Explicitly add Red Hat Release Public key contents

openshift · Jan 19, 2025 · f89c985 · f89c985
1 parent fecb474
commit f89c985
Showing 1 changed file with 34 additions and 8 deletions.
diff --git a/test/kickstart-templates/includes/post-containers.cfg b/test/kickstart-templates/includes/post-containers.cfg
@@ -1,15 +1,15 @@
 # The pull secret is mandatory for MicroShift builds on top of OpenShift, but not OKD
 # The /etc/crio/crio.conf.d/microshift.conf references the /etc/crio/openshift-pull-secret file
 mkdir -p /etc/crio
-cat > /etc/crio/openshift-pull-secret <<EOF
+cat > /etc/crio/openshift-pull-secret <<'EOF'
 REPLACE_PULL_SECRET
 EOF
 chmod 600 /etc/crio/openshift-pull-secret
 
 # Setup mirror registries configuration here, as the hostname is dynamic and the file is verbose.
 # Use hostnames as IP addresses are not allowed.
 mkdir -p /etc/containers/registries.conf.d
-cat > /etc/containers/registries.conf.d/999-microshift-mirror.conf <<EOF
+cat > /etc/containers/registries.conf.d/999-microshift-mirror.conf <<'EOF'
 [[registry]]
     prefix = ""
     location = "REPLACE_MIRROR_HOSTNAME:REPLACE_MIRROR_PORT"
@@ -33,15 +33,33 @@ cat > /etc/containers/registries.conf.d/999-microshift-mirror.conf <<EOF
     insecure = true
 EOF
 
-# Download the Red Hat public key published at https://access.redhat.com/security/team/key.
+# Red Hat public keys are published at https://access.redhat.com/security/team/key.
 # Currently release key 3 is used.
-curl -L https://access.redhat.com/security/data/63405576.txt > /etc/containers/RedHat_ReleaseKey3.pub
+cat > /etc/containers/RedHat_ReleaseKey3.pub <<'EOF'
+pub   4096R/E60D446E63405576 2024-09-20
+uid                          Red Hat, Inc. (release key 3) <[email protected]>
+
+-----BEGIN PUBLIC KEY-----
+MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA0ASyuH2TLWvBUqPHZ4Ip
+75g7EncBkgQHdJnjzxAW5KQTMh/siBoB/BoSrtiPMwnChbTCnQOIQeZuDiFnhuJ7
+M/D3b7JoX0m123NcCSn67mAdjBa6Bg6kukZgCP4ZUZeESajWX/EjylFcRFOXW57p
+RDCEN42J/jYlVqt+g9+Grker8Sz86H3l0tbqOdjbz/VxHYhwF0ctUMHsyVRDq2QP
+tqzNXlmlMhS/PoFr6R4u/7HCn/K+LegcO2fAFOb40KvKSKKVD6lewUZErhop1CgJ
+XjDtGmmO9dGMF71mf6HEfaKSdy+EE6iSF2A2Vv9QhBawMiq2kOzEiLg4nAdJT8wg
+ZrMAmPCqGIsXNGZ4/Q+YTwwlce3glqb5L9tfNozEdSR9N85DESfQLQEdY3CalwKM
+BT1OEhEX1wHRCU4drMOej6BNW0VtscGtHmCrs74jPezhwNT8ypkyS+T0zT4Tsy6f
+VXkJ8YSHyenSzMB2Op2bvsE3grY+s74WhG9UIA6DBxcTie15NSzKwfzaoNWODcLF
+p7BY8aaHE2MqFxYFX+IbjpkQRfaeQQsouDFdCkXEFVfPpbD2dk6FleaMTPuyxtIT
+gjVEtGQK2qGCFGiQHFd4hfV+eCA63Jro1z0zoBM5BbIIQ3+eVFwt3AlZp5UVwr6d
+secqki/yrmv3Y0dqZ9VOn3UCAwEAAQ==
+-----END PUBLIC KEY-----
+EOF
 
 # Configure containers policy to use the Red Hat public key
 if [ -f /etc/containers/policy.json ] ; then
     mv /etc/containers/policy.json /etc/containers/policy.json.orig
 fi
-cat > /etc/containers/policy.json <<EOF
+cat > /etc/containers/policy.json <<'EOF'
 {
     "default": [
         {
@@ -69,14 +87,22 @@ cat > /etc/containers/policy.json <<EOF
 }
 EOF
 
-# Configure the MicroShift registries to use sigstore attachments
-cat > /etc/containers/registries.d/registry.quay.io.yaml <<EOF
+# Configure the MicroShift remote registries to use sigstore attachments
+# Note that registry.redhat.io.yaml should already be present.
+cat > /etc/containers/registries.d/registry.quay.io.yaml <<'EOF'
 docker:
     quay.io/openshift-release-dev:
         use-sigstore-attachments: true
 EOF
 
+# Configure the MicroShift local registries to use sigstore attachments
+cat > /etc/containers/registries.d/registry.quay.local.yaml <<'EOF'
+docker:
+    REPLACE_MIRROR_HOSTNAME:REPLACE_MIRROR_PORT:
+        use-sigstore-attachments: true
+EOF
+
 # Add the mirror registry host name resolution
-cat >> /etc/hosts <<EOF
+cat >> /etc/hosts <<'EOF'
 REPLACE_VM_BRIDGE_IP REPLACE_MIRROR_HOSTNAME
 EOF