From c76ea72a3b220054bd144aabcc31edfff86d571a Mon Sep 17 00:00:00 2001
From: Jindrich Novy
Date: Tue, 27 Jul 2021 07:35:15 +0200
Subject: [PATCH] skopeo-1.3.1-9.el9

- Add support for signed RHEL images, enabled by default
- Related: #1970747

Signed-off-by: Jindrich Novy
---
 RPM-GPG-KEY-redhat-release | 34 +++++++++++++++++++++++++++++++++
 default-policy.json | 32 +++++++++++++++++++++++++++++++
 default.yaml | 26 +++++++++++++++++++++++++
 registry.access.redhat.com.yaml | 3 +++
 registry.redhat.io.yaml | 3 +++
 skopeo.spec | 28 +++++++++++++++++++++++++--
 6 files changed, 124 insertions(+), 2 deletions(-)
 create mode 100644 RPM-GPG-KEY-redhat-release
 create mode 100644 default-policy.json
 create mode 100644 default.yaml
 create mode 100644 registry.access.redhat.com.yaml
 create mode 100644 registry.redhat.io.yaml
diff --git a/RPM-GPG-KEY-redhat-release b/RPM-GPG-KEY-redhat-release
new file mode 100644
index 0000000..0009a3e
--- /dev/null
+++ b/RPM-GPG-KEY-redhat-release
@@ -0,0 +1,34 @@
+pub 4096R/FD431D51 2009-10-22
+ Key fingerprint = 567E 347A D004 4ADE 55BA 8A5F 199E 2F91 FD43 1D51
+uid Red Hat, Inc. (release key 2)
+
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: GnuPG v1.4.5 (GNU/Linux)
+
+mQINBErgSTsBEACh2A4b0O9t+vzC9VrVtL1AKvUWi9OPCjkvR7Xd8DtJxeeMZ5eF
+0HtzIG58qDRybwUe89FZprB1ffuUKzdE+HcL3FbNWSSOXVjZIersdXyH3NvnLLLF
+0DNRB2ix3bXG9Rh/RXpFsNxDp2CEMdUvbYCzE79K1EnUTVh1L0Of023FtPSZXX0c
+u7Pb5DI5lX5YeoXO6RoodrIGYJsVBQWnrWw4xNTconUfNPk0EGZtEnzvH2zyPoJh
+XGF+Ncu9XwbalnYde10OCvSWAZ5zTCpoLMTvQjWpbCdWXJzCm6G+/hx9upke546H
+5IjtYm4dTIVTnc3wvDiODgBKRzOl9rEOCIgOuGtDxRxcQkjrC+xvg5Vkqn7vBUyW
+9pHedOU+PoF3DGOM+dqv+eNKBvh9YF9ugFAQBkcG7viZgvGEMGGUpzNgN7XnS1gj
+/DPo9mZESOYnKceve2tIC87p2hqjrxOHuI7fkZYeNIcAoa83rBltFXaBDYhWAKS1
+PcXS1/7JzP0ky7d0L6Xbu/If5kqWQpKwUInXtySRkuraVfuK3Bpa+X1XecWi24JY
+HVtlNX025xx1ewVzGNCTlWn1skQN2OOoQTV4C8/qFpTW6DTWYurd4+fE0OJFJZQF
+buhfXYwmRlVOgN5i77NTIJZJQfYFj38c/Iv5vZBPokO6mffrOTv3MHWVgQARAQAB
+tDNSZWQgSGF0LCBJbmMuIChyZWxlYXNlIGtleSAyKSA8c2VjdXJpdHlAcmVkaGF0
+LmNvbT6JAjYEEwECACAFAkrgSTsCGwMGCwkIBwMCBBUCCAMEFgIDAQIeAQIXgAAK
+CRAZni+R/UMdUWzpD/9s5SFR/ZF3yjY5VLUFLMXIKUztNN3oc45fyLdTI3+UClKC
+2tEruzYjqNHhqAEXa2sN1fMrsuKec61Ll2NfvJjkLKDvgVIh7kM7aslNYVOP6BTf
+C/JJ7/ufz3UZmyViH/WDl+AYdgk3JqCIO5w5ryrC9IyBzYv2m0HqYbWfphY3uHw5
+un3ndLJcu8+BGP5F+ONQEGl+DRH58Il9Jp3HwbRa7dvkPgEhfFR+1hI+Btta2C7E
+0/2NKzCxZw7Lx3PBRcU92YKyaEihfy/aQKZCAuyfKiMvsmzs+4poIX7I9NQCJpyE
+IGfINoZ7VxqHwRn/d5mw2MZTJjbzSf+Um9YJyA0iEEyD6qjriWQRbuxpQXmlAJbh
+8okZ4gbVFv1F8MzK+4R8VvWJ0XxgtikSo72fHjwha7MAjqFnOq6eo6fEC/75g3NL
+Ght5VdpGuHk0vbdENHMC8wS99e5qXGNDued3hlTavDMlEAHl34q2H9nakTGRF5Ki
+JUfNh3DVRGhg8cMIti21njiRh7gyFI2OccATY7bBSr79JhuNwelHuxLrCFpY7V25
+OFktl15jZJaMxuQBqYdBgSay2G0U6D1+7VsWufpzd/Abx1/c3oi9ZaJvW22kAggq
+dzdA27UUYjWvx42w9menJwh/0jeQcTecIUd0d0rFcw/c1pvgMMl/Q73yzKgKYw==
+=zbHE
+-----END PGP PUBLIC KEY BLOCK-----
+
diff --git a/default-policy.json b/default-policy.json
new file mode 100644
index 0000000..7ed16d6
--- /dev/null
+++ b/default-policy.json
@@ -0,0 +1,32 @@
+{
+"default": [
+{
+"type": "insecureAcceptAnything"
+}
+],
+"transports": {
+"docker": {
+"registry.access.redhat.com": [
+{
+"type": "signedBy",
+"keyType": "GPGKeys",
+"keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"
+}
+],
+"registry.redhat.io": [
+{
+"type": "signedBy",
+"keyType": "GPGKeys",
+"keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"
+}
+]
+},
+"docker-daemon": {
+"": [
+{
+"type": "insecureAcceptAnything"
+}
+]
+}
+}
+}
diff --git a/default.yaml b/default.yaml
new file mode 100644
index 0000000..943ea17
--- /dev/null
+++ b/default.yaml
@@ -0,0 +1,26 @@
+# This is a default registries.d configuration file. You may
+# add to this file or create additional files in registries.d/.
+#
+# sigstore: indicates a location that is read and write
+# sigstore-staging: indicates a location that is only for write
+#
+# sigstore and sigstore-staging take a value of the following:
+# sigstore: {schema}://location
+#
+# For reading signatures, schema may be http, https, or file.
+# For writing signatures, schema may only be file.
+
+# This is the default signature write location for docker registries.
+default-docker:
+# sigstore: file:///var/lib/containers/sigstore
+ sigstore-staging: file:///var/lib/containers/sigstore
+
+# The 'docker' indicator here is the start of the configuration
+# for docker registries.
+#
+# docker:
+#
+# privateregistry.com:
+# sigstore: http://privateregistry.com/sigstore/
+# sigstore-staging: /mnt/nfs/privateregistry/sigstore
+
diff --git a/registry.access.redhat.com.yaml b/registry.access.redhat.com.yaml
new file mode 100644
index 0000000..b426a4b
--- /dev/null
+++ b/registry.access.redhat.com.yaml
@@ -0,0 +1,3 @@
+docker:
+ registry.access.redhat.com:
+ sigstore: https://access.redhat.com/webassets/docker/content/sigstore
diff --git a/registry.redhat.io.yaml b/registry.redhat.io.yaml
new file mode 100644
index 0000000..35f2c61
--- /dev/null
+++ b/registry.redhat.io.yaml
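Review bot: The `default` entry in default-policy.json stays `insecureAcceptAnything`, so the signature requirement added here applies only to images fetched through the `docker` transport from the two listed Red Hat registries; every other registry, the `docker-daemon` transport and any transport not named in the file are still accepted unsigned. That matches the upstream default, but the commit message's "enabled by default" reads broader than that, and policy.json is strict JSON and cannot carry a comment saying so. Record the scope where it can live, next to Source24 in the spec: `# Source24: upstream default-policy.json plus signedBy rules for registry.access.redhat.com and registry.redhat.io only; all other sources stay insecureAcceptAnything`. The scope keys here are registry names as written in the image reference, so whether a pull redirected to a mirror from registries.conf still matches them is worth verifying rather than assuming.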
@@ -0,0 +1,3 @@
+docker:
+ registry.redhat.io:
+ sigstore: https://registry.redhat.io/containers/sigstore
diff --git a/skopeo.spec b/skopeo.spec
index f13c9ba..b8be887 100644
--- a/skopeo.spec
+++ b/skopeo.spec
@@ -30,7 +30,7 @@ go build -buildmode pie -compiler gc -tags="rpm_crashtraceback libtrust_openssl
 Epoch: 1
 Name: skopeo
 Version: 1.3.1
-Release: 8%{?dist}
+Release: 9%{?dist}
 Summary: Inspect container images and repositories on registries
 License: ASL 2.0
 URL: %{git0}
@@ -48,7 +48,7 @@ Source4: https://raw.githubusercontent.com/containers/image/%{image_branch}/docs
 #Source5: https://raw.githubusercontent.com/containers/image/%%{image_branch}/registries.conf
 Source5: registries.conf
 Source6: https://raw.githubusercontent.com/containers/image/%{image_branch}/docs/containers-policy.json.5.md
-Source7: https://raw.githubusercontent.com/containers/common/%{common_branch}/pkg/seccomp/seccomp.json
+Source7: https://raw.githubusercontent.com/containers/common/main/pkg/seccomp/seccomp.json
 Source8: https://raw.githubusercontent.com/containers/common/%{common_branch}/docs/containers-mounts.conf.5.md
 Source9: https://raw.githubusercontent.com/containers/image/%{image_branch}/docs/containers-signature.5.md
 Source10: https://raw.githubusercontent.com/containers/image/%{image_branch}/docs/containers-transports.5.md
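Review bot: Source7 now points at the `main` branch of containers/common instead of `%{common_branch}`, while every other Source URL visible in this patch uses a pinned branch macro; the next refresh of sources will pull whatever seccomp.json is on `main` at that moment, so the build can no longer be reproduced from the spec alone, and neither the -9 changelog entry nor the commit message mentions the change. If this is a deliberate one-off pickup of the clone3 allowance referenced in the -8 entry, pin it to a tag or commit instead of a branch name, or at least leave a comment: `# Source7: taken from containers/common main (clone3 allowance); re-pin to %{common_branch} once it carries the change`.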
@@ -61,6 +61,12 @@ Source16: https://raw.githubusercontent.com/containers/image/%{image_branch}/doc
 Source17: https://raw.githubusercontent.com/containers/shortnames/%{shortnames_branch}/shortnames.conf
 Source19: 001-rhel-shortnames-pyxis.conf
 Source20: 002-rhel-shortnames-overrides.conf
+Source21: RPM-GPG-KEY-redhat-release
+Source22: registry.access.redhat.com.yaml
+Source23: registry.redhat.io.yaml
+#Source24: https://raw.githubusercontent.com/containers/skopeo/%{branch}/default-policy.json
+Source24: default-policy.json
+Source25: https://raw.githubusercontent.com/containers/skopeo/%{branch}/default.yaml
 # scripts used for synchronization with upstream and shortname generation
 Source100: update.sh
 Source101: update-vendored.sh
@@ -151,6 +157,16 @@ install -m0644 %{SOURCE17} %{buildroot}%{_sysconfdir}/containers/registries.conf
 install -m0644 %{SOURCE19} %{buildroot}%{_sysconfdir}/containers/registries.conf.d/001-rhel-shortnames.conf
 install -m0644 %{SOURCE20} %{buildroot}%{_sysconfdir}/containers/registries.conf.d/002-rhel-shortnames-overrides.conf
+# for signature verification
+install -dp %{buildroot}%{_sysconfdir}/pki/rpm-gpg
+install -m0644 %{SOURCE21} %{buildroot}%{_sysconfdir}/pki/rpm-gpg
+install -dp %{buildroot}%{_sysconfdir}/containers/registries.d
+install -m0644 %{SOURCE22} %{buildroot}%{_sysconfdir}/containers/registries.d
+install -m0644 %{SOURCE23} %{buildroot}%{_sysconfdir}/containers/registries.d
+install -m0644 %{SOURCE24} %{buildroot}%{_sysconfdir}/containers/policy.json
+install -dp %{buildroot}%{_sharedstatedir}/containers/sigstore
+install -m0644 %{SOURCE25} %{buildroot}%{_sysconfdir}/containers/registries.d/default.yaml
+
 # for containers-common
 install -dp %{buildroot}%{_mandir}/man5
 go-md2man -in %{SOURCE2} -out %{buildroot}%{_mandir}/man5/containers-storage.conf.5
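Review bot: Source21 adds a GPG public key as a local file with nothing in the spec recording where it was obtained or which fingerprint a reviewer should expect, and that key is what the new policy.json trusts for every image from the two Red Hat registries. The armored key's own header carries the fingerprint, so pin it in the spec where any future replacement of the file will be checked against it: `# Source21: Red Hat release key 2 (FD431D51), fingerprint 567E 347A D004 4ADE 55BA 8A5F 199E 2F91 FD43 1D51`. Source24 and Source25 are also handled inconsistently: default-policy.json is carried locally with its upstream URL commented out, while default.yaml is fetched from `%{branch}`; a comment such as `# Source24: local copy, diverges from upstream by adding the signedBy scopes` would keep the next updater from overwriting it with the upstream file.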
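Review bot: `install -dp %{buildroot}%{_sharedstatedir}/containers/sigstore` creates a directory that none of the %files hunks in this patch list; unless it is already packaged elsewhere in the spec, rpmbuild reports it as an unpackaged file, and if the build does pass, the directory is left unowned. Since it appears to be the write location that `sigstore-staging` in default.yaml names, add `%dir %{_sharedstatedir}/containers/sigstore` to the containers-common %files section. Separately, `%{_sysconfdir}/pki/rpm-gpg/RPM-GPG-KEY-redhat-release` is, as far as I know, also shipped by the `redhat-release` package; if both packages own the path, installation fails unless the two files are byte-identical, so either install this copy under a skopeo-specific name (and point `keyPath` in policy.json at it) or verify the contents match and note the overlap as intentional.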
@@ -208,9 +224,12 @@ export GOPATH=%{buildroot}/%{gopath}:$(pwd)/vendor:%{gopath}
 %dir %{_sysconfdir}/containers
 %dir %{_sysconfdir}/containers/certs.d
 %dir %{_sysconfdir}/containers/registries.d
+%{_sysconfdir}/containers/registries.d/registry.redhat.io.yaml
+%{_sysconfdir}/containers/registries.d/registry.access.redhat.com.yaml
 %dir %{_sysconfdir}/containers/oci
 %dir %{_sysconfdir}/containers/oci/hooks.d
 %dir %{_sysconfdir}/containers/registries.conf.d
+%{_sysconfdir}/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
 %config(noreplace) %{_sysconfdir}/containers/policy.json
 %config(noreplace) %{_sysconfdir}/containers/registries.d/default.yaml
 %config(noreplace) %{_sysconfdir}/containers/storage.conf
@@ -227,6 +246,7 @@ export GOPATH=%{buildroot}/%{gopath}:$(pwd)/vendor:%{gopath}
 %dir %{_datadir}/rhel/secrets
 %{_datadir}/rhel/secrets/*
+
 %files
 %license LICENSE
 %doc README.md
@@ -241,6 +261,10 @@ export GOPATH=%{buildroot}/%{gopath}:$(pwd)/vendor:%{gopath}
 %{_datadir}/%{name}/test
 %changelog
+* Tue Jul 27 2021 Jindrich Novy - 1:1.3.1-9
+- Add support for signed RHEL images, enabled by default
+- Related: #1970747
+
 * Mon Jul 26 2021 Jindrich Novy - 1:1.3.1-8
 - update seccomp.json from Fedora to allow clone3 to pass
 - Related: #1970747
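Review bot: The two registries.d YAML files added to %files live under %{_sysconfdir} but are not marked `%config(noreplace)` like `default.yaml` a few lines below them; an administrator who repoints `sigstore` at an internal mirror will have that edit overwritten on the next upgrade, and rpmlint flags non-config files in /etc. Change the two lines to `%config(noreplace) %{_sysconfdir}/containers/registries.d/registry.redhat.io.yaml` and `%config(noreplace) %{_sysconfdir}/containers/registries.d/registry.access.redhat.com.yaml`. Note also that `policy.json` is already `%config(noreplace)`, so a system whose policy.json was ever edited keeps its old policy and receives the new one only as `policy.json.rpmnew`; the "enabled by default" in the changelog holds for fresh installs and untouched configs, which is worth saying in the changelog entry.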