Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add buildtags to avoid fulcio and rekor dependencies #2180

Merged
merged 2 commits into from
Dec 1, 2023

Conversation

siretart
Copy link
Contributor

@siretart siretart commented Nov 9, 2023

For situations where Fulcio and Rekor operations are not required,
this commit provides buildtags to avoid those dependencies.

Signed-off-by: Reinhard Tartler siretart@gmail.com

@siretart
Copy link
Contributor Author

siretart commented Nov 9, 2023

cc: @rhatdan -- as discussed at kubecon

func WithFulcioAndInteractiveOIDC(fulcioURL *url.URL, oidcIssuerURL *url.URL, oidcClientID, oidcClientSecret string,
interactiveInput io.Reader, interactiveOutput io.Writer) internal.Option {
return func(s *internal.SigstoreSigner) error {
return fmt.Errorf("Fulcio disabled at compile time")
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do not capitalize errors.

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

These are all project names.


func WithRekor(rekorURL *url.URL) signerInternal.Option {
return func(s *signerInternal.SigstoreSigner) error {
return fmt.Errorf("Rekor disabled at build time")
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No capitals

func WithFulcioAndDeviceAuthorizationGrantOIDC(fulcioURL *url.URL, oidcIssuerURL *url.URL, oidcClientID, oidcClientSecret string,
interactiveOutput io.Writer) internal.Option {
return func(s *internal.SigstoreSigner) error {
return fmt.Errorf("Fulcio disabled at compile time")
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No caps


func WithFulcioAndPreexistingOIDCIDToken(fulcioURL *url.URL, oidcIDToken string) internal.Option {
return func(s *internal.SigstoreSigner) error {
return fmt.Errorf("Fulcio disabled at compile time")
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No caps

@rhatdan
Copy link
Member

rhatdan commented Nov 9, 2023

LGTM other then nits.
@mtrmac @vrothberg PTAL

Copy link
Collaborator

@mtrmac mtrmac left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I’m fine with conditionalizing this, but note that this does not actually remove those dependencies as documented: Both Fulcio and Rekor are required by the signature verification paths.

So, is this actually useful for your goals? If it is, fine, it’s just that the build tag documentation needs to be clear that this only disables the signing path, not verification.

(Removing/conditionalizing that code from the verification paths would require a pretty good unit test coverage, so that would be rather more work.)

signature/sigstore/fulcio/no_fulcio.go Outdated Show resolved Hide resolved
@siretart
Copy link
Contributor Author

@mtrmac thanks for pointing our my oversight. The issue at core is that I don't have neither sigstore/rekor nor sigstore/fulcio available in Debian. I looked at packagig them, but they are just too "heavy" and I can't afford the time to package them one-by-one.

I've updated the PR to disable the verificaion paths as well. Can you please elaborate on:

(Removing/conditionalizing that code from the verification paths would require a pretty good unit test coverage, so that would be rather more work.)

What's wrong with just removing those unit tests?

For situations where Fulcio and Rekor operations are not required,
this commit provides buildtags to avoid those dependencies.

Signed-off-by: Reinhard Tartler <siretart@gmail.com>
Signed-off-by: Reinhard Tartler <siretart@gmail.com>
@mtrmac
Copy link
Collaborator

mtrmac commented Nov 13, 2023

The policy enforcement / signature verification code is a critical security mechanism; so I think it should be tested. It’s fine not to support features, and to fail closed; but then we should have tests that the code does fail closed.

I appreciate that the added implementation is trivial, but still… quite a bit of policy_eval_sigstore.go will remain reachable, so wholesale removing the tests is not ideal.

It‘s also somewhat a matter of not relaxing expectations: “the policy enforcement package code must have good test coverage”, and keeping that true will help reinforce that for other future features.

@mtrmac mtrmac added the kind/feature A request for, or a PR adding, new functionality label Nov 13, 2023
@rhatdan
Copy link
Member

rhatdan commented Nov 29, 2023

@siretart Any update

@siretart
Copy link
Contributor Author

@rhatdan I've uploaded a very similar patch to this PR to debian, and it seems to work great. I think I understand why @mtrmac is asking to not disable the test fully, but I don't (currently) have enough time available to actually do the requested changes; right now, I'm focusing on packaging the newly required depedencies for podman 4.8.

I personally think we can get away without having the full testsuite run with and without that buildflag, given that it is purely about disabling functionality (and not altering behavior). But then, I can only make this call for the debian package, not upstream.

@rhatdan rhatdan merged commit 671ab94 into containers:main Dec 1, 2023
9 checks passed
atmosphere-ci bot pushed a commit to vexxhost/atmosphere that referenced this pull request Apr 21, 2024
…1114)

This PR contains the following updates:



Package
Change
Age
Adoption
Passing
Confidence




github.com/containers/image/v5
v5.29.2 -> v5.30.0








WarningSome dependencies could not be looked up. Check the warning logs for more information.


Release Notes

containers/image (github.com/containers/image/v5)
v5.30.0
Compare Source
What's Changed
A fair number of improvements when working with zstd and zstd:chunked-compressed images.
Note that make install now installs policy.json and registries.d/default.yaml.

Refuse compression to zstd when using schema1 by @​mtrmac in containers/image#2196
Don't expose local account details in oci-archive tar files by @​mtrmac in containers/image#2202
Trigger a conversion to OCI when compressing to Zstd by @​mtrmac in containers/image#2204
Add buildtags to avoid fulcio and rekor dependencies by @​siretart in containers/image#2180
copy: do not fail if digest mismatches by @​giuseppe in containers/image#1980
Moving policy.json and default.yaml from containers/skopeo by @​rahilarious in containers/image#2215
Embrace codespell: config, workflow (to alert when new typos added) and get typos fixed by @​yarikoptic in containers/image#2214
Fix raspberry pi zero cpu variant recognition by @​lstolcman in containers/image#2086
storage: validate images converted to zstd:chunked by @​giuseppe in containers/image#2243
Make blob reuse choices manifest-format-sensitive, and allow conversions when writing to format-agnostic transports by @​mtrmac in containers/image#2213
Edit the manifest when pushing uncompressed data from c/storage by @​mtrmac in containers/image#2273
Random storage-related cleanups by @​mtrmac in containers/image#2287
Improve storage transport documentation, primarily about locking by @​mtrmac in containers/image#2291
Fix c/storage destination with partial pulls by @​mtrmac in containers/image#2288
Fix manifest updates when we match a layer by TOC digest by @​mtrmac in containers/image#2294
Cleanly fail when trying to obtain a DiffID of a non-OCI image by @​mtrmac in containers/image#2295
Beautify TOC-related parts of storageImageSource by @​mtrmac in containers/image#2296
storage: use the new ApplyStagedLayer interface by @​giuseppe in containers/image#2301
Also annotate image instances using zstd:chunked as using zstd by @​mtrmac in containers/image#2302
Support editing ArtifactType, preserve it in lists by @​nalind in containers/image#2304
Provide data to correctly report throughput on partial pulls by @​mtrmac in containers/image#2308
Add validation error to digesting reader by @​saschagrunert in containers/image#2312
Fix handling of errors when fetching layers by URLs by @​mtrmac in containers/image#2310
Improve handling of zstd vs. zstd:chunked matching by @​mtrmac in containers/image#2317

New Contributors

@​rahilarious made their first contribution in containers/image#2215
@​yarikoptic made their first contribution in containers/image#2214
@​lstolcman made their first contribution in containers/image#2086
@​bainsy88 made their first contribution in containers/image#2260

Full Changelog: containers/image@v5.29.2...v5.30.0


Configuration
📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.


 If you want to rebase/retry this PR, check this box


This PR has been generated by Mend Renovate. View repository job log here.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
kind/feature A request for, or a PR adding, new functionality
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants