Use Sequoia in RHEL 10 instead of GPG

[vojtapolasek]

Description:

• create a new rule package_sequoia-sq_installed
• enhance rule ensure_redhat_gpgkey_installed so that it uses the sq command instead of gpg n RHEL 10
• check for new PQC key in RHEL >= 10
• The build system ordering takes care that the sq package is installed so that it can be later used. So in case rule ensure_redhat_gpgkey_installed exists in the profile, the rule package_sequoia-sq_installed should be present in the profile as well.
• Modify all RHEL 10 profiles so that the new rule is there. This involved also exempting the rule from many other profiles which are based on the same control file (ANSSI, PCI-DSS, OSPP etc)

Rationale:

• There are two reasons for this change.
  • there is a new RPM release key in RHEL >= 10 and it needs to be checked that it exists
  • in case this key is shipped, the regular gpg command cannot handle it and it needs to be inspected with the sq command

Review Hints:

Test with Automatus. But ensure that the RHEL machine contains all three keys.

[openshift-ci]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[jan-cerny]

Should it be a new separate component file instead?

[vojtapolasek]

Probably yes, I did that in c79b55d

[jan-cerny]

In automatus tests, I'm still getting this fail. Is it expected? Is it the bug in Ansible?

"gpg: directory '/root/.gnupg' created\ngpg: WARNING: no command supplied.  Trying to guess what you mean ...\ngpg: /root/.        gnupg/trustdb.gpg: trustdb created\ngpg: packet(6) with unknown version 6\n"

[vojtapolasek]

This is caused by the Ansible rpm_key module.
Here is their issue: ansible/ansible#86157

[jan-cerny]

You have two options how to solve the failing static-checks reference test.

1. Add the rule to the control file and then deselect it in profile files in products where this shouldn't be present.
2. Add an ISM_O reference to the rule.yml file in package_sequoia-sq_installed.

[Mab879]

Option 2 will not work, you cannot mix control file references and in file references.

[vojtapolasek]

@jan-cerny I added the rule to all relevant RHEL 10 profiles.

[jan-cerny]

@vojtapolasek Unfortunately, the static-checks test still has problems with some references. See the test output https://artifacts.dev.testing-farm.io/992274c6-fdf8-4db5-821f-21487b721236/

[openshift-ci]

@vojtapolasek: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-aws-openshift-node-compliance	ac9f4e3	link	true	/test e2e-aws-openshift-node-compliance

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[jan-cerny]

@ComplianceAsCode/suse-maintainers @ComplianceAsCode/ubuntu-maintainers @ComplianceAsCode/oracle-maintainers Can you please review this? It shouldn't add anything to your product's profiles.

[vojtapolasek]

@jan-cerny I believe I solved all problems with missing references.

[mrkanon]

LGTM

[teacup-on-rockingchair]

LGTM 👍