diff --git a/RPM-GPG-KEY-redhat-release b/RPM-GPG-KEY-redhat-release new file mode 100644 index 0000000..0009a3e --- /dev/null +++ b/RPM-GPG-KEY-redhat-release @@ -0,0 +1,34 @@ +pub 4096R/FD431D51 2009-10-22 + Key fingerprint = 567E 347A D004 4ADE 55BA 8A5F 199E 2F91 FD43 1D51 +uid Red Hat, Inc. (release key 2) + +-----BEGIN PGP PUBLIC KEY BLOCK----- +Version: GnuPG v1.4.5 (GNU/Linux) + +mQINBErgSTsBEACh2A4b0O9t+vzC9VrVtL1AKvUWi9OPCjkvR7Xd8DtJxeeMZ5eF +0HtzIG58qDRybwUe89FZprB1ffuUKzdE+HcL3FbNWSSOXVjZIersdXyH3NvnLLLF +0DNRB2ix3bXG9Rh/RXpFsNxDp2CEMdUvbYCzE79K1EnUTVh1L0Of023FtPSZXX0c +u7Pb5DI5lX5YeoXO6RoodrIGYJsVBQWnrWw4xNTconUfNPk0EGZtEnzvH2zyPoJh +XGF+Ncu9XwbalnYde10OCvSWAZ5zTCpoLMTvQjWpbCdWXJzCm6G+/hx9upke546H +5IjtYm4dTIVTnc3wvDiODgBKRzOl9rEOCIgOuGtDxRxcQkjrC+xvg5Vkqn7vBUyW +9pHedOU+PoF3DGOM+dqv+eNKBvh9YF9ugFAQBkcG7viZgvGEMGGUpzNgN7XnS1gj +/DPo9mZESOYnKceve2tIC87p2hqjrxOHuI7fkZYeNIcAoa83rBltFXaBDYhWAKS1 +PcXS1/7JzP0ky7d0L6Xbu/If5kqWQpKwUInXtySRkuraVfuK3Bpa+X1XecWi24JY +HVtlNX025xx1ewVzGNCTlWn1skQN2OOoQTV4C8/qFpTW6DTWYurd4+fE0OJFJZQF +buhfXYwmRlVOgN5i77NTIJZJQfYFj38c/Iv5vZBPokO6mffrOTv3MHWVgQARAQAB +tDNSZWQgSGF0LCBJbmMuIChyZWxlYXNlIGtleSAyKSA8c2VjdXJpdHlAcmVkaGF0 +LmNvbT6JAjYEEwECACAFAkrgSTsCGwMGCwkIBwMCBBUCCAMEFgIDAQIeAQIXgAAK +CRAZni+R/UMdUWzpD/9s5SFR/ZF3yjY5VLUFLMXIKUztNN3oc45fyLdTI3+UClKC +2tEruzYjqNHhqAEXa2sN1fMrsuKec61Ll2NfvJjkLKDvgVIh7kM7aslNYVOP6BTf +C/JJ7/ufz3UZmyViH/WDl+AYdgk3JqCIO5w5ryrC9IyBzYv2m0HqYbWfphY3uHw5 +un3ndLJcu8+BGP5F+ONQEGl+DRH58Il9Jp3HwbRa7dvkPgEhfFR+1hI+Btta2C7E +0/2NKzCxZw7Lx3PBRcU92YKyaEihfy/aQKZCAuyfKiMvsmzs+4poIX7I9NQCJpyE +IGfINoZ7VxqHwRn/d5mw2MZTJjbzSf+Um9YJyA0iEEyD6qjriWQRbuxpQXmlAJbh +8okZ4gbVFv1F8MzK+4R8VvWJ0XxgtikSo72fHjwha7MAjqFnOq6eo6fEC/75g3NL +Ght5VdpGuHk0vbdENHMC8wS99e5qXGNDued3hlTavDMlEAHl34q2H9nakTGRF5Ki +JUfNh3DVRGhg8cMIti21njiRh7gyFI2OccATY7bBSr79JhuNwelHuxLrCFpY7V25 +OFktl15jZJaMxuQBqYdBgSay2G0U6D1+7VsWufpzd/Abx1/c3oi9ZaJvW22kAggq +dzdA27UUYjWvx42w9menJwh/0jeQcTecIUd0d0rFcw/c1pvgMMl/Q73yzKgKYw== +=zbHE +-----END PGP PUBLIC KEY BLOCK----- + diff --git a/default-policy.json b/default-policy.json new file mode 100644 index 0000000..7ed16d6 --- /dev/null +++ b/default-policy.json @@ -0,0 +1,32 @@ +{ + "default": [ + { + "type": "insecureAcceptAnything" + } + ], + "transports": { + "docker": { + "registry.access.redhat.com": [ + { + "type": "signedBy", + "keyType": "GPGKeys", + "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release" + } + ], + "registry.redhat.io": [ + { + "type": "signedBy", + "keyType": "GPGKeys", + "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release" + } + ] + }, + "docker-daemon": { + "": [ + { + "type": "insecureAcceptAnything" + } + ] + } + } +} diff --git a/default.yaml b/default.yaml new file mode 100644 index 0000000..943ea17 --- /dev/null +++ b/default.yaml @@ -0,0 +1,26 @@ +# This is a default registries.d configuration file. You may +# add to this file or create additional files in registries.d/. +# +# sigstore: indicates a location that is read and write +# sigstore-staging: indicates a location that is only for write +# +# sigstore and sigstore-staging take a value of the following: +# sigstore: {schema}://location +# +# For reading signatures, schema may be http, https, or file. +# For writing signatures, schema may only be file. + +# This is the default signature write location for docker registries. +default-docker: +# sigstore: file:///var/lib/containers/sigstore + sigstore-staging: file:///var/lib/containers/sigstore + +# The 'docker' indicator here is the start of the configuration +# for docker registries. +# +# docker: +# +# privateregistry.com: +# sigstore: http://privateregistry.com/sigstore/ +# sigstore-staging: /mnt/nfs/privateregistry/sigstore + diff --git a/registry.access.redhat.com.yaml b/registry.access.redhat.com.yaml new file mode 100644 index 0000000..b426a4b --- /dev/null +++ b/registry.access.redhat.com.yaml @@ -0,0 +1,3 @@ +docker: + registry.access.redhat.com: + sigstore: https://access.redhat.com/webassets/docker/content/sigstore diff --git a/registry.redhat.io.yaml b/registry.redhat.io.yaml new file mode 100644 index 0000000..35f2c61 --- /dev/null +++ b/registry.redhat.io.yaml @@ -0,0 +1,3 @@ +docker: + registry.redhat.io: + sigstore: https://registry.redhat.io/containers/sigstore diff --git a/skopeo.spec b/skopeo.spec index f13c9ba..b8be887 100644 --- a/skopeo.spec +++ b/skopeo.spec @@ -30,7 +30,7 @@ go build -buildmode pie -compiler gc -tags="rpm_crashtraceback libtrust_openssl Epoch: 1 Name: skopeo Version: 1.3.1 -Release: 8%{?dist} +Release: 9%{?dist} Summary: Inspect container images and repositories on registries License: ASL 2.0 URL: %{git0} @@ -48,7 +48,7 @@ Source4: https://raw.githubusercontent.com/containers/image/%{image_branch}/docs #Source5: https://raw.githubusercontent.com/containers/image/%%{image_branch}/registries.conf Source5: registries.conf Source6: https://raw.githubusercontent.com/containers/image/%{image_branch}/docs/containers-policy.json.5.md -Source7: https://raw.githubusercontent.com/containers/common/%{common_branch}/pkg/seccomp/seccomp.json +Source7: https://raw.githubusercontent.com/containers/common/main/pkg/seccomp/seccomp.json Source8: https://raw.githubusercontent.com/containers/common/%{common_branch}/docs/containers-mounts.conf.5.md Source9: https://raw.githubusercontent.com/containers/image/%{image_branch}/docs/containers-signature.5.md Source10: https://raw.githubusercontent.com/containers/image/%{image_branch}/docs/containers-transports.5.md @@ -61,6 +61,12 @@ Source16: https://raw.githubusercontent.com/containers/image/%{image_branch}/doc Source17: https://raw.githubusercontent.com/containers/shortnames/%{shortnames_branch}/shortnames.conf Source19: 001-rhel-shortnames-pyxis.conf Source20: 002-rhel-shortnames-overrides.conf +Source21: RPM-GPG-KEY-redhat-release +Source22: registry.access.redhat.com.yaml +Source23: registry.redhat.io.yaml +#Source24: https://raw.githubusercontent.com/containers/skopeo/%{branch}/default-policy.json +Source24: default-policy.json +Source25: https://raw.githubusercontent.com/containers/skopeo/%{branch}/default.yaml # scripts used for synchronization with upstream and shortname generation Source100: update.sh Source101: update-vendored.sh @@ -151,6 +157,16 @@ install -m0644 %{SOURCE17} %{buildroot}%{_sysconfdir}/containers/registries.conf install -m0644 %{SOURCE19} %{buildroot}%{_sysconfdir}/containers/registries.conf.d/001-rhel-shortnames.conf install -m0644 %{SOURCE20} %{buildroot}%{_sysconfdir}/containers/registries.conf.d/002-rhel-shortnames-overrides.conf +# for signature verification +install -dp %{buildroot}%{_sysconfdir}/pki/rpm-gpg +install -m0644 %{SOURCE21} %{buildroot}%{_sysconfdir}/pki/rpm-gpg +install -dp %{buildroot}%{_sysconfdir}/containers/registries.d +install -m0644 %{SOURCE22} %{buildroot}%{_sysconfdir}/containers/registries.d +install -m0644 %{SOURCE23} %{buildroot}%{_sysconfdir}/containers/registries.d +install -m0644 %{SOURCE24} %{buildroot}%{_sysconfdir}/containers/policy.json +install -dp %{buildroot}%{_sharedstatedir}/containers/sigstore +install -m0644 %{SOURCE25} %{buildroot}%{_sysconfdir}/containers/registries.d/default.yaml + # for containers-common install -dp %{buildroot}%{_mandir}/man5 go-md2man -in %{SOURCE2} -out %{buildroot}%{_mandir}/man5/containers-storage.conf.5 @@ -208,9 +224,12 @@ export GOPATH=%{buildroot}/%{gopath}:$(pwd)/vendor:%{gopath} %dir %{_sysconfdir}/containers %dir %{_sysconfdir}/containers/certs.d %dir %{_sysconfdir}/containers/registries.d +%{_sysconfdir}/containers/registries.d/registry.redhat.io.yaml +%{_sysconfdir}/containers/registries.d/registry.access.redhat.com.yaml %dir %{_sysconfdir}/containers/oci %dir %{_sysconfdir}/containers/oci/hooks.d %dir %{_sysconfdir}/containers/registries.conf.d +%{_sysconfdir}/pki/rpm-gpg/RPM-GPG-KEY-redhat-release %config(noreplace) %{_sysconfdir}/containers/policy.json %config(noreplace) %{_sysconfdir}/containers/registries.d/default.yaml %config(noreplace) %{_sysconfdir}/containers/storage.conf @@ -227,6 +246,7 @@ export GOPATH=%{buildroot}/%{gopath}:$(pwd)/vendor:%{gopath} %dir %{_datadir}/rhel/secrets %{_datadir}/rhel/secrets/* + %files %license LICENSE %doc README.md @@ -241,6 +261,10 @@ export GOPATH=%{buildroot}/%{gopath}:$(pwd)/vendor:%{gopath} %{_datadir}/%{name}/test %changelog +* Tue Jul 27 2021 Jindrich Novy - 1:1.3.1-9 +- Add support for signed RHEL images, enabled by default +- Related: #1970747 + * Mon Jul 26 2021 Jindrich Novy - 1:1.3.1-8 - update seccomp.json from Fedora to allow clone3 to pass - Related: #1970747