Support podman image sign #2040
Conversation
openshift-ci-robot
added
the
do-not-merge/work-in-progress
|
/approve |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: rhatdan The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-ci-robot
added
the
approved
cmd/podman/sign.go
Outdated
| }, | ||
| } | ||
|
|
||
| signDescription = "Create a signature for an image which can be used later to verify it" |
There was a problem hiding this comment.
We need to support --latest. Should we support --all?
There was a problem hiding this comment.
perhaps: "Create a signature file that can be used later to verify the image"
There was a problem hiding this comment.
now --latest is the default, only need to add --all?
| } | ||
| defer runtime.Shutdown(false) | ||
|
|
||
| signby := c.String("sign-by") |
There was a problem hiding this comment.
Can we default this to the current user? Can we figure out the default signature of the current user?
There was a problem hiding this comment.
Atomic set this default in a config file /etc/atomic.conf. Does it need to be added to some config file here?
the value of sign-by flag should be a keyring generated using gpg, rather than $USER, right?
There was a problem hiding this comment.
Is there a default signer in gpg?
There was a problem hiding this comment.
gpgconf --list-options gpg | grep default-key
There was a problem hiding this comment.
I also found the gpg command to generate the key pair without user interaction. But cannot avoid user interaction if I want to execute podman image sign command in the test file 🤔
| } | ||
|
|
||
| systemRegistriesDirPath := trust.RegistriesDirPath(runtime.SystemContext()) | ||
| registryConfigs, err := trust.LoadAndMergeConfig(systemRegistriesDirPath) |
There was a problem hiding this comment.
Do we need a hidden registriesdirpath option to do tests?
There was a problem hiding this comment.
yes, I need! But still wondering how to write the test for this. What sign-by value should I put there, or I may need to run gpg command to generate some key first. 😅
There was a problem hiding this comment.
Yes I think you will need to do this. Was their any atomic test for this?
There was a problem hiding this comment.
no, I can't find test for sign in atomic
There was a problem hiding this comment.
no, I can't find atomic test for this
|
Have to update commands.md and bash completions. |
|
/retest |
openshift-ci-robot
removed
the
do-not-merge/work-in-progress
|
@QiWang19 Could you answer the last few questions. We can add tests later. Want to get this into V1.0. |
|
@rhatdan 👌 , can we also consider |
Generate a signature claim for an image using user keyring (--sign-by). The signature file will be stored in simple json format under the default or the given directory (--directory or yaml file in /etc/containers/registries.d/). Signed-off-by: Qi Wang <qiwan@redhat.com>
| logrus.Errorf("error creating sigstore file: %v", err) | ||
| continue | ||
| } | ||
| err = ioutil.WriteFile(sigStoreDir+"/"+sigFilename, newSig, 0644) |
| return errors.Wrapf(err, "error creating new signature") | ||
| } | ||
|
|
||
| sigStoreDir = fmt.Sprintf("%s/%s", sigStoreDir, strings.Replace(repos[0][strings.Index(repos[0], "/")+1:len(repos[0])], ":", "=", 1)) |
There was a problem hiding this comment.
same here, let's use filepath.Join
| # SYNOPSIS | ||
| **podman image sign** | ||
| [**-h**|**--help**] | ||
| [**-d**, **--directory**] |
There was a problem hiding this comment.
Can you show the long form of the option first please?
`[--help|-h]
| **-h** **--help** | ||
| Print usage statement. | ||
|
|
||
| **-d** **--directory** |
There was a problem hiding this comment.
ditto long form first, short form second.
| configuration files in /etc/containers/registries.d/. When you sign | ||
| an image, podman will use those configuration files to determine | ||
| where to write the signature based on the the name of the originating | ||
| registry or a default storage value unless overriden with the -d |
|
Ok I am going to merge and then we can fix the issues in sumplimental PR's |
|
/lgtm |
github-actions
bot
added
the
locked - please file new issue/PR
podman image sign [-d, --directory] [--sign-by] IMAGEGenerate signatures claim for the image using user keyring (--sign-by). The signature file will be stored in simple json format under the default or the given directory (--directory or yaml file in /etc/containers/registries.d/).
Signed-off-by: Qi Wang qiwan@redhat.com