From 93b2c8add81f2d6f83874ce53b080adbc4fe6826 Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Feb 18 2023 18:45:08 +0000 Subject: Add f38/f39 ima certs I'm not sure the directory ( /etc/pki/rpm-ima ) or the format is whats destired here as I have not had time to play with IMA. Hopefully the cert or the pem or the der are one the desired format here. Happy to adjust with feedback from IMA users any of this. CC: @pbrobinson @puiterwijk @fche Signed-off-by: Kevin Fenzi
---
diff --git a/fedora-38-ima.cert b/fedora-38-ima.cert
new file mode 100644
index 0000000..e0d2819
--- /dev/null
+++ b/fedora-38-ima.cert
@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE-----
+MIIBpzCCASygAwIBAgIBKjAKBggqhkjOPQQDAzAbMRkwFwYDVQQDExBGZWRvcmEg
+MzggSU1BIENBMCAXDTIzMDIxODE4MDMxNloYDzIwNTMwMjE4MTgwMzE2WjAcMRow
+GAYDVQQDExFGZWRvcmEgMzggSU1BIEtleTBZMBMGByqGSM49AgEGCCqGSM49AwEH
+A0IABI+RFc41GuD1tyN2P0U5C4H4z9xJbuAMinV18SJXVulVYt0DBKT+Xme5WZpQ
+dvPdkBaW1jCzSeI15T3oTIKjYL6jXjBcMAwGA1UdEwEB/wQCMAAwHwYDVR0jBBgw
+FoAU7MSMKFJGsKYZxjsInt2Dp7i3db8wKwYJYIZIAYb4QgENBB5JTUEgc2lnbmF0
+dXJlIHZlcmlmaWNhdGlvbiBrZXkwCgYIKoZIzj0EAwMDaQAwZgIxAKMa1pxV4PM9
+BSRqnYWpLg2bfunWRo2fsqn/HaI7qdLZZTUivtSWcTJFif7c5YHWggIxAIgZnzog
+XLA6WvFbmimjFNjQCKnxuvo/f2OzbK2JPj7XofpJrhf0frL2Cb1r7novgw==
+-----END CERTIFICATE-----
diff --git a/fedora-38-ima.der b/fedora-38-ima.der
new file mode 100644
index 0000000..238ae6c
Binary files /dev/null and b/fedora-38-ima.der differ
diff --git a/fedora-38-ima.pem b/fedora-38-ima.pem
new file mode 100644
index 0000000..e323fa2
--- /dev/null
+++ b/fedora-38-ima.pem
@@ -0,0 +1,4 @@
+-----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEj5EVzjUa4PW3I3Y/RTkLgfjP3Elu
+4AyKdXXxIldW6VVi3QMEpP5eZ7lZmlB2892QFpbWMLNJ4jXlPehMgqNgvg==
+-----END PUBLIC KEY-----
diff --git a/fedora-39-ima.cert b/fedora-39-ima.cert
new file mode 100644
index 0000000..78c7bb4
--- /dev/null
+++ b/fedora-39-ima.cert
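Review bot: `fedora-38-ima.cert` is added without anything in the patch that lets a reader tie it to `fedora-38-ima.der`, which shows up only as `Binary files /dev/null and b/fedora-38-ima.der differ`; the same applies to the fedora-39 set later in the patch. Decoding the PEM suggests an end-entity certificate (subject "Fedora 38 IMA Key", issuer "Fedora 38 IMA CA", CA:FALSE, notAfter in 2053), and that issuing CA is not among the added files, so a consumer that has to chain the key to a trusted root presumably needs it from somewhere else — worth confirming with the IMA users on CC. Recording each certificate's SHA-256 fingerprint in the commit message or beside the Source lines would let packagers check that the three encodings per release are the same key.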
@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE-----
+MIIBpjCCASygAwIBAgIBKjAKBggqhkjOPQQDAzAbMRkwFwYDVQQDExBGZWRvcmEg
+MzkgSU1BIENBMCAXDTIzMDIxODE4MDQxNloYDzIwNTMwMjE4MTgwNDE2WjAcMRow
+GAYDVQQDExFGZWRvcmEgMzkgSU1BIEtleTBZMBMGByqGSM49AgEGCCqGSM49AwEH
+A0IABPVBlbhn8Lz9PLD0LqpySa9jgxZTdImp2xbyMes+L91MntWFKj5hR86He9kN
+87KphPuso6WdRPDLf4ouarSaNdGjXjBcMAwGA1UdEwEB/wQCMAAwHwYDVR0jBBgw
+FoAUpxQ+y2TQxMrznQx9xDhFRthT/1IwKwYJYIZIAYb4QgENBB5JTUEgc2lnbmF0
+dXJlIHZlcmlmaWNhdGlvbiBrZXkwCgYIKoZIzj0EAwMDaAAwZQIxALJAz24hm4Lu
+P9eFeAyCGKjWdqrBIAh2Ec7kUpkALqvfZHZhP/qhhqAxKEOO6v66ZgIwYObLdWmX
+TGN2JGRLY6KwcUoprXAECTYGX9HjGqv2/7xrt7hCSwqjpIr29XXOi2mv
+-----END CERTIFICATE-----
diff --git a/fedora-39-ima.der b/fedora-39-ima.der
new file mode 100644
index 0000000..0d13baa
Binary files /dev/null and b/fedora-39-ima.der differ
diff --git a/fedora-39-ima.pem b/fedora-39-ima.pem
new file mode 100644
index 0000000..2856eb1
--- /dev/null
+++ b/fedora-39-ima.pem
@@ -0,0 +1,4 @@
+-----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE9UGVuGfwvP08sPQuqnJJr2ODFlN0
+ianbFvIx6z4v3Uye1YUqPmFHzod72Q3zsqmE+6yjpZ1E8Mt/ii5qtJo10Q==
+-----END PUBLIC KEY-----
diff --git a/fedora-repos.spec b/fedora-repos.spec
index 9fdda40..d8e41e0 100644
--- a/fedora-repos.spec
+++ b/fedora-repos.spec
@@ -4,7 +4,7 @@ Summary: Fedora package repositories Name: fedora-repos Version: 39 -Release: 0.1%{?eln:.eln%{eln}} +Release: 0.2%{?eln:.eln%{eln}} License: MIT URL: https://fedoraproject.org/
@@ -93,6 +93,14 @@ Source150: RPM-GPG-KEY-fedora-iot-2019 Source151: fedora.conf Source152: fedora-compose.conf +# ima certs +Source500: fedora-38-ima.cert +Source501: fedora-38-ima.der +Source502: fedora-38-ima.pem +Source503: fedora-39-ima.cert +Source504: fedora-39-ima.der +Source505: fedora-39-ima.pem + %description Fedora package repository files for yum and dnf along with gpg public keys.
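Review bot: The `# ima certs` comment above Source500–505 does not say what the three files per release are or which one a consumer is expected to load, and the commit message itself leaves the intended format open. A comment such as `# IMA signature verification keys per release: PEM X.509 cert (.cert), DER (.der), PEM public key (.pem)` would record that for the next maintainer. If feedback shows only one encoding is needed, dropping the other two would leave a single reviewable file per release instead of three copies that have to be kept in sync.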
@@ -192,6 +200,10 @@ done ln -s RPM-GPG-KEY-fedora-%{version}-primary RPM-GPG-KEY-%{version}-fedora popd +# Install the ima keys +install -d -m 755 $RPM_BUILD_ROOT/etc/pki/rpm-ima +install -m 644 %{_sourcedir}/fedora*ima.* $RPM_BUILD_ROOT/etc/pki/rpm-ima/ + # Install repo files install -d -m 755 $RPM_BUILD_ROOT/etc/yum.repos.d for file in %{_sourcedir}/fedora*repo ; do
@@ -400,6 +412,7 @@ rm -f "$TMPRING" %files -n fedora-gpg-keys %dir /etc/pki/rpm-gpg /etc/pki/rpm-gpg/RPM-GPG-KEY-* +/etc/pki/rpm-ima/fedora*ima* %files ostree
@@ -412,6 +425,9 @@ rm -f "$TMPRING" %changelog +* Sat Feb 18 2023 Kevin Fenzi - 39-0.2 +- Include IMA public certs. + * Wed Feb 08 2023 Tomas Hrcka - 39-0.1 - Setup for rawhide being F39
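Review bot: The added `install -m 644 %{_sourcedir}/fedora*ima.* ...` line picks the key files by glob instead of by the Source500–505 entries declared earlier in the patch, so any file in the source directory that matches `fedora*ima.*` gets installed under /etc/pki/rpm-ima without being listed in the spec. Naming the sources keeps the installed set equal to the reviewed set: `install -m 644 %{SOURCE500} %{SOURCE501} %{SOURCE502} %{SOURCE503} %{SOURCE504} %{SOURCE505} "$RPM_BUILD_ROOT/etc/pki/rpm-ima/"`. The repo-file loop right below uses the same glob style, so the new line follows the file's convention, but for verification keys an explicit list is the safer choice; `$RPM_BUILD_ROOT` is also unquoted on both added lines. The %install section starts and continues outside this hunk.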
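Review bot: In the `%files -n fedora-gpg-keys` hunk the new entry `/etc/pki/rpm-ima/fedora*ima*` packages the key files but not their directory, unlike the `%dir /etc/pki/rpm-gpg` line just above it. The directory is created by this spec's %install, so unless another package owns it, it is left unowned and its mode and owner fall outside `rpm -V` verification; adding `%dir /etc/pki/rpm-ima` before the glob fixes that. The glob here is also looser than the install pattern (`fedora*ima.*`), which is harmless today but worth aligning.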