From e8c6b7151e5b78a0a50fa6505b25f6633b3746c3 Mon Sep 17 00:00:00 2001
From: Alex Goodman
Date: Tue, 26 May 2026 10:11:38 -0400
Subject: [PATCH] swap postgres signature check for rocky linux baseline rpm (#4941)
Signed-off-by: Alex Goodman
---
 .../redhat/parse_rpm_archive_test.go | 28 ++++++++--------
 .../testdata/image-rpm-archive/Dockerfile | 32 +++++++++----------
 2 files changed, 29 insertions(+), 31 deletions(-)
diff --git a/syft/pkg/cataloger/redhat/parse_rpm_archive_test.go b/syft/pkg/cataloger/redhat/parse_rpm_archive_test.go
index 28083b6be..b588aaad4 100644
--- a/syft/pkg/cataloger/redhat/parse_rpm_archive_test.go
+++ b/syft/pkg/cataloger/redhat/parse_rpm_archive_test.go
@@ -118,32 +118,32 @@ func TestParseRpmFiles(t *testing.T) {
 skipFiles: true,
 expected: []pkg.Package{
 {
- Name: "postgresql14-server",
- Version: "0:14.10-1PGDG.rhel9",
- PURL: "pkg:rpm/postgresql14-server@14.10-1PGDG.rhel9?arch=x86_64&epoch=0&upstream=postgresql14-14.10-1PGDG.rhel9.src.rpm",
- Locations: file.NewLocationSet(file.NewLocation("/postgresql14-server-14.10-1PGDG.rhel9.x86_64.rpm")),
+ Name: "basesystem",
+ Version: "0:11-13.el9.0.1",
+ PURL: "pkg:rpm/basesystem@11-13.el9.0.1?arch=noarch&epoch=0&upstream=basesystem-11-13.el9.0.1.src.rpm",
+ Locations: file.NewLocationSet(file.NewLocation("/basesystem-11-13.el9.0.1.noarch.rpm")),
 FoundBy: "rpm-archive-cataloger",
 Type: pkg.RpmPkg,
- Licenses: pkg.NewLicenseSet(pkg.NewLicenseFromLocations("PostgreSQL", file.NewLocation("/postgresql14-server-14.10-1PGDG.rhel9.x86_64.rpm"))),
+ Licenses: pkg.NewLicenseSet(pkg.NewLicenseFromLocations("Public Domain", file.NewLocation("/basesystem-11-13.el9.0.1.noarch.rpm"))),
 Language: "",
 CPEs: nil,
 Metadata: pkg.RpmArchive{
- Name: "postgresql14-server",
- Version: "14.10",
+ Name: "basesystem",
+ Version: "11",
 Epoch: ref(0),
- Arch: "x86_64",
- Release: "1PGDG.rhel9",
- SourceRpm: "postgresql14-14.10-1PGDG.rhel9.src.rpm",
- Size: 24521699,
+ Arch: "noarch",
+ Release: "13.el9.0.1",
+ SourceRpm: "basesystem-11-13.el9.0.1.src.rpm",
+ Size: 0,
 Signatures: []pkg.RpmSignature{
 {
 PublicKeyAlgorithm: "RSA",
 HashAlgorithm: "SHA256",
- Created: "Tue Jan 2 16:45:56 2024",
- IssuerKeyID: "40bca2b408b40d20",
+ Created: "Thu Feb 29 17:37:22 2024",
+ IssuerKeyID: "702d426d350d275d",
 },
 },
- Vendor: "PostgreSQL Global Development Group",
+ Vendor: "Rocky Enterprise Software Foundation",
 // note: files are not asserted in this test
 },
 },
diff --git a/syft/pkg/cataloger/redhat/testdata/image-rpm-archive/Dockerfile b/syft/pkg/cataloger/redhat/testdata/image-rpm-archive/Dockerfile
index 0e972ecf5..b66f3d00f 100644
--- a/syft/pkg/cataloger/redhat/testdata/image-rpm-archive/Dockerfile
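Review bot: The new expected `Size: 0` in the RpmArchive metadata reads like a placeholder next to the other concrete values (the previous fixture asserted 24521699), and nothing in the hunk says why zero is the right answer for this package. A short comment would keep a future maintainer from "fixing" it, e.g. `Size: 0, // basesystem presumably ships no payload files, so the header size tag is zero — confirm with rpm -qip on the fixture`. The TestParseRpmFiles case table this entry belongs to starts and ends outside the hunk.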
+++ b/syft/pkg/cataloger/redhat/testdata/image-rpm-archive/Dockerfile 
@@ -1,26 +1,24 @@ FROM --platform=linux/amd64 rockylinux:9 AS rpm-downloader -# download a signed RPM (PostgreSQL in this example, known to be signed) -# using PostgreSQL official RPM which is signed with their GPG key -# $ rpm -Kv postgresql14-server-14.10-1PGDG.rhel9.x86_64.rpm -# postgresql14-server-14.10-1PGDG.rhel9.x86_64.rpm: -# Header V4 RSA/SHA256 Signature, key ID 08b40d20: NOKEY -# Header SHA256 digest: OK -# Header SHA1 digest: OK -# Payload SHA256 digest: OK -# MD5 digest: OK +# download a signed RPM from the Rocky Linux 9.3 vault. Rocky Linux freezes +# minor-version contents in the vault indefinitely, which gives us a stable +# upstream that won't rotate the way distro "current" repos do (the previous +# fixture used a PostgreSQL repo and broke when PG removed older 14.x RPMs). # -# $ rpm -ivh --nodeps --force postgresql14-server-14.10-1PGDG.rhel9.x86_64.rpm -# warning: postgresql14-server-14.10-1PGDG.rhel9.x86_64.rpm: Header V4 RSA/SHA256 Signature, key ID 08b40d20: NOKEY -# Verifying... ################################# [100%] -# Preparing... 
################################# [100%] +# $ rpm -Kv basesystem-11-13.el9.0.1.noarch.rpm +# basesystem-11-13.el9.0.1.noarch.rpm: +# Header V4 RSA/SHA256 Signature, key ID 350d275d: NOKEY +# Header SHA256 digest: OK +# Header SHA1 digest: OK +# Payload SHA256 digest: OK +# MD5 digest: OK # -# $ rpm -q --qf '%{NAME}-%{VERSION}-%{RELEASE} %{RSAHEADER:pgpsig}\n' postgresql14-server-14.10-1PGDG.rhel9.x86_64 -# postgresql14-server-14.10-1PGDG.rhel9 RSA/SHA256, Tue Jan 2 16:45:56 2024, Key ID 40bca2b408b40d20 +# $ rpm -qp --qf '%{NAME}-%{VERSION}-%{RELEASE} %{RSAHEADER:pgpsig}\n' basesystem-11-13.el9.0.1.noarch.rpm +# basesystem-11-13.el9.0.1 RSA/SHA256, Thu Feb 29 17:37:22 2024, Key ID 702d426d350d275d -RUN curl -O https://download.postgresql.org/pub/repos/yum/14/redhat/rhel-9-x86_64/postgresql14-server-14.10-1PGDG.rhel9.x86_64.rpm +RUN curl -O https://dl.rockylinux.org/vault/rocky/9.3/BaseOS/x86_64/os/Packages/b/basesystem-11-13.el9.0.1.noarch.rpm FROM scratch -COPY --from=rpm-downloader /postgresql14-server-14.10-1PGDG.rhel9.x86_64.rpm /postgresql14-server-14.10-1PGDG.rhel9.x86_64.rpm \ No newline at end of file +COPY --from=rpm-downloader /basesystem-11-13.el9.0.1.noarch.rpm /basesystem-11-13.el9.0.1.noarch.rpm
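Review bot: The fixture fetched on the new `RUN curl -O …` line is still consumed without any integrity check: `curl -O` without `-f` saves an HTTP error body under the RPM filename and the build succeeds, and nothing verifies the digest or signature of what is copied into the scratch image, so the key ID and date assertions in the Go test are the only thing standing between a substituted artifact and a green run. Since the vault URL is intended to be immutable, pinning the digest is cheap: `RUN curl -fsSLO https://dl.rockylinux.org/vault/rocky/9.3/BaseOS/x86_64/os/Packages/b/basesystem-11-13.el9.0.1.noarch.rpm \` followed by `  && echo "<sha256-of-fixture>  basesystem-11-13.el9.0.1.noarch.rpm" | sha256sum -c -`. If the rockylinux:9 base image ships the distro release key, an `rpm --import` of it followed by `rpm -K` on the file would also turn the `NOKEY` shown in the quoted comment into an actual signature verification — worth confirming the key path in the image before relying on it.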