mirror of
https://github.com/opencontainers/runc.git
synced 2026-07-11 06:03:57 +08:00
Merge pull request #3838 from cyphar/1.1-release-gpgkeys
[1.1] release: add runc.keyring file
This commit is contained in:
@@ -11,6 +11,12 @@ env:
|
||||
GO_VERSION: 1.19.x
|
||||
|
||||
jobs:
|
||||
keyring:
|
||||
runs-on: ubuntu-22.04
|
||||
steps:
|
||||
- uses: actions/checkout@v3
|
||||
- name: check runc.keyring
|
||||
run: make validate-keyring
|
||||
|
||||
lint:
|
||||
runs-on: ubuntu-20.04
|
||||
|
||||
@@ -160,9 +160,12 @@ verify-dependencies: vendor
|
||||
|| (echo -e "git status:\n $$(git status -- go.mod go.sum vendor/)\nerror: vendor/, go.mod and/or go.sum not up to date. Run \"make vendor\" to update"; exit 1) \
|
||||
&& echo "all vendor files are up to date."
|
||||
|
||||
validate-keyring:
|
||||
script/keyring_validate.sh
|
||||
|
||||
.PHONY: runc all recvtty sd-helper seccompagent static releaseall release \
|
||||
localrelease dbuild lint man runcimage \
|
||||
test localtest unittest localunittest integration localintegration \
|
||||
rootlessintegration localrootlessintegration shell install install-bash \
|
||||
install-man clean cfmt shfmt localshfmt shellcheck \
|
||||
vendor verify-changelog verify-dependencies
|
||||
vendor verify-changelog verify-dependencies validate-keyring
|
||||
|
||||
@@ -15,6 +15,8 @@
|
||||
|
||||
You can find official releases of `runc` on the [release](https://github.com/opencontainers/runc/releases) page.
|
||||
|
||||
All releases are signed by one of the keys listed in the [`runc.keyring` file in the root of this repository](runc.keyring).
|
||||
|
||||
## Security
|
||||
|
||||
The reporting process and disclosure communications are outlined [here](https://github.com/opencontainers/org/blob/master/SECURITY.md).
|
||||
|
||||
+221
@@ -0,0 +1,221 @@
|
||||
pub rsa4096 2016-06-21 [SC] [expires: 2031-06-18]
|
||||
5F36C6C61B5460124A75F5A69E18AA267DDB8DB4
|
||||
uid [ultimate] Aleksa Sarai <asarai@suse.com>
|
||||
uid [ultimate] Aleksa Sarai <asarai@suse.de>
|
||||
sub rsa4096 2016-06-21 [E] [expires: 2031-06-18]
|
||||
|
||||
-----BEGIN PGP PUBLIC KEY BLOCK-----
|
||||
Comment: github=cyphar
|
||||
|
||||
mQINBFdpGN0BEADMEmLpnUel7OI2SM8f88i7w0iRgJd4kOvF1z673+zWCgaw9QW8
|
||||
ha7wAm/+3isas9IqlvGx61i6hbO7TFwcYi472VHhs4HP8jMtWytHHkjc3O9xlMc0
|
||||
CfekjIpoR1CffYtCvkLr8/f74jHNRfqsmZ1Oxa9GjbhgDnbw4Baztp6WctzMXyOJ
|
||||
j5bJuSfQTcgFbIeQ27zx7gNjbnHyEP5TEm1/CeoWpGPpZLJPiKHdI/TBCyFexHJ0
|
||||
IlabKc4DC43RZyh0Btuf+FiX9K2NkoCC7l5nQdde8B6YG7SA6xEhwhQ73bSs7A56
|
||||
rlZxfIFmLCB/81FyXk5eH0Eu9Lbwj69YQ81EdkLnLAyP3ZB+MRGuiWVD88Jr1He2
|
||||
25m3dxTVzaP0TAV4LqdbuqTwr2wagu9MZQ5XXDiaEuiPwTrO10xlmivOjRaWxoWA
|
||||
E0I3fOdrzqfg9XK6g1pG23v2WhHFIejqVCXrf5oPcCd62lGeh0ghEdNN89ikXbka
|
||||
1PJRiWI3uDQ6STSKa+6uC5eUM7tK/ymqS8JYSQf4d3eIaC2H403psPt5kbq1bHdx
|
||||
nRPX2eh/t1QzR1dhPxzai4CzLERIYJ9iD4nGiSscwy0P44AgyeuywSg4qXzr9Sfe
|
||||
igOj+6lfJb3iZRN3dKLTRAKWvo7yfdi/UOycodlaQyW8v0yXAx7Yh1NgJQARAQAB
|
||||
tB1BbGVrc2EgU2FyYWkgPGFzYXJhaUBzdXNlLmRlPokCPQQTAQgAJwUCV2kY3QIb
|
||||
AwUJHDIEgAULCQgHAgYVCAkKCwIEFgIDAQIeAQIXgAAKCRCeGKomfduNtGecEACZ
|
||||
JLVdeKHKsSUqTLOjbC6t9uKfKlNpu+iQ2/TS9YazLWXoFEc8f/uWB8BpHcJBFrqz
|
||||
j+mI34ShEkbbNJArxR76njnAtPF+73GiD0dAjRDWz8YtQgSg5UhYm6O2Si/EM4I8
|
||||
TDzflyjaZltCkDe2U+2T8dTkYxqOi11IuCukPBNe0moxGKvLGPWEqZQMPCfBgllD
|
||||
lv2Toiry2Fp1bkBlT6hk0C684rfAwzPQuH0BBv8vgfgroRMJg/qfZb64lhMCXaPr
|
||||
rCtVHP+F1bVXKZCBCt7ETTtcteUEKaFmGgDGpXGnIqPL5iWLK5u8DQL/1lGcinj9
|
||||
QdD9IUNqsrsNAbdyMMqQvZKQwIVDgFMXrCwSRymOi6cppN7eF0VyFN7YsATttRGx
|
||||
CZBoSMhVW6VVxuJFGaQWFXWthVGVEd2jkvny1TX8Nm8KBHC2G/wNVU3pKrCPhMCt
|
||||
rYc8xWZ+6uisQ6XWs8H4nyBOVN6RvhIqqXJL1nvViOSFMLSDyFgPA16368krgxYE
|
||||
pVDvie04aDjKZj2/0LSogNQPqZxs8uKIjLZ1NYQQmCQ8Dx9/nshg1wbyDD/c///M
|
||||
EmVFmZhlNLZ8tV/iTlwfD/4vjbeaAQTVanhPFRbUtmL/iuz5f0gH0b0xc+mc+yQ1
|
||||
egjBwMuKr+h7jbSXIWoFGZLrqT3WswTg0Khk6oEL57QeQWxla3NhIFNhcmFpIDxh
|
||||
c2FyYWlAc3VzZS5jb20+iQI9BBMBCAAnBQJXaRngAhsDBQkcMgSABQsJCAcCBhUI
|
||||
CQoLAgQWAgMBAh4BAheAAAoJEJ4YqiZ924202mIQAIjGrikF7OPBCbV5Oo4oC0QQ
|
||||
7HcG+DM9cN6UcFO+rzWQxZ/atEpiULa4O3YKoGOkSV5WAjUpaY5Rf7Obt3EjgrwE
|
||||
PhtGvOpC6kkkTV43RmmK06CxHiZPrUJBwcpbW1rf2JZx7PPBMbZfsmWdVZc+LjzC
|
||||
D3KtJ7xhzT0mi+zN5ONNHody6sDQO6n0mN+bRVxiVdcxwjYHfJYGobI6aaKyupvl
|
||||
+xCGK4ekzNCVzaxudzqmbFE6qk+cWcvcA8HpggA63rCvCLfK1embNOtqzKAcJh1o
|
||||
cJvrtpe18qBvd4yXFWEqQBW6IoDLvdzaLY7eNMI97UDInciz/GUtbxhqbs1lAOBz
|
||||
V1y9fi0+NIIq1qmhbLxpUFC2BWsZRuWEqYWdr4FFJCuYEEXX6KXM7d9CSdWlErCU
|
||||
mqKYsx6X4E7Iy1yupYbIqXRea9wBr8aPoFk+gLdNbCWAE4o7InKJY1uqOt141ffs
|
||||
+6XJe2wVvA2xLr0ZphlcyF0EHZX8tMWLCYdQJdLMps2hl5oFpi7ccdM1GpE/Kwt5
|
||||
pEBqsJ6vP59BsbmciYmNkYKvFIKJcasImglQP6nrQiBwjTd7fYXpMDeO0yNtklaZ
|
||||
IZlbNvxOe1TqbRzfVFk3oSBbEaFzPAx/W0uU1evZynpu2PcIvOuadScc9j0jMzt8
|
||||
0wknTD5AqhD/fkfZlwRouQINBFdpGN0BEADfqvO6AkGOWf+lcQZfWBMSMpzneCCS
|
||||
JvQvD65VrFt0CCbSlJv1pc3GwLlL2dMulIxQGg0JMTjfPZcCYqrnOcWe0gedETRV
|
||||
nOucY7zWmohR7L70YWwh46FlAPifY6bIIYGYTHyI9w1adS9K4tAJW/XS0WrvZ5KA
|
||||
l7htrAzUAsMhag9y9jtQJVPLErGJta3jZJASs8PZWWmLYZE+oy1R3W52w/HqGQHS
|
||||
8BPgo4oL+lrjPmjAwouhhNETTq9W2xmCe18EJodOjNKdF5ODOq1LOkPNHIaIdG0s
|
||||
sY3qbifcRLVDvSmb8++4WRYl1HLy2vpsTQ31mZ3KyRKR6cP61ivTZy8idwD+Qt1t
|
||||
3uKTCGNZj96OCob8ZeZsak6enuFZleVbLty1eULIw/IZuq8g6E+/V7mbFo4vkXMN
|
||||
q4YrX0Q3XEzB8Cdxd5vsnz7Uga35j44gwJ+BUsCyaRUyGzLqhUWHJS73Vy3IxHfX
|
||||
Rj7TQUBFYDKbOS9oKearmvTb1SQzH7NM5jQUFzXeJQE03jetRneNQ5hkh9UhUr64
|
||||
gtRnnKXTimXkczEMU9eDSTgQoaebdPnWEnzoStS5ln03zH+CNTQF9qjcpYBrJ2mZ
|
||||
wnxO9OP/45KQL4hPAi2+hGkq2yjuIzeCkFJabAc7sF6lwJqH82XtiIIR+AGTM8QC
|
||||
Eno0eqAytg8YawARAQABiQIlBBgBCAAPBQJXaRjdAhsMBQkcMgSAAAoJEJ4YqiZ9
|
||||
2420AuIP/1PYZDKFLv//+iY6Z9xGz4zHL+9nWND/Kll3xHeuWjYGZ2nmcovSnEW4
|
||||
0eiMn1c6KMgs/CCR4+9bm7MdgaF73pjM4xzHBIBetLLkcKQIrniX2Fq+WgscJfFx
|
||||
+0ha7Xb2TTpSy8PRiYHowVUaMPwyqSsAUwrSenLuwyiKr+EW4Wzo+YM2w9a86yw1
|
||||
GfWuiyk0Z4sGoPoPEjmD4y6Xlf8kIfuZeb+joHd6W1nMf7cxDkNLQqX6sWvs62Tv
|
||||
Lsx2jApPKD2PyTyyxItJKc6NXFVM+Uww323ZYVWMkz+VKalHRiv6xzGqArhpAIH6
|
||||
fn+1WjjqkrrLU4I7smjlulZCy/NZLOKqQYaqM+7BgC2mOPMb5CM99cg4SrK86dFr
|
||||
3Cf22+OTmC6/Wb5Gu4PzTzkYIJDnt3BJQYjJlp4zyOHluN6notrWagLIB06oX+jQ
|
||||
pxGySHW++Cha/JCUb0mfeHIJKvRor3v7YaSJoFIo//rz6XJ9WVZfsKnOte/3s9m7
|
||||
qkEvLArbe2o7pUJ2mxZZw/nAk/Y39FYAMvgMA9f+uv18O7u+ojYjS6DlrmNuIEg/
|
||||
mp8FqVxVNdIS2capSF4+eOn3a4kcF0018xbTLA2AwQ2o9eF5G9qTdSVrN865VPCd
|
||||
KWr9ByCKAwVHsaSgVSJE/dse4f1toqeEHHbWk682U4RqOWZR4bA0
|
||||
=3/jE
|
||||
-----END PGP PUBLIC KEY BLOCK-----
|
||||
|
||||
pub ed25519 2019-06-21 [C]
|
||||
C9C370B246B09F6DBCFC744C34401015D1D2D386
|
||||
uid [ultimate] Aleksa Sarai <cyphar@cyphar.com>
|
||||
sub ed25519 2022-09-30 [S] [expires: 2024-09-29]
|
||||
sub cv25519 2022-09-30 [E] [expires: 2024-09-29]
|
||||
sub ed25519 2022-09-30 [A] [expires: 2024-09-29]
|
||||
|
||||
-----BEGIN PGP PUBLIC KEY BLOCK-----
|
||||
Comment: github=cyphar
|
||||
|
||||
mDMEXQxvLxYJKwYBBAHaRw8BAQdArRQoZs9YzYtQIiPA1qdvUT8Q0wbPZyRV65Tz
|
||||
QNTIZla0IEFsZWtzYSBTYXJhaSA8Y3lwaGFyQGN5cGhhci5jb20+iJAEExYIADgF
|
||||
CwkIBwIGFQoJCAsCBBYCAwECHgECF4AWIQTJw3CyRrCfbbz8dEw0QBAV0dLThgUC
|
||||
XQzCHwIbAQAKCRA0QBAV0dLThvUpAP9SwyOijLqEBz1A9pTqRAB0l/r+ABq+iUmH
|
||||
UjMHO34LZAD/biRuAadaxIYJtmn7nKA55doyN2fQXhjArqypJ1SQywi4MwRdDMJS
|
||||
FgkrBgEEAdpHDwEBB0B2IGusH7LuDH3hNT6JYM30S7G92FGogA6a9WQzKRlqvIh4
|
||||
BCgWCgAgFiEEycNwskawn228/HRMNEAQFdHS04YFAmM2ukUCHQEACgkQNEAQFdHS
|
||||
04ZTQAEAjAT0fXVJHdRL6UMCxDYsgjG+QyH1mr7gKgbPvB8A5LgBAN4QDqCxIY3b
|
||||
8+X4Ud3C9yLfkbcsdgctU3fO/jHpKVIIiO8EGBYIACAWIQTJw3CyRrCfbbz8dEw0
|
||||
QBAV0dLThgUCXQzCUgIbAgCBCRA0QBAV0dLThnYgBBkWCAAdFiEEsWZunbXxPIMS
|
||||
y32KnZS5YyG50BIFAl0MwlIACgkQnZS5YyG50BLusQD/aPjX4NhlSYgzNV2x31aw
|
||||
x5AxTp+18xoQDwaU123grDgA/2B73RiaTO2boRK5UETxx6awdsA51hZubxo4LyxG
|
||||
SP8IW5gA/2JWrDg+7cSQrS71gHmtqvz0se+D7zmWdcnN8O3LoUZeAQDW3Pkq0cru
|
||||
YVbsXiTwzenLPUJrjGBAVaoFmYqFUelFDLg4BF0MwmoSCisGAQQBl1UBBQEBB0BL
|
||||
FI5mD555F7t6dovnw4DW19nkG/g/Vd5Zb/7qhMLWagMBCAeIeAQoFgoAIBYhBMnD
|
||||
cLJGsJ9tvPx0TDRAEBXR0tOGBQJjNrpFAh0BAAoJEDRAEBXR0tOGgPkA/1Z69M4e
|
||||
qU3ZM7czYOHKAbNHiRuAqzc6o90WBJLhgFJmAQCcKmpnnnTpbnGoXgkcRSr2y1wk
|
||||
uId1oVRwfRbN9h94Doh4BBgWCAAgFiEEycNwskawn228/HRMNEAQFdHS04YFAl0M
|
||||
wmoCGwwACgkQNEAQFdHS04aZWgD/d0gCCB7ytnRB9RBtns9RRrtGXOIrzzWKw+zx
|
||||
za6Y2zgBANoj7CUeH0MygzZkgMrCmKPNnMxEnHJaTuYZA4yBixkIuDMEXQzCjRYJ
|
||||
KwYBBAHaRw8BAQdAAiFh7AD1u/UhjVbGJkRflPhjHBKIsAuP4pkI/qjavwaIeAQo
|
||||
FgoAIBYhBMnDcLJGsJ9tvPx0TDRAEBXR0tOGBQJjNrpFAh0BAAoJEDRAEBXR0tOG
|
||||
AUgA/2ZDB3tCRBON1WjLBESkHZmNtplYcV03u/oshA/MVCzpAQDGusGcv/rf1ZI9
|
||||
o7lcWozXFlQDOM7eoT4avvWOVcsaD4h4BBgWCAAgFiEEycNwskawn228/HRMNEAQ
|
||||
FdHS04YFAl0Mwo0CGyAACgkQNEAQFdHS04ajxQEAsZf1yDORUVYicREc/7z0U+51
|
||||
DJzeAexeJTYM+N+x13EA/0Ex+o7qQ7dZLGDn7x4LSbd39C+++suHsEaE4XwlX6cH
|
||||
uDMEYza6SxYJKwYBBAHaRw8BAQdAE3s7dZQFuImQX2tWshIdGjeUKZc7rlMcrZ6+
|
||||
q25gaH2I9QQYFgoAJhYhBMnDcLJGsJ9tvPx0TDRAEBXR0tOGBQJjNrpLAhsCBQkD
|
||||
wmcAAIEJEDRAEBXR0tOGdiAEGRYKAB0WIQS2TklVsp+j1GPyqQYol/rSt+lEbwUC
|
||||
Yza6SwAKCRAol/rSt+lEb9obAQC8ij4yJTU7ZcAtTx2ZMjj8EoruGb3ku6VpRyx1
|
||||
+pyQQgD/QgQ7X1G7xtwuVpY0kHYga1yoKLA2ycT8F8PrVtF7pAMWkgD9EWe1E77C
|
||||
BVd//i3ib+h9ikCeJ+gaxc6aU24ZBcN2tfUBAJmCmYQ0VEbXyvCqkdJEQ4qk5Y9C
|
||||
2V4w83dj4a5RYKUGuDgEYza6YBIKKwYBBAGXVQEFAQEHQKECW5Y7nUGCka0/WcCM
|
||||
OerRY95Pm2DQVL76QzvhXD8tAwEIB4h+BBgWCgAmFiEEycNwskawn228/HRMNEAQ
|
||||
FdHS04YFAmM2umACGwwFCQPCZwAACgkQNEAQFdHS04bkuwEA7AEL+iSPlA8/YILp
|
||||
0sFMzmtRqTDMqx2BY8K5wEk9fusA/jAhbeJw57bZYvK4MghfUa9tRocyII84UmOA
|
||||
cgDbPPIFuDMEYza6bhYJKwYBBAHaRw8BAQdAgHXd0yf6MPXJZCZ3TFz8xLymyPsD
|
||||
TF2SQwwqM4+nYbeIfgQYFgoAJhYhBMnDcLJGsJ9tvPx0TDRAEBXR0tOGBQJjNrpu
|
||||
AhsgBQkDwmcAAAoJEDRAEBXR0tOGB8UA/0wf8uECKMmXGQ4DNi+ei2E9Ft6GL8qw
|
||||
UGjwM/EKH2RoAP9HNRRKBjDxs/AZ3pBx1Q8hnHELLo0kXPc+3BG6Pht5BA==
|
||||
=KN4V
|
||||
-----END PGP PUBLIC KEY BLOCK-----
|
||||
|
||||
pub rsa2048 2020-04-28 [SC] [expires: 2025-04-18]
|
||||
C2428CD75720FACDCF76B6EA17DE5ECB75A1100E
|
||||
uid [ultimate] Kir Kolyshkin <kolyshkin@gmail.com>
|
||||
sub rsa2048 2020-04-28 [E] [expires: 2025-04-18]
|
||||
|
||||
-----BEGIN PGP PUBLIC KEY BLOCK-----
|
||||
Comment: github=kolyshkin
|
||||
|
||||
mQENBF6ou34BCACow4f1kUqw0varU4pq+C91xhYeNb/0sGyFKCvYfiLY74yG8EXW
|
||||
rZ8n06AYDHzPv9oubkUhnFk/u25kXQVgLB6Z5SKRBCiFq1QZirXeNJ8Iss8AwDBV
|
||||
ppTSiCl8/x/gKoXiJ+7MyvOZozUavkVHdim1NKCzwD014VOB8RXz+heUjS+HDXY9
|
||||
2IknlaZg2oGpQe6weVmXmEhxERapG/y+/Vo6t8UfhSv0gEeM00/yWhBJKSYPtzMg
|
||||
SbTL4jCsN/x0bq+ZNp4lunihVY5WqX+BGLcx7xPnJ0Rp9Ju1mAhKrbKUmOG3rkWu
|
||||
DIJuVP8HQfCoffsBLUKQ0V4fh18kfq1bo3JvABEBAAG0I0tpciBLb2x5c2hraW4g
|
||||
PGtvbHlzaGtpbkBnbWFpbC5jb20+iQFUBBMBCAA+AhsDBQsJCAcCBhUKCQgLAgQW
|
||||
AgMBAh4BAheAFiEEwkKM11cg+s3PdrbqF95ey3WhEA4FAmRAbOgFCQlaGGoACgkQ
|
||||
F95ey3WhEA6dRQf+P+OHI3QiZu3TnrNBTsf+V8HhFBWKqafrjKbIE1A5HOHzcK2F
|
||||
t2afYG+MZQILwSuCQOObgr3o7hGlqkwMwGtHt5nqG6/Z0bmkowG4JJmYIg9FhvQW
|
||||
JEm/7lSBtxvFkw05H90UlzCM7AigD+PrLs96Zb0+FqdzEDWTMJeU7yYUFRNbXEu3
|
||||
wqpOZpHlYCJGKzFJBbGxYphlmljexRlWdZPwACKg7lBsVkM8JDPGxmmEe7/5tXPt
|
||||
Oa1yS13SleLv4muHH3KO3cgJGqBfY/XIExZUQUF0GdL0yppBDbn0oZ/wvRuibCR0
|
||||
1P7rW88csSjAjhNjja4v/zWleSIpyWVi8IvYLLkBDQReqLt+AQgAtKUDLyUFxQ9k
|
||||
p8OwI/MsPTLLoYfjilJaXnmtzQjGYFrEuU3lt7omRUBldNChkjGghEukGTq0RD7Z
|
||||
s6Qv5PM5dtOypPJM0lmz2j7seun3AfDV44h/bjOFwTUjab3Nr9fQ52qESmRS03ik
|
||||
6+5YNwq2D/+2kHVJ2vkUoo6KvioA1vPU311oW/Yfky8dLS5NguikE3to6YElWW38
|
||||
oqFUVdMScCbf9a6CPXSQEz/rH4TgAhwyTo6oegv+8L/szGFy5ToNGiA0D45HcFDc
|
||||
yXs1d+b3bYRuGfC1l/z+WZWwbeHt1fKEQ8pCLDLRre5y0hPRHeN2CG4U7iyI5B5h
|
||||
8LITPcZ66wARAQABiQE8BBgBCAAmAhsMFiEEwkKM11cg+s3PdrbqF95ey3WhEA4F
|
||||
AmRAbRQFCQlaGJYACgkQF95ey3WhEA7vywf9FFTeRgNji8ZIPMM2vIlns+CMkP5R
|
||||
uXakU6Q0O6Wmbb/ULOkobTqJ/Jcze8OuembuU3V6MiOQKgUIDrN7itjnJPQBneKT
|
||||
iqJdPK8KOiGIzqa0aRekvOu2nCz9n87Bf48pviH922yfs8gXYRCUnSV/i7/p+N8r
|
||||
5Fy7dJen5SXksN2/rUCEgU9FD17l2uMAoQbRqZg74/GwSDLnhrZ9eMrbPnguSQF4
|
||||
S1NPMeS7+G/gPN9Ze9qFmOF2p57cmEa+8mriZCYY3BcUBOiMOV5HSBKJwqA2M8au
|
||||
2dAKmFWb/G+K/dgBdkAulQ/BfCpwgFmmgJ5dAeaS3y8Xd86aBE0/eLCrhQ==
|
||||
=GkpD
|
||||
-----END PGP PUBLIC KEY BLOCK-----
|
||||
|
||||
pub rsa3072 2019-07-25 [SC] [expires: 2023-11-02]
|
||||
C020EA876CE4E06C7AB95AEF49524C6F9F638F1A
|
||||
uid [ultimate] Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
|
||||
uid [ultimate] Akihiro Suda <suda.kyoto@gmail.com>
|
||||
sub rsa3072 2019-07-25 [E] [expires: 2023-11-02]
|
||||
|
||||
-----BEGIN PGP PUBLIC KEY BLOCK-----
|
||||
Comment: github=AkihiroSuda
|
||||
|
||||
mQGNBF06GR8BDADEpCHv9HzGbqzQ2RAqTWBGHUNsiHD89NVmbXx4nw56odXf5mAK
|
||||
QHxyh9tKkt0BIaKMLcxcU6+GXP5iSLdHnQvnxxbR0gW3CJ8bIWPUflE4hjv8QLbc
|
||||
5CSpqa3d7/tsntVYNLPFs6B0acTXB4YLK+u2aC42US6by5zO4KS+8/7RyXhdkYGY
|
||||
wy6dCU1ysnuG4QstxlObKJUtxcW/9vQkF/ZdqaqLf6HHL/kMasWUxWG1uvf+V/MO
|
||||
BRKu7zBW290XDE5Dd9DomyX4q2kqoWQBkpvkJlVsKWpW+AXnBizbVD+pX90VEQmk
|
||||
Tvnr6U9OiArS6m2yVwZlu836l2yo3tX2tsgTNn8gtZugO4Qb3iZnDUexqgCwnLBx
|
||||
dsyq4W565jNRV/HWRUMR+LDIS1KiEalzDoID3aUXRHHLUQG0oqX8jqFJUqp1P9pO
|
||||
9nezuUDg8SsaBg8O4tyv/CZq/FeF3RMMc2EHTiO8HTERqmRMxUFZv3bkgA4GnjnA
|
||||
3wsZhLXQq+UaIJUAEQEAAbQsQWtpaGlybyBTdWRhIDxha2loaXJvLnN1ZGEuY3pA
|
||||
aGNvLm50dC5jby5qcD6JAdQEEwEKAD4CGwMFCwkIBwIGFQoJCAsCBBYCAwECHgEC
|
||||
F4AWIQTAIOqHbOTgbHq5Wu9JUkxvn2OPGgUCYYDT5gUJCAkhxwAKCRBJUkxvn2OP
|
||||
GiHnC/wOqAvEcRmpKjqx4QUNkE34oGwiPgV5vyDlQElvBzyazQEcIdt9xaIE+4IS
|
||||
7L7L6Q7WOGxWCvmRZ58E32m4RB1F8L7XQW0l3f6jESYLGPb6XDloux5poJzGxaGK
|
||||
9gd6ItNmjOCmt08Icv0ZVTvKv20ej71aepllE5UaM9p5AlEwLkzQxPoGpB7E1Sdy
|
||||
citRg6YEqTY+i5IeZ5xMthWXcushyLRRvm43DwbPsuZHVC1yMfo5VrF9JE65BdE9
|
||||
dIsCrZDnde/jUm4pAAwyAKSLLRVgj4xVP0XIdO2nVXDBWp9z4gUt/gMjuutO1a2U
|
||||
Xw+XhkirUb2C++L0KvVBMbU303Q+xV/iaYjAuFjNy94HZms0iTBTB4qFHT4ClYHi
|
||||
mNwTgfwRclpywkHzDi8496hsyzoVCeHSsu+ScDE1qAw6zrxASZXevYhhB2aBLr1s
|
||||
d58WsYA37iXTEO4Hxm5V0Wh110hlCGFwcN8vWNhMCdIj7JN8nWZQNLZyppN7bCDu
|
||||
FX8cE260I0FraWhpcm8gU3VkYSA8c3VkYS5reW90b0BnbWFpbC5jb20+iQHUBBMB
|
||||
CgA+AhsDBQsJCAcCBhUKCQgLAgQWAgMBAh4BAheAFiEEwCDqh2zk4Gx6uVrvSVJM
|
||||
b59jjxoFAmGA0+YFCQgJIccACgkQSVJMb59jjxoMJwwAgZxXa8DPoUWeazt5TIVX
|
||||
omVcsor2J75CqPKlOjvSVXSnCzkBM1kYN2RwVjNivuIEUWPDOohvUvJxllkm7dxd
|
||||
g+XfLL3/luB4B+R06n78339K0pu4+n5eDIF0UiNbfuGocqFtVBXuC0uj7ZWPJnZe
|
||||
tdbspisggJ8Q2Im7mQPQRQZ1Q1qBlogxpeeDzyGkrLRusryfd8LwPz7/8I59pkwG
|
||||
hkNm0+JbaDJ1NtFElX+XvPaOxfCB3ut94CUjac0DdkQNDX+i2ruZNAsIjEuxQbuT
|
||||
UAc1ouv+R126SBqVdkRLtRw+d0DmAR7PiL37C8KjQa6s+H46jzhLDQ0a3frZdo2w
|
||||
c1Sony8C60w9q8wpGjJjjelTimsEW8aa7e17xMVgZrawAOAPDuGvbRMGl6fla9T2
|
||||
ZYTF6QDzoeqB4VgL441yJm0c2/c6L8gz8ehCNGyqxtfFX+8OO4W3+p4a/mKP8MLz
|
||||
9l04g71QkuAi3bF7bbrsWmagMXJJJWTHbizDLaytI/6nuQGNBF06GR8BDACxpQ9c
|
||||
y72+/WZGon+CToNj+a24PiduyExfFv26E0D77ACS6UAC5jz71mSuLbHiauQ3MHj+
|
||||
786z4m4St8+HjDL9YrAe19MobxWsLHAFvBJ8UHfZdkLzBkIKPHz7TUqlhvFR13b6
|
||||
ZAZVZk975hgCT3LpzA1miHBY2E5WDpVa3pe94xshVHL3iVf9Jv1a4hmM+eu0gxX4
|
||||
iEw7RLq9LssTyjeuRVN23X+ojD4Mp3jQnPA+cjLF718KpCsw5r+tGZ98/5GZevmH
|
||||
Qf6sg0b/k6/vkVveopeeH28zb/nnVuhgGSxcbiZUrFC9EfhX4/6NNFRhE300AjeF
|
||||
bP7SoXx3qRhr993BDSP32r44hy+kYLhZP5K5oXivcITJZuGcJh49P4QuYGrnODIL
|
||||
gEhedWeePcJXFcEz09teizlWKGzd+EA3uwYd/bQelflwXkGuCLaoNv4qcH3oJDp1
|
||||
vYI0zT7hGvnz3thRLg3SOWFq5cBhnfNGXPLsoNZBzWGn2cm5MJYSKjIM470AEQEA
|
||||
AYkBvAQYAQoAJgIbDBYhBMAg6ods5OBserla70lSTG+fY48aBQJhgNRTBQkICSI0
|
||||
AAoJEElSTG+fY48a3YML/3snhGBx/Xd0EcK0pzyvyivZwavlGsQPAF2c1Rj7Lr1i
|
||||
eUrp6CZ/yW7/oAvlk6Ngc0SoWba/pgnz7bVQEc21JTY86M1bRLLh3fmYCx8YFbsR
|
||||
43zVr2bxDledzKV3bIuWStWbljHECuNTT91907pc3r4jv+jN4ZaXVUQ9pXj0DrV+
|
||||
MTJVCo7nrEXiq6q1WqaUAV9dMQE3rWGFa2u45QCZGLckOu3cuSCU8CVxSScmxgII
|
||||
bUBu17xDzQnDkdcEQzzkZtDOrwF76dPdlrW69PXtC9oElRJbGCERivqlrpKDagXI
|
||||
h4eZYfcFb2gc0qZjblvfVHiot65WM9bUsSAUAEfskYqIGLshzV9MrxFYQYvgt3ym
|
||||
Qs7D8ORJiphjaOvDeqVyGdPm/rN5SVMVGYpJX6EkZkHinV/kRChtuLAD7NQ3YH5O
|
||||
5l+Ehze9Nm4laEXQC/tme9B1XH0PUBJk1x8NeoVrYCTnypVFfRw37mC9XBu5TF6U
|
||||
ix7vx45U/EvZrqmkDrEFOQ==
|
||||
=4+1P
|
||||
-----END PGP PUBLIC KEY BLOCK-----
|
||||
|
||||
Executable
+37
@@ -0,0 +1,37 @@
|
||||
#!/bin/bash
|
||||
# Copyright (C) 2023 SUSE LLC.
|
||||
# Copyright (C) 2023 Open Containers Authors
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
set -Eeuxo pipefail
|
||||
|
||||
root="$(readlink -f "$(dirname "${BASH_SOURCE[0]}")/..")"
|
||||
keyring_file="$root/runc.keyring"
|
||||
|
||||
function bail() {
|
||||
echo "$@" >&2
|
||||
exit 1
|
||||
}
|
||||
|
||||
[[ "$#" -eq 2 ]] || bail "usage: $0 <github-handle> <keyid>"
|
||||
|
||||
github_handle="${1}"
|
||||
gpg_keyid="${2}"
|
||||
|
||||
cat >>"$keyring_file" <<EOF
|
||||
$(gpg --list-keys "$gpg_keyid")
|
||||
|
||||
$(gpg --armor --comment="github=$github_handle" --export --export-options=export-minimal,export-clean "$gpg_keyid")
|
||||
|
||||
EOF
|
||||
Executable
+108
@@ -0,0 +1,108 @@
|
||||
#!/bin/bash
|
||||
# Copyright (C) 2023 SUSE LLC.
|
||||
# Copyright (C) 2023 Open Containers Authors
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
set -Eeuo pipefail
|
||||
|
||||
project="runc"
|
||||
root="$(readlink -f "$(dirname "${BASH_SOURCE[0]}")/..")"
|
||||
|
||||
function log() {
|
||||
echo "[*]" "$@" >&2
|
||||
}
|
||||
|
||||
function bail() {
|
||||
log "$@"
|
||||
exit 1
|
||||
}
|
||||
|
||||
# Temporary GPG keyring for messing around with.
|
||||
tmp_gpgdir="$(mktemp -d --tmpdir "$project-validate-tmpkeyring.XXXXXX")"
|
||||
trap 'rm -r "$tmp_gpgdir"' EXIT
|
||||
|
||||
# Get the set of MAINTAINERS.
|
||||
readarray -t maintainers < <(sed -E 's|.* <.*> \(@?(.*)\)$|\1|' <"$root/MAINTAINERS")
|
||||
echo "------------------------------------------------------------"
|
||||
echo "$project maintainers:"
|
||||
printf " * %s\n" "${maintainers[@]}"
|
||||
echo "------------------------------------------------------------"
|
||||
|
||||
# Create a dummy gpg keyring from the set of MAINTAINERS.
|
||||
while IFS="" read -r username || [ -n "$username" ]; do
|
||||
curl -sSL "https://github.com/$username.gpg" |
|
||||
gpg --no-default-keyring --keyring="$tmp_gpgdir/$username.keyring" --import
|
||||
done < <(printf '%s\n' "${maintainers[@]}")
|
||||
|
||||
# Make sure all of the keys in the keyring have a github=... comment.
|
||||
awk <"$root/$project.keyring" '
|
||||
/^-----BEGIN PGP PUBLIC KEY BLOCK-----$/ { key_idx++; in_pgp=1; has_comment=0; }
|
||||
|
||||
# PGP comments are never broken up over several lines, and we only have one
|
||||
# comment entry in our keyring file anyway.
|
||||
in_pgp && /^Comment:.* github=\w+.*/ { has_comment=1 }
|
||||
|
||||
/^-----END PGP PUBLIC KEY BLOCK-----$/ {
|
||||
if (!has_comment) {
|
||||
print "[!] Key", key_idx, "in '$project'.keyring is missing a github= comment."
|
||||
exit 1
|
||||
}
|
||||
}
|
||||
'
|
||||
|
||||
echo "------------------------------------------------------------"
|
||||
echo "$project release managers:"
|
||||
sed -En "s|^Comment:.* github=(\w+).*| * \1|p" <"$root/$project.keyring" | sort -u
|
||||
echo "------------------------------------------------------------"
|
||||
gpg --no-default-keyring --keyring="$tmp_gpgdir/keyring" \
|
||||
--import --import-options=show-only <"$root/$project.keyring"
|
||||
echo "------------------------------------------------------------"
|
||||
|
||||
# Check that each entry in the kering is actually a maintainer's key.
|
||||
while IFS="" read -d $'\0' -r block || [ -n "$block" ]; do
|
||||
username="$(sed -En "s|^Comment:.* github=(\w+).*|\1|p" <<<"$block")"
|
||||
|
||||
# FIXME: This is to work around codespell thinking that f-p-r is a
|
||||
# misspelling of some other word, and the lack of support for inline
|
||||
# ignores in codespell.
|
||||
fprfield="f""p""r"
|
||||
|
||||
# Check the username is actually a maintainer. This is just a sanity check,
|
||||
# since you can put whatever you like in the Comment field.
|
||||
[ -f "$tmp_gpgdir/$username.keyring" ] || bail "User $username in runc.keyring is not a maintainer!"
|
||||
grep "(@$username)$" "$root/MAINTAINERS" >/dev/null || bail "User $username in runc.keyring is not a maintainer!"
|
||||
|
||||
# Check that the key in the block actually matches a known key for that
|
||||
# maintainer. Note that a block can contain multiple keys, so we need to
|
||||
# check all of them. Since we have to handle multiple keys anyway, we'll
|
||||
# also verify all of the subkeys (this is simpler to implement anyway since
|
||||
# the --with-colons format outputs fingerprints for both primary and
|
||||
# subkeys in the same way).
|
||||
#
|
||||
# Fingerprints have a field 1 of $fprfield and field 10 containing the
|
||||
# fingerprint. See <https://github.com/gpg/gnupg/blob/master/doc/DETAILS>
|
||||
# for more details.
|
||||
while IFS="" read -r key || [ -n "$key" ]; do
|
||||
gpg --no-default-keyring --keyring="$tmp_gpgdir/$username.keyring" \
|
||||
--list-keys --with-colons | grep "$fprfield:::::::::$key:" >/dev/null ||
|
||||
bail "(Sub?)Key $key in $project.keyring is NOT actually one of $username's keys!"
|
||||
log "Successfully verified $username's (sub?)key $key is legitimate."
|
||||
done < <(gpg --no-default-keyring \
|
||||
--import --import-options=show-only --with-colons <<<"$block" |
|
||||
grep "^$fprfield:" | cut -d: -f10)
|
||||
done < <(awk <"$root/$project.keyring" '
|
||||
/^-----BEGIN PGP PUBLIC KEY BLOCK-----$/ { in_block=1 }
|
||||
in_block { print }
|
||||
/^-----END PGP PUBLIC KEY BLOCK-----$/ { in_block=0; printf("\0"); }
|
||||
')
|
||||
+61
-10
@@ -1,6 +1,6 @@
|
||||
#!/bin/bash
|
||||
# Copyright (C) 2017 SUSE LLC.
|
||||
# Copyright (C) 2017-2021 Open Containers Authors
|
||||
# Copyright (C) 2017-2023 SUSE LLC.
|
||||
# Copyright (C) 2017-2023 Open Containers Authors
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
@@ -14,7 +14,7 @@
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
set -e
|
||||
set -Eeuo pipefail
|
||||
|
||||
project="runc"
|
||||
root="$(readlink -f "$(dirname "${BASH_SOURCE[0]}")/..")"
|
||||
@@ -28,15 +28,21 @@ function usage() {
|
||||
|
||||
# Log something to stderr.
|
||||
function log() {
|
||||
echo "[*] $*" >&2
|
||||
echo "[*]" "$@" >&2
|
||||
}
|
||||
|
||||
# Log something to stderr and then exit with 0.
|
||||
function bail() {
|
||||
function quit() {
|
||||
log "$@"
|
||||
exit 0
|
||||
}
|
||||
|
||||
# Log something to stderr and then exit with 1.
|
||||
function bail() {
|
||||
log "$@"
|
||||
exit 1
|
||||
}
|
||||
|
||||
# Conduct a sanity-check to make sure that GPG provided with the given
|
||||
# arguments can sign something. Inability to sign things is not a fatal error.
|
||||
function gpg_cansign() {
|
||||
@@ -86,17 +92,47 @@ log "signing $project release in '$releasedir'"
|
||||
log " key: ${keyid:-DEFAULT}"
|
||||
log " hash: $hashcmd"
|
||||
|
||||
# Make explicit what we're doing.
|
||||
set -x
|
||||
|
||||
# Set up the gpgflags.
|
||||
gpgflags=()
|
||||
[[ "$keyid" ]] && gpgflags=(--default-key "$keyid")
|
||||
gpg_cansign "${gpgflags[@]}" || bail "Could not find suitable GPG key, skipping signing step."
|
||||
gpg_cansign "${gpgflags[@]}" || quit "Could not find suitable GPG key, skipping signing step."
|
||||
|
||||
# Make explicit what we're doing.
|
||||
set -x
|
||||
|
||||
# Check that the keyid is actually in the $project.keyring by signing a piece
|
||||
# of dummy text then verifying it against the list of keys in that keyring.
|
||||
tmp_gpgdir="$(mktemp -d --tmpdir "$project-sign-tmpkeyring.XXXXXX")"
|
||||
trap 'rm -r "$tmp_gpgdir"' EXIT
|
||||
|
||||
tmp_runc_gpgflags=("--no-default-keyring" "--keyring=$tmp_gpgdir/$project.keyring")
|
||||
gpg "${tmp_runc_gpgflags[@]}" --import <"$root/$project.keyring"
|
||||
|
||||
tmp_seccomp_gpgflags=("--no-default-keyring" "--keyring=$tmp_gpgdir/seccomp.keyring")
|
||||
gpg "${tmp_seccomp_gpgflags[@]}" --recv-keys 0x47A68FCE37C7D7024FD65E11356CE62C2B524099
|
||||
gpg "${tmp_seccomp_gpgflags[@]}" --recv-keys 0x7100AADFAE6E6E940D2E0AD655E45A5AE8CA7C8A
|
||||
|
||||
gpg "${gpgflags[@]}" --clear-sign <<<"[This is test text used for $project release scripts. $(date --rfc-email)]" |
|
||||
gpg "${tmp_runc_gpgflags[@]}" --verify || bail "Signing key ${keyid:-DEFAULT} is not in trusted $project.keyring list!"
|
||||
|
||||
# Make sure the signer is okay with the list of keys in the keyring (once this
|
||||
# release is signed, distributions will trust this keyring).
|
||||
cat >&2 <<EOF
|
||||
== PLEASE VERIFY THE FOLLOWING KEYS ==
|
||||
|
||||
The sources for this release will contain the following signing keys as
|
||||
"trusted", meaning that distributions may trust the keys to sign future
|
||||
releases. Please make sure that only authorised users' keys are listed.
|
||||
|
||||
$(gpg "${tmp_runc_gpgflags[@]}" --list-keys)
|
||||
|
||||
[ Press ENTER to continue. ]
|
||||
EOF
|
||||
read -r
|
||||
|
||||
# Only needed for local signing -- change the owner since by default it's built
|
||||
# inside a container which means it'll have the wrong owner and permissions.
|
||||
[ -w "$releasedir" ] || sudo chown -R "$USER:$GROUP" "$releasedir"
|
||||
[ -w "$releasedir" ] || sudo chown -R "$(id -u):$(id -g)" "$releasedir"
|
||||
|
||||
# Sign everything.
|
||||
for bin in "$releasedir/$project".*; do
|
||||
@@ -106,3 +142,18 @@ done
|
||||
gpg "${gpgflags[@]}" --clear-sign --armor \
|
||||
--output "$releasedir/$project.$hashcmd"{.tmp,} &&
|
||||
mv "$releasedir/$project.$hashcmd"{.tmp,}
|
||||
|
||||
# Verify that all the signatures and shasum are correct.
|
||||
pushd "$releasedir"
|
||||
|
||||
# Verify project-signed detached signatures.
|
||||
find . -name "$project.*.asc" -print0 | xargs -0 -L1 gpg "${tmp_runc_gpgflags[@]}" --verify --
|
||||
|
||||
# Verify shasum.
|
||||
"$hashcmd" -c "$project.$hashcmd"
|
||||
gpg "${tmp_runc_gpgflags[@]}" --verify "$project.$hashcmd"
|
||||
|
||||
# Verify seccomp tarball.
|
||||
gpg "${tmp_seccomp_gpgflags[@]}" --verify libseccomp*.asc
|
||||
|
||||
popd
|
||||
|
||||
Reference in New Issue
Block a user