Add a check for postquantum GPG key to RHEL 9 content #14475

Draft
jan-cerny wants to merge 1 commit into ComplianceAsCode:master from jan-cerny:rhel9_pqc

jan-cerny (Collaborator) commented Feb 27, 2026

Description:

Add a check for PQC on RHEL 9.

Extracted from #14462.

Currently does not work.

TODO:

  • on RHEL 9.7 the key is shipped in a separate file /etc/pki/rpm-gpg/RPM-GPG-KEY-PQC-redhat-release whereas on RHEL 10.1 the key is a part of the common file /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
  • on RHEL 9.7 using the PQC signatures is optional and there is an entirely separate copy of RPM with PQ support that is not installed by default. IOW the users need to opt in to use the key.
  • on RHEL 9.7 the sq command that we use in our RHEL 10 remediation to get the fingerprint isn't available


jan-cerny added this to the 0.1.81 milestone Feb 27, 2026
openshift-ci bot added the do-not-merge/work-in-progress label Feb 27, 2026
openshift-ci bot commented Feb 27, 2026

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

The redhat-release RPM package in RHEL 9.6 and older won't contain
the postquantum OpenPGP key. This key will be present in RHEL 9.7
and newer. This extends the existing RHEL 10.1+ PQC version gating
to also cover RHEL 9.

Mab879 (Member) commented Mar 2, 2026

/packit build
