From 2f005b67f4324ff0eca587523a6d72cc83bfed22 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Miloslav=20Trma=C4=8D?= Date: Tue, 15 Jul 2025 18:54:33 +0200 Subject: [PATCH] Exercise containers_image_sequoia in CI MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This build tag replaces the backend for _verification_ of GPG signatures, to use Sequoia-PGP instead of GNUPG. Do Rawhide builds with Sequoia; the podman-sequoia package exists in F43 and later, so we can't do it in earlier versions. This way we cover both variants (+ containers_image_openpgp in the podman-remote client, at least that it builds). Signed-off-by: Miloslav Trmač --- .cirrus.yml | 22 ++++++++++++++++++++++ Makefile | 2 ++ contrib/cirrus/runner.sh | 5 +++-- contrib/cirrus/setup_environment.sh | 4 ++-- 4 files changed, 29 insertions(+), 4 deletions(-) diff --git a/.cirrus.yml b/.cirrus.yml index 50676192b6..ba92d0fffe 100644 --- a/.cirrus.yml +++ b/.cirrus.yml @@ -95,6 +95,7 @@ validate-source_task: image_name: "${FEDORA_CACHE_IMAGE_NAME}" # from stdenvars env: TEST_FLAVOR: validate-source + TEST_BUILD_TAGS: "" # NOTE: The default way Cirrus-CI clones is *NOT* compatible with # environment expectations in contrib/cirrus/lib.sh. Specifically # the 'origin' remote must be defined, and all remote branches/tags @@ -151,11 +152,13 @@ build_task: # Ref: https://cirrus-ci.org/guide/writing-tasks/#matrix-modification - env: &stdenvars DISTRO_NV: ${FEDORA_NAME} + TEST_BUILD_TAGS: "" # Not used here, is used in other tasks VM_IMAGE_NAME: ${FEDORA_CACHE_IMAGE_NAME} CTR_FQIN: ${FEDORA_CONTAINER_FQIN} - env: DISTRO_NV: ${PRIOR_FEDORA_NAME} + TEST_BUILD_TAGS: "" VM_IMAGE_NAME: ${PRIOR_FEDORA_CACHE_IMAGE_NAME} CTR_FQIN: ${PRIOR_FEDORA_CONTAINER_FQIN} CI_DESIRED_DATABASE: boltdb 
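Review bot: In the `build_task` matrix hunk (`@@ -151,11 +152,13 @@`), the comment `# Not used here, is used in other tasks` on the `&stdenvars` entry appears to contradict the runner.sh change in this same commit, where `_run_build` passes `EXTRA_BUILDTAGS="$TEST_BUILD_TAGS"` to `make podman-release`; if the build flavor runs `_run_build`, the value is used here. Because this variable selects which signature-verification backend is compiled, a comment stating its meaning would serve better, e.g. `# Extra Go build tags; empty keeps the default GnuPG verification backend`. Tasks that merge `<<: *stdenvars` (alt_build_task, bindings_task, apiv2_test_task and others in later hunks) now inherit the empty value from this anchor, so their explicit `TEST_BUILD_TAGS: ""` lines look redundant unless they are there on purpose to make the choice visible per task.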
@@ -163,11 +166,13 @@ build_task: - env: <<: *stdenvars DISTRO_NV: ${RAWHIDE_NAME} + TEST_BUILD_TAGS: "containers_image_sequoia" VM_IMAGE_NAME: ${RAWHIDE_CACHE_IMAGE_NAME} CI_DESIRED_STORAGE: composefs CTR_FQIN: "" - env: DISTRO_NV: ${DEBIAN_NAME} + TEST_BUILD_TAGS: "" VM_IMAGE_NAME: ${DEBIAN_CACHE_IMAGE_NAME} env: TEST_FLAVOR: build @@ -209,6 +214,7 @@ build_aarch64_task: VM_IMAGE_NAME: ${FEDORA_AARCH64_AMI} CTR_FQIN: ${FEDORA_CONTAINER_FQIN} TEST_FLAVOR: build + TEST_BUILD_TAGS: "" clone_script: *full_clone # TODO: Rename to "ci-sanity" and move into task that runs in parallel to build prebuild_script: *prebuild @@ -236,6 +242,7 @@ alt_build_task: env: <<: *stdenvars TEST_FLAVOR: "altbuild" + TEST_BUILD_TAGS: "" gce_instance: *fastvm matrix: - env: @@ -402,6 +409,7 @@ bindings_task: env: <<: *stdenvars TEST_FLAVOR: bindings + TEST_BUILD_TAGS: "" # N/B: This script depends on ${DISTRO_NV} being defined for the task. clone_script: &get_gosrc | cd /tmp @@ -443,6 +451,7 @@ swagger_task: GCPJSON: ENCRYPTED[927dc01e755eaddb4242b0845cf86c9098d1e3dffac38c70aefb1487fd8b4fe6dd6ae627b3bffafaba70e2c63172664e] GCPNAME: ENCRYPTED[c145e9c16b6fb88d476944a454bf4c1ccc84bb4ecaca73bdd28bdacef0dfa7959ebc8171a27b2e4064d66093b2cdba49] GCPPROJECT: 'libpod-218412' + TEST_BUILD_TAGS: "" clone_script: *get_gosrc setup_script: *setup main_script: *main @@ -536,6 +545,7 @@ docker-py_test_task: <<: *stdenvars TEST_FLAVOR: docker-py TEST_ENVIRON: container + TEST_BUILD_TAGS: "" clone_script: *get_gosrc setup_script: *setup main_script: *main @@ -568,6 +578,7 @@ unit_test_task: gce_instance: *standardvm env: TEST_FLAVOR: unit + TEST_BUILD_TAGS: "" clone_script: *get_gosrc setup_script: *setup main_script: *main @@ -630,6 +641,7 @@ apiv2_test_task: env: <<: *stdenvars TEST_FLAVOR: apiv2 + TEST_BUILD_TAGS: "" matrix: - env: PRIV_NAME: root 
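Review bot: The Rawhide matrix entry (`@@ -163,11 +166,13 @@`) is the only place that selects `containers_image_sequoia`, and nothing next to it records the constraint given in the commit message, that the podman-sequoia package exists only in F43 and later. A comment such as `# Sequoia-PGP signature verification; needs podman-sequoia (F43+), other entries keep GnuPG` would tell whoever next rotates the distro names why the tag sits on this entry. The Go toolchain accepts a build tag that no file matches without any error, so a misspelling here would leave the job green while building the default backend, which is another reason to document the exact tag name next to its use.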
@@ -664,6 +676,7 @@ compose_test_task: env: <<: *stdenvars TEST_FLAVOR: compose_v2 + TEST_BUILD_TAGS: "" clone_script: *get_gosrc setup_script: *setup main_script: *main @@ -736,6 +749,7 @@ container_integration_test_task: env: TEST_FLAVOR: int TEST_ENVIRON: container + TEST_BUILD_TAGS: "" clone_script: *get_gosrc setup_script: *setup main_script: *main @@ -780,6 +794,7 @@ podman_machine_task: env: EC2_INST_TYPE: "m5zn.metal" # Bare-metal instance is required TEST_FLAVOR: "machine-linux" + TEST_BUILD_TAGS: "" PRIV_NAME: "rootless" # intended use-case DISTRO_NV: "${FEDORA_NAME}" VM_IMAGE_NAME: "${FEDORA_AMI}" @@ -799,6 +814,7 @@ podman_machine_aarch64_task: timeout_in: 30m env: TEST_FLAVOR: "machine-linux" + TEST_BUILD_TAGS: "" EC2_INST_TYPE: c6g.metal PRIV_NAME: "rootless" # intended use-case DISTRO_NV: "${FEDORA_AARCH64_NAME}" @@ -954,6 +970,7 @@ local_system_test_aarch64_task: &local_system_test_task_aarch64 env: <<: *stdenvars_aarch64 TEST_FLAVOR: sys + TEST_BUILD_TAGS: "" DISTRO_NV: ${FEDORA_AARCH64_NAME} clone_script: *get_gosrc_aarch64 setup_script: *setup @@ -1031,6 +1048,7 @@ farm_test_task: env: <<: *stdenvars TEST_FLAVOR: farm + TEST_BUILD_TAGS: "" PRIV_NAME: rootless clone_script: *get_gosrc setup_script: *setup @@ -1053,6 +1071,7 @@ buildah_bud_test_task: env: <<: *stdenvars TEST_FLAVOR: bud + TEST_BUILD_TAGS: "" matrix: - env: PODBIN_NAME: podman @@ -1090,6 +1109,7 @@ upgrade_test_task: gce_instance: *standardvm env: TEST_FLAVOR: upgrade_test + TEST_BUILD_TAGS: "" DISTRO_NV: ${FEDORA_NAME} VM_IMAGE_NAME: ${FEDORA_CACHE_IMAGE_NAME} # Never force a DB, let the old version decide its default @@ -1238,6 +1258,7 @@ release_task: env: <<: *stdenvars TEST_FLAVOR: release + TEST_BUILD_TAGS: "" clone_script: *get_gosrc setup_script: *setup main_script: *main @@ -1265,6 +1286,7 @@ release_test_task: env: <<: *stdenvars TEST_FLAVOR: release + TEST_BUILD_TAGS: "" clone_script: *get_gosrc setup_script: *setup main_script: *main 
diff --git a/Makefile b/Makefile index 1a4635dc5f..eb582abcdb 100644 --- a/Makefile +++ b/Makefile @@ -56,6 +56,7 @@ SYSTEMDDIR ?= ${LIBDIR}/systemd/system USERSYSTEMDDIR ?= ${LIBDIR}/systemd/user SYSTEMDGENERATORSDIR ?= ${LIBDIR}/systemd/system-generators USERSYSTEMDGENERATORSDIR ?= ${LIBDIR}/systemd/user-generators +SEQUOIA_SONAME_DIR = REMOTETAGS ?= remote exclude_graphdriver_btrfs containers_image_openpgp BUILDTAGS ?= \ grpcnotrace \ @@ -131,6 +132,7 @@ LDFLAGS_PODMAN ?= \ -X $(LIBPOD)/config._installPrefix=$(PREFIX) \ -X $(LIBPOD)/config._etcDir=$(ETCDIR) \ -X $(PROJECT)/v5/pkg/systemd/quadlet._binDir=$(BINDIR) \ + -X go.podman.io/image/v5/signature/internal/sequoia.sequoiaLibraryDir='"$(SEQUOIA_SONAME_DIR)"' \ -X go.podman.io/common/pkg/config.additionalHelperBinariesDir=$(HELPER_BINARIES_DIR)\ $(EXTRA_LDFLAGS) LDFLAGS_PODMAN_STATIC ?= \ diff --git a/contrib/cirrus/runner.sh b/contrib/cirrus/runner.sh index d69067b025..acc664eab2 100755 --- a/contrib/cirrus/runner.sh +++ b/contrib/cirrus/runner.sh @@ -213,7 +213,8 @@ function _run_build() { # Ensure always start from clean-slate with all vendor modules downloaded showrun make clean showrun make vendor - showrun make -j $(nproc) --output-sync=target podman-release # includes podman, podman-remote, and docs + # shellcheck disable=SC2154 + showrun make -j $(nproc) --output-sync=target podman-release EXTRA_BUILDTAGS="$TEST_BUILD_TAGS" # includes podman, podman-remote, and docs # There's no reason to validate-binaries across multiple linux platforms # shellcheck disable=SC2154 @@ -416,7 +417,7 @@ dotest() { die "The CI test TMPDIR is not on a tmpfs mount, we need tmpfs to make the tests faster" fi - showrun make ${localremote}${testsuite} PODMAN_SERVER_LOG=$PODMAN_SERVER_LOG \ + showrun make ${localremote}${testsuite} PODMAN_SERVER_LOG=$PODMAN_SERVER_LOG EXTRA_BUILDTAGS="$TEST_BUILD_TAGS" \ |& logformatter # FIXME: https://github.com/containers/podman/issues/22642 
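Review bot: `SEQUOIA_SONAME_DIR =` is added without a comment, and the `LDFLAGS_PODMAN` hunk (`@@ -131,6 +132,7 @@`) then links it into the binary as `sequoiaLibraryDir`, so the value decides where the Sequoia verification library is looked up. Judging by the name this is the directory the shared object is loaded from, which makes it security-relevant: a packager who sets it should point at an absolute, root-owned directory, and the meaning of the empty default should be stated. I would add something like `# Directory holding the Sequoia shared library; empty uses the default library search (set only to an absolute, root-owned path)` once the empty-value behaviour is confirmed. The assignment also uses `=` where the neighbouring directory variables use `?=`, so unlike them it cannot be set from the environment; if that is deliberate it is worth saying so in the same comment.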
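Review bot: `_run_build` (`@@ -213,7 +213,8 @@`) passes `EXTRA_BUILDTAGS="$TEST_BUILD_TAGS"` but nothing afterwards checks that the binary was actually built with the requested tag. Go does not reject a build tag that matches no file, and a make target that ignores `EXTRA_BUILDTAGS` would behave the same way, so the Rawhide job could pass while exercising the GnuPG backend. A check after the build when the variable is non-empty would close that gap, for example `[[ -z "$TEST_BUILD_TAGS" ]] || go version -m <built podman binary> | grep -F -- "$TEST_BUILD_TAGS"`, with the placeholder replaced by the real output path. The same argument is added to the `make` call in `dotest` (`@@ -416,7 +417,7 @@`); both function bodies continue outside their hunks.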
diff --git a/contrib/cirrus/setup_environment.sh b/contrib/cirrus/setup_environment.sh index afe52f73cf..2b19eeaccc 100755 --- a/contrib/cirrus/setup_environment.sh +++ b/contrib/cirrus/setup_environment.sh @@ -422,11 +422,11 @@ case "$TEST_FLAVOR" in die "Refusing to config. host-test in container"; fi remove_packaged_podman_files - make install PREFIX=/usr ETCDIR=/etc + make install PREFIX=/usr ETCDIR=/etc EXTRA_BUILDTAGS="$TEST_BUILD_TAGS" elif [[ "$TEST_ENVIRON" == "container" ]]; then if ((CONTAINER)); then remove_packaged_podman_files - make install PREFIX=/usr ETCDIR=/etc + make install PREFIX=/usr ETCDIR=/etc EXTRA_BUILDTAGS="$TEST_BUILD_TAGS" fi else die "Invalid value for \$TEST_ENVIRON=$TEST_ENVIRON"
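Review bot: `EXTRA_BUILDTAGS="$TEST_BUILD_TAGS"` is now passed by hand to both `make install` calls here and to two `make` calls in runner.sh, so any other `make` invocation in the CI scripts that lacks it may rebuild with the default tags and silently replace the Sequoia-enabled binary under test. Setting it once where the environment is prepared, e.g. `export EXTRA_BUILDTAGS="$TEST_BUILD_TAGS"`, would cover every call, provided the Makefile does not assign `EXTRA_BUILDTAGS` unconditionally (not visible in this patch). A command-line assignment also overrides the Makefile even when the value is empty, so non-Rawhide tasks would wipe any default the Makefile gives this variable. The surrounding `case` block starts and ends outside the hunk.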