Update CI images

... from containers/automation_images#416

That requires updating tests to also work with rust-podman-sequoia 0.2.0:
ueno/podman-sequoia@d41fefa changed
how the error is reported.

Signed-off-by: Miloslav Trmač <[email protected]>

Author: mtrmac

.cirrus.yml

@@ -21,7 +21,7 @@ env:
     SCRIPT_BASE: "./contrib/cirrus"
 
     # Google-cloud VM Images
-    IMAGE_SUFFIX: "c20250721t181111z-f42f41d13"
+    IMAGE_SUFFIX: "c20250910t092246z-f42f41d13"
     FEDORA_CACHE_IMAGE_NAME: "fedora-${IMAGE_SUFFIX}"
 
     # Container FQIN's

integration/copy_test.go

@@ -776,9 +776,10 @@ func (s *copySuite) TestCopySignatures() {
 	// Verify that mis-signed images are rejected
 	assertSkopeoSucceeds(t, "", "--tls-verify=false", "copy", "atomic:localhost:5006/myns/personal:personal", "atomic:localhost:5006/myns/official:attack")
 	assertSkopeoSucceeds(t, "", "--tls-verify=false", "copy", "atomic:localhost:5006/myns/official:official", "atomic:localhost:5006/myns/personal:attack")
-	assertSkopeoFails(t, ".*Source image rejected: (Invalid GPG signature|.* was not found).*",
+	// "Invalid GPG signature" is reported by the gpgme mechanism; "Missing key: $fingerprint" by Sequoia.
+	assertSkopeoFails(t, ".*Source image rejected: (Invalid GPG signature|Missing key:).*",
 		"--tls-verify=false", "--policy", policy, "copy", "atomic:localhost:5006/myns/personal:attack", dirDest)
-	assertSkopeoFails(t, ".*Source image rejected: (Invalid GPG signature|.* was not found).*",
+	assertSkopeoFails(t, ".*Source image rejected: (Invalid GPG signature|Missing key:).*",
 		"--tls-verify=false", "--policy", policy, "copy", "atomic:localhost:5006/myns/official:attack", dirDest)
 
 	// Verify that signed identity is verified.
@@ -791,7 +792,8 @@ func (s *copySuite) TestCopySignatures() {
 
 	// Verify that cosigning requirements are enforced
 	assertSkopeoSucceeds(t, "", "--tls-verify=false", "copy", "atomic:localhost:5006/myns/official:official", "atomic:localhost:5006/myns/cosigned:cosigned")
-	assertSkopeoFails(t, ".*Source image rejected: (Invalid GPG signature|.* was not found).*",
+	// "Invalid GPG signature" is reported by the gpgme mechanism; "Missing key: $fingerprint" by Sequoia.
+	assertSkopeoFails(t, ".*Source image rejected: (Invalid GPG signature|Missing key:).*",
 		"--tls-verify=false", "--policy", policy, "copy", "atomic:localhost:5006/myns/cosigned:cosigned", dirDest)
 
 	assertSkopeoSucceeds(t, "", "--tls-verify=false", "copy", "--sign-by", "[email protected]", "atomic:localhost:5006/myns/official:official", "atomic:localhost:5006/myns/cosigned:cosigned")
@@ -836,7 +838,8 @@ func (s *copySuite) TestCopyDirSignatures() {
 	// Verify that correct images are accepted
 	assertSkopeoSucceeds(t, "", "--policy", policy, "copy", topDirDest+"/restricted/official", topDirDest+"/dest")
 	// ... and that mis-signed images are rejected.
-	assertSkopeoFails(t, ".*Source image rejected: (Invalid GPG signature|.* was not found).*",
+	// "Invalid GPG signature" is reported by the gpgme mechanism; "Missing key: $fingerprint" by Sequoia.
+	assertSkopeoFails(t, ".*Source image rejected: (Invalid GPG signature|Missing key:).*",
 		"--policy", policy, "copy", topDirDest+"/restricted/personal", topDirDest+"/dest")
 
 	// Verify that the signed identity is verified.

systemtest/050-signing.bats

@@ -136,6 +136,8 @@ END_PUSH
     # Done pushing. Now try to fetch. From here on we use the --policy option.
     # The table below lists the paths to fetch, and the expected errors (or
     # none, if we expect them to pass).
+    #
+    # "Invalid GPG signature" is reported by the gpgme mechanism; "Missing key: $fingerprint" by Sequoia.
     while read path expected_error; do
         expected_rc=
         if [[ -n $expected_error ]]; then
@@ -154,7 +156,7 @@ END_PUSH
         fi
     done <<END_TESTS
 /myns/alice:signed
-/myns/bob:signedbyalice    (Invalid GPG signature|.* not found)
+/myns/bob:signedbyalice    (Invalid GPG signature|Missing key:)
 /myns/alice:unsigned       Signature for identity \\\\\\\\"localhost:5000/myns/alice:signed\\\\\\\\" is not accepted
 /myns/carol:latest         Running image docker://localhost:5000/myns/carol:latest is rejected by policy.
 /open/forall:latest