Support podman image sign #2040
Conversation
/approve
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: rhatdan The full list of commands accepted by this bot can be found here. The pull request process is described here
cmd/podman/sign.go
Outdated
}, | ||
} | ||
|
||
signDescription = "Create a signature for an image which can be used later to verify it" |
Create a signature file ...
We need to support --latest. Should we support --all?
perhaps: "Create a signature file that can be used later to verify the image"
now --latest is the default, only need to add --all?
} | ||
defer runtime.Shutdown(false) | ||
|
||
signby := c.String("sign-by") |
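Review bot: nothing in this hunk validates the value read into signby on the last line; if --sign-by is empty (no default has been resolved yet, which is what the thread above is discussing), the empty key identifier is passed straight on to the signing code. Add `if signby == "" { return errors.New("--sign-by is required") }` right after the `c.String("sign-by")` line, or resolve the default key before this point.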
Can we default this to the current user? Can we figure out the default signature of the current user?
Atomic set this default in a config file, /etc/atomic.conf. Does it need to be added to some config file here?
The value of the sign-by flag should be a keyring generated using gpg, rather than $USER, right?
Is there a default signer in gpg?
Probably the username
gpgconf --list-options gpg | grep default-key
I also found the gpg command to generate the key pair without user interaction. But I cannot avoid user interaction if I want to execute the podman image sign command in the test file 🤔
} | ||
|
||
systemRegistriesDirPath := trust.RegistriesDirPath(runtime.SystemContext()) | ||
registryConfigs, err := trust.LoadAndMergeConfig(systemRegistriesDirPath) |
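Review bot: the err returned by trust.LoadAndMergeConfig on the last line must be checked before registryConfigs is used, and the hunk ends before any check is visible; make sure the next line is an `if err != nil { return errors.Wrapf(err, ...) }`. For the test question, a hidden flag that overrides the value returned by trust.RegistriesDirPath on the previous line is the least invasive way to point the command at a temporary registries.d during tests.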
Do we need a hidden registriesdirpath option to do tests?
yes, I need it! But I'm still wondering how to write the test for this. What sign-by value should I put there? Or I may need to run a gpg command to generate some key first. 😅
Yes, I think you will need to do this. Was there any atomic test for this?
no, I can't find a test for sign in atomic
no, I can't find an atomic test for this
Have to update commands.md and bash completions.
/retest
@QiWang19 Could you answer the last few questions? We can add tests later. Want to get this into V1.0.
@rhatdan 👌 , can we also consider
Generate a signature claim for an image using user keyring (--sign-by). The signature file will be stored in simple json format under the default or the given directory (--directory or yaml file in /etc/containers/registries.d/).
Signed-off-by: Qi Wang <qiwan@redhat.com>
verified it works with rootless mode.
Could you split the commit message line (max 80 columns)?
logrus.Errorf("error creating sigstore file: %v", err) | ||
continue | ||
} | ||
err = ioutil.WriteFile(sigStoreDir+"/"+sigFilename, newSig, 0644) |
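Review bot: the `continue` after logrus.Errorf on the first two lines means a failure to create the sigstore file is only logged and the loop moves on, so `podman image sign` can exit 0 with some of the requested images left unsigned; record the error and return it (or a non-zero status) once the loop finishes instead of skipping silently. On the last line the `err` assigned from ioutil.WriteFile also needs a check, and the path should be built with `filepath.Join(sigStoreDir, sigFilename)` rather than string concatenation.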
let's use filepath.Join here
return errors.Wrapf(err, "error creating new signature") | ||
} | ||
|
||
sigStoreDir = fmt.Sprintf("%s/%s", sigStoreDir, strings.Replace(repos[0][strings.Index(repos[0], "/")+1:len(repos[0])], ":", "=", 1)) |
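Review bot: the repository part spliced into sigStoreDir on the last line is taken straight from the user-supplied image reference without any cleaning, so a reference whose path contains `..` components yields a signature path outside the sigstore root. Build it with `filepath.Join(sigStoreDir, repoPart)` and reject the result when `filepath.Rel(sigStoreDir, result)` starts with `..`. Two smaller points on the same line: when repos[0] contains no `/`, strings.Index returns -1 and the slice silently starts at 0, which should be an error instead, and the `:len(repos[0])` upper bound is redundant.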
same here, let's use filepath.Join
# SYNOPSIS | ||
**podman image sign** | ||
[**-h**|**--help**] | ||
[**-d**, **--directory**] |
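Review bot: `[**-d**, **--directory**]` on the last line shows no argument even though the option takes a path (the description says signatures go to "the given directory"); the synopsis should read `[**--directory**|**-d** *directory*]`, long form first as requested above, so readers know a value is required.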
Can you show the long form of the option first please?
`[--help|-h]`
**-h** **--help** | ||
Print usage statement. | ||
|
||
**-d** **--directory** |
ditto long form first, short form second.
configuration files in /etc/containers/registries.d/. When you sign | ||
an image, podman will use those configuration files to determine | ||
where to write the signature based on the the name of the originating | ||
registry or a default storage value unless overriden with the -d |
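Review bot: two typos in the added man-page text: "the the name" on the third line should be "the name", and "overriden" on the last line should be "overridden"; the `-d` on that line should also be spelled out as `--directory`, as noted above.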
s/-d/--directory/
missing bash completions and tests aren't looking happy atm.
Ok, I am going to merge and then we can fix the issues in supplemental PRs
/lgtm
podman image sign [-d, --directory] [--sign-by] IMAGE
Generate a signature claim for the image using user keyring (--sign-by). The signature file will be stored in simple json format under the default or the given directory (--directory or yaml file in /etc/containers/registries.d/).
Signed-off-by: Qi Wang <qiwan@redhat.com>
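Added example, not code from this PR or from podman: a Go version of the signature-store path construction that the review asks to move to filepath.Join, with the check that a reference cannot escape the sigstore root, followed by the 0644 signature write. The function names and the `signature-<n>` file name are assumptions.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// SigStorePath mirrors the layout the PR builds with fmt.Sprintf("%s/%s"):
// drop the registry host, turn the first ':' of what remains into '=', and
// join the result under the sigstore directory with filepath.Join.
// Unlike the PR it refuses a reference that would leave the sigstore root.
func SigStorePath(sigStoreDir, ref string) (string, error) {
	slash := strings.Index(ref, "/")
	if slash < 0 {
		return "", fmt.Errorf("reference %q has no registry prefix", ref)
	}
	repo := strings.Replace(ref[slash+1:], ":", "=", 1)
	root := filepath.Clean(sigStoreDir)
	out := filepath.Join(root, repo)
	rel, err := filepath.Rel(root, out)
	if err != nil || rel == "." || rel == ".." ||
		strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("reference %q does not stay under %q", ref, root)
	}
	return out, nil
}

// WriteSignature stores one signature blob as signature-<n> (assumed name)
// below SigStorePath, using the same 0644 file mode the PR uses.
func WriteSignature(sigStoreDir, ref string, n int, sig []byte) (string, error) {
	dir, err := SigStorePath(sigStoreDir, ref)
	if err != nil {
		return "", err
	}
	if err := os.MkdirAll(dir, 0o755); err != nil {
		return "", err
	}
	name := filepath.Join(dir, fmt.Sprintf("signature-%d", n))
	if err := os.WriteFile(name, sig, 0o644); err != nil {
		return "", err
	}
	return name, nil
}

func main() {
	// Constructed input: a digest reference; a ref with ".." components errors out.
	fmt.Println(SigStorePath("/var/lib/containers/sigstore", "docker.io/library/alpine@sha256:0123abcd"))
}
```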