From dbc5c9735cbe460127ef5bfbddf56c08dcfb4825 Mon Sep 17 00:00:00 2001
From: Ralph Bean
Date: Tue, 12 Nov 2024 13:35:22 -0500
Subject: [PATCH] fix: ignore gpg-pubkey package

This rpm is never signed. It delivers the public key used to validate all other packages. It is present in the sbom, but the container catalog gets confused when it is present. As an unsigned rpm, it displays it as "excluded" from security scans. Rather than claim that it is signed, let's exclude it from the manifest uploaded to pyxis.

Signed-off-by: Ralph Bean
---
 pyxis/test_upload_rpm_data.py | 8 ++++++++
 pyxis/upload_rpm_data.py | 3 +++
 2 files changed, 11 insertions(+)

diff --git a/pyxis/test_upload_rpm_data.py b/pyxis/test_upload_rpm_data.py
index f7cea08..56c7aae 100644
--- a/pyxis/test_upload_rpm_data.py
+++ b/pyxis/test_upload_rpm_data.py
@@ -102,6 +102,14 @@
 }
 ]
 },
+ { # with redhat namespace, but special gpg-pubkey rpm
+ "externalRefs": [
+ {
+ "referenceType": "purl",
+ "referenceLocator": "pkg:rpm/redhat/gpg-pubkey@abcd-efgh?arch=noarch",
+ }
+ ]
+ },
 ]
diff --git a/pyxis/upload_rpm_data.py b/pyxis/upload_rpm_data.py
index 1f1e725..6a4e216 100755
--- a/pyxis/upload_rpm_data.py
+++ b/pyxis/upload_rpm_data.py
@@ -32,6 +32,7 @@ import pyxis
 LOGGER = logging.getLogger("upload_rpm_data")
+IGNORED_PACKAGES = ["gpg-pubkey"]
 def upload_container_rpm_data_with_retry(
@@ -237,6 +238,8 @@ def construct_rpm_items_and_content_sets(
 purl_dict = PackageURL.from_string(externalRef["referenceLocator"]).to_dict()
 if purl_dict["type"] != "rpm":
 continue
+ if purl_dict["name"] in IGNORED_PACKAGES:
+ continue
 rpm_item = {
 "name": purl_dict["name"],
 "summary": purl_dict["name"],
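Review bot: The new `IGNORED_PACKAGES = ["gpg-pubkey"]` in the `@@ -32,6 +32,7 @@` hunk is a mutable module-level list used only for membership tests, and nothing in the file says why that name is skipped; the rationale lives only in the commit message. Make it immutable and carry the reason in code: `# rpm pseudo-package that delivers the signing public key; it is never itself signed, so the catalog would show it as excluded from scans` followed by `IGNORED_PACKAGES = frozenset({"gpg-pubkey"})`. Only the constant is visible in this hunk; the surrounding definitions start outside it.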
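Review bot: In the `@@ -237,6 +238,8 @@` hunk the new `if purl_dict["name"] in IGNORED_PACKAGES: continue` drops the entry silently and matches on the package name alone, so any rpm named `gpg-pubkey`, whatever its namespace or version, disappears from the manifest uploaded to Pyxis without a trace. Because the manifest presumably feeds the catalog's vulnerability scanning, a silent omission is the kind of thing an auditor will ask about; log it with the full purl before skipping: `if purl_dict["name"] in IGNORED_PACKAGES:` / `    LOGGER.debug("Skipping ignored package %s", externalRef["referenceLocator"])` / `    continue`. If the intent is only the key pseudo-package, consider tightening the match to its shape (hex keyid-timestamp version, `arch=noarch`) rather than the bare name, though I cannot tell from here whether the catalog would treat a same-named real rpm differently. `construct_rpm_items_and_content_sets` begins before and continues past this hunk.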