
Use Sequoia in RHEL 10 instead of GPG

Open vojtapolasek opened this issue 1 month ago • 4 comments

Description:

  • create a new rule package_sequoia-sq_installed
  • enhance rule ensure_redhat_gpgkey_installed so that it uses the sq command instead of gpg on RHEL 10
  • check for new PQC key in RHEL >= 10
  • The build system ordering takes care that the sq package is installed so that it can be later used. So in case rule ensure_redhat_gpgkey_installed exists in the profile, the rule package_sequoia-sq_installed should be present in the profile as well.
  • Modify all RHEL 10 profiles so that the new rule is there. This also involved exempting the rule from many other profiles which are based on the same control file (ANSSI, PCI-DSS, OSPP etc.)

Rationale:

  • There are two reasons for this change.
    • there is a new RPM release key in RHEL >= 10 and it needs to be checked that it exists
    • in case this key is shipped, the regular gpg command cannot handle it and it needs to be inspected with the sq command

Review Hints:

Test with Automatus. But ensure that the RHEL machine contains all three keys.

vojtapolasek avatar Nov 28 '25 14:11 vojtapolasek
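The platform-dependent check the description above outlines, as an added example that is not code from the ComplianceAsCode project or from this PR: the release keys are read out of the RPM database as gpg-pubkey packages and inspected with sq on RHEL >= 10 and with gpg on older releases; the sq/gpg output parsing is an assumption, and no real key fingerprints are given (the caller supplies the expected list).

```shell
#!/bin/sh
# Added example, not ComplianceAsCode code: sketch of the platform-dependent
# check this PR describes. Release keys sit in the RPM database as gpg-pubkey
# packages; RHEL >= 10 inspects them with sq (gpg cannot parse the new PQC
# key), older releases with gpg. Output parsing is an assumption.
# Choose the key inspection tool from the RHEL major version (sq for >= 10).
key_tool() {
    case "$1" in ''|*[!0-9]*) echo unknown; return 1 ;; esac
    if [ "$1" -ge 10 ]; then echo sq; else echo gpg; fi
}
# Major version from an os-release file: VERSION_ID="10.0" -> 10.
os_major() {
    sed -n 's/^VERSION_ID=//p' "$1" | tr -d '"' | cut -d. -f1
}
# Print the fingerprint(s) of one ASCII-armored key file with the given tool.
key_fingerprints() {
    case "$1" in
        sq)  sq inspect "$2" | sed -n 's/^ *Fingerprint: *//p' | tr -d ' ' ;;
        gpg) gpg --with-colons --import-options show-only --import "$2" 2>/dev/null |
                 awk -F: '$1 == "fpr" { print $10 }' ;;
        *)   return 1 ;;
    esac
}
# Fingerprints of every gpg-pubkey package: export each key's armored block
# from rpm -qi into a temp file and inspect it with the chosen tool.
installed_fingerprints() {
    tmp=$(mktemp) || return 1
    for pkg in $(rpm -q gpg-pubkey --qf '%{NAME}-%{VERSION}-%{RELEASE}\n'); do
        rpm -qi "$pkg" | sed -n '/^-----BEGIN PGP/,/^-----END PGP/p' > "$tmp"
        key_fingerprints "$1" "$tmp"
    done
    rm -f "$tmp"
}

# Print expected fingerprints ($1, newline separated) that are absent from
# the installed list ($2); status 1 if any is missing, 0 if all are present.
missing_fingerprints() {
    rc=0
    for fp in $1; do
        printf '%s\n' "$2" | grep -Fxq "$fp" || { echo "$fp"; rc=1; }
    done
    return $rc
}

# Driver for a RHEL host: $1 is the expected list (the real fingerprints
# belong in the rule content; none are given here).
check_release_keys() {
    tool=$(key_tool "$(os_major /etc/os-release)") || return 2
    missing_fingerprints "$1" "$(installed_fingerprints "$tool")"
}
```

On a RHEL host, call `check_release_keys` with the three expected fingerprints (one per line); a non-zero status plus the printed fingerprints tells you which release key is missing from the RPM database.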

Skipping CI for Draft Pull Request. If you want CI signal for your change, please convert it to an actual PR. You can still manually trigger a test run with /test all

openshift-ci[bot] avatar Nov 28 '25 14:11 openshift-ci[bot]

@jan-cerny I added the rule to all relevant RHEL 10 profiles.

vojtapolasek avatar Dec 09 '25 09:12 vojtapolasek

@vojtapolasek Unfortunately, the static-checks test still has problems with some references. See the test output https://artifacts.dev.testing-farm.io/992274c6-fdf8-4db5-821f-21487b721236/

jan-cerny avatar Dec 09 '25 10:12 jan-cerny

@vojtapolasek: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name: ci/prow/e2e-aws-openshift-node-compliance
Commit: ac9f4e3d5114f725ec7bd5269e86e75030f9360a
Details: link
Required: true
Rerun command: /test e2e-aws-openshift-node-compliance


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

openshift-ci[bot] avatar Dec 11 '25 12:12 openshift-ci[bot]

@ComplianceAsCode/suse-maintainers @ComplianceAsCode/ubuntu-maintainers @ComplianceAsCode/oracle-maintainers Can you please review this? It shouldn't add anything to your product's profiles.

jan-cerny avatar Dec 11 '25 12:12 jan-cerny

@jan-cerny I believe I solved all problems with missing references.

vojtapolasek avatar Dec 11 '25 12:12 vojtapolasek