From cba21646717e9fe815d8d2ef5d720f9ffb0745ff Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Miloslav=20Trma=C4=8D?= <mitr@redhat.com>
Date: Wed, 10 Sep 2025 16:13:38 +0200
Subject: [PATCH] Update CI images
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

... from https://github.com/containers/automation_images/pull/416

That requires updating tests to also work with rust-podman-sequoia 0.2.0:
https://github.com/ueno/podman-sequoia/commit/d41fefaa1fa35ee56c6a3aac0105232733460932 changed
how the error is reported.

Signed-off-by: Miloslav Trmač <mitr@redhat.com>
---
 .cirrus.yml                 |  2 +-
 integration/copy_test.go    | 11 +++++++----
 systemtest/050-signing.bats |  4 +++-
 3 files changed, 11 insertions(+), 6 deletions(-)

diff --git a/.cirrus.yml b/.cirrus.yml
index aa99e87d..653a79ea 100644
--- a/.cirrus.yml
+++ b/.cirrus.yml
@@ -21,7 +21,7 @@ env:
     SCRIPT_BASE: "./contrib/cirrus"
 
     # Google-cloud VM Images
-    IMAGE_SUFFIX: "c20250721t181111z-f42f41d13"
+    IMAGE_SUFFIX: "c20250910t092246z-f42f41d13"
     FEDORA_CACHE_IMAGE_NAME: "fedora-${IMAGE_SUFFIX}"
 
     # Container FQIN's
diff --git a/integration/copy_test.go b/integration/copy_test.go
index 9a767e9e..1f57b6f2 100644
--- a/integration/copy_test.go
+++ b/integration/copy_test.go
@@ -776,9 +776,10 @@ func (s *copySuite) TestCopySignatures() {
 	// Verify that mis-signed images are rejected
 	assertSkopeoSucceeds(t, "", "--tls-verify=false", "copy", "atomic:localhost:5006/myns/personal:personal", "atomic:localhost:5006/myns/official:attack")
 	assertSkopeoSucceeds(t, "", "--tls-verify=false", "copy", "atomic:localhost:5006/myns/official:official", "atomic:localhost:5006/myns/personal:attack")
-	assertSkopeoFails(t, ".*Source image rejected: (Invalid GPG signature|.* was not found).*",
+	// "Invalid GPG signature" is reported by the gpgme mechanism; "Missing key: $fingerprint" by Sequoia.
+	assertSkopeoFails(t, ".*Source image rejected: (Invalid GPG signature|Missing key:).*",
 		"--tls-verify=false", "--policy", policy, "copy", "atomic:localhost:5006/myns/personal:attack", dirDest)
-	assertSkopeoFails(t, ".*Source image rejected: (Invalid GPG signature|.* was not found).*",
+	assertSkopeoFails(t, ".*Source image rejected: (Invalid GPG signature|Missing key:).*",
 		"--tls-verify=false", "--policy", policy, "copy", "atomic:localhost:5006/myns/official:attack", dirDest)
 
 	// Verify that signed identity is verified.
@@ -791,7 +792,8 @@ func (s *copySuite) TestCopySignatures() {
 
 	// Verify that cosigning requirements are enforced
 	assertSkopeoSucceeds(t, "", "--tls-verify=false", "copy", "atomic:localhost:5006/myns/official:official", "atomic:localhost:5006/myns/cosigned:cosigned")
-	assertSkopeoFails(t, ".*Source image rejected: (Invalid GPG signature|.* was not found).*",
+	// "Invalid GPG signature" is reported by the gpgme mechanism; "Missing key: $fingerprint" by Sequoia.
+	assertSkopeoFails(t, ".*Source image rejected: (Invalid GPG signature|Missing key:).*",
 		"--tls-verify=false", "--policy", policy, "copy", "atomic:localhost:5006/myns/cosigned:cosigned", dirDest)
 
 	assertSkopeoSucceeds(t, "", "--tls-verify=false", "copy", "--sign-by", "personal@example.com", "atomic:localhost:5006/myns/official:official", "atomic:localhost:5006/myns/cosigned:cosigned")
@@ -836,7 +838,8 @@ func (s *copySuite) TestCopyDirSignatures() {
 	// Verify that correct images are accepted
 	assertSkopeoSucceeds(t, "", "--policy", policy, "copy", topDirDest+"/restricted/official", topDirDest+"/dest")
 	// ... and that mis-signed images are rejected.
-	assertSkopeoFails(t, ".*Source image rejected: (Invalid GPG signature|.* was not found).*",
+	// "Invalid GPG signature" is reported by the gpgme mechanism; "Missing key: $fingerprint" by Sequoia.
+	assertSkopeoFails(t, ".*Source image rejected: (Invalid GPG signature|Missing key:).*",
 		"--policy", policy, "copy", topDirDest+"/restricted/personal", topDirDest+"/dest")
 
 	// Verify that the signed identity is verified.
diff --git a/systemtest/050-signing.bats b/systemtest/050-signing.bats
index 2f12cb9b..88c6cfaf 100644
--- a/systemtest/050-signing.bats
+++ b/systemtest/050-signing.bats
@@ -136,6 +136,8 @@ END_PUSH
     # Done pushing. Now try to fetch. From here on we use the --policy option.
     # The table below lists the paths to fetch, and the expected errors (or
     # none, if we expect them to pass).
+    #
+    # "Invalid GPG signature" is reported by the gpgme mechanism; "Missing key: $fingerprint" by Sequoia.
     while read path expected_error; do
         expected_rc=
         if [[ -n $expected_error ]]; then
@@ -154,7 +156,7 @@ END_PUSH
         fi
     done <<END_TESTS
 /myns/alice:signed
-/myns/bob:signedbyalice    (Invalid GPG signature|.* not found)
+/myns/bob:signedbyalice    (Invalid GPG signature|Missing key:)
 /myns/alice:unsigned       Signature for identity \\\\\\\\"localhost:5000/myns/alice:signed\\\\\\\\" is not accepted
 /myns/carol:latest         Running image docker://localhost:5000/myns/carol:latest is rejected by policy.
 /open/forall:latest