Sigstore sign #15108
Sigstore sign #15108
Conversation
openshift-ci
bot
added
do-not-merge/work-in-progress
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: mtrmac The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-ci
bot
added
the
approved
|
Draft:
|
|
This implements the |
mtrmac
force-pushed
the
sigstore-sign
branch
2 times, most recently
from
0009b84 to
893e630
Compare
htpasswd is no longer included in docker.io/library/distribution after 2.7.0, per distribution/distribution-library-image#107 , and we want to upgrade to a recent version. At least system tests currently execute htpasswd from the OS, so it seems that it is likely to be available. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
|
This now includes (via a merge commit) #15122, so that tests can run. After the registry update PR is merged is merged, this can be rebased on top — or, I guess, merged as is. |
mtrmac
force-pushed
the
sigstore-sign
branch
2 times, most recently
from
3bcb3d4 to
8d21c66
Compare
... instead of hard-coding a copy of the value. Notably this makes hack/podman_registry actually support the documented -i option. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
... primarily so that it can support OCI artifacts. 2.8 already seems to exist in the repo. This requires changing WaitContainerReady to also check stderr (ultimately because docker/distribution was updated to a more recent sirupsen/logrus, which logs by default to stderr instead of stdout). Signed-off-by: Miloslav Trmač <mitr@redhat.com>
... to get containers/common#1106 . Signed-off-by: Miloslav Trmač <mitr@redhat.com>
AFAICS it is not used anywhere. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
... because it is documented to be ignored. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
- Allow creating sigstore signatures via --sign-by-sigstore-private-key . Like existing --sign-by, it does not work remote (in this case because we would have to copy the private key to the server). - Allow passing a passphrase (which is mandatory for sigstore private keys) via --sign-passphrase-file; if it is not provided, prompt interactively. - Also, use that passphrase for --sign-by as well, allowing non-interactive GPG use. (But --sign-passphrase-file can only be used with _one of_ --sign-by and --sign-by-sigstore-private-key.) Note that unlike the existing code, (podman build) does not yet implement sigstore (I'm not sure why it needs to, it seems not to push images?) because Buildah does not expose the feature yet. Also, (podman image sign) was not extended to support sigstore. The test for this follows existing (podman image sign) tests and doesn't work rootless; that could be improved by exposing a registries.d override option. The test for push is getting large; I didn't want to start yet another registry container, but that would be an alternative. In the future, Ginkgo's Ordered/BeforeAll would allow starting a registry once and using it for two tests. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
|
Ready for review, see #15108 (comment) about whether it should be merged. |
I am good to merge as is. |
openshift-ci
bot
removed
the
do-not-merge/work-in-progress
| @@ -0,0 +1,11 @@ | |||
| -----BEGIN ENCRYPTED COSIGN PRIVATE KEY----- | |||
There was a problem hiding this comment.
Do we really want to commit private keys for testing? IMO keys should be automatically generated before the tests and we should not used fixed ones.
There was a problem hiding this comment.
The format for this is cosign-specific. Right now, to generate this, we would need to install cosign during tests.
Eventually Skopeo will be taught to generate the key pair, and/or we might accept keys in more standardized formats, but that doesn’t exist yet.
(To be explicit, this key pair was generated specifically for the tests and has no other use.)
There was a problem hiding this comment.
I am fine with this, looks like we already have other private keys committed anyway.
My main concern is that we are testing this one key and not random generated keys like normal users would do.
| @@ -225,7 +225,7 @@ func (p *PodmanTest) WaitContainerReady(id string, expStr string, timeout int, s | |||
| return false | |||
| } | |||
|
|
|||
| if strings.Contains(s.OutputToString(), expStr) { | |||
| if strings.Contains(s.OutputToString(), expStr) || strings.Contains(s.ErrorToString(), expStr) { | |||
There was a problem hiding this comment.
This looks a bit weird, why are we matching stderr for a successful case. Should it be a different commit ?
There was a problem hiding this comment.
Never mind I think reason for this is specified in the commit Update the registry server we test against from 2.6 to 2.8 .
There was a problem hiding this comment.
Yes, that’s the reason. WaitContainerReady is most commonly used for the registry, so I took this fairly lazy route.
Alternatively, we could add an option whether to check stderr to this function, or maybe a specialized “start a registry and wait until ready” helper.
|
/lgtm |
github-actions
bot
added
the
locked - please file new issue/PR
--sign-by-sigstore-private-key. Like existing--sign-by, it does not work remote (in this case because we would have to copy the private key to the server).--sign-passphrase-file; if it is not provided, prompt interactively.--sign-byas well, allowing non-interactive GPG use. (But--sign-passphrase-filecan only be used with one of--sign-byand--sign-by-sigstore-private-key.)Note that unlike the existing code,
podman builddoes not yet implement sigstore (I'm not sure why it needs to, it seems not to push images?) because Buildah does not expose the feature yet.Also,
podman image signwas not extended to support sigstore.See individual commit messages for details.
Does this PR introduce a user-facing change?