From 03eaf402e7605eee4c9b5102ab2cf937abde5687 Mon Sep 17 00:00:00 2001
From: Reinhard Tartler
Date: Thu, 9 Nov 2023 16:10:26 +0000
Subject: [PATCH] Add buildtags to avoid fulcio and rekor dependencies
For situations where Fulcio and Rekor operations are not required, this commit provides buildtags to avoid those dependencies.
Signed-off-by: Reinhard Tartler
---
 README.md | 2 ++
 signature/sigstore/fulcio/fulcio.go | 3 ++
 signature/sigstore/fulcio/no_fulcio.go | 45 ++++++++++++++++++++++++++
 signature/sigstore/rekor/no_rekor.go | 17 ++++++++++
 signature/sigstore/rekor/rekor.go | 3 ++
 5 files changed, 70 insertions(+)
 create mode 100644 signature/sigstore/fulcio/no_fulcio.go
 create mode 100644 signature/sigstore/rekor/no_rekor.go
diff --git a/README.md b/README.md
index 034665bf14..7628ef5290 100644
--- a/README.md
+++ b/README.md
@@ -63,6 +63,8 @@ the primary downside is that creating new signatures with the Golang-only implem
 - `containers_image_ostree`: Import `ostree:` transport in `github.com/containers/image/transports/alltransports`. This builds the library requiring the `libostree` development libraries. Otherwise a stub which reports that the transport is not supported gets used. The `github.com/containers/image/ostree` package is completely disabled and impossible to import when this build tag is not in use.
 - `containers_image_storage_stub`: Don’t import the `containers-storage:` transport in `github.com/containers/image/transports/alltransports`, to decrease the amount of required dependencies. Use a stub which reports that the transport is not supported instead.
+- `containers_image_fulcio_stub`: Don't import sigstore/fulcio code, all fulcio operations will return an error code
+- `containers_image_rekor_stub`: Don't import sigstore/reckor code, all rekor operations will return an error code
 ## [Contributing](CONTRIBUTING.md)
diff --git a/signature/sigstore/fulcio/fulcio.go b/signature/sigstore/fulcio/fulcio.go
index 0e6746abb3..4ba98b9865 100644
--- a/signature/sigstore/fulcio/fulcio.go
+++ b/signature/sigstore/fulcio/fulcio.go
@@ -1,3 +1,6 @@
+//go:build !containers_image_fulcio_stub
+// +build !containers_image_fulcio_stub
+
 package fulcio
 import (
diff --git a/signature/sigstore/fulcio/no_fulcio.go b/signature/sigstore/fulcio/no_fulcio.go
new file mode 100644
index 0000000000..ec901154b6
--- /dev/null
+++ b/signature/sigstore/fulcio/no_fulcio.go
@@ -0,0 +1,45 @@
+//go:build containers_image_fulcio_stub
+// +build containers_image_fulcio_stub
+
+package fulcio
+
+import (
+ "fmt"
+ "io"
+ "net/url"
+
+ "github.com/containers/image/v5/signature/sigstore/internal"
+)
+
+func WithFulcioAndPreexistingOIDCIDToken(fulcioURL *url.URL, oidcIDToken string) internal.Option {
+ return func(s *internal.SigstoreSigner) error {
+ return fmt.Errorf("Fulcio disabled at compile time")
+ }
+}
+
+// WithFulcioAndDeviceAuthorizationGrantOIDC sets up signing to use a short-lived key and a Fulcio-issued certificate
+// based on an OIDC ID token obtained using a device authorization grant (RFC 8628).
+//
+// interactiveOutput must be directly accessible to a human user in real time (i.e. not be just a log file).
+func WithFulcioAndDeviceAuthorizationGrantOIDC(fulcioURL *url.URL, oidcIssuerURL *url.URL, oidcClientID, oidcClientSecret string,
+ interactiveOutput io.Writer) internal.Option {
+ return func(s *internal.SigstoreSigner) error {
+ return fmt.Errorf("Fulcio disabled at compile time")
+ }
+}
+
+// WithFulcioAndInterativeOIDC sets up signing to use a short-lived key and a Fulcio-issued certificate
+// based on an interactively-obtained OIDC ID token.
+// The token is obtained
+// - directly using a browser, listening on localhost, automatically opening a browser to the OIDC issuer,
+// to be redirected on localhost. (I.e. the current environment must allow launching a browser that connect back to the current process;
+// either or both may be impossible in a container or a remote VM).
+// - or by instructing the user to manually open a browser, obtain the OIDC code, and interactively input it as text.
+//
+// interactiveInput and interactiveOutput must both be directly operable by a human user in real time (i.e. not be just a log file).
+func WithFulcioAndInteractiveOIDC(fulcioURL *url.URL, oidcIssuerURL *url.URL, oidcClientID, oidcClientSecret string,
+ interactiveInput io.Reader, interactiveOutput io.Writer) internal.Option {
+ return func(s *internal.SigstoreSigner) error {
+ return fmt.Errorf("Fulcio disabled at compile time")
+ }
+}
diff --git a/signature/sigstore/rekor/no_rekor.go b/signature/sigstore/rekor/no_rekor.go
new file mode 100644
index 0000000000..8957a87331
--- /dev/null
+++ b/signature/sigstore/rekor/no_rekor.go
@@ -0,0 +1,17 @@
+//go:build containers_image_rekor_stub
+// +build containers_image_rekor_stub
+
+package rekor
+
+import (
+ "fmt"
+ "net/url"
+
+ signerInternal "github.com/containers/image/v5/signature/sigstore/internal"
+)
+
+func WithRekor(rekorURL *url.URL) signerInternal.Option {
+ return func(s *signerInternal.SigstoreSigner) error {
+ return fmt.Errorf("Rekor disabled at build time")
+ }
+}
diff --git a/signature/sigstore/rekor/rekor.go b/signature/sigstore/rekor/rekor.go
index 0236f0aabb..f8ba6dc3fa 100644
--- a/signature/sigstore/rekor/rekor.go
+++ b/signature/sigstore/rekor/rekor.go
@@ -1,3 +1,6 @@
+//go:build !containers_image_rekor_stub
+// +build !containers_image_rekor_stub
+
 package rekor
 import (
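Review bot: All three stub closures in no_fulcio.go build their error with `fmt.Errorf("Fulcio disabled at compile time")`, which has no format verbs and a capitalised message, while `WithRekor` in no_rekor.go reports the same condition as "Rekor disabled at build time", so a caller can only tell "compiled out" apart from a real signing failure by string matching. A package-level sentinel, `var ErrFulcioDisabled = errors.New("fulcio support disabled at build time (containers_image_fulcio_stub)")`, returned from each closure as `return ErrFulcioDisabled` (with `errors` imported in place of `fmt`), lets callers use `errors.Is`, and the same shape applies to the Rekor stub. Returning the error from the Option is the right fail-closed behaviour, since a signer configured for Fulcio must not quietly produce a signature without the certificate; a comment above each stub such as `// Stub for the containers_image_fulcio_stub build: always fails so that signing never proceeds without Fulcio.` would make that intent explicit. WithFulcioAndPreexistingOIDCIDToken has no doc comment at all, and the comments on the other two are copied from the real implementation (the last one even names `WithFulcioAndInterativeOIDC` rather than the declared `WithFulcioAndInteractiveOIDC`), so they describe behaviour this file does not have; each should state that under this build tag the option always returns an error.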