swap postgres signature check for rocky linux baseline rpm (#4941)

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
2026-06-10 06:18:24 +02:00 · 2026-05-26 10:11:38 -04:00 · 2026-05-26 10:11:38 -04:00 · e8c6b7151e
commit e8c6b7151e
parent 0fb8762f41
2 changed files with 29 additions and 31 deletions
--- a/syft/pkg/cataloger/redhat/parse_rpm_archive_test.go
+++ b/syft/pkg/cataloger/redhat/parse_rpm_archive_test.go
@ -118,32 +118,32 @@ func TestParseRpmFiles(t *testing.T) {
 			skipFiles:    true,
 			expected: []pkg.Package{
 				{
-					Name:      "postgresql14-server",
-					Version:   "0:14.10-1PGDG.rhel9",
-					PURL:      "pkg:rpm/postgresql14-server@14.10-1PGDG.rhel9?arch=x86_64&epoch=0&upstream=postgresql14-14.10-1PGDG.rhel9.src.rpm",
-					Locations: file.NewLocationSet(file.NewLocation("/postgresql14-server-14.10-1PGDG.rhel9.x86_64.rpm")),
+					Name:      "basesystem",
+					Version:   "0:11-13.el9.0.1",
+					PURL:      "pkg:rpm/basesystem@11-13.el9.0.1?arch=noarch&epoch=0&upstream=basesystem-11-13.el9.0.1.src.rpm",
+					Locations: file.NewLocationSet(file.NewLocation("/basesystem-11-13.el9.0.1.noarch.rpm")),
 					FoundBy:   "rpm-archive-cataloger",
 					Type:      pkg.RpmPkg,
-					Licenses:  pkg.NewLicenseSet(pkg.NewLicenseFromLocations("PostgreSQL", file.NewLocation("/postgresql14-server-14.10-1PGDG.rhel9.x86_64.rpm"))),
+					Licenses:  pkg.NewLicenseSet(pkg.NewLicenseFromLocations("Public Domain", file.NewLocation("/basesystem-11-13.el9.0.1.noarch.rpm"))),
 					Language:  "",
 					CPEs:      nil,
 					Metadata: pkg.RpmArchive{
-						Name:      "postgresql14-server",
-						Version:   "14.10",
+						Name:      "basesystem",
+						Version:   "11",
 						Epoch:     ref(0),
-						Arch:      "x86_64",
-						Release:   "1PGDG.rhel9",
-						SourceRpm: "postgresql14-14.10-1PGDG.rhel9.src.rpm",
-						Size:      24521699,
+						Arch:      "noarch",
+						Release:   "13.el9.0.1",
+						SourceRpm: "basesystem-11-13.el9.0.1.src.rpm",
+						Size:      0,
 						Signatures: []pkg.RpmSignature{
 							{
 								PublicKeyAlgorithm: "RSA",
 								HashAlgorithm:      "SHA256",
-								Created:            "Tue Jan  2 16:45:56 2024",
-								IssuerKeyID:        "40bca2b408b40d20",
+								Created:            "Thu Feb 29 17:37:22 2024",
+								IssuerKeyID:        "702d426d350d275d",
 							},
 						},
-						Vendor: "PostgreSQL Global Development Group",
+						Vendor: "Rocky Enterprise Software Foundation",
 						// note: files are not asserted in this test
 					},
 				},
--- a/syft/pkg/cataloger/redhat/testdata/image-rpm-archive/Dockerfile
+++ b/syft/pkg/cataloger/redhat/testdata/image-rpm-archive/Dockerfile
@ -1,26 +1,24 @@

 FROM --platform=linux/amd64 rockylinux:9 AS rpm-downloader

-# download a signed RPM (PostgreSQL in this example, known to be signed)
-# using PostgreSQL official RPM which is signed with their GPG key
-# $ rpm -Kv postgresql14-server-14.10-1PGDG.rhel9.x86_64.rpm
-#   postgresql14-server-14.10-1PGDG.rhel9.x86_64.rpm:
-#      Header V4 RSA/SHA256 Signature, key ID 08b40d20: NOKEY
+# download a signed RPM from the Rocky Linux 9.3 vault. Rocky Linux freezes
+# minor-version contents in the vault indefinitely, which gives us a stable
+# upstream that won't rotate the way distro "current" repos do (the previous
+# fixture used a PostgreSQL repo and broke when PG removed older 14.x RPMs).
+#
+# $ rpm -Kv basesystem-11-13.el9.0.1.noarch.rpm
+#   basesystem-11-13.el9.0.1.noarch.rpm:
+#       Header V4 RSA/SHA256 Signature, key ID 350d275d: NOKEY
 #       Header SHA256 digest: OK
 #       Header SHA1 digest: OK
 #       Payload SHA256 digest: OK
 #       MD5 digest: OK
 #
-# $ rpm -ivh --nodeps --force postgresql14-server-14.10-1PGDG.rhel9.x86_64.rpm
-#   warning: postgresql14-server-14.10-1PGDG.rhel9.x86_64.rpm: Header V4 RSA/SHA256 Signature, key ID 08b40d20: NOKEY
-#   Verifying...                          ################################# [100%]
-#   Preparing...                          ################################# [100%]
-#
-# $ rpm -q --qf '%{NAME}-%{VERSION}-%{RELEASE} %{RSAHEADER:pgpsig}\n' postgresql14-server-14.10-1PGDG.rhel9.x86_64
-#   postgresql14-server-14.10-1PGDG.rhel9 RSA/SHA256, Tue Jan  2 16:45:56 2024, Key ID 40bca2b408b40d20
+# $ rpm -qp --qf '%{NAME}-%{VERSION}-%{RELEASE} %{RSAHEADER:pgpsig}\n' basesystem-11-13.el9.0.1.noarch.rpm
+#   basesystem-11-13.el9.0.1 RSA/SHA256, Thu Feb 29 17:37:22 2024, Key ID 702d426d350d275d

-RUN curl -O https://download.postgresql.org/pub/repos/yum/14/redhat/rhel-9-x86_64/postgresql14-server-14.10-1PGDG.rhel9.x86_64.rpm
+RUN curl -O https://dl.rockylinux.org/vault/rocky/9.3/BaseOS/x86_64/os/Packages/b/basesystem-11-13.el9.0.1.noarch.rpm

 FROM scratch

-COPY --from=rpm-downloader /postgresql14-server-14.10-1PGDG.rhel9.x86_64.rpm /postgresql14-server-14.10-1PGDG.rhel9.x86_64.rpm
+COPY --from=rpm-downloader /basesystem-11-13.el9.0.1.noarch.rpm /basesystem-11-13.el9.0.1.noarch.rpm