Allow signing local image without registry access #3841

Open · wants to merge 1 commit into main

Conversation

bkabrda (Contributor) commented Aug 20, 2024

Summary

This PR attempts to address #3832 - it will allow generating a local signature for an image (when --upload=false) by using --output-signature/--output-artifact/--output-payload even when the remote registry is not accessible or the image hasn't yet been pushed there. Details are in the linked issue.

I only implemented this for the case where the image is passed in by digest right now - it's easier to do and the code says we're going to eventually disable referencing images by tag, so I don't think it's strictly necessary there (but let me know if you think otherwise).

Verification of such a signature requires the --insecure-tlog-verify (a.k.a. --private-infrastructure) flag, which seems a little weird to me, but I think that's not something that I introduced in this PR. After some investigation, I think this is caused by the fact that the locally written files don't seem to represent a full bundle (like the one that can be generated by signing a blob, or the one that gets pushed as an OCI artifact with --upload=true) and hence the locally created fakeOCISignatures object can't be used correctly in the VerifyBundle function in pkg/cosign/verify.go. I think maybe a better way to solve all of this would be to rather allow writing out full bundles for images, like we allow for sign-blob?

Release Note

  • Enabled signing local images without access to registry

Documentation

I think the release note should be fine, but please correct me if I'm wrong.

Signed-off-by: Slavek Kabrda <bkabrda@redhat.com>
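What the digest-only path described above amounts to, as an added Go example that is not cosign's code and not part of this PR: the Simple Signing payload a cosign container signature covers contains only the repository name and the manifest digest, so when the caller supplies the digest the payload can be built, signed and written to local files with no registry round-trip, whereas a tag reference cannot be handled the same way because the digest it points at is only known to the registry. The struct mirrors the Simple Signing format cosign documents, the reference parser is simplified relative to go-containerregistry's, and the registry name, digest and signing key are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// Simple Signing payload layout cosign documents for container signatures
// (written here for illustration, not copied from the cosign code base).
type simpleSigning struct {
	Critical struct {
		Identity struct {
			DockerReference string `json:"docker-reference"`
		} `json:"identity"`
		Image struct {
			DockerManifestDigest string `json:"docker-manifest-digest"`
		} `json:"image"`
		Type string `json:"type"`
	} `json:"critical"`
	Optional map[string]interface{} `json:"optional"`
}

var sha256Digest = regexp.MustCompile(`^sha256:[0-9a-f]{64}$`)

// ParseDigestRef splits "repo@sha256:<hex>" without touching a registry.
// A tag reference ("repo:tag") is rejected: the digest it resolves to can
// only be learned from the registry, which is exactly what this path avoids.
// (Simplified compared to go-containerregistry's reference parser.)
func ParseDigestRef(ref string) (repo, digest string, err error) {
	i := strings.Index(ref, "@")
	if i <= 0 || !sha256Digest.MatchString(ref[i+1:]) {
		return "", "", errors.New("reference must have the form repo@sha256:<64 hex chars>")
	}
	return ref[:i], ref[i+1:], nil
}

// BuildPayload produces the JSON the signature covers. Only the repository
// and the manifest digest enter it, so nothing has to be fetched.
func BuildPayload(ref string) ([]byte, error) {
	repo, digest, err := ParseDigestRef(ref)
	if err != nil {
		return nil, err
	}
	var p simpleSigning
	p.Critical.Identity.DockerReference = repo
	p.Critical.Image.DockerManifestDigest = digest
	p.Critical.Type = "cosign container image signature"
	return json.Marshal(p)
}

// SignPayload signs sha256(payload) with ECDSA (ASN.1 DER, as cosign's
// default P-256 keys do) and returns it base64-encoded, the form that ends
// up in the --output-signature file.
func SignPayload(priv *ecdsa.PrivateKey, payload []byte) (string, error) {
	h := sha256.Sum256(payload)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, h[:])
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(sig), nil
}

// VerifyPayload checks the signature and that the payload is bound to the
// digest the verifier expects. It consults no transparency log: a locally
// produced signature has no Rekor entry, which is why a verifier that
// insists on tlog inclusion rejects files produced this way.
func VerifyPayload(pub *ecdsa.PublicKey, payload []byte, sigB64, wantDigest string) bool {
	sig, err := base64.StdEncoding.DecodeString(sigB64)
	if err != nil {
		return false
	}
	var p simpleSigning
	if json.Unmarshal(payload, &p) != nil || p.Critical.Image.DockerManifestDigest != wantDigest {
		return false
	}
	h := sha256.Sum256(payload)
	return ecdsa.VerifyASN1(pub, h[:], sig)
}

func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // constructed key
	digest := "sha256:" + strings.Repeat("ab", 32)             // constructed digest
	payload, err := BuildPayload("registry.example/team/app@" + digest)
	if err != nil {
		panic(err)
	}
	sig, _ := SignPayload(priv, payload)
	fmt.Printf("payload: %s\nsignature: %s\n", payload, sig)
	fmt.Println("verified:", VerifyPayload(&priv.PublicKey, payload, sig, digest))
}
```

Running it prints the payload, the base64 signature and `verified: true`, with no network access at all. Note what is absent: no Rekor entry and no bundle are produced, which is the reason the description gives for needing a verify flag that skips the transparency-log check (`--insecure-ignore-tlog`, or `--private-infrastructure`, in current cosign) for signatures written out this way.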

codecov bot commented Aug 20, 2024

Codecov Report

Attention: Patch coverage is 0% with 16 lines in your changes missing coverage. Please review.

Project coverage is 36.67%. Comparing base (2ef6022) to head (b6fac96).
Report is 198 commits behind head on main.

File                          Patch %   Lines
cmd/cosign/cli/sign/sign.go   0.00%     16 missing ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##             main    #3841      +/-   ##
==========================================
- Coverage   40.10%   36.67%   -3.43%     
==========================================
  Files         155      203      +48     
  Lines       10044    12787    +2743     
==========================================
+ Hits         4028     4690     +662     
- Misses       5530     7514    +1984     
- Partials      486      583      +97     

