skopeo-1.3.1-9.el9

- Add support for signed RHEL images, enabled by default - Related: #1970747 Signed-off-by: Jindrich Novy <jnovy@redhat.com>
2021-07-27 07:35:15 +02:00 · 2021-07-27 07:35:15 +02:00 · c76ea72a3b
commit c76ea72a3b
parent 9e66845657
6 changed files with 124 additions and 2 deletions
--- a/34
+++ b/34
@ -0,0 +1,34 @@
 pub   4096R/FD431D51 2009-10-22
      Key fingerprint = 567E 347A D004 4ADE 55BA  8A5F 199E 2F91 FD43 1D51
 uid                  Red Hat, Inc. (release key 2) <security@redhat.com>
 -----BEGIN PGP PUBLIC KEY BLOCK-----
 Version: GnuPG v1.4.5 (GNU/Linux)
 mQINBErgSTsBEACh2A4b0O9t+vzC9VrVtL1AKvUWi9OPCjkvR7Xd8DtJxeeMZ5eF
 0HtzIG58qDRybwUe89FZprB1ffuUKzdE+HcL3FbNWSSOXVjZIersdXyH3NvnLLLF
 0DNRB2ix3bXG9Rh/RXpFsNxDp2CEMdUvbYCzE79K1EnUTVh1L0Of023FtPSZXX0c
 u7Pb5DI5lX5YeoXO6RoodrIGYJsVBQWnrWw4xNTconUfNPk0EGZtEnzvH2zyPoJh
 XGF+Ncu9XwbalnYde10OCvSWAZ5zTCpoLMTvQjWpbCdWXJzCm6G+/hx9upke546H
 5IjtYm4dTIVTnc3wvDiODgBKRzOl9rEOCIgOuGtDxRxcQkjrC+xvg5Vkqn7vBUyW
 9pHedOU+PoF3DGOM+dqv+eNKBvh9YF9ugFAQBkcG7viZgvGEMGGUpzNgN7XnS1gj
 /DPo9mZESOYnKceve2tIC87p2hqjrxOHuI7fkZYeNIcAoa83rBltFXaBDYhWAKS1
 PcXS1/7JzP0ky7d0L6Xbu/If5kqWQpKwUInXtySRkuraVfuK3Bpa+X1XecWi24JY
 HVtlNX025xx1ewVzGNCTlWn1skQN2OOoQTV4C8/qFpTW6DTWYurd4+fE0OJFJZQF
 buhfXYwmRlVOgN5i77NTIJZJQfYFj38c/Iv5vZBPokO6mffrOTv3MHWVgQARAQAB
 tDNSZWQgSGF0LCBJbmMuIChyZWxlYXNlIGtleSAyKSA8c2VjdXJpdHlAcmVkaGF0
 LmNvbT6JAjYEEwECACAFAkrgSTsCGwMGCwkIBwMCBBUCCAMEFgIDAQIeAQIXgAAK
 CRAZni+R/UMdUWzpD/9s5SFR/ZF3yjY5VLUFLMXIKUztNN3oc45fyLdTI3+UClKC
 2tEruzYjqNHhqAEXa2sN1fMrsuKec61Ll2NfvJjkLKDvgVIh7kM7aslNYVOP6BTf
 C/JJ7/ufz3UZmyViH/WDl+AYdgk3JqCIO5w5ryrC9IyBzYv2m0HqYbWfphY3uHw5
 un3ndLJcu8+BGP5F+ONQEGl+DRH58Il9Jp3HwbRa7dvkPgEhfFR+1hI+Btta2C7E
 0/2NKzCxZw7Lx3PBRcU92YKyaEihfy/aQKZCAuyfKiMvsmzs+4poIX7I9NQCJpyE
 IGfINoZ7VxqHwRn/d5mw2MZTJjbzSf+Um9YJyA0iEEyD6qjriWQRbuxpQXmlAJbh
 8okZ4gbVFv1F8MzK+4R8VvWJ0XxgtikSo72fHjwha7MAjqFnOq6eo6fEC/75g3NL
 Ght5VdpGuHk0vbdENHMC8wS99e5qXGNDued3hlTavDMlEAHl34q2H9nakTGRF5Ki
 JUfNh3DVRGhg8cMIti21njiRh7gyFI2OccATY7bBSr79JhuNwelHuxLrCFpY7V25
 OFktl15jZJaMxuQBqYdBgSay2G0U6D1+7VsWufpzd/Abx1/c3oi9ZaJvW22kAggq
 dzdA27UUYjWvx42w9menJwh/0jeQcTecIUd0d0rFcw/c1pvgMMl/Q73yzKgKYw==
 =zbHE
 -----END PGP PUBLIC KEY BLOCK-----
--- a/default-policy.json
+++ b/default-policy.json
@ -0,0 +1,32 @@
 {
    "default": [
        {
            "type": "insecureAcceptAnything"
        }
    ],
    "transports": {
        "docker": {
 	    "registry.access.redhat.com": [
 		{
 		    "type": "signedBy",
 		    "keyType": "GPGKeys",
 		    "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"
 		}
 	    ],
 	    "registry.redhat.io": [
 		{
 		    "type": "signedBy",
 		    "keyType": "GPGKeys",
 		    "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"
 		}
 	    ]
 	},
        "docker-daemon": {
 	    "": [
 		{
 		    "type": "insecureAcceptAnything"
 		}
 	    ]
 	}
    }
 }
--- a/default.yaml
+++ b/default.yaml
@ -0,0 +1,26 @@
 # This is a default registries.d configuration file.  You may
 # add to this file or create additional files in registries.d/.
 #
 # sigstore: indicates a location that is read and write
 # sigstore-staging: indicates a location that is only for write
 #
 # sigstore and sigstore-staging take a value of the following:
 #   sigstore:  {schema}://location
 #
 # For reading signatures, schema may be http, https, or file.
 # For writing signatures, schema may only be file.
 # This is the default signature write location for docker registries.
 default-docker:
 #  sigstore: file:///var/lib/containers/sigstore
  sigstore-staging: file:///var/lib/containers/sigstore
 # The 'docker' indicator here is the start of the configuration
 # for docker registries.
 #
 # docker:
 #
 #   privateregistry.com:
 #    sigstore: http://privateregistry.com/sigstore/
 #    sigstore-staging: /mnt/nfs/privateregistry/sigstore
--- a/registry.access.redhat.com.yaml
+++ b/registry.access.redhat.com.yaml
@ -0,0 +1,3 @@
 docker:
     registry.access.redhat.com:
         sigstore: https://access.redhat.com/webassets/docker/content/sigstore
--- a/registry.redhat.io.yaml
+++ b/registry.redhat.io.yaml
@ -0,0 +1,3 @@
 docker:
     registry.redhat.io:
         sigstore: https://registry.redhat.io/containers/sigstore
--- a/skopeo.spec
+++ b/skopeo.spec
@ -30,7 +30,7 @@ go build -buildmode pie -compiler gc -tags="rpm_crashtraceback libtrust_openssl
 Epoch: 1
 Name: skopeo
 Version: 1.3.1
-Release: 8%{?dist}
+Release: 9%{?dist}
 Summary: Inspect container images and repositories on registries
 License: ASL 2.0
 URL: %{git0}
@ -48,7 +48,7 @@ Source4: https://raw.githubusercontent.com/containers/image/%{image_branch}/docs
 #Source5: https://raw.githubusercontent.com/containers/image/%%{image_branch}/registries.conf
 Source5: registries.conf
 Source6: https://raw.githubusercontent.com/containers/image/%{image_branch}/docs/containers-policy.json.5.md
-Source7: https://raw.githubusercontent.com/containers/common/%{common_branch}/pkg/seccomp/seccomp.json
+Source7: https://raw.githubusercontent.com/containers/common/main/pkg/seccomp/seccomp.json
 Source8: https://raw.githubusercontent.com/containers/common/%{common_branch}/docs/containers-mounts.conf.5.md
 Source9: https://raw.githubusercontent.com/containers/image/%{image_branch}/docs/containers-signature.5.md
 Source10: https://raw.githubusercontent.com/containers/image/%{image_branch}/docs/containers-transports.5.md
@ -61,6 +61,12 @@ Source16: https://raw.githubusercontent.com/containers/image/%{image_branch}/doc
 Source17: https://raw.githubusercontent.com/containers/shortnames/%{shortnames_branch}/shortnames.conf
 Source19: 001-rhel-shortnames-pyxis.conf
 Source20: 002-rhel-shortnames-overrides.conf
 Source21: RPM-GPG-KEY-redhat-release
 Source22: registry.access.redhat.com.yaml
 Source23: registry.redhat.io.yaml
 #Source24: https://raw.githubusercontent.com/containers/skopeo/%{branch}/default-policy.json
 Source24: default-policy.json
 Source25: https://raw.githubusercontent.com/containers/skopeo/%{branch}/default.yaml
 # scripts used for synchronization with upstream and shortname generation
 Source100: update.sh
 Source101: update-vendored.sh
@ -151,6 +157,16 @@ install -m0644 %{SOURCE17} %{buildroot}%{_sysconfdir}/containers/registries.conf
 install -m0644 %{SOURCE19} %{buildroot}%{_sysconfdir}/containers/registries.conf.d/001-rhel-shortnames.conf
 install -m0644 %{SOURCE20} %{buildroot}%{_sysconfdir}/containers/registries.conf.d/002-rhel-shortnames-overrides.conf
 # for signature verification
 install -dp %{buildroot}%{_sysconfdir}/pki/rpm-gpg
 install -m0644 %{SOURCE21} %{buildroot}%{_sysconfdir}/pki/rpm-gpg
 install -dp %{buildroot}%{_sysconfdir}/containers/registries.d
 install -m0644 %{SOURCE22} %{buildroot}%{_sysconfdir}/containers/registries.d
 install -m0644 %{SOURCE23} %{buildroot}%{_sysconfdir}/containers/registries.d
 install -m0644 %{SOURCE24} %{buildroot}%{_sysconfdir}/containers/policy.json
 install -dp %{buildroot}%{_sharedstatedir}/containers/sigstore
 install -m0644 %{SOURCE25} %{buildroot}%{_sysconfdir}/containers/registries.d/default.yaml
 # for containers-common
 install -dp %{buildroot}%{_mandir}/man5
 go-md2man -in %{SOURCE2} -out %{buildroot}%{_mandir}/man5/containers-storage.conf.5
@ -208,9 +224,12 @@ export GOPATH=%{buildroot}/%{gopath}:$(pwd)/vendor:%{gopath}
 %dir %{_sysconfdir}/containers
 %dir %{_sysconfdir}/containers/certs.d
 %dir %{_sysconfdir}/containers/registries.d
 %{_sysconfdir}/containers/registries.d/registry.redhat.io.yaml
 %{_sysconfdir}/containers/registries.d/registry.access.redhat.com.yaml
 %dir %{_sysconfdir}/containers/oci
 %dir %{_sysconfdir}/containers/oci/hooks.d
 %dir %{_sysconfdir}/containers/registries.conf.d
 %{_sysconfdir}/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
 %config(noreplace) %{_sysconfdir}/containers/policy.json
 %config(noreplace) %{_sysconfdir}/containers/registries.d/default.yaml
 %config(noreplace) %{_sysconfdir}/containers/storage.conf
@ -227,6 +246,7 @@ export GOPATH=%{buildroot}/%{gopath}:$(pwd)/vendor:%{gopath}
 %dir %{_datadir}/rhel/secrets
 %{_datadir}/rhel/secrets/*
 %files
 %license LICENSE
 %doc README.md
@ -241,6 +261,10 @@ export GOPATH=%{buildroot}/%{gopath}:$(pwd)/vendor:%{gopath}
 %{_datadir}/%{name}/test
 %changelog
 * Tue Jul 27 2021 Jindrich Novy <jnovy@redhat.com> - 1:1.3.1-9
 - Add support for signed RHEL images, enabled by default
 - Related: #1970747
 * Mon Jul 26 2021 Jindrich Novy <jnovy@redhat.com> - 1:1.3.1-8
 - update seccomp.json from Fedora to allow clone3 to pass
 - Related: #1970747