From 72bc88bfc3ecd904f8a353d32b484575589f65b4 Mon Sep 17 00:00:00 2001
From: Kevin Fenzi
Date: Tue, 24 Nov 2020 14:48:31 -0800
Subject: [PATCH] koji_hub: add fwupd to list of secure-boot packages
Turns out fwupd needs to also be signed right for secure-boot, so we should add it to the list of packages in koji that needs the secure-boot permission. This should prevent provenpackagers from building it and pushing out an inoperative one.
Signed-off-by: Kevin Fenzi
---
 roles/koji_hub/templates/hub.conf.j2 | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/roles/koji_hub/templates/hub.conf.j2 b/roles/koji_hub/templates/hub.conf.j2
index 4816dba4f0..b09a851532 100644
--- a/roles/koji_hub/templates/hub.conf.j2
+++ b/roles/koji_hub/templates/hub.conf.j2
@@ -93,12 +93,12 @@ Plugins = fedmsg-koji-plugin runroot_hub hub_containerbuild tag2distrepo sidetag
 [policy]
 tag =
- user mbs/mbs.fedoraproject.org && tag module-* && package kernel shim grub2 pesign :: allow
- user mbs/mbs.fedoraproject.org && fromtag module-* && package kernel shim grub2 pesign :: allow
- user bodhi && tag *-override && package kernel shim grub2 pesign :: allow
- has_perm autosign && fromtag *-pending && package kernel shim grub2 pesign :: allow
- has_perm autosign && fromtag *-candidate && package kernel shim grub2 pesign :: allow
- has_perm secure-boot && package kernel shim grub2 pesign :: allow
+ user mbs/mbs.fedoraproject.org && tag module-* && package kernel shim grub2 pesign fwupd :: allow
+ user mbs/mbs.fedoraproject.org && fromtag module-* && package kernel shim grub2 pesign fwupd :: allow
+ user bodhi && tag *-override && package kernel shim grub2 pesign fwupd :: allow
+ has_perm autosign && fromtag *-pending && package kernel shim grub2 pesign fwupd :: allow
+ has_perm autosign && fromtag *-candidate && package kernel shim grub2 pesign fwupd :: allow
+ has_perm secure-boot && package kernel shim grub2 pesign fwupd :: allow
 # CoreOS continuous builds, https://pagure.io/releng/issue/8165
 operation tag && tag f*-coreos-continuous && has_perm coreos-continuous :: allow
 operation untag && fromtag f*-coreos-continuous && has_perm coreos-continuous :: allow
@@ -110,7 +110,7 @@ tag =
 operation tag && tag eln* && has_perm eln :: allow
 operation untag && fromtag eln* && has_perm eln :: allow
 # deny tagging secureboot packages that are not related to coreos-continuous and eln
- package kernel shim grub2 pesign :: deny
+ package kernel shim grub2 pesign fwupd :: deny
 # Allow people to tag stuff into infra-candidate if they're infra
 tag *-infra-candidate && has_perm infra :: allow
 tag *-infra-candidate :: deny
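Review bot: The package list `kernel shim grub2 pesign fwupd` is now spelled out in all six allow rules of this hunk and again in the deny rule of the second hunk, so the next addition has to touch seven lines. A single missed line would leave either a tagging path that skips the secure-boot check or a package that the automation users can no longer tag. Since the file is a Jinja2 template, the list could be defined once, `{% set secureboot_pkgs = 'kernel shim grub2 pesign fwupd' %}`, and each rule written in the form `has_perm secure-boot && package {{ secureboot_pkgs }} :: allow`. Whether the template already uses Jinja variables is not visible here, and the `tag =` policy continues outside the hunk.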
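Review bot: The deny rule for `fwupd` sits below the `coreos-continuous` and `eln` allow rules, so, assuming the policy is evaluated first-match as Koji policies normally are, holders of those permissions can tag fwupd builds into `f*-coreos-continuous` and `eln*` tags without the secure-boot permission. The existing comment shows this exemption is deliberate for the older list, but the commit message only argues about provenpackagers, so it is worth confirming that it is also wanted for fwupd. A short comment above the deny line would record the decision, for example `# fwupd must be signed for secure-boot like kernel/shim/grub2/pesign; the eln and coreos-continuous rules above still apply to it`. The `tag =` policy starts and ends outside the hunk.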