skopeo-1.3.1-9.el9
- Add support for signed RHEL images, enabled by default - Related: #1970747 Signed-off-by: Jindrich Novy <jnovy@redhat.com>
This commit is contained in:
Jindrich Novy
parent
9e66845657
commit
c76ea72a3b
34
RPM-GPG-KEY-redhat-release
Normal file
34
RPM-GPG-KEY-redhat-release
Normal file
@ -0,0 +1,34 @@
|
||||
pub 4096R/FD431D51 2009-10-22
|
||||
Key fingerprint = 567E 347A D004 4ADE 55BA 8A5F 199E 2F91 FD43 1D51
|
||||
uid Red Hat, Inc. (release key 2) <security@redhat.com>
|
||||
|
||||
-----BEGIN PGP PUBLIC KEY BLOCK-----
|
||||
Version: GnuPG v1.4.5 (GNU/Linux)
|
||||
|
||||
mQINBErgSTsBEACh2A4b0O9t+vzC9VrVtL1AKvUWi9OPCjkvR7Xd8DtJxeeMZ5eF
|
||||
0HtzIG58qDRybwUe89FZprB1ffuUKzdE+HcL3FbNWSSOXVjZIersdXyH3NvnLLLF
|
||||
0DNRB2ix3bXG9Rh/RXpFsNxDp2CEMdUvbYCzE79K1EnUTVh1L0Of023FtPSZXX0c
|
||||
u7Pb5DI5lX5YeoXO6RoodrIGYJsVBQWnrWw4xNTconUfNPk0EGZtEnzvH2zyPoJh
|
||||
XGF+Ncu9XwbalnYde10OCvSWAZ5zTCpoLMTvQjWpbCdWXJzCm6G+/hx9upke546H
|
||||
5IjtYm4dTIVTnc3wvDiODgBKRzOl9rEOCIgOuGtDxRxcQkjrC+xvg5Vkqn7vBUyW
|
||||
9pHedOU+PoF3DGOM+dqv+eNKBvh9YF9ugFAQBkcG7viZgvGEMGGUpzNgN7XnS1gj
|
||||
/DPo9mZESOYnKceve2tIC87p2hqjrxOHuI7fkZYeNIcAoa83rBltFXaBDYhWAKS1
|
||||
PcXS1/7JzP0ky7d0L6Xbu/If5kqWQpKwUInXtySRkuraVfuK3Bpa+X1XecWi24JY
|
||||
HVtlNX025xx1ewVzGNCTlWn1skQN2OOoQTV4C8/qFpTW6DTWYurd4+fE0OJFJZQF
|
||||
buhfXYwmRlVOgN5i77NTIJZJQfYFj38c/Iv5vZBPokO6mffrOTv3MHWVgQARAQAB
|
||||
tDNSZWQgSGF0LCBJbmMuIChyZWxlYXNlIGtleSAyKSA8c2VjdXJpdHlAcmVkaGF0
|
||||
LmNvbT6JAjYEEwECACAFAkrgSTsCGwMGCwkIBwMCBBUCCAMEFgIDAQIeAQIXgAAK
|
||||
CRAZni+R/UMdUWzpD/9s5SFR/ZF3yjY5VLUFLMXIKUztNN3oc45fyLdTI3+UClKC
|
||||
2tEruzYjqNHhqAEXa2sN1fMrsuKec61Ll2NfvJjkLKDvgVIh7kM7aslNYVOP6BTf
|
||||
C/JJ7/ufz3UZmyViH/WDl+AYdgk3JqCIO5w5ryrC9IyBzYv2m0HqYbWfphY3uHw5
|
||||
un3ndLJcu8+BGP5F+ONQEGl+DRH58Il9Jp3HwbRa7dvkPgEhfFR+1hI+Btta2C7E
|
||||
0/2NKzCxZw7Lx3PBRcU92YKyaEihfy/aQKZCAuyfKiMvsmzs+4poIX7I9NQCJpyE
|
||||
IGfINoZ7VxqHwRn/d5mw2MZTJjbzSf+Um9YJyA0iEEyD6qjriWQRbuxpQXmlAJbh
|
||||
8okZ4gbVFv1F8MzK+4R8VvWJ0XxgtikSo72fHjwha7MAjqFnOq6eo6fEC/75g3NL
|
||||
Ght5VdpGuHk0vbdENHMC8wS99e5qXGNDued3hlTavDMlEAHl34q2H9nakTGRF5Ki
|
||||
JUfNh3DVRGhg8cMIti21njiRh7gyFI2OccATY7bBSr79JhuNwelHuxLrCFpY7V25
|
||||
OFktl15jZJaMxuQBqYdBgSay2G0U6D1+7VsWufpzd/Abx1/c3oi9ZaJvW22kAggq
|
||||
dzdA27UUYjWvx42w9menJwh/0jeQcTecIUd0d0rFcw/c1pvgMMl/Q73yzKgKYw==
|
||||
=zbHE
|
||||
-----END PGP PUBLIC KEY BLOCK-----
|
||||
|
||||
32
default-policy.json
Normal file
32
default-policy.json
Normal file
@ -0,0 +1,32 @@
|
||||
{
|
||||
"default": [
|
||||
{
|
||||
"type": "insecureAcceptAnything"
|
||||
}
|
||||
],
|
||||
"transports": {
|
||||
"docker": {
|
||||
"registry.access.redhat.com": [
|
||||
{
|
||||
"type": "signedBy",
|
||||
"keyType": "GPGKeys",
|
||||
"keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"
|
||||
}
|
||||
],
|
||||
"registry.redhat.io": [
|
||||
{
|
||||
"type": "signedBy",
|
||||
"keyType": "GPGKeys",
|
||||
"keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"
|
||||
}
|
||||
]
|
||||
},
|
||||
"docker-daemon": {
|
||||
"": [
|
||||
{
|
||||
"type": "insecureAcceptAnything"
|
||||
}
|
||||
]
|
||||
}
|
||||
}
|
||||
}
|
||||
26
default.yaml
Normal file
26
default.yaml
Normal file
@ -0,0 +1,26 @@
|
||||
# This is a default registries.d configuration file. You may
|
||||
# add to this file or create additional files in registries.d/.
|
||||
#
|
||||
# sigstore: indicates a location that is read and write
|
||||
# sigstore-staging: indicates a location that is only for write
|
||||
#
|
||||
# sigstore and sigstore-staging take a value of the following:
|
||||
# sigstore: {schema}://location
|
||||
#
|
||||
# For reading signatures, schema may be http, https, or file.
|
||||
# For writing signatures, schema may only be file.
|
||||
|
||||
# This is the default signature write location for docker registries.
|
||||
default-docker:
|
||||
# sigstore: file:///var/lib/containers/sigstore
|
||||
sigstore-staging: file:///var/lib/containers/sigstore
|
||||
|
||||
# The 'docker' indicator here is the start of the configuration
|
||||
# for docker registries.
|
||||
#
|
||||
# docker:
|
||||
#
|
||||
# privateregistry.com:
|
||||
# sigstore: http://privateregistry.com/sigstore/
|
||||
# sigstore-staging: /mnt/nfs/privateregistry/sigstore
|
||||
|
||||
3
registry.access.redhat.com.yaml
Normal file
3
registry.access.redhat.com.yaml
Normal file
@ -0,0 +1,3 @@
|
||||
docker:
|
||||
registry.access.redhat.com:
|
||||
sigstore: https://access.redhat.com/webassets/docker/content/sigstore
|
||||
3
registry.redhat.io.yaml
Normal file
3
registry.redhat.io.yaml
Normal file
@ -0,0 +1,3 @@
|
||||
docker:
|
||||
registry.redhat.io:
|
||||
sigstore: https://registry.redhat.io/containers/sigstore
|
||||
28
skopeo.spec
28
skopeo.spec
@ -30,7 +30,7 @@ go build -buildmode pie -compiler gc -tags="rpm_crashtraceback libtrust_openssl
|
||||
Epoch: 1
|
||||
Name: skopeo
|
||||
Version: 1.3.1
|
||||
Release: 8%{?dist}
|
||||
Release: 9%{?dist}
|
||||
Summary: Inspect container images and repositories on registries
|
||||
License: ASL 2.0
|
||||
URL: %{git0}
|
||||
@ -48,7 +48,7 @@ Source4: https://raw.githubusercontent.com/containers/image/%{image_branch}/docs
|
||||
#Source5: https://raw.githubusercontent.com/containers/image/%%{image_branch}/registries.conf
|
||||
Source5: registries.conf
|
||||
Source6: https://raw.githubusercontent.com/containers/image/%{image_branch}/docs/containers-policy.json.5.md
|
||||
Source7: https://raw.githubusercontent.com/containers/common/%{common_branch}/pkg/seccomp/seccomp.json
|
||||
Source7: https://raw.githubusercontent.com/containers/common/main/pkg/seccomp/seccomp.json
|
||||
Source8: https://raw.githubusercontent.com/containers/common/%{common_branch}/docs/containers-mounts.conf.5.md
|
||||
Source9: https://raw.githubusercontent.com/containers/image/%{image_branch}/docs/containers-signature.5.md
|
||||
Source10: https://raw.githubusercontent.com/containers/image/%{image_branch}/docs/containers-transports.5.md
|
||||
@ -61,6 +61,12 @@ Source16: https://raw.githubusercontent.com/containers/image/%{image_branch}/doc
|
||||
Source17: https://raw.githubusercontent.com/containers/shortnames/%{shortnames_branch}/shortnames.conf
|
||||
Source19: 001-rhel-shortnames-pyxis.conf
|
||||
Source20: 002-rhel-shortnames-overrides.conf
|
||||
Source21: RPM-GPG-KEY-redhat-release
|
||||
Source22: registry.access.redhat.com.yaml
|
||||
Source23: registry.redhat.io.yaml
|
||||
#Source24: https://raw.githubusercontent.com/containers/skopeo/%{branch}/default-policy.json
|
||||
Source24: default-policy.json
|
||||
Source25: https://raw.githubusercontent.com/containers/skopeo/%{branch}/default.yaml
|
||||
# scripts used for synchronization with upstream and shortname generation
|
||||
Source100: update.sh
|
||||
Source101: update-vendored.sh
|
||||
@ -151,6 +157,16 @@ install -m0644 %{SOURCE17} %{buildroot}%{_sysconfdir}/containers/registries.conf
|
||||
install -m0644 %{SOURCE19} %{buildroot}%{_sysconfdir}/containers/registries.conf.d/001-rhel-shortnames.conf
|
||||
install -m0644 %{SOURCE20} %{buildroot}%{_sysconfdir}/containers/registries.conf.d/002-rhel-shortnames-overrides.conf
|
||||
|
||||
# for signature verification
|
||||
install -dp %{buildroot}%{_sysconfdir}/pki/rpm-gpg
|
||||
install -m0644 %{SOURCE21} %{buildroot}%{_sysconfdir}/pki/rpm-gpg
|
||||
install -dp %{buildroot}%{_sysconfdir}/containers/registries.d
|
||||
install -m0644 %{SOURCE22} %{buildroot}%{_sysconfdir}/containers/registries.d
|
||||
install -m0644 %{SOURCE23} %{buildroot}%{_sysconfdir}/containers/registries.d
|
||||
install -m0644 %{SOURCE24} %{buildroot}%{_sysconfdir}/containers/policy.json
|
||||
install -dp %{buildroot}%{_sharedstatedir}/containers/sigstore
|
||||
install -m0644 %{SOURCE25} %{buildroot}%{_sysconfdir}/containers/registries.d/default.yaml
|
||||
|
||||
# for containers-common
|
||||
install -dp %{buildroot}%{_mandir}/man5
|
||||
go-md2man -in %{SOURCE2} -out %{buildroot}%{_mandir}/man5/containers-storage.conf.5
|
||||
@ -208,9 +224,12 @@ export GOPATH=%{buildroot}/%{gopath}:$(pwd)/vendor:%{gopath}
|
||||
%dir %{_sysconfdir}/containers
|
||||
%dir %{_sysconfdir}/containers/certs.d
|
||||
%dir %{_sysconfdir}/containers/registries.d
|
||||
%{_sysconfdir}/containers/registries.d/registry.redhat.io.yaml
|
||||
%{_sysconfdir}/containers/registries.d/registry.access.redhat.com.yaml
|
||||
%dir %{_sysconfdir}/containers/oci
|
||||
%dir %{_sysconfdir}/containers/oci/hooks.d
|
||||
%dir %{_sysconfdir}/containers/registries.conf.d
|
||||
%{_sysconfdir}/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
|
||||
%config(noreplace) %{_sysconfdir}/containers/policy.json
|
||||
%config(noreplace) %{_sysconfdir}/containers/registries.d/default.yaml
|
||||
%config(noreplace) %{_sysconfdir}/containers/storage.conf
|
||||
@ -227,6 +246,7 @@ export GOPATH=%{buildroot}/%{gopath}:$(pwd)/vendor:%{gopath}
|
||||
%dir %{_datadir}/rhel/secrets
|
||||
%{_datadir}/rhel/secrets/*
|
||||
|
||||
|
||||
%files
|
||||
%license LICENSE
|
||||
%doc README.md
|
||||
@ -241,6 +261,10 @@ export GOPATH=%{buildroot}/%{gopath}:$(pwd)/vendor:%{gopath}
|
||||
%{_datadir}/%{name}/test
|
||||
|
||||
%changelog
|
||||
* Tue Jul 27 2021 Jindrich Novy <jnovy@redhat.com> - 1:1.3.1-9
|
||||
- Add support for signed RHEL images, enabled by default
|
||||
- Related: #1970747
|
||||
|
||||
* Mon Jul 26 2021 Jindrich Novy <jnovy@redhat.com> - 1:1.3.1-8
|
||||
- update seccomp.json from Fedora to allow clone3 to pass
|
||||
- Related: #1970747
|
||||
|
||||
Loading…
Reference in New Issue
Block a user