Epic
Resolution: Unresolved
Add tests for PQC key handling in osbuild
To Do
image-builder-2
100% To Do, 0% In Progress, 0% Done
Background
Starting with RHEL 9.7 and 10.1, RHEL packages are signed with two keys: an RSA key and a PQC (post-quantum cryptography) key. Newer versions of rpmkeys can verify the PQC signature.
Any version of rpmkeys that understands PQC keys requires verification to succeed for both signatures, the RSA one and the PQC one; a PQC-aware rpmkeys cannot simply skip the PQC signature.
As of this writing:
- the version of rpmkeys in RHEL 10.1 supports PQC keys.
- the version of rpmkeys in RHEL 9.7 does not support PQC keys.
- some packages in both 9.7 and 10.1 are signed with PQC keys.
- RHEL 9.7 also ships an alternative rpmkeys, packaged as pqrpm, that does support PQC keys.
Problem: Building RHEL 9.7 on 10.1
- When osbuild builds the build pipeline (the build root), it uses the host rpm and rpmkeys (RHEL 10.1) to install and verify packages from RHEL 9.7 (the target distribution).
- When osbuild builds any other pipeline (any root tree, such as os or anaconda-tree), it uses the rpm and rpmkeys from the RHEL 9.7 build root to install and verify packages.
If we omit the PQC keys from the RHEL 9.7 repository configurations, the host's rpmkeys fails to verify the packages installed into the build root: any package signed with a PQC key fails verification, because the host (RHEL 10.1) rpmkeys recognizes the PQC signature but has no key to verify it against.
If we include the PQC keys in the RHEL 9.7 repository configurations, the host's rpmkeys imports them and verifies the packages signed with them. However, the rpmkeys in the build root (RHEL 9.7) cannot import the PQC key from the same repository configurations, and the import error fails the stage for every later pipeline.
Solutions
The org.osbuild.rpm stage has been updated with two new options:
- rpmkeys.bin_path: the path of the rpmkeys binary to run. This lets us install pqrpm in the build root and use its rpmkeys when necessary.
- rpmkeys.ignore_import_failures: ignore errors when importing keys into the rpm database, so the stage continues and verification proceeds with whatever keys did import.
These options allow us to include the PQC keys in the RHEL 9.7 repository configurations and to configure the rpm stages of a RHEL 9.7 build as follows:
- In the build pipeline, set rpmkeys.ignore_import_failures = true.
  - On a RHEL 10.1 host this should have no effect, since no key should fail to import.
  - On a RHEL 9.7 host, importing the PQC keys fails and the failure is ignored. Package verification still succeeds, because the 9.7 rpmkeys does not understand PQC signatures and ignores them.
- Include the pqrpm package in the build root.
- In the os (and every other) pipeline, set rpmkeys.bin_path = "/usr/lib/pqrpm/bin/rpmkeys". This uses the pqrpm rpmkeys from the build root both to import the PQC keys and to verify the packages signed with them.
This makes the RHEL 9.7 manifests host-independent: the same manifest builds on a RHEL 9.7 host and on a RHEL 10.1 host, so manifests do not need to be generated differently per host.
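The manifest layout this scheme produces, as an added example that is not osbuild's or image-builder's own code. Only the two option names and the pqrpm path come from the text above; the nesting of the options under a stage's options["rpmkeys"], the convention that the build-root pipeline is the one carrying "runner", the runner name, the key blocks and the check function are assumptions and placeholders. The check encodes the two rules: the build-root pipeline (run with the host rpmkeys) must tolerate import failures, and every other pipeline (run with the build-root rpmkeys) must point at the pqrpm binary.

```python
"""Added example (not osbuild or image-builder code): the RHEL 9.7 manifest
shape described above, plus a check that each org.osbuild.rpm stage carries
the PQC-related rpmkeys option appropriate to its pipeline.

Assumptions, since the text does not show the stage schema or a full manifest:
  * the options nest as options["rpmkeys"]["ignore_import_failures"] and
    options["rpmkeys"]["bin_path"], mirroring the dotted names in the text;
  * the build-root pipeline is the one carrying a "runner" key; the other
    pipelines reference it through "build";
  * runner name, key blocks and stage inputs are placeholders.
"""
import copy

PQRPM_RPMKEYS = "/usr/lib/pqrpm/bin/rpmkeys"   # path given in the text
RPM_STAGE = "org.osbuild.rpm"

# Constructed manifest fragment with placeholder keys; package inputs omitted.
MANIFEST = {
    "version": "2",
    "pipelines": [
        {
            "name": "build",
            "runner": "org.osbuild.rhel97",          # assumed runner name
            "stages": [
                {
                    "type": RPM_STAGE,
                    "options": {
                        "gpgkeys": ["<RSA key placeholder>", "<PQC key placeholder>"],
                        # The host rpmkeys imports these. On a RHEL 9.7 host the
                        # PQC key is rejected; the stage must carry on regardless.
                        "rpmkeys": {"ignore_import_failures": True},
                    },
                }
            ],
        },
        {
            "name": "os",
            "build": "name:build",
            "stages": [
                {
                    "type": RPM_STAGE,
                    "options": {
                        "gpgkeys": ["<RSA key placeholder>", "<PQC key placeholder>"],
                        # The build root's stock 9.7 rpmkeys cannot import PQC
                        # keys, so use the pqrpm binary installed in the build root.
                        "rpmkeys": {"bin_path": PQRPM_RPMKEYS},
                    },
                }
            ],
        },
    ],
}


def is_build_pipeline(pipeline):
    """Assumed convention: the build-root pipeline has "runner", the rest have "build"."""
    return "runner" in pipeline


def rpm_stages(pipeline):
    return [s for s in pipeline.get("stages", []) if s.get("type") == RPM_STAGE]


def check_pqc_handling(manifest, pqrpm_path=PQRPM_RPMKEYS):
    """Return a list of problems; an empty list means the manifest follows the scheme.

    Whether pqrpm is actually in the build-root package set cannot be read from
    the manifest (package references are checksums), so that is not checked here.
    """
    problems = []
    for pipeline in manifest.get("pipelines", []):
        name = pipeline.get("name", "<unnamed>")
        for idx, stage in enumerate(rpm_stages(pipeline)):
            rk = stage.get("options", {}).get("rpmkeys", {})
            where = f"pipeline {name!r}, rpm stage {idx}"
            if is_build_pipeline(pipeline):
                # Host rpmkeys does the import; a 9.7 host fails on the PQC key.
                if rk.get("ignore_import_failures") is not True:
                    problems.append(f"{where}: rpmkeys.ignore_import_failures must be true")
            else:
                # Build-root rpmkeys does the import; only pqrpm's can take PQC keys.
                if rk.get("bin_path") != pqrpm_path:
                    problems.append(f"{where}: rpmkeys.bin_path must be {pqrpm_path}")
    return problems


def without_rpmkeys_options(manifest):
    """The same manifest with the new options stripped: the pre-fix shape."""
    stripped = copy.deepcopy(manifest)
    for pipeline in stripped["pipelines"]:
        for stage in rpm_stages(pipeline):
            stage.get("options", {}).pop("rpmkeys", None)
    return stripped


if __name__ == "__main__":
    print("fixed manifest:", check_pqc_handling(MANIFEST) or "ok")
    for problem in check_pqc_handling(without_rpmkeys_options(MANIFEST)):
        print("pre-fix manifest:", problem)
```

Running the check over the pre-fix shape reports one problem per pipeline, which is the pair of failures the Problem section describes: the build root cannot survive a PQC key import on a 9.7 host, and the os tree cannot import the PQC key with the stock 9.7 rpmkeys. A check of this kind could sit beside the integration builds listed under Tasks as a cheap guard that generated manifests keep the two options in the right pipelines.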
Tasks
Add tests to osbuild that cover the above issues and their solutions.
1. Build a RHEL 9.7 manifest on RHEL 10.1 with the solution described above.
2. Build a RHEL 9.7 manifest on RHEL 9.7 with the solution described above.
3. Build a RHEL 9.7 manifest on Fedora 43 with the solution described above.
4. Build a RHEL 10.1 manifest on Fedora 43 with the solution described above.
Cases 3 and 4 are less critical, but important to verify.