From c9110bfde461424325328e40f8400a1c29cfbb45 Mon Sep 17 00:00:00 2001
From: Vlad Bologa <vbologa@redhat.com>
Date: Tue, 3 Mar 2026 11:23:20 +0100
Subject: [PATCH] ROX-33133: Enable post-quantum crypto-policies for fact

---
 konflux.Containerfile |  6 +++++-
 rpms.in.yaml          |  1 +
 rpms.lock.yaml        | 14 ++++++++++++++
 3 files changed, 20 insertions(+), 1 deletion(-)

diff --git a/konflux.Containerfile b/konflux.Containerfile
index d0e253c7..fbe96f09 100644
--- a/konflux.Containerfile
+++ b/konflux.Containerfile
@@ -43,7 +43,11 @@ LABEL \
     # We also set it to not inherit one from a base stage in case it's RHEL or UBI.
     release="1"
 
-RUN microdnf install -y openssl-libs && \
+RUN microdnf install -y \
+        crypto-policies-scripts \
+        openssl-libs && \
+    # Enable post-quantum cryptography key exchange for TLS.
+    update-crypto-policies --set DEFAULT:PQ && \
     microdnf clean all && \
     rpm --verbose -e --nodeps $( \
         rpm -qa 'curl' '*rpm*' '*dnf*' '*libsolv*' '*hawkey*' 'yum*' 'libyaml*' 'libarchive*' \
diff --git a/rpms.in.yaml b/rpms.in.yaml
index e5fe3dcc..d8db9d90 100644
--- a/rpms.in.yaml
+++ b/rpms.in.yaml
@@ -4,6 +4,7 @@
 packages:
 - cargo
 - clang
+- crypto-policies-scripts
 - libbpf-devel
 - openssl-libs
 - openssl-devel
diff --git a/rpms.lock.yaml b/rpms.lock.yaml
index a90e5563..0166028d 100644
--- a/rpms.lock.yaml
+++ b/rpms.lock.yaml
@@ -389,6 +389,13 @@ arches:
     name: crypto-policies
     evr: 20250905-1.git377cc42.el9_7
     sourcerpm: crypto-policies-20250905-1.git377cc42.el9_7.src.rpm
+  - url: https://cdn.redhat.com/content/dist/rhel9/9/aarch64/baseos/os/Packages/c/crypto-policies-scripts-20250905-1.git377cc42.el9_7.noarch.rpm
+    repoid: rhel-9-for-aarch64-baseos-rpms
+    size: 104676
+    checksum: sha256:5e0cbb9b384a94aebde15ab9a1c01b4dd33c52734e1bb559b43fb18b075295ab
+    name: crypto-policies-scripts
+    evr: 20250905-1.git377cc42.el9_7
+    sourcerpm: crypto-policies-20250905-1.git377cc42.el9_7.src.rpm
   - url: https://cdn.redhat.com/content/dist/rhel9/9/aarch64/baseos/os/Packages/c/curl-7.76.1-35.el9_7.3.aarch64.rpm
     repoid: rhel-9-for-aarch64-baseos-rpms
     size: 295895
@@ -1695,6 +1702,13 @@ arches:
     name: crypto-policies
     evr: 20250905-1.git377cc42.el9_7
     sourcerpm: crypto-policies-20250905-1.git377cc42.el9_7.src.rpm
+  - url: https://cdn.redhat.com/content/dist/rhel9/9/x86_64/baseos/os/Packages/c/crypto-policies-scripts-20250905-1.git377cc42.el9_7.noarch.rpm
+    repoid: rhel-9-for-x86_64-baseos-rpms
+    size: 104676
+    checksum: sha256:5e0cbb9b384a94aebde15ab9a1c01b4dd33c52734e1bb559b43fb18b075295ab
+    name: crypto-policies-scripts
+    evr: 20250905-1.git377cc42.el9_7
+    sourcerpm: crypto-policies-20250905-1.git377cc42.el9_7.src.rpm
   - url: https://cdn.redhat.com/content/dist/rhel9/9/x86_64/baseos/os/Packages/c/curl-7.76.1-35.el9_7.3.x86_64.rpm
     repoid: rhel-9-for-x86_64-baseos-rpms
     size: 299410