Skip to content

WIP: Use Sequoia in RHEL 10 instead of GPG #14193

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
wants to merge 6 commits into
base: master
Choose a base branch
from
Draft

WIP: Use Sequoia in RHEL 10 instead of GPG #14193

wants to merge 6 commits into from

Conversation

@vojtapolasek
Copy link
Collaborator

@vojtapolasek vojtapolasek commented Nov 28, 2025

Description:

  • create a new rule package_sequoia-sq_installed
  • enhance rule ensure_redhat_gpgkey_installed so that it uses the sq command instead of gpg n RHEL 10
  • check for new PQC key in RHEL >= 10
  • The build system ordering takes care that the sq package is installed so that it can be later used. So in case rule ensure_redhat_gpgkey_installed exists in the profile, the rule package_sequoia-sq_installed should be present in the profile as well.

Rationale:

  • There are two reasons for this change.
    • there is a new RPM release key in RHEL >= 10 and it needs to be checked that it exists
    • in case this key is shipped, the regular gpg command cannot handle it and it needs to be inspected with the sq command

Question to be answered: Is the new PQC key going to be present always or only sometimes?

Review Hints:

Test with Automatus. But ensure that the RHEL machine contains all three keys.

@vojtapolasek vojtapolasek added this to the 0.1.80 milestone Nov 28, 2025
@vojtapolasek vojtapolasek added New Rule Issues or pull requests related to new Rules. Update Profile Issues or pull requests related to Profiles updates. RHEL10 Red Hat Enterprise Linux 10 product related. labels Nov 28, 2025
@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress Used by openshift-ci bot. label Nov 28, 2025
@openshift-ci
Copy link

openshift-ci bot commented Nov 28, 2025

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@matusmarhefka matusmarhefka Awaiting requested review from matusmarhefka matusmarhefka will be requested when the pull request is marked ready for review matusmarhefka is a code owner

@Mab879 Mab879 Awaiting requested review from Mab879 Mab879 will be requested when the pull request is marked ready for review Mab879 is a code owner

@jan-cerny jan-cerny Awaiting requested review from jan-cerny jan-cerny will be requested when the pull request is marked ready for review jan-cerny is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

do-not-merge/work-in-progress Used by openshift-ci bot. New Rule Issues or pull requests related to new Rules. RHEL10 Red Hat Enterprise Linux 10 product related. Update Profile Issues or pull requests related to Profiles updates.

Projects

None yet

Milestone

0.1.80

Development

Successfully merging this pull request may close these issues.

1 participant

@vojtapolasek