if test "${BUILD}" = ""; then + echo "${0} "; + exit 1; +fi + +BUILDLOG=$(mktemp --tmpdir "temp-${BUILD}-buildinfo-XXX") +SUPPORTED_VERS="10.1-z" +WORKING_DIR=$(dirname "${0}") +EMBARGOED_SUFFIX="nocompose-candidate" + +echo "Obtaining buildinfo for ${BUILD}..."; +brew buildinfo "${BUILD}" 2>&1 | tee "${BUILDLOG}" > /dev/null + +echo "Checking signatures for ${BUILD}..."; +"${WORKING_DIR}"/check_signatures.sh "${BUILDLOG}" + +# Return codes: +# - 1 - Buildinfo file not specified +# - 2 = Missing buildinfo file +# - 3 = No signatures +# - 4 = Multiple signature types found +# - 5 = PQC signature found +# - 6 = Old signature (fd431d51) found +# - 7 = Unknown signature found +ret=$?; +if [ "${ret}" -eq 6 ] ; then + echo "Build has old signatures which should not be the case for OpenJDK 25"; + exit 2; +elif ! 
{ [ "${ret}" -eq 6 ] || [ "${ret}" -eq 3 ] ; } ; then + echo "Signature check failed."; + exit 3; +fi + +echo "Tagging embargoed build for ${SUPPORTED_VERS}..."; +"${WORKING_DIR}"/tag_rhel.sh "${BUILD}" "${BUILDLOG}" "${EMBARGOED_SUFFIX}" "${SUPPORTED_VERS}" + +rm -f "${BUILDLOG}" + +# Local Variables: +# compile-command: "shellcheck tag_rhel_10_embargoed_pqc.sh" +# fill-column: 80 +# indent-tabs-mode: nil +# sh-basic-offset: 4 +# End: diff --git a/scripts/builds/tag_rhel_10_public_pqc.sh b/scripts/builds/tag_rhel_10_public_pqc.sh new file mode 100755 index 0000000..5f4a3c4 --- /dev/null +++ b/scripts/builds/tag_rhel_10_public_pqc.sh 
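Review bot: The `elif ! { [ "${ret}" -eq 6 ] || [ "${ret}" -eq 3 ] ; }` on this line accepts only codes 6 and 3, but 6 was already rejected by the branch just above it, so the only outcome that passes is 3 (no signatures) and a build that check_signatures.sh reports as PQC-signed (code 5) is refused with "Signature check failed."; for a script named *_pqc.sh this looks like a copy of the public variant with the wrong code, and the line presumably should read `elif ! { [ "${ret}" -eq 5 ] || [ "${ret}" -eq 3 ] ; } ; then`. tag_rhel_9_embargoed_pqc.sh carries the same condition. Separately, `BUILDLOG` is created with mktemp but only removed on the success path, so the `exit 2` and `exit 3` branches leave the buildinfo dump behind in the temp directory; a `trap 'rm -f "${BUILDLOG}"' EXIT` after the mktemp line would cover every exit path, and this applies to all four tag_rhel_*_pqc.sh scripts. Also shared by all four: `brew buildinfo ... 2>&1 | tee "${BUILDLOG}" > /dev/null` yields tee's status, so a failed lookup is not noticed and its error text is what check_signatures.sh then scans, which presumably yields code 3 and lets the script continue to tag_rhel.sh with a build brew could not describe.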
@@ -0,0 +1,67 @@ +#!/bin/sh + +# Copyright (C) 2026 Red Hat, Inc. +# Written by: +# Andrew John Hughes +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as +# published by the Free Software Foundation, either version 3 of the +# License, or (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU Affero General Public License for more details. +# +# You should have received a copy of the GNU Affero General Public License +# along with this program. If not, see . + +# Tag newer PQC public RHEL 10 RPMs into gating for all supported streams + +BUILD=${1} + +if test "${BUILD}" = ""; then + echo "${0} "; + exit 1; +fi + +BUILDLOG=$(mktemp --tmpdir "temp-${BUILD}-buildinfo-XXX") +SUPPORTED_VERS="10.2 10.1-z" +WORKING_DIR=$(dirname "${0}") +GATE_SUFFIX="gate" + +echo "Obtaining buildinfo for ${BUILD}..."; +brew buildinfo "${BUILD}" 2>&1 | tee "${BUILDLOG}" > /dev/null + +echo "Checking signatures for ${BUILD}..."; +"${WORKING_DIR}"/check_signatures.sh "${BUILDLOG}" + +# Return codes: +# - 1 - Buildinfo file not specified +# - 2 = Missing buildinfo file +# - 3 = No signatures +# - 4 = Multiple signature types found +# - 5 = PQC signature found +# - 6 = Old signature (fd431d51) found +# - 7 = Unknown signature found +ret=$?; +if [ "${ret}" -eq 6 ] ; then + echo "Build has old signatures which should not be the case for OpenJDK 25"; + exit 2; +elif ! 
{ [ "${ret}" -eq 5 ] || [ "${ret}" -eq 3 ] ; } ; then + echo "Signature check failed."; + exit 3; +fi + +echo "Tagging build into gating for ${SUPPORTED_VERS}..."; +"${WORKING_DIR}"/tag_rhel.sh "${BUILD}" "${BUILDLOG}" "${GATE_SUFFIX}" "${SUPPORTED_VERS}" + +rm -f "${BUILDLOG}" + +# Local Variables: +# compile-command: "shellcheck tag_rhel_10_public_pqc.sh" +# fill-column: 80 +# indent-tabs-mode: nil +# sh-basic-offset: 4 +# End: diff --git a/scripts/builds/tag_rhel_9_embargoed_pqc.sh b/scripts/builds/tag_rhel_9_embargoed_pqc.sh new file mode 100755 index 0000000..dfa79dd --- /dev/null +++ b/scripts/builds/tag_rhel_9_embargoed_pqc.sh 
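Review bot: The acceptance test `elif ! { [ "${ret}" -eq 5 ] || [ "${ret}" -eq 3 ] ; }` lets a build with no signatures at all (code 3) proceed into the gating tag, which is the one case a signature check exists to catch, and nothing in the script says why that is acceptable; if unsigned builds are expected at this stage, a one-line comment above the `ret=$?` line stating that and naming the point at which signing happens would stop a reader from "fixing" it. tag_rhel_9_public_pqc.sh has the same condition. The copied "Return codes" comment block also duplicates the one in check_signatures.sh and will drift as codes are added; a single line such as `# Return codes are documented in check_signatures.sh` is easier to keep in sync.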
@@ -0,0 +1,67 @@ +#!/bin/sh + +# Copyright (C) 2026 Red Hat, Inc. +# Written by: +# Andrew John Hughes +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as +# published by the Free Software Foundation, either version 3 of the +# License, or (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU Affero General Public License for more details. +# +# You should have received a copy of the GNU Affero General Public License +# along with this program. If not, see . + +# Tag newer PQC embargoed RHEL 9 RPMs into supported z-streams + +BUILD=${1} + +if test "${BUILD}" = ""; then + echo "${0} "; + exit 1; +fi + +BUILDLOG=$(mktemp --tmpdir "temp-${BUILD}-buildinfo-XXX") +SUPPORTED_VERS="9.7.0-z" +WORKING_DIR=$(dirname "${0}") +EMBARGOED_SUFFIX="nocompose-candidate" + +echo "Obtaining buildinfo for ${BUILD}..."; +brew buildinfo "${BUILD}" 2>&1 | tee "${BUILDLOG}" > /dev/null + +echo "Checking signatures for ${BUILD}..."; +"${WORKING_DIR}"/check_signatures.sh "${BUILDLOG}" + +# Return codes: +# - 1 - Buildinfo file not specified +# - 2 = Missing buildinfo file +# - 3 = No signatures +# - 4 = Multiple signature types found +# - 5 = PQC signature found +# - 6 = Old signature (fd431d51) found +# - 7 = Unknown signature found +ret=$?; +if [ "${ret}" -eq 6 ] ; then + echo "Build has old signatures which should not be the case for OpenJDK 25"; + exit 2; +elif ! 
{ [ "${ret}" -eq 6 ] || [ "${ret}" -eq 3 ] ; } ; then + echo "Signature check failed."; + exit 3; +fi + +echo "Tagging embargoed build for ${SUPPORTED_VERS}..."; +"${WORKING_DIR}"/tag_rhel.sh "${BUILD}" "${BUILDLOG}" "${EMBARGOED_SUFFIX}" "${SUPPORTED_VERS}" + +rm -f "${BUILDLOG}" + +# Local Variables: +# compile-command: "shellcheck tag_rhel_9_embargoed_pqc.sh" +# fill-column: 80 +# indent-tabs-mode: nil +# sh-basic-offset: 4 +# End: diff --git a/scripts/builds/tag_rhel_9_public_pqc.sh b/scripts/builds/tag_rhel_9_public_pqc.sh new file mode 100755 index 0000000..748ab69 --- /dev/null +++ b/scripts/builds/tag_rhel_9_public_pqc.sh 
@@ -0,0 +1,67 @@ +#!/bin/sh + +# Copyright (C) 2026 Red Hat, Inc. +# Written by: +# Andrew John Hughes +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as +# published by the Free Software Foundation, either version 3 of the +# License, or (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU Affero General Public License for more details. +# +# You should have received a copy of the GNU Affero General Public License +# along with this program. If not, see . + +# Tag newer PQC public RHEL 9 RPMs into gating for all supported streams + +BUILD=${1} + +if test "${BUILD}" = ""; then + echo "${0} "; + exit 1; +fi + +BUILDLOG=$(mktemp --tmpdir "temp-${BUILD}-buildinfo-XXX") +SUPPORTED_VERS="9.8.0 9.7.0-z" +WORKING_DIR=$(dirname "${0}") +GATE_SUFFIX="gate" + +echo "Obtaining buildinfo for ${BUILD}..."; +brew buildinfo "${BUILD}" 2>&1 | tee "${BUILDLOG}" > /dev/null + +echo "Checking signatures for ${BUILD}..."; +"${WORKING_DIR}"/check_signatures.sh "${BUILDLOG}" + +# Return codes: +# - 1 - Buildinfo file not specified +# - 2 = Missing buildinfo file +# - 3 = No signatures +# - 4 = Multiple signature types found +# - 5 = PQC signature found +# - 6 = Old signature (fd431d51) found +# - 7 = Unknown signature found +ret=$?; +if [ "${ret}" -eq 6 ] ; then + echo "Build has old signatures which should not be the case for OpenJDK 25"; + exit 2; +elif ! 
{ [ "${ret}" -eq 5 ] || [ "${ret}" -eq 3 ] ; } ; then + echo "Signature check failed."; + exit 3; +fi + +echo "Tagging build into gating for ${SUPPORTED_VERS}..."; +"${WORKING_DIR}"/tag_rhel.sh "${BUILD}" "${BUILDLOG}" "${GATE_SUFFIX}" "${SUPPORTED_VERS}" + +rm -f "${BUILDLOG}" + +# Local Variables: +# compile-command: "shellcheck tag_rhel_9_public_pqc.sh" +# fill-column: 80 +# indent-tabs-mode: nil +# sh-basic-offset: 4 +# End: