Ok, the issue was PEBKAC

So we now have Fedora-Cloud-Base-Rawhide-20220314.n.0 but it still has fc36 bash, but the signature seems correct:

[fedora@ip-172-31-31-119 ~]$ rpm -q bash
bash-5.1.16-2.fc36.aarch64

[fedora@ip-172-31-31-119 ~]$  rpm -qi bash | grep '^Signature'
Signature   : RSA/SHA256, Wed 09 Feb 2022 02:13:17 AM UTC, Key ID f55ad3fb5323552a

Restarted your test:

https://osci-jenkins-1.ci.fedoraproject.org/job/fedora-ci/job/dist-git-pipeline/job/master/122039/console

HTH,
/M

On Tue, Mar 15, 2022 at 12:24 AM Miroslav Vadkerti <mvadkert@redhat.com> wrote:
Unfortunately we were not able to find a working newer Rawhide image:

https://pagure.io/cloud-sig/issue/372

So we are blocked until this is resolved.

Best regards,
/M

On Mon, Mar 14, 2022 at 12:09 PM Miroslav Vadkerti <mvadkert@redhat.com> wrote:
Hi,

We have a fairly old rawhide image due to

https://pagure.io/fedora-infrastructure/issue/10532

I am updating it today manually and will restart your job afterwards.

HTH,
/M

On Mon, Mar 14, 2022 at 12:01 PM Jan Pazdziora <jpazdziora@redhat.com> wrote:

Hello,

my Fedora 37 update

        https://bodhi.fedoraproject.org/updates/FEDORA-2022-ea61708c2d

runs a gating test

        https://osci-jenkins-1.ci.fedoraproject.org/job/fedora-ci/job/dist-git-pipeline/job/master/121780/testReport/(root)/tests/simple/

In the test we check if the tool (rpm2swidtag) generates the correct
SWID tags, and one of the things that it checks is the match between
the distribution and the signatures used on the packages.

However, the output of the gating test shows that the

        rpm -qi bash | grep '^Signature'

command produces

        + rpm -qi bash
        + grep '^Signature'
        Signature   : RSA/SHA256, Wed 19 Jan 2022 10:50:42 PM UTC, Key ID 999f7cbf38ab71f4

which is exactly the same that the Fedora 36 job shows in

        https://osci-jenkins-1.ci.fedoraproject.org/job/fedora-ci/job/dist-git-pipeline/job/master/117404/testReport/(root)/tests/simple/

but it's not the key with which for example the package in the Fedora
rawhide container is signed:

        $ podman run --rm registry.fedoraproject.org/fedora:rawhide rpm -qi bash | grep '^Signature'
        Signature   : RSA/SHA256, Wed Feb  9 02:13:15 2022, Key ID f55ad3fb5323552a

Note that the container still has the .fc36 build

        $ podman run --rm registry.fedoraproject.org/fedora:rawhide rpm -q bash
        bash-5.1.16-2.fc36.x86_64

but its signature matches the rawhide (and future Fedora 37) key.

It seems the environment used to run the tests for Fedora 37 has
/etc/os-release which says Fedora 37 but at the same time the packages
are not signed with the respective key, even if those signatures are
already available as shown by the rawhide compose image.

Is this expected or a bug?

--
Jan Pazdziora
Product Owner, Platform Security Readiness, Red Hat
_______________________________________________
CI mailing list -- ci@lists.fedoraproject.org
To unsubscribe send an email to ci-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/ci@lists.fedoraproject.org
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure


--
Miroslav Vadkerti :: Senior Principal QE :: Testing Farm / Linux QE
IRC mvadkert #tft #tmt #osci :: Mobile +420 773 944 252
Remote Czech Republic :: Red Hat Czech s.r.o




--
Miroslav Vadkerti :: Senior Principal QE :: Testing Farm / Linux QE
IRC mvadkert #tft #tmt #osci :: Mobile +420 773 944 252
Remote Czech Republic :: Red Hat Czech s.r.o




--
Miroslav Vadkerti :: Senior Principal QE :: Testing Farm / Linux QE
IRC mvadkert #tft #tmt #osci :: Mobile +420 773 944 252
Remote Czech Republic :: Red Hat Czech s.r.o