Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

add melange sign command, slightly refactor and make public the signing methods #607

Merged
merged 1 commit into from
Aug 16, 2023

Conversation

joshrwolf
Copy link
Contributor

@joshrwolf joshrwolf commented Aug 16, 2023

Adds a melange sign ... command to (re-)sign apks with the provided key.

This also slightly refactors the emit signature section of the PackageBuild to reuse the signing method.

The refactor includes:

  • handle the control data + signing in memory
  • hoist the signing into build.EmitSignature(...) to reuse the content digest for the various ApkSigner implementations

Sample:

❯ tar tvf packages/aarch64/kubelet-latest-0-r0.apk
-rwxrwxrwx  0 root   root      512 Dec 31  1969 .SIGN.RSA.local-melange.rsa.pub
-rw-r--r--  0 root   root      333 Aug 16 12:26 .PKGINFO
drwxr-xr-x  0 root   root        0 Aug 16 12:26 usr
drwxr-xr-x  0 root   root        0 Aug 16 12:26 usr/bin
lrwxr-xr-x  0 root   root        0 Aug 16 12:26 usr/bin/kubelet -> kubelet-1.28
drwxr-xr-x  0 root   root        0 Aug 16 12:26 var
drwxr-xr-x  0 root   root        0 Aug 16 12:26 var/lib
drwxr-xr-x  0 root   root        0 Aug 16 12:26 var/lib/db
drwxr-xr-x  0 root   root        0 Aug 16 12:26 var/lib/db/sbom
-rw-r--r--  0 root   root     1188 Aug 16 12:26 var/lib/db/sbom/kubelet-latest-0-r0.spdx.json

➜ melange sign packages/aarch64/*.apk -k something-else.rsa

➜ tar tvf packages/aarch64/kubelet-latest-0-r0.apk
-rwxrwxrwx  0 root   root      512 Dec 31  1969 .SIGN.RSA.something-else.rsa.pub
-rw-r--r--  0 root   root      333 Aug 16 12:26 .PKGINFO
drwxr-xr-x  0 root   root        0 Aug 16 12:26 usr
drwxr-xr-x  0 root   root        0 Aug 16 12:26 usr/bin
lrwxr-xr-x  0 root   root        0 Aug 16 12:26 usr/bin/kubelet -> kubelet-1.28
drwxr-xr-x  0 root   root        0 Aug 16 12:26 var
drwxr-xr-x  0 root   root        0 Aug 16 12:26 var/lib
drwxr-xr-x  0 root   root        0 Aug 16 12:26 var/lib/db
drwxr-xr-x  0 root   root        0 Aug 16 12:26 var/lib/db/sbom
-rw-r--r--  0 root   root     1188 Aug 16 12:26 var/lib/db/sbom/kubelet-latest-0-r0.spdx.json

@joshrwolf joshrwolf force-pushed the sign-cli branch 3 times, most recently from 617c4d7 to ba2147d Compare August 16, 2023 17:58
@joshrwolf joshrwolf marked this pull request as ready for review August 16, 2023 17:59
@joshrwolf joshrwolf requested a review from a team as a code owner August 16, 2023 17:59
@joshrwolf joshrwolf requested review from kaniini and removed request for a team August 16, 2023 17:59
methods

Signed-off-by: Josh Wolf <josh@wolfs.io>
@kaniini kaniini merged commit 5bc0d8d into chainguard-dev:main Aug 16, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants