From fffd2a86e67c2fdd753f88ef9b3bcc8a57321dac Mon Sep 17 00:00:00 2001
From: "W. Trevor King"
Date: Wed, 8 Jan 2025 09:30:13 -0800
Subject: [PATCH] modules/containers-signature-verify-skopeo: security.access.redhat.com key source
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Current outgoing docs are from 33130f41ca (OCPBUGS#19749: add
verification for unsigned containers, 2024-01-09, #68949) and they
recommend:

  $ curl -o pub.key https://access.redhat.com/security/data/fd431d51.txt

But in 2024-09, that content was moved to a new location (with a 301
redirect):

  $ curl -isL https://access.redhat.com/security/data/fd431d51.txt | grep -i 'HTTP\|Location\|PUBLIC'
  HTTP/2 301
  location: https://security.access.redhat.com/data/fd431d51.txt
  HTTP/1.1 200 OK
  -----BEGIN PGP PUBLIC KEY BLOCK-----
  -----END PGP PUBLIC KEY BLOCK-----

And the currently-doc'ed command (which does not allow redirects) will
exit 0 (success) while downloading an empty file:

  $ curl -o pub.key https://access.redhat.com/security/data/fd431d51.txt
    % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                   Dload  Upload   Total   Spent    Left  Speed
    0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
  $ echo $?
  0
  $ wc -l pub.key
  0 pub.key

This commit pivots to the new canonical location. And it adds the
-L/--location option to protect ourselves from future moves.

  $ man curl | grep -1 'moved to a different location'
         -L, --location
                (HTTP) If the server reports that the requested page has moved to a different location (indicated with a Location: header and a 3XX response code), this option will make curl redo the request on the new place. If used together with -i, --include or -I, --head, headers from all requested pages will be shown. When authentication is used, curl only sends its credentials to the ini‐
---
 modules/containers-signature-verify-skopeo.adoc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/containers-signature-verify-skopeo.adoc b/modules/containers-signature-verify-skopeo.adoc index 52aa91f65487..7d3686770c7b 100644 --- a/modules/containers-signature-verify-skopeo.adoc +++ b/modules/containers-signature-verify-skopeo.adoc @@ -35,7 +35,7 @@ Pull From: quay.io/openshift-release-dev/ocp-release@sha256:e73ab4b33a9c3ff00c9f + [source,terminal] ---- -$ curl -o pub.key https://access.redhat.com/security/data/fd431d51.txt +$ curl -Lo pub.key https://security.access.redhat.com/data/fd431d51.txt ---- . Get the signature file for the specific release that you want to verify by running the following command:
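Review bot: the added line `$ curl -Lo pub.key https://security.access.redhat.com/data/fd431d51.txt` still has no `-f`/`--fail`, so an HTTP 4xx/5xx response would exit 0 and leave the error body in pub.key, which is the same silent-failure class the commit message describes for the empty file. Suggest `curl -fLo pub.key ...` so a failed download gives a non-zero exit status. Since pub.key is the trust anchor for the signature check in this module, it is also worth pinning the redirect chain to TLS with `--proto-redir =https`, because `-L` will otherwise follow a redirect to plain HTTP. A short follow-up step in the procedure that has the reader confirm the file is non-empty and that the key's fingerprint matches a value published in the docs would catch both an empty download and an unexpected key.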