Hello, my Fedora 37 update https://bodhi.fedoraproject.org/updates/FEDORA-2022-ea61708c2d runs a gating test https://osci-jenkins-1.ci.fedoraproject.org/job/fedora-ci/job/dist-git-pi... In the test we check if the tool (rpm2swidtag) generates the correct SWID tags, and one of the things that it checks is the match between the distribution and the signatures used on the packages. However, the output of the gating test shows that the rpm -qi bash | grep '^Signature' command produces + rpm -qi bash + grep '^Signature' Signature : RSA/SHA256, Wed 19 Jan 2022 10:50:42 PM UTC, Key ID 999f7cbf38ab71f4 which is exactly the same that the Fedora 36 job shows in https://osci-jenkins-1.ci.fedoraproject.org/job/fedora-ci/job/dist-git-pi... but it's not the key with which for example the package in the Fedora rawhide container is signed: $ podman run --rm registry.fedoraproject.org/fedora:rawhide rpm -qi bash | grep '^Signature' Signature : RSA/SHA256, Wed Feb 9 02:13:15 2022, Key ID f55ad3fb5323552a Note that the container still has the .fc36 build $ podman run --rm registry.fedoraproject.org/fedora:rawhide rpm -q bash bash-5.1.16-2.fc36.x86_64 but its signature matches the rawhide (and future Fedora 37) key. It seems the environment used to run the tests for Fedora 37 has /etc/os-release which says Fedora 37 but at the same time the packages are not signed with the respective key, even if those signatures are already available as shown by the rawhide compose image. Is this expected or a bug? -- Jan Pazdziora Product Owner, Platform Security Readiness, Red Hat _______________________________________________ CI mailing list -- ci(a)lists.fedoraproject.org To unsubscribe send an email to ci-leave(a)lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/ci@lists.fedoraproject.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure

Unfortunately we were not able to find a working newer Rawhide image: https://pagure.io/cloud-sig/issue/372 So we are blocked until this is resolved. Best regards, /M On Mon, Mar 14, 2022 at 12:09 PM Miroslav Vadkerti <mvadkert(a)redhat.com&gt; wrote: > Hi, > > We have a fairly old rawhide image due to > > https://pagure.io/fedora-infrastructure/issue/10532 > > I am updating it today manually and will restart your job afterwards. > > HTH, > /M > > On Mon, Mar 14, 2022 at 12:01 PM Jan Pazdziora <jpazdziora(a)redhat.com&gt; > wrote: > >> >> Hello, >> >> my Fedora 37 update >> >> https://bodhi.fedoraproject.org/updates/FEDORA-2022-ea61708c2d >> >> runs a gating test >> >> >> https://osci-jenkins-1.ci.fedoraproject.org/job/fedora-ci/job/dist-git-pi... >> >> In the test we check if the tool (rpm2swidtag) generates the correct >> SWID tags, and one of the things that it checks is the match between >> the distribution and the signatures used on the packages. >> >> However, the output of the gating test shows that the >> >> rpm -qi bash | grep '^Signature' >> >> command produces >> >> + rpm -qi bash >> + grep '^Signature' >> Signature : RSA/SHA256, Wed 19 Jan 2022 10:50:42 PM UTC, Key >> ID 999f7cbf38ab71f4 >> >> which is exactly the same that the Fedora 36 job shows in >> >> >> https://osci-jenkins-1.ci.fedoraproject.org/job/fedora-ci/job/dist-git-pi... >> >> but it's not the key with which for example the package in the Fedora >> rawhide container is signed: >> >> $ podman run --rm registry.fedoraproject.org/fedora:rawhide rpm >> -qi bash | grep '^Signature' >> Signature : RSA/SHA256, Wed Feb 9 02:13:15 2022, Key ID >> f55ad3fb5323552a >> >> Note that the container still has the .fc36 build >> >> $ podman run --rm registry.fedoraproject.org/fedora:rawhide rpm >> -q bash >> bash-5.1.16-2.fc36.x86_64 >> >> but its signature matches the rawhide (and future Fedora 37) key. >> >> It seems the environment used to run the tests for Fedora 37 has >> /etc/os-release which says Fedora 37 but at the same time the packages >> are not signed with the respective key, even if those signatures are >> already available as shown by the rawhide compose image. >> >> Is this expected or a bug? >> >> -- >> Jan Pazdziora >> Product Owner, Platform Security Readiness, Red Hat >> _______________________________________________ >> CI mailing list -- ci(a)lists.fedoraproject.org >> To unsubscribe send an email to ci-leave(a)lists.fedoraproject.org >> Fedora Code of Conduct: >> https://docs.fedoraproject.org/en-US/project/code-of-conduct/ >> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines >> List Archives: >> https://lists.fedoraproject.org/archives/list/ci@lists.fedoraproject.org >> Do not reply to spam on the list, report it: >> https://pagure.io/fedora-infrastructure >> > > > -- > Miroslav Vadkerti :: Senior Principal QE :: Testing Farm / Linux QE > IRC mvadkert #tft #tmt #osci :: Mobile +420 773 944 252 > Remote Czech Republic :: Red Hat Czech s.r.o > > > -- Miroslav Vadkerti :: Senior Principal QE :: Testing Farm / Linux QE IRC mvadkert #tft #tmt #osci :: Mobile +420 773 944 252 Remote Czech Republic :: Red Hat Czech s.r.o