Description
We've discovered an issue where image-builder is unable to build certain RHEL 10.1 image types on Fedora 43, RHEL 9.x, or CentOS Stream 9 systems. While building across distributions is not 'officially' supported, it is still something we like to keep working.
With the latest updates in RHEL 10.1, certain packages are now signed with the ML-DSA-87+Ed448/D246D6276AFEDF8F(2025-10-08) Red Hat, Inc. (release key 4) key, which can be found at https://access.redhat.com/security/team/key. This key is currently not included in the built-in repository definitions shipped with image-builder. To handle this we will be including the new key: osbuild/images#2097.
Aside from this, we discovered that the default crypto-policies configuration (specifically the one for sequoia) would block verification of RPMs signed with this key even if the key is present in the built-in repositories. To remediate this I opened osbuild/osbuild#2288, which will be backported to RHEL and make it into Fedora.
All of this means that currently image-builder cannot build RHEL 10.1 on any host system, but a future release will be able to.
When these changes (updated osbuild, updated repository definitions) have landed, it will be possible to build RHEL 10.1 on RHEL 9 and RHEL 10. However, building RHEL 9.7 or RHEL 10.1 on Fedora 43 will not yet be possible.
When image-builder builds artifacts, it tries to do so with as few host dependencies as possible. However, image-builder does set up an initial minimal "buildroot" using executables from the host. When packages in this buildroot are signed with the aforementioned key, the host's rpm and rpm's cryptographic backend must be capable of importing and verifying this key in order to use it for signature verification.
On Fedora 43, RPM is not able to import the above key. We've considered not importing the above key on Fedora systems; however, RPM does not skip trying to verify the signature even if the cryptographic backend does not support it: https://issues.redhat.com/browse/RHEL-112730
On RHEL 9.x and CentOS 9.x, RPM is also unable to import the key; thus we won't use this key to verify packages there. In this case RPM correctly ignores the signature it cannot validate, and thus these distributions do not suffer from the same issue as Fedora.
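A preflight check for the host-side failure described above, added here as an example and not code from the issue or the osbuild project: it asks the host's rpm to import a public key into a throwaway database, so the host keyring is untouched and the result tells you whether this host's rpm and crypto backend can handle that key at all. It assumes the key has already been downloaded (for release key 4, from the URL in the issue) to the path given as the first argument.

```shell
#!/bin/sh
# Probe whether the host's rpm can import a given OpenPGP public key.
# Uses an isolated rpm database (--dbpath) so nothing on the host changes.
set -u

# Return codes: 0 = key imported (host rpm can use it for verification),
# 1 = import failed (host rpm / crypto backend cannot handle this key),
# 2 = rpm tooling is not installed, so nothing could be probed.
probe_key_import() {
    key="$1"
    [ -r "$key" ] || return 1
    command -v rpmkeys >/dev/null 2>&1 || return 2
    tmpdb=$(mktemp -d) || return 2
    # --initdb creates an empty database at the isolated path.
    rpm --dbpath "$tmpdb" --initdb >/dev/null 2>&1
    if rpmkeys --dbpath "$tmpdb" --import "$key" >/dev/null 2>&1; then
        # Show what was imported so the key id can be compared with the issue.
        rpm --dbpath "$tmpdb" -q gpg-pubkey \
            --qf '%{NAME}-%{VERSION}-%{RELEASE} %{SUMMARY}\n'
        rc=0
    else
        rc=1
    fi
    rm -rf "$tmpdb"
    return "$rc"
}

# Usage: sh probe-key.sh /path/to/downloaded-release-key.asc
if [ "$#" -eq 1 ]; then
    probe_key_import "$1"
    case "$?" in
        0) echo "OK: host rpm imported the key; buildroot verification can use it" ;;
        1) echo "FAIL: host rpm cannot import this key; expect verification errors on Fedora" ;;
        *) echo "SKIP: rpm tooling not available on this host" ;;
    esac
fi
```

On a host whose rpm refuses the key, the FAIL result is the condition the issue describes; using a bootstrap container sidesteps it, since the container's rpm, not the host's, is then doing the verification.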
Workarounds are available if you have internet access during builds. image-builder can bootstrap from a container before it sets up the buildroot, which avoids the problem of the host's RPM and crypto backend being unable to verify certain signatures. To use this, one needs to point at a container containing the appropriate tooling for the distribution one wants to build. For RHEL you can use the UBI containers:
sudo IMAGE_BUILDER_EXPERIMENTAL=bootstrap=registry.access.redhat.com/ubi10:latest image-builder build --distro rhel-10.1 qcow2
Note that this is only available after the new repository definitions and osbuild are in place.