Infrastructure/ansible
1
0
Fork 0
Code Issues Pull requests 6 Projects Releases Packages Wiki Activity Actions

koji_hub: add fwupd to list of secure-boot packages

Browse source 
Turns out fwupd needs to also be signed right for secure-boot, so we
should add it to the list of packages in koji that needs the secure-boot
permission. This should prevent provenpackagers from building it and
pushing out an inoperative one.

Signed-off-by: Kevin Fenzi <kevin@scrye.com>
This commit is contained in:
Kevin Fenzi 2020-11-24 14:48:31 -08:00
parent 2e345b2789
commit 72bc88bfc3
1 changed files with 7 additions and 7 deletions
Download patch file Download diff file Expand all files Collapse all files

14
roles/koji_hub/templates/hub.conf.j2
View file

@ -93,12 +93,12 @@ Plugins = fedmsg-koji-plugin runroot_hub hub_containerbuild tag2distrepo sidetag
[policy]
tag =
user mbs/mbs.fedoraproject.org && tag module-* && package kernel shim grub2 pesign :: allow
user mbs/mbs.fedoraproject.org && fromtag module-* && package kernel shim grub2 pesign :: allow
user bodhi && tag *-override && package kernel shim grub2 pesign :: allow
has_perm autosign && fromtag *-pending && package kernel shim grub2 pesign :: allow
has_perm autosign && fromtag *-candidate && package kernel shim grub2 pesign :: allow
has_perm secure-boot && package kernel shim grub2 pesign :: allow
user mbs/mbs.fedoraproject.org && tag module-* && package kernel shim grub2 pesign fwupd :: allow
user mbs/mbs.fedoraproject.org && fromtag module-* && package kernel shim grub2 pesign fwupd :: allow
user bodhi && tag *-override && package kernel shim grub2 pesign fwupd :: allow
has_perm autosign && fromtag *-pending && package kernel shim grub2 pesign fwupd :: allow
has_perm autosign && fromtag *-candidate && package kernel shim grub2 pesign fwupd :: allow
has_perm secure-boot && package kernel shim grub2 pesign fwupd :: allow
# CoreOS continuous builds, https://pagure.io/releng/issue/8165
operation tag && tag f*-coreos-continuous && has_perm coreos-continuous :: allow
operation untag && fromtag f*-coreos-continuous && has_perm coreos-continuous :: allow
@ -110,7 +110,7 @@ tag =
operation tag && tag eln* && has_perm eln :: allow
operation untag && fromtag eln* && has_perm eln :: allow
# deny tagging secureboot packages that are not related to coreos-continuous and eln
package kernel shim grub2 pesign :: deny
package kernel shim grub2 pesign fwupd :: deny
# Allow people to tag stuff into infra-candidate if they're infra
tag *-infra-candidate && has_perm infra :: allow
tag *-infra-candidate :: deny