Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package runc for openSUSE:Factory checked in at 2023-04-28 16:22:37
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/runc (Old)
 and      /work/SRC/openSUSE:Factory/.runc.new.1533 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "runc" Fri Apr 28 16:22:37 2023 rev:55 rq:1083239 version:1.1.7 Changes: -------- --- /work/SRC/openSUSE:Factory/runc/runc.changes 2023-04-17 17:41:15.554207498 +0200 +++ /work/SRC/openSUSE:Factory/.runc.new.1533/runc.changes 2023-04-28 16:22:53.717844566 +0200 @@ -1,0 +2,7 @@ +Thu Apr 27 09:43:31 UTC 2023 - Aleksa Sarai <asa...@suse.com> + +- Update to runc v1.1.7. Upstream changelog is available from + <https://github.com/opencontainers/runc/releases/tag/v1.1.7>. +- Update runc.keyring to upstream version. + +------------------------------------------------------------------- Old: ---- runc-1.1.6.tar.xz runc-1.1.6.tar.xz.asc New: ---- runc-1.1.7.tar.xz runc-1.1.7.tar.xz.asc ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ runc.spec ++++++ --- /var/tmp/diff_new_pack.tv0m0L/_old 2023-04-28 16:22:54.277847834 +0200 +++ /var/tmp/diff_new_pack.tv0m0L/_new 2023-04-28 16:22:54.285847881 +0200 @@ -18,13 +18,13 @@ # MANUAL: Make sure you update this each time you update runc. -%define git_version 0f48801a0e21e3f0bc4e74643ead2a502df4818d -%define git_short 0f48801a0e21 +%define git_version 860f061b76bb4fc671f0f9e900f7d80ff93d4eb7 +%define git_short 860f061b76bb %define project github.com/opencontainers/runc Name: runc -Version: 1.1.6 +Version: 1.1.7 Release: 0 Summary: Tool for spawning and running OCI containers License: Apache-2.0 @@ -33,6 +33,7 @@ Source0: https://github.com/opencontainers/runc/releases/download/v%{version}/runc.tar.xz#/runc-%{version}.tar.xz Source1: https://github.com/opencontainers/runc/releases/download/v%{version}/runc.tar.xz.asc#/runc-%{version}.tar.xz.asc Source2: runc.keyring +BuildRequires: diffutils BuildRequires: fdupes BuildRequires: go BuildRequires: go-go-md2man 
@@ -70,6 +71,15 @@ # build man pages man/md2man-all.sh +# make sure that our keyring copy is identical to upstream. +our_keyring=$(sha256sum <"%{SOURCE2}") +src_keyring=$(sha256sum <runc.keyring) +if [ "$our_keyring" != "$src_keyring" ]; then + echo "keyring file doesn't match upstream" + diff -u "%{SOURCE2}" runc.keyring + exit 1 +fi + %install # We install to /usr/sbin/runc as per upstream and create a symlink in /usr/bin # for rootless tools. ++++++ runc-1.1.6.tar.xz -> runc-1.1.7.tar.xz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/runc-1.1.6/.github/workflows/validate.yml new/runc-1.1.7/.github/workflows/validate.yml --- old/runc-1.1.6/.github/workflows/validate.yml 2023-04-11 20:35:21.000000000 +0200 +++ new/runc-1.1.7/.github/workflows/validate.yml 2023-04-26 23:49:01.000000000 +0200 @@ -11,6 +11,12 @@ GO_VERSION: 1.19.x jobs: + keyring: + runs-on: ubuntu-22.04 + steps: + - uses: actions/checkout@v3 + - name: check runc.keyring + run: make validate-keyring lint: runs-on: ubuntu-20.04 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/runc-1.1.6/CHANGELOG.md new/runc-1.1.7/CHANGELOG.md --- old/runc-1.1.6/CHANGELOG.md 2023-04-11 20:35:21.000000000 +0200 +++ new/runc-1.1.7/CHANGELOG.md 2023-04-26 23:49:01.000000000 +0200 @@ -6,6 +6,22 @@ ## [Unreleased 1.1.z] +## [1.1.7] - 2023-04-26 + +> ÐоÑевала ÑÑÑка золоÑÐ°Ñ Ð½Ð° гÑÑди ÑÑеÑа-великана. + +### Fixed + +* When used with systemd v240+, systemd cgroup drivers no longer skip + `DeviceAllow` rules if the device does not exist (a regression introduced + in runc 1.1.3). This fix also reverts the workaround added in runc 1.1.5, + removing an extra warning emitted by runc run/start. (#3845, #3708, #3671) + +### Added + +* The source code now has a new file, `runc.keyring`, which contains the keys + used to sign runc releases. (#3838) + ## [1.1.6] - 2023-04-11 > In this world nothing is certain but death and taxes. 
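Review bot: in the runc.spec hunk at @@ -70,6 +71,15 @@, the keyring comparison sits in %build after `man/md2man-all.sh`, so a mismatch is only reported once the Go build and man-page generation have already run; moving the check into %prep, right after the tarball is unpacked, fails fast and keeps the build log short. With `diffutils` now a BuildRequires anyway, `cmp -s "%{SOURCE2}" runc.keyring` does the same job as the two `sha256sum <...` substitutions and is easier to read, and the `diff -u` on mismatch can stay as-is. It is also worth being explicit in the comment about what the check establishes: it confirms that the packaged `runc.keyring` (Source2, the keyring Source1 is verified against) is byte-identical to the copy inside the tarball it just verified, i.e. it catches drift between the two copies; it does not by itself vouch for any key that is new in the keyring, which still needs an out-of-band fingerprint check by the packager.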
@@ -394,7 +410,8 @@ [1.0.1]: https://github.com/opencontainers/runc/compare/v1.0.0...v1.0.1 <!-- 1.1.z patch releases --> -[Unreleased 1.1.z]: https://github.com/opencontainers/runc/compare/v1.1.6...release-1.1 +[Unreleased 1.1.z]: https://github.com/opencontainers/runc/compare/v1.1.7...release-1.1 +[1.1.7]: https://github.com/opencontainers/runc/compare/v1.1.6...v1.1.7 [1.1.6]: https://github.com/opencontainers/runc/compare/v1.1.5...v1.1.6 [1.1.5]: https://github.com/opencontainers/runc/compare/v1.1.4...v1.1.5 [1.1.4]: https://github.com/opencontainers/runc/compare/v1.1.3...v1.1.4 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/runc-1.1.6/Makefile new/runc-1.1.7/Makefile --- old/runc-1.1.6/Makefile 2023-04-11 20:35:21.000000000 +0200 +++ new/runc-1.1.7/Makefile 2023-04-26 23:49:01.000000000 +0200 @@ -160,9 +160,12 @@ || (echo -e "git status:\n $$(git status -- go.mod go.sum vendor/)\nerror: vendor/, go.mod and/or go.sum not up to date. Run \"make vendor\" to update"; exit 1) \ && echo "all vendor files are up to date." +validate-keyring: + script/keyring_validate.sh + .PHONY: runc all recvtty sd-helper seccompagent static releaseall release \ localrelease dbuild lint man runcimage \ test localtest unittest localunittest integration localintegration \ rootlessintegration localrootlessintegration shell install install-bash \ install-man clean cfmt shfmt localshfmt shellcheck \ - vendor verify-changelog verify-dependencies + vendor verify-changelog verify-dependencies validate-keyring diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/runc-1.1.6/README.md new/runc-1.1.7/README.md --- old/runc-1.1.6/README.md 2023-04-11 20:35:21.000000000 +0200 +++ new/runc-1.1.7/README.md 2023-04-26 23:49:01.000000000 +0200 
@@ -15,6 +15,8 @@ You can find official releases of `runc` on the [release](https://github.com/opencontainers/runc/releases) page. +All releases are signed by one of the keys listed in the [`runc.keyring` file in the root of this repository](runc.keyring). + ## Security The reporting process and disclosure communications are outlined [here](https://github.com/opencontainers/org/blob/master/SECURITY.md). diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/runc-1.1.6/VERSION new/runc-1.1.7/VERSION --- old/runc-1.1.6/VERSION 2023-04-11 20:35:21.000000000 +0200 +++ new/runc-1.1.7/VERSION 2023-04-26 23:49:01.000000000 +0200 @@ -1 +1 @@ -1.1.6 +1.1.7 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/runc-1.1.6/libcontainer/cgroups/systemd/common.go new/runc-1.1.7/libcontainer/cgroups/systemd/common.go --- old/runc-1.1.6/libcontainer/cgroups/systemd/common.go 2023-04-11 20:35:21.000000000 +0200 +++ new/runc-1.1.7/libcontainer/cgroups/systemd/common.go 2023-04-26 23:49:01.000000000 +0200 @@ -177,7 +177,7 @@ // generateDeviceProperties takes the configured device rules and generates a // corresponding set of systemd properties to configure the devices correctly. -func generateDeviceProperties(r *configs.Resources) ([]systemdDbus.Property, error) { +func generateDeviceProperties(r *configs.Resources, sdVer int) ([]systemdDbus.Property, error) { if r.SkipDevices { return nil, nil } 
@@ -238,9 +238,10 @@ // trickery to convert things: // // * Concrete rules with non-wildcard major/minor numbers have to use - // /dev/{block,char} paths. This is slightly odd because it means - // that we cannot add whitelist rules for devices that don't exist, - // but there's not too much we can do about that. + // /dev/{block,char}/MAJOR:minor paths. Before v240, systemd uses + // stat(2) on such paths to look up device properties, meaning we + // cannot add whitelist rules for devices that don't exist. Since v240, + // device properties are parsed from the path string. // // However, path globbing is not support for path-based rules so we // need to handle wildcards in some other manner. 
@@ -288,21 +289,14 @@ case devices.CharDevice: entry.Path = fmt.Sprintf("/dev/char/%d:%d", rule.Major, rule.Minor) } - // systemd will issue a warning if the path we give here doesn't exist. - // Since all of this logic is best-effort anyway (we manually set these - // rules separately to systemd) we can safely skip entries that don't - // have a corresponding path. - if _, err := os.Stat(entry.Path); err != nil { - // Also check /sys/dev so that we don't depend on /dev/{block,char} - // being populated. (/dev/{block,char} is populated by udev, which - // isn't strictly required for systemd). Ironically, this happens most - // easily when starting containerd within a runc created container - // itself. - - // We don't bother with securejoin here because we create entry.Path - // right above here, so we know it's safe. - if _, err := os.Stat("/sys" + entry.Path); err != nil { - logrus.Warnf("skipping device %s for systemd: %s", entry.Path, err) + if sdVer < 240 { + // Old systemd versions use stat(2) on path to find out device major:minor + // numbers and type. If the path doesn't exist, it will not add the rule, + // emitting a warning instead. + // Since all of this logic is best-effort anyway (we manually set these + // rules separately to systemd) we can safely skip entries that don't + // have a corresponding path. + if _, err := os.Stat(entry.Path); err != nil { continue } } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/runc-1.1.6/libcontainer/cgroups/systemd/v1.go new/runc-1.1.7/libcontainer/cgroups/systemd/v1.go --- old/runc-1.1.6/libcontainer/cgroups/systemd/v1.go 2023-04-11 20:35:21.000000000 +0200 +++ new/runc-1.1.7/libcontainer/cgroups/systemd/v1.go 2023-04-26 23:49:01.000000000 +0200 
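Review bot: in the `sdVer < 240` branch of the common.go hunk at @@ -288,21 +289,14 @@, the `logrus.Warnf("skipping device %s for systemd: %s", ...)` is dropped along with the old fallback, so on a pre-240 systemd a `DeviceAllow` rule whose `/dev/{block,char}/MAJ:MIN` node is absent is now skipped with no log line at all. The changelog says the 1.1.5 warning is intentionally being removed, so Warnf is too loud, but a `logrus.Debugf` on the `continue` path costs nothing and lets an operator trace a device that never shows up in the unit's allow-list back to this skip. Dropping the `os.Stat("/sys" + entry.Path)` fallback itself is consistent with the new comment (pre-240 systemd stats the `/dev` path, so a `/sys`-only hit would not have made the rule take effect). One more small thing for the companion hunk at @@ -177,7 +177,7 @@: the new `sdVer int` parameter on `generateDeviceProperties` has no doc comment, and the only hint to its meaning is the `systemdVersion(cm)` at the two call sites in v1.go and v2.go; a line saying it is the systemd version number would help the next reader.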
@@ -77,7 +77,7 @@ func genV1ResourcesProperties(r *configs.Resources, cm *dbusConnManager) ([]systemdDbus.Property, error) { var properties []systemdDbus.Property - deviceProperties, err := generateDeviceProperties(r) + deviceProperties, err := generateDeviceProperties(r, systemdVersion(cm)) if err != nil { return nil, err } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/runc-1.1.6/libcontainer/cgroups/systemd/v2.go new/runc-1.1.7/libcontainer/cgroups/systemd/v2.go --- old/runc-1.1.6/libcontainer/cgroups/systemd/v2.go 2023-04-11 20:35:21.000000000 +0200 +++ new/runc-1.1.7/libcontainer/cgroups/systemd/v2.go 2023-04-26 23:49:01.000000000 +0200 @@ -182,7 +182,7 @@ // aren't the end of the world, but it is a bit concerning. However // it's unclear if systemd removes all eBPF programs attached when // doing SetUnitProperties... - deviceProperties, err := generateDeviceProperties(r) + deviceProperties, err := generateDeviceProperties(r, systemdVersion(cm)) if err != nil { return nil, err } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/runc-1.1.6/runc.keyring new/runc-1.1.7/runc.keyring --- old/runc-1.1.6/runc.keyring 1970-01-01 01:00:00.000000000 +0100 +++ new/runc-1.1.7/runc.keyring 2023-04-26 23:49:01.000000000 +0200 
@@ -0,0 +1,221 @@ +pub rsa4096 2016-06-21 [SC] [expires: 2031-06-18] + 5F36C6C61B5460124A75F5A69E18AA267DDB8DB4 +uid [ultimate] Aleksa Sarai <asa...@suse.com> +uid [ultimate] Aleksa Sarai <asa...@suse.de> +sub rsa4096 2016-06-21 [E] [expires: 2031-06-18] + +-----BEGIN PGP PUBLIC KEY BLOCK----- +Comment: github=cyphar + +mQINBFdpGN0BEADMEmLpnUel7OI2SM8f88i7w0iRgJd4kOvF1z673+zWCgaw9QW8 +ha7wAm/+3isas9IqlvGx61i6hbO7TFwcYi472VHhs4HP8jMtWytHHkjc3O9xlMc0 +CfekjIpoR1CffYtCvkLr8/f74jHNRfqsmZ1Oxa9GjbhgDnbw4Baztp6WctzMXyOJ +j5bJuSfQTcgFbIeQ27zx7gNjbnHyEP5TEm1/CeoWpGPpZLJPiKHdI/TBCyFexHJ0 +IlabKc4DC43RZyh0Btuf+FiX9K2NkoCC7l5nQdde8B6YG7SA6xEhwhQ73bSs7A56 +rlZxfIFmLCB/81FyXk5eH0Eu9Lbwj69YQ81EdkLnLAyP3ZB+MRGuiWVD88Jr1He2 +25m3dxTVzaP0TAV4LqdbuqTwr2wagu9MZQ5XXDiaEuiPwTrO10xlmivOjRaWxoWA +E0I3fOdrzqfg9XK6g1pG23v2WhHFIejqVCXrf5oPcCd62lGeh0ghEdNN89ikXbka +1PJRiWI3uDQ6STSKa+6uC5eUM7tK/ymqS8JYSQf4d3eIaC2H403psPt5kbq1bHdx +nRPX2eh/t1QzR1dhPxzai4CzLERIYJ9iD4nGiSscwy0P44AgyeuywSg4qXzr9Sfe +igOj+6lfJb3iZRN3dKLTRAKWvo7yfdi/UOycodlaQyW8v0yXAx7Yh1NgJQARAQAB +tB1BbGVrc2EgU2FyYWkgPGFzYXJhaUBzdXNlLmRlPokCPQQTAQgAJwUCV2kY3QIb +AwUJHDIEgAULCQgHAgYVCAkKCwIEFgIDAQIeAQIXgAAKCRCeGKomfduNtGecEACZ +JLVdeKHKsSUqTLOjbC6t9uKfKlNpu+iQ2/TS9YazLWXoFEc8f/uWB8BpHcJBFrqz +j+mI34ShEkbbNJArxR76njnAtPF+73GiD0dAjRDWz8YtQgSg5UhYm6O2Si/EM4I8 +TDzflyjaZltCkDe2U+2T8dTkYxqOi11IuCukPBNe0moxGKvLGPWEqZQMPCfBgllD +lv2Toiry2Fp1bkBlT6hk0C684rfAwzPQuH0BBv8vgfgroRMJg/qfZb64lhMCXaPr +rCtVHP+F1bVXKZCBCt7ETTtcteUEKaFmGgDGpXGnIqPL5iWLK5u8DQL/1lGcinj9 +QdD9IUNqsrsNAbdyMMqQvZKQwIVDgFMXrCwSRymOi6cppN7eF0VyFN7YsATttRGx +CZBoSMhVW6VVxuJFGaQWFXWthVGVEd2jkvny1TX8Nm8KBHC2G/wNVU3pKrCPhMCt +rYc8xWZ+6uisQ6XWs8H4nyBOVN6RvhIqqXJL1nvViOSFMLSDyFgPA16368krgxYE +pVDvie04aDjKZj2/0LSogNQPqZxs8uKIjLZ1NYQQmCQ8Dx9/nshg1wbyDD/c///M +EmVFmZhlNLZ8tV/iTlwfD/4vjbeaAQTVanhPFRbUtmL/iuz5f0gH0b0xc+mc+yQ1 +egjBwMuKr+h7jbSXIWoFGZLrqT3WswTg0Khk6oEL57QeQWxla3NhIFNhcmFpIDxh +c2FyYWlAc3VzZS5jb20+iQI9BBMBCAAnBQJXaRngAhsDBQkcMgSABQsJCAcCBhUI 
+CQoLAgQWAgMBAh4BAheAAAoJEJ4YqiZ924202mIQAIjGrikF7OPBCbV5Oo4oC0QQ +7HcG+DM9cN6UcFO+rzWQxZ/atEpiULa4O3YKoGOkSV5WAjUpaY5Rf7Obt3EjgrwE +PhtGvOpC6kkkTV43RmmK06CxHiZPrUJBwcpbW1rf2JZx7PPBMbZfsmWdVZc+LjzC +D3KtJ7xhzT0mi+zN5ONNHody6sDQO6n0mN+bRVxiVdcxwjYHfJYGobI6aaKyupvl ++xCGK4ekzNCVzaxudzqmbFE6qk+cWcvcA8HpggA63rCvCLfK1embNOtqzKAcJh1o +cJvrtpe18qBvd4yXFWEqQBW6IoDLvdzaLY7eNMI97UDInciz/GUtbxhqbs1lAOBz +V1y9fi0+NIIq1qmhbLxpUFC2BWsZRuWEqYWdr4FFJCuYEEXX6KXM7d9CSdWlErCU +mqKYsx6X4E7Iy1yupYbIqXRea9wBr8aPoFk+gLdNbCWAE4o7InKJY1uqOt141ffs ++6XJe2wVvA2xLr0ZphlcyF0EHZX8tMWLCYdQJdLMps2hl5oFpi7ccdM1GpE/Kwt5 +pEBqsJ6vP59BsbmciYmNkYKvFIKJcasImglQP6nrQiBwjTd7fYXpMDeO0yNtklaZ +IZlbNvxOe1TqbRzfVFk3oSBbEaFzPAx/W0uU1evZynpu2PcIvOuadScc9j0jMzt8 +0wknTD5AqhD/fkfZlwRouQINBFdpGN0BEADfqvO6AkGOWf+lcQZfWBMSMpzneCCS +JvQvD65VrFt0CCbSlJv1pc3GwLlL2dMulIxQGg0JMTjfPZcCYqrnOcWe0gedETRV +nOucY7zWmohR7L70YWwh46FlAPifY6bIIYGYTHyI9w1adS9K4tAJW/XS0WrvZ5KA +l7htrAzUAsMhag9y9jtQJVPLErGJta3jZJASs8PZWWmLYZE+oy1R3W52w/HqGQHS +8BPgo4oL+lrjPmjAwouhhNETTq9W2xmCe18EJodOjNKdF5ODOq1LOkPNHIaIdG0s +sY3qbifcRLVDvSmb8++4WRYl1HLy2vpsTQ31mZ3KyRKR6cP61ivTZy8idwD+Qt1t +3uKTCGNZj96OCob8ZeZsak6enuFZleVbLty1eULIw/IZuq8g6E+/V7mbFo4vkXMN +q4YrX0Q3XEzB8Cdxd5vsnz7Uga35j44gwJ+BUsCyaRUyGzLqhUWHJS73Vy3IxHfX +Rj7TQUBFYDKbOS9oKearmvTb1SQzH7NM5jQUFzXeJQE03jetRneNQ5hkh9UhUr64 +gtRnnKXTimXkczEMU9eDSTgQoaebdPnWEnzoStS5ln03zH+CNTQF9qjcpYBrJ2mZ +wnxO9OP/45KQL4hPAi2+hGkq2yjuIzeCkFJabAc7sF6lwJqH82XtiIIR+AGTM8QC +Eno0eqAytg8YawARAQABiQIlBBgBCAAPBQJXaRjdAhsMBQkcMgSAAAoJEJ4YqiZ9 +2420AuIP/1PYZDKFLv//+iY6Z9xGz4zHL+9nWND/Kll3xHeuWjYGZ2nmcovSnEW4 +0eiMn1c6KMgs/CCR4+9bm7MdgaF73pjM4xzHBIBetLLkcKQIrniX2Fq+WgscJfFx ++0ha7Xb2TTpSy8PRiYHowVUaMPwyqSsAUwrSenLuwyiKr+EW4Wzo+YM2w9a86yw1 +GfWuiyk0Z4sGoPoPEjmD4y6Xlf8kIfuZeb+joHd6W1nMf7cxDkNLQqX6sWvs62Tv +Lsx2jApPKD2PyTyyxItJKc6NXFVM+Uww323ZYVWMkz+VKalHRiv6xzGqArhpAIH6 +fn+1WjjqkrrLU4I7smjlulZCy/NZLOKqQYaqM+7BgC2mOPMb5CM99cg4SrK86dFr +3Cf22+OTmC6/Wb5Gu4PzTzkYIJDnt3BJQYjJlp4zyOHluN6notrWagLIB06oX+jQ 
+pxGySHW++Cha/JCUb0mfeHIJKvRor3v7YaSJoFIo//rz6XJ9WVZfsKnOte/3s9m7 +qkEvLArbe2o7pUJ2mxZZw/nAk/Y39FYAMvgMA9f+uv18O7u+ojYjS6DlrmNuIEg/ +mp8FqVxVNdIS2capSF4+eOn3a4kcF0018xbTLA2AwQ2o9eF5G9qTdSVrN865VPCd +KWr9ByCKAwVHsaSgVSJE/dse4f1toqeEHHbWk682U4RqOWZR4bA0 +=3/jE +-----END PGP PUBLIC KEY BLOCK----- + +pub ed25519 2019-06-21 [C] + C9C370B246B09F6DBCFC744C34401015D1D2D386 +uid [ultimate] Aleksa Sarai <cyp...@cyphar.com> +sub ed25519 2022-09-30 [S] [expires: 2024-09-29] +sub cv25519 2022-09-30 [E] [expires: 2024-09-29] +sub ed25519 2022-09-30 [A] [expires: 2024-09-29] + +-----BEGIN PGP PUBLIC KEY BLOCK----- +Comment: github=cyphar + +mDMEXQxvLxYJKwYBBAHaRw8BAQdArRQoZs9YzYtQIiPA1qdvUT8Q0wbPZyRV65Tz +QNTIZla0IEFsZWtzYSBTYXJhaSA8Y3lwaGFyQGN5cGhhci5jb20+iJAEExYIADgF +CwkIBwIGFQoJCAsCBBYCAwECHgECF4AWIQTJw3CyRrCfbbz8dEw0QBAV0dLThgUC +XQzCHwIbAQAKCRA0QBAV0dLThvUpAP9SwyOijLqEBz1A9pTqRAB0l/r+ABq+iUmH +UjMHO34LZAD/biRuAadaxIYJtmn7nKA55doyN2fQXhjArqypJ1SQywi4MwRdDMJS +FgkrBgEEAdpHDwEBB0B2IGusH7LuDH3hNT6JYM30S7G92FGogA6a9WQzKRlqvIh4 +BCgWCgAgFiEEycNwskawn228/HRMNEAQFdHS04YFAmM2ukUCHQEACgkQNEAQFdHS +04ZTQAEAjAT0fXVJHdRL6UMCxDYsgjG+QyH1mr7gKgbPvB8A5LgBAN4QDqCxIY3b +8+X4Ud3C9yLfkbcsdgctU3fO/jHpKVIIiO8EGBYIACAWIQTJw3CyRrCfbbz8dEw0 +QBAV0dLThgUCXQzCUgIbAgCBCRA0QBAV0dLThnYgBBkWCAAdFiEEsWZunbXxPIMS +y32KnZS5YyG50BIFAl0MwlIACgkQnZS5YyG50BLusQD/aPjX4NhlSYgzNV2x31aw +x5AxTp+18xoQDwaU123grDgA/2B73RiaTO2boRK5UETxx6awdsA51hZubxo4LyxG +SP8IW5gA/2JWrDg+7cSQrS71gHmtqvz0se+D7zmWdcnN8O3LoUZeAQDW3Pkq0cru +YVbsXiTwzenLPUJrjGBAVaoFmYqFUelFDLg4BF0MwmoSCisGAQQBl1UBBQEBB0BL +FI5mD555F7t6dovnw4DW19nkG/g/Vd5Zb/7qhMLWagMBCAeIeAQoFgoAIBYhBMnD +cLJGsJ9tvPx0TDRAEBXR0tOGBQJjNrpFAh0BAAoJEDRAEBXR0tOGgPkA/1Z69M4e +qU3ZM7czYOHKAbNHiRuAqzc6o90WBJLhgFJmAQCcKmpnnnTpbnGoXgkcRSr2y1wk +uId1oVRwfRbN9h94Doh4BBgWCAAgFiEEycNwskawn228/HRMNEAQFdHS04YFAl0M +wmoCGwwACgkQNEAQFdHS04aZWgD/d0gCCB7ytnRB9RBtns9RRrtGXOIrzzWKw+zx +za6Y2zgBANoj7CUeH0MygzZkgMrCmKPNnMxEnHJaTuYZA4yBixkIuDMEXQzCjRYJ 
+KwYBBAHaRw8BAQdAAiFh7AD1u/UhjVbGJkRflPhjHBKIsAuP4pkI/qjavwaIeAQo +FgoAIBYhBMnDcLJGsJ9tvPx0TDRAEBXR0tOGBQJjNrpFAh0BAAoJEDRAEBXR0tOG +AUgA/2ZDB3tCRBON1WjLBESkHZmNtplYcV03u/oshA/MVCzpAQDGusGcv/rf1ZI9 +o7lcWozXFlQDOM7eoT4avvWOVcsaD4h4BBgWCAAgFiEEycNwskawn228/HRMNEAQ +FdHS04YFAl0Mwo0CGyAACgkQNEAQFdHS04ajxQEAsZf1yDORUVYicREc/7z0U+51 +DJzeAexeJTYM+N+x13EA/0Ex+o7qQ7dZLGDn7x4LSbd39C+++suHsEaE4XwlX6cH +uDMEYza6SxYJKwYBBAHaRw8BAQdAE3s7dZQFuImQX2tWshIdGjeUKZc7rlMcrZ6+ +q25gaH2I9QQYFgoAJhYhBMnDcLJGsJ9tvPx0TDRAEBXR0tOGBQJjNrpLAhsCBQkD +wmcAAIEJEDRAEBXR0tOGdiAEGRYKAB0WIQS2TklVsp+j1GPyqQYol/rSt+lEbwUC +Yza6SwAKCRAol/rSt+lEb9obAQC8ij4yJTU7ZcAtTx2ZMjj8EoruGb3ku6VpRyx1 ++pyQQgD/QgQ7X1G7xtwuVpY0kHYga1yoKLA2ycT8F8PrVtF7pAMWkgD9EWe1E77C +BVd//i3ib+h9ikCeJ+gaxc6aU24ZBcN2tfUBAJmCmYQ0VEbXyvCqkdJEQ4qk5Y9C +2V4w83dj4a5RYKUGuDgEYza6YBIKKwYBBAGXVQEFAQEHQKECW5Y7nUGCka0/WcCM +OerRY95Pm2DQVL76QzvhXD8tAwEIB4h+BBgWCgAmFiEEycNwskawn228/HRMNEAQ +FdHS04YFAmM2umACGwwFCQPCZwAACgkQNEAQFdHS04bkuwEA7AEL+iSPlA8/YILp +0sFMzmtRqTDMqx2BY8K5wEk9fusA/jAhbeJw57bZYvK4MghfUa9tRocyII84UmOA +cgDbPPIFuDMEYza6bhYJKwYBBAHaRw8BAQdAgHXd0yf6MPXJZCZ3TFz8xLymyPsD +TF2SQwwqM4+nYbeIfgQYFgoAJhYhBMnDcLJGsJ9tvPx0TDRAEBXR0tOGBQJjNrpu +AhsgBQkDwmcAAAoJEDRAEBXR0tOGB8UA/0wf8uECKMmXGQ4DNi+ei2E9Ft6GL8qw +UGjwM/EKH2RoAP9HNRRKBjDxs/AZ3pBx1Q8hnHELLo0kXPc+3BG6Pht5BA== +=KN4V +-----END PGP PUBLIC KEY BLOCK----- + +pub rsa2048 2020-04-28 [SC] [expires: 2025-04-18] + C2428CD75720FACDCF76B6EA17DE5ECB75A1100E +uid [ultimate] Kir Kolyshkin <kolysh...@gmail.com> +sub rsa2048 2020-04-28 [E] [expires: 2025-04-18] + +-----BEGIN PGP PUBLIC KEY BLOCK----- +Comment: github=kolyshkin + +mQENBF6ou34BCACow4f1kUqw0varU4pq+C91xhYeNb/0sGyFKCvYfiLY74yG8EXW +rZ8n06AYDHzPv9oubkUhnFk/u25kXQVgLB6Z5SKRBCiFq1QZirXeNJ8Iss8AwDBV +ppTSiCl8/x/gKoXiJ+7MyvOZozUavkVHdim1NKCzwD014VOB8RXz+heUjS+HDXY9 +2IknlaZg2oGpQe6weVmXmEhxERapG/y+/Vo6t8UfhSv0gEeM00/yWhBJKSYPtzMg +SbTL4jCsN/x0bq+ZNp4lunihVY5WqX+BGLcx7xPnJ0Rp9Ju1mAhKrbKUmOG3rkWu 
+DIJuVP8HQfCoffsBLUKQ0V4fh18kfq1bo3JvABEBAAG0I0tpciBLb2x5c2hraW4g +PGtvbHlzaGtpbkBnbWFpbC5jb20+iQFUBBMBCAA+AhsDBQsJCAcCBhUKCQgLAgQW +AgMBAh4BAheAFiEEwkKM11cg+s3PdrbqF95ey3WhEA4FAmRAbOgFCQlaGGoACgkQ +F95ey3WhEA6dRQf+P+OHI3QiZu3TnrNBTsf+V8HhFBWKqafrjKbIE1A5HOHzcK2F +t2afYG+MZQILwSuCQOObgr3o7hGlqkwMwGtHt5nqG6/Z0bmkowG4JJmYIg9FhvQW +JEm/7lSBtxvFkw05H90UlzCM7AigD+PrLs96Zb0+FqdzEDWTMJeU7yYUFRNbXEu3 +wqpOZpHlYCJGKzFJBbGxYphlmljexRlWdZPwACKg7lBsVkM8JDPGxmmEe7/5tXPt +Oa1yS13SleLv4muHH3KO3cgJGqBfY/XIExZUQUF0GdL0yppBDbn0oZ/wvRuibCR0 +1P7rW88csSjAjhNjja4v/zWleSIpyWVi8IvYLLkBDQReqLt+AQgAtKUDLyUFxQ9k +p8OwI/MsPTLLoYfjilJaXnmtzQjGYFrEuU3lt7omRUBldNChkjGghEukGTq0RD7Z +s6Qv5PM5dtOypPJM0lmz2j7seun3AfDV44h/bjOFwTUjab3Nr9fQ52qESmRS03ik +6+5YNwq2D/+2kHVJ2vkUoo6KvioA1vPU311oW/Yfky8dLS5NguikE3to6YElWW38 +oqFUVdMScCbf9a6CPXSQEz/rH4TgAhwyTo6oegv+8L/szGFy5ToNGiA0D45HcFDc +yXs1d+b3bYRuGfC1l/z+WZWwbeHt1fKEQ8pCLDLRre5y0hPRHeN2CG4U7iyI5B5h +8LITPcZ66wARAQABiQE8BBgBCAAmAhsMFiEEwkKM11cg+s3PdrbqF95ey3WhEA4F +AmRAbRQFCQlaGJYACgkQF95ey3WhEA7vywf9FFTeRgNji8ZIPMM2vIlns+CMkP5R +uXakU6Q0O6Wmbb/ULOkobTqJ/Jcze8OuembuU3V6MiOQKgUIDrN7itjnJPQBneKT +iqJdPK8KOiGIzqa0aRekvOu2nCz9n87Bf48pviH922yfs8gXYRCUnSV/i7/p+N8r +5Fy7dJen5SXksN2/rUCEgU9FD17l2uMAoQbRqZg74/GwSDLnhrZ9eMrbPnguSQF4 +S1NPMeS7+G/gPN9Ze9qFmOF2p57cmEa+8mriZCYY3BcUBOiMOV5HSBKJwqA2M8au +2dAKmFWb/G+K/dgBdkAulQ/BfCpwgFmmgJ5dAeaS3y8Xd86aBE0/eLCrhQ== +=GkpD +-----END PGP PUBLIC KEY BLOCK----- + +pub rsa3072 2019-07-25 [SC] [expires: 2023-11-02] + C020EA876CE4E06C7AB95AEF49524C6F9F638F1A +uid [ultimate] Akihiro Suda <akihiro.suda...@hco.ntt.co.jp> +uid [ultimate] Akihiro Suda <suda.ky...@gmail.com> +sub rsa3072 2019-07-25 [E] [expires: 2023-11-02] + +-----BEGIN PGP PUBLIC KEY BLOCK----- +Comment: github=AkihiroSuda + +mQGNBF06GR8BDADEpCHv9HzGbqzQ2RAqTWBGHUNsiHD89NVmbXx4nw56odXf5mAK +QHxyh9tKkt0BIaKMLcxcU6+GXP5iSLdHnQvnxxbR0gW3CJ8bIWPUflE4hjv8QLbc +5CSpqa3d7/tsntVYNLPFs6B0acTXB4YLK+u2aC42US6by5zO4KS+8/7RyXhdkYGY 
+wy6dCU1ysnuG4QstxlObKJUtxcW/9vQkF/ZdqaqLf6HHL/kMasWUxWG1uvf+V/MO +BRKu7zBW290XDE5Dd9DomyX4q2kqoWQBkpvkJlVsKWpW+AXnBizbVD+pX90VEQmk +Tvnr6U9OiArS6m2yVwZlu836l2yo3tX2tsgTNn8gtZugO4Qb3iZnDUexqgCwnLBx +dsyq4W565jNRV/HWRUMR+LDIS1KiEalzDoID3aUXRHHLUQG0oqX8jqFJUqp1P9pO +9nezuUDg8SsaBg8O4tyv/CZq/FeF3RMMc2EHTiO8HTERqmRMxUFZv3bkgA4GnjnA +3wsZhLXQq+UaIJUAEQEAAbQsQWtpaGlybyBTdWRhIDxha2loaXJvLnN1ZGEuY3pA +aGNvLm50dC5jby5qcD6JAdQEEwEKAD4CGwMFCwkIBwIGFQoJCAsCBBYCAwECHgEC +F4AWIQTAIOqHbOTgbHq5Wu9JUkxvn2OPGgUCYYDT5gUJCAkhxwAKCRBJUkxvn2OP +GiHnC/wOqAvEcRmpKjqx4QUNkE34oGwiPgV5vyDlQElvBzyazQEcIdt9xaIE+4IS +7L7L6Q7WOGxWCvmRZ58E32m4RB1F8L7XQW0l3f6jESYLGPb6XDloux5poJzGxaGK +9gd6ItNmjOCmt08Icv0ZVTvKv20ej71aepllE5UaM9p5AlEwLkzQxPoGpB7E1Sdy +citRg6YEqTY+i5IeZ5xMthWXcushyLRRvm43DwbPsuZHVC1yMfo5VrF9JE65BdE9 +dIsCrZDnde/jUm4pAAwyAKSLLRVgj4xVP0XIdO2nVXDBWp9z4gUt/gMjuutO1a2U +Xw+XhkirUb2C++L0KvVBMbU303Q+xV/iaYjAuFjNy94HZms0iTBTB4qFHT4ClYHi +mNwTgfwRclpywkHzDi8496hsyzoVCeHSsu+ScDE1qAw6zrxASZXevYhhB2aBLr1s +d58WsYA37iXTEO4Hxm5V0Wh110hlCGFwcN8vWNhMCdIj7JN8nWZQNLZyppN7bCDu +FX8cE260I0FraWhpcm8gU3VkYSA8c3VkYS5reW90b0BnbWFpbC5jb20+iQHUBBMB +CgA+AhsDBQsJCAcCBhUKCQgLAgQWAgMBAh4BAheAFiEEwCDqh2zk4Gx6uVrvSVJM +b59jjxoFAmGA0+YFCQgJIccACgkQSVJMb59jjxoMJwwAgZxXa8DPoUWeazt5TIVX +omVcsor2J75CqPKlOjvSVXSnCzkBM1kYN2RwVjNivuIEUWPDOohvUvJxllkm7dxd +g+XfLL3/luB4B+R06n78339K0pu4+n5eDIF0UiNbfuGocqFtVBXuC0uj7ZWPJnZe +tdbspisggJ8Q2Im7mQPQRQZ1Q1qBlogxpeeDzyGkrLRusryfd8LwPz7/8I59pkwG +hkNm0+JbaDJ1NtFElX+XvPaOxfCB3ut94CUjac0DdkQNDX+i2ruZNAsIjEuxQbuT +UAc1ouv+R126SBqVdkRLtRw+d0DmAR7PiL37C8KjQa6s+H46jzhLDQ0a3frZdo2w +c1Sony8C60w9q8wpGjJjjelTimsEW8aa7e17xMVgZrawAOAPDuGvbRMGl6fla9T2 +ZYTF6QDzoeqB4VgL441yJm0c2/c6L8gz8ehCNGyqxtfFX+8OO4W3+p4a/mKP8MLz +9l04g71QkuAi3bF7bbrsWmagMXJJJWTHbizDLaytI/6nuQGNBF06GR8BDACxpQ9c +y72+/WZGon+CToNj+a24PiduyExfFv26E0D77ACS6UAC5jz71mSuLbHiauQ3MHj+ +786z4m4St8+HjDL9YrAe19MobxWsLHAFvBJ8UHfZdkLzBkIKPHz7TUqlhvFR13b6 +ZAZVZk975hgCT3LpzA1miHBY2E5WDpVa3pe94xshVHL3iVf9Jv1a4hmM+eu0gxX4 
+iEw7RLq9LssTyjeuRVN23X+ojD4Mp3jQnPA+cjLF718KpCsw5r+tGZ98/5GZevmH +Qf6sg0b/k6/vkVveopeeH28zb/nnVuhgGSxcbiZUrFC9EfhX4/6NNFRhE300AjeF +bP7SoXx3qRhr993BDSP32r44hy+kYLhZP5K5oXivcITJZuGcJh49P4QuYGrnODIL +gEhedWeePcJXFcEz09teizlWKGzd+EA3uwYd/bQelflwXkGuCLaoNv4qcH3oJDp1 +vYI0zT7hGvnz3thRLg3SOWFq5cBhnfNGXPLsoNZBzWGn2cm5MJYSKjIM470AEQEA +AYkBvAQYAQoAJgIbDBYhBMAg6ods5OBserla70lSTG+fY48aBQJhgNRTBQkICSI0 +AAoJEElSTG+fY48a3YML/3snhGBx/Xd0EcK0pzyvyivZwavlGsQPAF2c1Rj7Lr1i +eUrp6CZ/yW7/oAvlk6Ngc0SoWba/pgnz7bVQEc21JTY86M1bRLLh3fmYCx8YFbsR +43zVr2bxDledzKV3bIuWStWbljHECuNTT91907pc3r4jv+jN4ZaXVUQ9pXj0DrV+ +MTJVCo7nrEXiq6q1WqaUAV9dMQE3rWGFa2u45QCZGLckOu3cuSCU8CVxSScmxgII +bUBu17xDzQnDkdcEQzzkZtDOrwF76dPdlrW69PXtC9oElRJbGCERivqlrpKDagXI +h4eZYfcFb2gc0qZjblvfVHiot65WM9bUsSAUAEfskYqIGLshzV9MrxFYQYvgt3ym +Qs7D8ORJiphjaOvDeqVyGdPm/rN5SVMVGYpJX6EkZkHinV/kRChtuLAD7NQ3YH5O +5l+Ehze9Nm4laEXQC/tme9B1XH0PUBJk1x8NeoVrYCTnypVFfRw37mC9XBu5TF6U +ix7vx45U/EvZrqmkDrEFOQ== +=4+1P +-----END PGP PUBLIC KEY BLOCK----- + diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/runc-1.1.6/script/keyring_addkey.sh new/runc-1.1.7/script/keyring_addkey.sh --- old/runc-1.1.6/script/keyring_addkey.sh 1970-01-01 01:00:00.000000000 +0100 +++ new/runc-1.1.7/script/keyring_addkey.sh 2023-04-26 23:49:01.000000000 +0200 
@@ -0,0 +1,37 @@ +#!/bin/bash +# Copyright (C) 2023 SUSE LLC. +# Copyright (C) 2023 Open Containers Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +set -Eeuxo pipefail + +root="$(readlink -f "$(dirname "${BASH_SOURCE[0]}")/..")" +keyring_file="$root/runc.keyring" + +function bail() { + echo "$@" >&2 + exit 1 +} + +[[ "$#" -eq 2 ]] || bail "usage: $0 <github-handle> <keyid>" + +github_handle="${1}" +gpg_keyid="${2}" + +cat >>"$keyring_file" <<EOF +$(gpg --list-keys "$gpg_keyid") + +$(gpg --armor --comment="github=$github_handle" --export --export-options=export-minimal,export-clean "$gpg_keyid") + +EOF diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/runc-1.1.6/script/keyring_validate.sh new/runc-1.1.7/script/keyring_validate.sh --- old/runc-1.1.6/script/keyring_validate.sh 1970-01-01 01:00:00.000000000 +0100 +++ new/runc-1.1.7/script/keyring_validate.sh 2023-04-26 23:49:01.000000000 +0200 
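Review bot: in the new script/keyring_addkey.sh, the human-readable header written above each key block is taken verbatim from `gpg --list-keys "$gpg_keyid"` in the running maintainer's own keyring, so it carries that maintainer's local owner-trust and locale rather than any property of the key; this is why every `uid` line in runc.keyring reads `[ultimate]`, which a reader can easily misread as a statement about the key itself. Suggest pinning the header with `LC_ALL=C gpg --list-options no-show-uid-validity --list-keys "$gpg_keyid"` so the output is reproducible across maintainers and a diff of the keyring only changes when the key material does. Second point: the script appends unconditionally with `cat >>"$keyring_file"`, so running it twice for the same keyid duplicates the block; a `grep -q` for the fingerprint in `$keyring_file` before appending, or a final call to `script/keyring_validate.sh`, would catch that.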
@@ -0,0 +1,108 @@ +#!/bin/bash +# Copyright (C) 2023 SUSE LLC. +# Copyright (C) 2023 Open Containers Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +set -Eeuo pipefail + +project="runc" +root="$(readlink -f "$(dirname "${BASH_SOURCE[0]}")/..")" + +function log() { + echo "[*]" "$@" >&2 +} + +function bail() { + log "$@" + exit 1 +} + +# Temporary GPG keyring for messing around with. +tmp_gpgdir="$(mktemp -d --tmpdir "$project-validate-tmpkeyring.XXXXXX")" +trap 'rm -r "$tmp_gpgdir"' EXIT + +# Get the set of MAINTAINERS. +readarray -t maintainers < <(sed -E 's|.* <.*> \(@?(.*)\)$|\1|' <"$root/MAINTAINERS") +echo "------------------------------------------------------------" +echo "$project maintainers:" +printf " * %s\n" "${maintainers[@]}" +echo "------------------------------------------------------------" + +# Create a dummy gpg keyring from the set of MAINTAINERS. +while IFS="" read -r username || [ -n "$username" ]; do + curl -sSL "https://github.com/$username.gpg" | + gpg --no-default-keyring --keyring="$tmp_gpgdir/$username.keyring" --import +done < <(printf '%s\n' "${maintainers[@]}") + +# Make sure all of the keys in the keyring have a github=... comment. +awk <"$root/$project.keyring" ' + /^-----BEGIN PGP PUBLIC KEY BLOCK-----$/ { key_idx++; in_pgp=1; has_comment=0; } + + # PGP comments are never broken up over several lines, and we only have one + # comment entry in our keyring file anyway. 
+ in_pgp && /^Comment:.* github=\w+.*/ { has_comment=1 } + + /^-----END PGP PUBLIC KEY BLOCK-----$/ { + if (!has_comment) { + print "[!] Key", key_idx, "in '$project'.keyring is missing a github= comment." + exit 1 + } + } +' + +echo "------------------------------------------------------------" +echo "$project release managers:" +sed -En "s|^Comment:.* github=(\w+).*| * \1|p" <"$root/$project.keyring" | sort -u +echo "------------------------------------------------------------" +gpg --no-default-keyring --keyring="$tmp_gpgdir/keyring" \ + --import --import-options=show-only <"$root/$project.keyring" +echo "------------------------------------------------------------" + +# Check that each entry in the kering is actually a maintainer's key. +while IFS="" read -d $'\0' -r block || [ -n "$block" ]; do + username="$(sed -En "s|^Comment:.* github=(\w+).*|\1|p" <<<"$block")" + + # FIXME: This is to work around codespell thinking that f-p-r is a + # misspelling of some other word, and the lack of support for inline + # ignores in codespell. + fprfield="f""p""r" + + # Check the username is actually a maintainer. This is just a sanity check, + # since you can put whatever you like in the Comment field. + [ -f "$tmp_gpgdir/$username.keyring" ] || bail "User $username in runc.keyring is not a maintainer!" + grep "(@$username)$" "$root/MAINTAINERS" >/dev/null || bail "User $username in runc.keyring is not a maintainer!" + + # Check that the key in the block actually matches a known key for that + # maintainer. Note that a block can contain multiple keys, so we need to + # check all of them. Since we have to handle multiple keys anyway, we'll + # also verify all of the subkeys (this is simpler to implement anyway since + # the --with-colons format outputs fingerprints for both primary and + # subkeys in the same way). + # + # Fingerprints have a field 1 of $fprfield and field 10 containing the + # fingerprint. 
See <https://github.com/gpg/gnupg/blob/master/doc/DETAILS> + # for more details. + while IFS="" read -r key || [ -n "$key" ]; do + gpg --no-default-keyring --keyring="$tmp_gpgdir/$username.keyring" \ + --list-keys --with-colons | grep "$fprfield:::::::::$key:" >/dev/null || + bail "(Sub?)Key $key in $project.keyring is NOT actually one of $username's keys!" + log "Successfully verified $username's (sub?)key $key is legitimate." + done < <(gpg --no-default-keyring \ + --import --import-options=show-only --with-colons <<<"$block" | + grep "^$fprfield:" | cut -d: -f10) +done < <(awk <"$root/$project.keyring" ' + /^-----BEGIN PGP PUBLIC KEY BLOCK-----$/ { in_block=1 } + in_block { print } + /^-----END PGP PUBLIC KEY BLOCK-----$/ { in_block=0; printf("\0"); } +') diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/runc-1.1.6/script/release_sign.sh new/runc-1.1.7/script/release_sign.sh --- old/runc-1.1.6/script/release_sign.sh 2023-04-11 20:35:21.000000000 +0200 +++ new/runc-1.1.7/script/release_sign.sh 2023-04-26 23:49:01.000000000 +0200 @@ -1,6 +1,6 @@ #!/bin/bash -# Copyright (C) 2017 SUSE LLC. -# Copyright (C) 2017-2021 Open Containers Authors +# Copyright (C) 2017-2023 SUSE LLC. +# Copyright (C) 2017-2023 Open Containers Authors # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -14,7 +14,7 @@ # See the License for the specific language governing permissions and # limitations under the License. -set -e +set -Eeuo pipefail project="runc" root="$(readlink -f "$(dirname "${BASH_SOURCE[0]}")/..")" 
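Review bot: in script/keyring_validate.sh (the new file ending just above), the maintainer list is built with `sed -E 's|.* <.*> \(@?(.*)\)$|\1|'` without `-n`, so any MAINTAINERS line that does not match the `Name <email> (@handle)` shape is passed through unchanged and then used as a GitHub username in `curl -sSL "https://github.com/$username.gpg"`; `sed -nE 's|...|\1|p'`, the form the script already uses for the `Comment:` lines, limits the list to lines that actually parsed. Related: GitHub handles may contain a hyphen, and `\w+` stops at one, so for a handle such as `foo-bar` the `Comment:` check would pass but the `github=(\w+)` capture would yield `foo`, the `$tmp_gpgdir/foo.keyring` lookup would fail and the script would bail with a misleading "is not a maintainer" message; `[A-Za-z0-9-]+` in both the awk and the sed patterns fixes that and also drops the dependence on the GNU-only `\w`. On the fetch side, `curl -sSL` without `--fail` pipes a 404 body into `gpg --import` for a renamed or deleted account; that does fail under `set -o pipefail`, but with a generic "no valid OpenPGP data" message, so `curl -fsSL ... || bail "could not fetch keys for $username"` would name the account. Finally, the header comment should state the trust model in one sentence: the script proves each key in runc.keyring is currently published under a maintainer's GitHub account, i.e. it anchors on GitHub's account-to-key binding at validation time, not on an independent fingerprint record.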
@@ -28,15 +28,21 @@ # Log something to stderr. function log() { - echo "[*] $*" >&2 + echo "[*]" "$@" >&2 } # Log something to stderr and then exit with 0. -function bail() { +function quit() { log "$@" exit 0 } +# Log something to stderr and then exit with 1. +function bail() { + log "$@" + exit 1 +} + # Conduct a sanity-check to make sure that GPG provided with the given # arguments can sign something. Inability to sign things is not a fatal error. function gpg_cansign() { 
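Review bot: in the release_sign.sh hunk at @@ -28,15 +28,21 @@, `bail` changes meaning from exit 0 to exit 1 and the old soft-exit behaviour moves to a new `quit`; the only caller updated in this patch is the `gpg_cansign ... || quit` line in the later hunk, so please grep the unchanged remainder of the script for other `bail` calls that relied on the old "skip signing, exit 0" semantics, since they would now abort the release. Keeping `bail` as the soft exit and adding a new name for the hard one would avoid the silent change of meaning altogether.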
@@ -86,17 +92,47 @@ log " key: ${keyid:-DEFAULT}" log " hash: $hashcmd" -# Make explicit what we're doing. -set -x - # Set up the gpgflags. gpgflags=() [[ "$keyid" ]] && gpgflags=(--default-key "$keyid") -gpg_cansign "${gpgflags[@]}" || bail "Could not find suitable GPG key, skipping signing step." +gpg_cansign "${gpgflags[@]}" || quit "Could not find suitable GPG key, skipping signing step." + +# Make explicit what we're doing. +set -x + +# Check that the keyid is actually in the $project.keyring by signing a piece +# of dummy text then verifying it against the list of keys in that keyring. +tmp_gpgdir="$(mktemp -d --tmpdir "$project-sign-tmpkeyring.XXXXXX")" +trap 'rm -r "$tmp_gpgdir"' EXIT + +tmp_runc_gpgflags=("--no-default-keyring" "--keyring=$tmp_gpgdir/$project.keyring") +gpg "${tmp_runc_gpgflags[@]}" --import <"$root/$project.keyring" + +tmp_seccomp_gpgflags=("--no-default-keyring" "--keyring=$tmp_gpgdir/seccomp.keyring") +gpg "${tmp_seccomp_gpgflags[@]}" --recv-keys 0x47A68FCE37C7D7024FD65E11356CE62C2B524099 +gpg "${tmp_seccomp_gpgflags[@]}" --recv-keys 0x7100AADFAE6E6E940D2E0AD655E45A5AE8CA7C8A + +gpg "${gpgflags[@]}" --clear-sign <<<"[This is test text used for $project release scripts. $(date --rfc-email)]" | + gpg "${tmp_runc_gpgflags[@]}" --verify || bail "Signing key ${keyid:-DEFAULT} is not in trusted $project.keyring list!" + +# Make sure the signer is okay with the list of keys in the keyring (once this +# release is signed, distributions will trust this keyring). +cat >&2 <<EOF +== PLEASE VERIFY THE FOLLOWING KEYS == + +The sources for this release will contain the following signing keys as +"trusted", meaning that distributions may trust the keys to sign future +releases. Please make sure that only authorised users' keys are listed. + +$(gpg "${tmp_runc_gpgflags[@]}" --list-keys) + +[ Press ENTER to continue. 
] +EOF +read -r # Only needed for local signing -- change the owner since by default it's built # inside a container which means it'll have the wrong owner and permissions. -[ -w "$releasedir" ] || sudo chown -R "$USER:$GROUP" "$releasedir" +[ -w "$releasedir" ] || sudo chown -R "$(id -u):$(id -g)" "$releasedir" # Sign everything. for bin in "$releasedir/$project".*; do @@ -106,3 +142,18 @@ gpg "${gpgflags[@]}" --clear-sign --armor \ --output "$releasedir/$project.$hashcmd"{.tmp,} && mv "$releasedir/$project.$hashcmd"{.tmp,} + +# Verify that all the signatures and shasum are correct. +pushd "$releasedir" + +# Verify project-signed detached signatures. +find . -name "$project.*.asc" -print0 | xargs -0 -L1 gpg "${tmp_runc_gpgflags[@]}" --verify -- + +# Verify shasum. +"$hashcmd" -c "$project.$hashcmd" +gpg "${tmp_runc_gpgflags[@]}" --verify "$project.$hashcmd" + +# Verify seccomp tarball. +gpg "${tmp_seccomp_gpgflags[@]}" --verify libseccomp*.asc + +popd ++++++ runc.keyring ++++++ --- /var/tmp/diff_new_pack.tv0m0L/_old 2023-04-28 16:22:54.913851546 +0200 +++ /var/tmp/diff_new_pack.tv0m0L/_new 2023-04-28 16:22:54.917851570 +0200 @@ -5,6 +5,7 @@ sub rsa4096 2016-06-21 [E] [expires: 2031-06-18] -----BEGIN PGP PUBLIC KEY BLOCK----- +Comment: github=cyphar mQINBFdpGN0BEADMEmLpnUel7OI2SM8f88i7w0iRgJd4kOvF1z673+zWCgaw9QW8 ha7wAm/+3isas9IqlvGx61i6hbO7TFwcYi472VHhs4HP8jMtWytHHkjc3O9xlMc0 
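Review bot: in the `@@ -86,17 +92,47 @@` hunk, the two `gpg "${tmp_seccomp_gpgflags[@]}" --recv-keys 0x47A68FCE...` / `0x7100AADF...` calls introduce a keyserver network dependency at release time and have no `|| bail`, so on an unreachable keyserver the seccomp keyring is silently left empty and the failure only shows up at the final `--verify libseccomp*.asc`. Prefer vendoring those two public keys in the repository the same way `$root/$project.keyring` is imported, or at minimum append `|| bail "Could not fetch libseccomp signing keys"`. Two smaller points: `trap 'rm -r "$tmp_gpgdir"' EXIT` should be `rm -rf` so cleanup does not itself fail on whatever lock or socket files gpg leaves behind, and the `read -r` after the "PLEASE VERIFY THE FOLLOWING KEYS" prompt makes the script interactive, which is fine for a manual release but worth noting in the script's usage text so nobody wires it into an unattended job.

Review bot: in the `@@ -106,3 +142,18 @@` hunk none of the verification commands (`find ... | xargs -0 -L1 gpg ... --verify --`, `"$hashcmd" -c "$project.$hashcmd"`, and the two `gpg ... --verify` calls) have the `|| bail` that the earlier keyring check uses, so unless `set -e` is enabled somewhere outside the visible hunks a bad signature prints an error and the script still exits 0, which defeats the purpose of the self-check; append `|| bail "..."` to each. Separately, `gpg "${tmp_seccomp_gpgflags[@]}" --verify libseccomp*.asc` is only correct when the glob matches exactly one file: with several matches gpg treats the first argument as the signature and the rest as the signed data, and with no match the literal pattern is passed through. A loop such as `for f in libseccomp*.asc; do gpg "${tmp_seccomp_gpgflags[@]}" --verify "$f" || bail "..."; done` handles both cases. Expect `"$hashcmd" -c` to warn about improperly formatted lines, because the checksum file is clear-signed in the loop just above; that warning is benign and should not be "fixed" by adding `--strict`.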
@@ -68,3 +69,154 @@ =3/jE -----END PGP PUBLIC KEY BLOCK----- +pub ed25519 2019-06-21 [C] + C9C370B246B09F6DBCFC744C34401015D1D2D386 +uid [ultimate] Aleksa Sarai <cyp...@cyphar.com> +sub ed25519 2022-09-30 [S] [expires: 2024-09-29] +sub cv25519 2022-09-30 [E] [expires: 2024-09-29] +sub ed25519 2022-09-30 [A] [expires: 2024-09-29] + +-----BEGIN PGP PUBLIC KEY BLOCK----- +Comment: github=cyphar + +mDMEXQxvLxYJKwYBBAHaRw8BAQdArRQoZs9YzYtQIiPA1qdvUT8Q0wbPZyRV65Tz +QNTIZla0IEFsZWtzYSBTYXJhaSA8Y3lwaGFyQGN5cGhhci5jb20+iJAEExYIADgF +CwkIBwIGFQoJCAsCBBYCAwECHgECF4AWIQTJw3CyRrCfbbz8dEw0QBAV0dLThgUC +XQzCHwIbAQAKCRA0QBAV0dLThvUpAP9SwyOijLqEBz1A9pTqRAB0l/r+ABq+iUmH +UjMHO34LZAD/biRuAadaxIYJtmn7nKA55doyN2fQXhjArqypJ1SQywi4MwRdDMJS +FgkrBgEEAdpHDwEBB0B2IGusH7LuDH3hNT6JYM30S7G92FGogA6a9WQzKRlqvIh4 +BCgWCgAgFiEEycNwskawn228/HRMNEAQFdHS04YFAmM2ukUCHQEACgkQNEAQFdHS +04ZTQAEAjAT0fXVJHdRL6UMCxDYsgjG+QyH1mr7gKgbPvB8A5LgBAN4QDqCxIY3b +8+X4Ud3C9yLfkbcsdgctU3fO/jHpKVIIiO8EGBYIACAWIQTJw3CyRrCfbbz8dEw0 +QBAV0dLThgUCXQzCUgIbAgCBCRA0QBAV0dLThnYgBBkWCAAdFiEEsWZunbXxPIMS +y32KnZS5YyG50BIFAl0MwlIACgkQnZS5YyG50BLusQD/aPjX4NhlSYgzNV2x31aw +x5AxTp+18xoQDwaU123grDgA/2B73RiaTO2boRK5UETxx6awdsA51hZubxo4LyxG +SP8IW5gA/2JWrDg+7cSQrS71gHmtqvz0se+D7zmWdcnN8O3LoUZeAQDW3Pkq0cru +YVbsXiTwzenLPUJrjGBAVaoFmYqFUelFDLg4BF0MwmoSCisGAQQBl1UBBQEBB0BL +FI5mD555F7t6dovnw4DW19nkG/g/Vd5Zb/7qhMLWagMBCAeIeAQoFgoAIBYhBMnD +cLJGsJ9tvPx0TDRAEBXR0tOGBQJjNrpFAh0BAAoJEDRAEBXR0tOGgPkA/1Z69M4e +qU3ZM7czYOHKAbNHiRuAqzc6o90WBJLhgFJmAQCcKmpnnnTpbnGoXgkcRSr2y1wk +uId1oVRwfRbN9h94Doh4BBgWCAAgFiEEycNwskawn228/HRMNEAQFdHS04YFAl0M +wmoCGwwACgkQNEAQFdHS04aZWgD/d0gCCB7ytnRB9RBtns9RRrtGXOIrzzWKw+zx +za6Y2zgBANoj7CUeH0MygzZkgMrCmKPNnMxEnHJaTuYZA4yBixkIuDMEXQzCjRYJ +KwYBBAHaRw8BAQdAAiFh7AD1u/UhjVbGJkRflPhjHBKIsAuP4pkI/qjavwaIeAQo +FgoAIBYhBMnDcLJGsJ9tvPx0TDRAEBXR0tOGBQJjNrpFAh0BAAoJEDRAEBXR0tOG +AUgA/2ZDB3tCRBON1WjLBESkHZmNtplYcV03u/oshA/MVCzpAQDGusGcv/rf1ZI9 +o7lcWozXFlQDOM7eoT4avvWOVcsaD4h4BBgWCAAgFiEEycNwskawn228/HRMNEAQ 
+FdHS04YFAl0Mwo0CGyAACgkQNEAQFdHS04ajxQEAsZf1yDORUVYicREc/7z0U+51 +DJzeAexeJTYM+N+x13EA/0Ex+o7qQ7dZLGDn7x4LSbd39C+++suHsEaE4XwlX6cH +uDMEYza6SxYJKwYBBAHaRw8BAQdAE3s7dZQFuImQX2tWshIdGjeUKZc7rlMcrZ6+ +q25gaH2I9QQYFgoAJhYhBMnDcLJGsJ9tvPx0TDRAEBXR0tOGBQJjNrpLAhsCBQkD +wmcAAIEJEDRAEBXR0tOGdiAEGRYKAB0WIQS2TklVsp+j1GPyqQYol/rSt+lEbwUC +Yza6SwAKCRAol/rSt+lEb9obAQC8ij4yJTU7ZcAtTx2ZMjj8EoruGb3ku6VpRyx1 ++pyQQgD/QgQ7X1G7xtwuVpY0kHYga1yoKLA2ycT8F8PrVtF7pAMWkgD9EWe1E77C +BVd//i3ib+h9ikCeJ+gaxc6aU24ZBcN2tfUBAJmCmYQ0VEbXyvCqkdJEQ4qk5Y9C +2V4w83dj4a5RYKUGuDgEYza6YBIKKwYBBAGXVQEFAQEHQKECW5Y7nUGCka0/WcCM +OerRY95Pm2DQVL76QzvhXD8tAwEIB4h+BBgWCgAmFiEEycNwskawn228/HRMNEAQ +FdHS04YFAmM2umACGwwFCQPCZwAACgkQNEAQFdHS04bkuwEA7AEL+iSPlA8/YILp +0sFMzmtRqTDMqx2BY8K5wEk9fusA/jAhbeJw57bZYvK4MghfUa9tRocyII84UmOA +cgDbPPIFuDMEYza6bhYJKwYBBAHaRw8BAQdAgHXd0yf6MPXJZCZ3TFz8xLymyPsD +TF2SQwwqM4+nYbeIfgQYFgoAJhYhBMnDcLJGsJ9tvPx0TDRAEBXR0tOGBQJjNrpu +AhsgBQkDwmcAAAoJEDRAEBXR0tOGB8UA/0wf8uECKMmXGQ4DNi+ei2E9Ft6GL8qw +UGjwM/EKH2RoAP9HNRRKBjDxs/AZ3pBx1Q8hnHELLo0kXPc+3BG6Pht5BA== +=KN4V +-----END PGP PUBLIC KEY BLOCK----- + +pub rsa2048 2020-04-28 [SC] [expires: 2025-04-18] + C2428CD75720FACDCF76B6EA17DE5ECB75A1100E +uid [ultimate] Kir Kolyshkin <kolysh...@gmail.com> +sub rsa2048 2020-04-28 [E] [expires: 2025-04-18] + +-----BEGIN PGP PUBLIC KEY BLOCK----- +Comment: github=kolyshkin + +mQENBF6ou34BCACow4f1kUqw0varU4pq+C91xhYeNb/0sGyFKCvYfiLY74yG8EXW +rZ8n06AYDHzPv9oubkUhnFk/u25kXQVgLB6Z5SKRBCiFq1QZirXeNJ8Iss8AwDBV +ppTSiCl8/x/gKoXiJ+7MyvOZozUavkVHdim1NKCzwD014VOB8RXz+heUjS+HDXY9 +2IknlaZg2oGpQe6weVmXmEhxERapG/y+/Vo6t8UfhSv0gEeM00/yWhBJKSYPtzMg +SbTL4jCsN/x0bq+ZNp4lunihVY5WqX+BGLcx7xPnJ0Rp9Ju1mAhKrbKUmOG3rkWu +DIJuVP8HQfCoffsBLUKQ0V4fh18kfq1bo3JvABEBAAG0I0tpciBLb2x5c2hraW4g +PGtvbHlzaGtpbkBnbWFpbC5jb20+iQFUBBMBCAA+AhsDBQsJCAcCBhUKCQgLAgQW +AgMBAh4BAheAFiEEwkKM11cg+s3PdrbqF95ey3WhEA4FAmRAbOgFCQlaGGoACgkQ +F95ey3WhEA6dRQf+P+OHI3QiZu3TnrNBTsf+V8HhFBWKqafrjKbIE1A5HOHzcK2F 
+t2afYG+MZQILwSuCQOObgr3o7hGlqkwMwGtHt5nqG6/Z0bmkowG4JJmYIg9FhvQW +JEm/7lSBtxvFkw05H90UlzCM7AigD+PrLs96Zb0+FqdzEDWTMJeU7yYUFRNbXEu3 +wqpOZpHlYCJGKzFJBbGxYphlmljexRlWdZPwACKg7lBsVkM8JDPGxmmEe7/5tXPt +Oa1yS13SleLv4muHH3KO3cgJGqBfY/XIExZUQUF0GdL0yppBDbn0oZ/wvRuibCR0 +1P7rW88csSjAjhNjja4v/zWleSIpyWVi8IvYLLkBDQReqLt+AQgAtKUDLyUFxQ9k +p8OwI/MsPTLLoYfjilJaXnmtzQjGYFrEuU3lt7omRUBldNChkjGghEukGTq0RD7Z +s6Qv5PM5dtOypPJM0lmz2j7seun3AfDV44h/bjOFwTUjab3Nr9fQ52qESmRS03ik +6+5YNwq2D/+2kHVJ2vkUoo6KvioA1vPU311oW/Yfky8dLS5NguikE3to6YElWW38 +oqFUVdMScCbf9a6CPXSQEz/rH4TgAhwyTo6oegv+8L/szGFy5ToNGiA0D45HcFDc +yXs1d+b3bYRuGfC1l/z+WZWwbeHt1fKEQ8pCLDLRre5y0hPRHeN2CG4U7iyI5B5h +8LITPcZ66wARAQABiQE8BBgBCAAmAhsMFiEEwkKM11cg+s3PdrbqF95ey3WhEA4F +AmRAbRQFCQlaGJYACgkQF95ey3WhEA7vywf9FFTeRgNji8ZIPMM2vIlns+CMkP5R +uXakU6Q0O6Wmbb/ULOkobTqJ/Jcze8OuembuU3V6MiOQKgUIDrN7itjnJPQBneKT +iqJdPK8KOiGIzqa0aRekvOu2nCz9n87Bf48pviH922yfs8gXYRCUnSV/i7/p+N8r +5Fy7dJen5SXksN2/rUCEgU9FD17l2uMAoQbRqZg74/GwSDLnhrZ9eMrbPnguSQF4 +S1NPMeS7+G/gPN9Ze9qFmOF2p57cmEa+8mriZCYY3BcUBOiMOV5HSBKJwqA2M8au +2dAKmFWb/G+K/dgBdkAulQ/BfCpwgFmmgJ5dAeaS3y8Xd86aBE0/eLCrhQ== +=GkpD +-----END PGP PUBLIC KEY BLOCK----- + +pub rsa3072 2019-07-25 [SC] [expires: 2023-11-02] + C020EA876CE4E06C7AB95AEF49524C6F9F638F1A +uid [ultimate] Akihiro Suda <akihiro.suda...@hco.ntt.co.jp> +uid [ultimate] Akihiro Suda <suda.ky...@gmail.com> +sub rsa3072 2019-07-25 [E] [expires: 2023-11-02] + +-----BEGIN PGP PUBLIC KEY BLOCK----- +Comment: github=AkihiroSuda + +mQGNBF06GR8BDADEpCHv9HzGbqzQ2RAqTWBGHUNsiHD89NVmbXx4nw56odXf5mAK +QHxyh9tKkt0BIaKMLcxcU6+GXP5iSLdHnQvnxxbR0gW3CJ8bIWPUflE4hjv8QLbc +5CSpqa3d7/tsntVYNLPFs6B0acTXB4YLK+u2aC42US6by5zO4KS+8/7RyXhdkYGY +wy6dCU1ysnuG4QstxlObKJUtxcW/9vQkF/ZdqaqLf6HHL/kMasWUxWG1uvf+V/MO +BRKu7zBW290XDE5Dd9DomyX4q2kqoWQBkpvkJlVsKWpW+AXnBizbVD+pX90VEQmk +Tvnr6U9OiArS6m2yVwZlu836l2yo3tX2tsgTNn8gtZugO4Qb3iZnDUexqgCwnLBx +dsyq4W565jNRV/HWRUMR+LDIS1KiEalzDoID3aUXRHHLUQG0oqX8jqFJUqp1P9pO 
+9nezuUDg8SsaBg8O4tyv/CZq/FeF3RMMc2EHTiO8HTERqmRMxUFZv3bkgA4GnjnA +3wsZhLXQq+UaIJUAEQEAAbQsQWtpaGlybyBTdWRhIDxha2loaXJvLnN1ZGEuY3pA +aGNvLm50dC5jby5qcD6JAdQEEwEKAD4CGwMFCwkIBwIGFQoJCAsCBBYCAwECHgEC +F4AWIQTAIOqHbOTgbHq5Wu9JUkxvn2OPGgUCYYDT5gUJCAkhxwAKCRBJUkxvn2OP +GiHnC/wOqAvEcRmpKjqx4QUNkE34oGwiPgV5vyDlQElvBzyazQEcIdt9xaIE+4IS +7L7L6Q7WOGxWCvmRZ58E32m4RB1F8L7XQW0l3f6jESYLGPb6XDloux5poJzGxaGK +9gd6ItNmjOCmt08Icv0ZVTvKv20ej71aepllE5UaM9p5AlEwLkzQxPoGpB7E1Sdy +citRg6YEqTY+i5IeZ5xMthWXcushyLRRvm43DwbPsuZHVC1yMfo5VrF9JE65BdE9 +dIsCrZDnde/jUm4pAAwyAKSLLRVgj4xVP0XIdO2nVXDBWp9z4gUt/gMjuutO1a2U +Xw+XhkirUb2C++L0KvVBMbU303Q+xV/iaYjAuFjNy94HZms0iTBTB4qFHT4ClYHi +mNwTgfwRclpywkHzDi8496hsyzoVCeHSsu+ScDE1qAw6zrxASZXevYhhB2aBLr1s +d58WsYA37iXTEO4Hxm5V0Wh110hlCGFwcN8vWNhMCdIj7JN8nWZQNLZyppN7bCDu +FX8cE260I0FraWhpcm8gU3VkYSA8c3VkYS5reW90b0BnbWFpbC5jb20+iQHUBBMB +CgA+AhsDBQsJCAcCBhUKCQgLAgQWAgMBAh4BAheAFiEEwCDqh2zk4Gx6uVrvSVJM +b59jjxoFAmGA0+YFCQgJIccACgkQSVJMb59jjxoMJwwAgZxXa8DPoUWeazt5TIVX +omVcsor2J75CqPKlOjvSVXSnCzkBM1kYN2RwVjNivuIEUWPDOohvUvJxllkm7dxd +g+XfLL3/luB4B+R06n78339K0pu4+n5eDIF0UiNbfuGocqFtVBXuC0uj7ZWPJnZe +tdbspisggJ8Q2Im7mQPQRQZ1Q1qBlogxpeeDzyGkrLRusryfd8LwPz7/8I59pkwG +hkNm0+JbaDJ1NtFElX+XvPaOxfCB3ut94CUjac0DdkQNDX+i2ruZNAsIjEuxQbuT +UAc1ouv+R126SBqVdkRLtRw+d0DmAR7PiL37C8KjQa6s+H46jzhLDQ0a3frZdo2w +c1Sony8C60w9q8wpGjJjjelTimsEW8aa7e17xMVgZrawAOAPDuGvbRMGl6fla9T2 +ZYTF6QDzoeqB4VgL441yJm0c2/c6L8gz8ehCNGyqxtfFX+8OO4W3+p4a/mKP8MLz +9l04g71QkuAi3bF7bbrsWmagMXJJJWTHbizDLaytI/6nuQGNBF06GR8BDACxpQ9c +y72+/WZGon+CToNj+a24PiduyExfFv26E0D77ACS6UAC5jz71mSuLbHiauQ3MHj+ +786z4m4St8+HjDL9YrAe19MobxWsLHAFvBJ8UHfZdkLzBkIKPHz7TUqlhvFR13b6 +ZAZVZk975hgCT3LpzA1miHBY2E5WDpVa3pe94xshVHL3iVf9Jv1a4hmM+eu0gxX4 +iEw7RLq9LssTyjeuRVN23X+ojD4Mp3jQnPA+cjLF718KpCsw5r+tGZ98/5GZevmH +Qf6sg0b/k6/vkVveopeeH28zb/nnVuhgGSxcbiZUrFC9EfhX4/6NNFRhE300AjeF +bP7SoXx3qRhr993BDSP32r44hy+kYLhZP5K5oXivcITJZuGcJh49P4QuYGrnODIL +gEhedWeePcJXFcEz09teizlWKGzd+EA3uwYd/bQelflwXkGuCLaoNv4qcH3oJDp1 
+vYI0zT7hGvnz3thRLg3SOWFq5cBhnfNGXPLsoNZBzWGn2cm5MJYSKjIM470AEQEA +AYkBvAQYAQoAJgIbDBYhBMAg6ods5OBserla70lSTG+fY48aBQJhgNRTBQkICSI0 +AAoJEElSTG+fY48a3YML/3snhGBx/Xd0EcK0pzyvyivZwavlGsQPAF2c1Rj7Lr1i +eUrp6CZ/yW7/oAvlk6Ngc0SoWba/pgnz7bVQEc21JTY86M1bRLLh3fmYCx8YFbsR +43zVr2bxDledzKV3bIuWStWbljHECuNTT91907pc3r4jv+jN4ZaXVUQ9pXj0DrV+ +MTJVCo7nrEXiq6q1WqaUAV9dMQE3rWGFa2u45QCZGLckOu3cuSCU8CVxSScmxgII +bUBu17xDzQnDkdcEQzzkZtDOrwF76dPdlrW69PXtC9oElRJbGCERivqlrpKDagXI +h4eZYfcFb2gc0qZjblvfVHiot65WM9bUsSAUAEfskYqIGLshzV9MrxFYQYvgt3ym +Qs7D8ORJiphjaOvDeqVyGdPm/rN5SVMVGYpJX6EkZkHinV/kRChtuLAD7NQ3YH5O +5l+Ehze9Nm4laEXQC/tme9B1XH0PUBJk1x8NeoVrYCTnypVFfRw37mC9XBu5TF6U +ix7vx45U/EvZrqmkDrEFOQ== +=4+1P +-----END PGP PUBLIC KEY BLOCK----- + +
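Review bot: the `uid [ultimate]` annotations and the `Comment: github=...` lines in the `@@ -68,3 +69,154 @@` hunk are informational text outside the armored blocks, taken from the exporting maintainer's own trustdb; they carry no trust meaning for anyone importing this keyring and should not be read as a statement that the keys are ultimately trusted. Two of the new entries are short-lived: the Akihiro Suda key is listed as `[expires: 2023-11-02]`, and the signing/encryption/authentication subkeys of the Aleksa Sarai ed25519 key expire `2024-09-29`, so this file will need to be refreshed before a release signed after those dates, which matters because the signing script's prompt states that distributions will trust this keyring for future releases. The ed25519 key is a certify-only primary (`[C]`) with separate `[S]`/`[E]`/`[A]` subkeys, so release signatures will come from the `[S]` subkey; consumers must import the whole block, not just the primary key.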