Add support for Fulcio and Rekor, and --sign-by-sigstore=param-file #1849
Conversation
|
@vrothberg PTAL. @rhatdan FYI. |
|
Awesome work @mtrmac |
docs/skopeo-copy.1.md
Outdated
| @@ -93,6 +93,11 @@ Do not copy signatures, if any, from _source-image_. Necessary when copying a si | |||
|
|
|||
| Add a “simple signing” signature using that key ID for an image name corresponding to _destination-image_ | |||
|
|
|||
| **--sign-by-sigstore** _param-file_ | |||
|
|
|||
| Add a sigstore signature based on further optinos specified in a containers sigstore signing parameter file _param-file_. | |||
There was a problem hiding this comment.
| Add a sigstore signature based on further optinos specified in a containers sigstore signing parameter file _param-file_. | |
| Add a sigstore signature based on further options specified in a container's sigstore signing parameter file _param-file_. |
There was a problem hiding this comment.
Thanks, fixed the options typo.
WRT the other part, this is not “a parameter file owned by / related to a container”, it’s “a signing parameter file defined by the GitHub.com/containers organization” (i.e. not a cosign-defined parameter file).
I fully appreciate that a “containers sigstore signing parameter file” is a horrible mouthful that desperately needs replacing; what would be a better name? Compare a tiny bit more discussion in containers/image#1787 . Ultimately the name for this concept is decided by the man page in that other PR, and this one would follow the lead.
There was a problem hiding this comment.
Oh, that's entertaining. Thanks for the explanation. I'll try another whack at it.
There was a problem hiding this comment.
“entertaining”. Seriously, I would love to replace that name.
docs/skopeo-sync.1.md
Outdated
| @@ -76,6 +76,11 @@ Print usage statement. | |||
|
|
|||
| Add a “simple signing” signature using that key ID for an image name corresponding to _destination-image_ | |||
|
|
|||
| **--sign-by-sigstore** _param-file_ | |||
|
|
|||
| Add a sigstore signature based on further optinos specified in a containers sigstore signing parameter file _param-file_. | |||
There was a problem hiding this comment.
| Add a sigstore signature based on further optinos specified in a containers sigstore signing parameter file _param-file_. | |
| Add a sigstore signature based on further options specified in a container's sigstore signing parameter file _param-file_. |
|
Couple doc nits, otherwise LGTM. |
mtrmac
force-pushed
the
sign-by-sigstore
branch
from
ba11697 to
99f1b74
Compare
Ugh, I didn’t realize this is +170K lines. That’s just profoundly sad. |
docs/skopeo-copy.1.md
Outdated
| @@ -93,6 +93,11 @@ Do not copy signatures, if any, from _source-image_. Necessary when copying a si | |||
|
|
|||
| Add a “simple signing” signature using that key ID for an image name corresponding to _destination-image_ | |||
|
|
|||
| **--sign-by-sigstore** _param-file_ | |||
|
|
|||
| Add a sigstore signature based on further options specified in a containers sigstore signing parameter file _param-file_. | |||
There was a problem hiding this comment.
Perhaps?
| Add a sigstore signature based on further options specified in a containers sigstore signing parameter file _param-file_. | |
| Add a sigstore signature based on the options in the specified containers sigstore signing parameter file, _param-file_. |
99f1b74 to
431e328
Compare
mtrmac
force-pushed
the
sign-by-sigstore
branch
2 times, most recently
from
0ffba91 to
c6cc9b5
Compare
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
(skopeo copy) and (skopeo sync) now support --sign-by-sigstore=param-file, using the containers-sigstore-signing-params.yaml(5) file format. That notably adds support for Fulcio and Rekor signing. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
mtrmac
force-pushed
the
sign-by-sigstore
branch
from
c6cc9b5 to
bb1ac89
Compare
|
Now based on a merged c/image feature, ready for review and possible merging. |
|
LGTM |
|
@rhatdan what is this auto-merge thing you enabled? |
|
I probably did it by accident, all I wanted to do was prevent force push to main. |
skopeo copyandskopeo syncnow support--sign-by-sigstore=param-file,using the
containers-sigstore-signing-params.yaml(5)file format.That notably adds support for Fulcio and Rekor signing.
Depends on unmerged containers/image#1787 ; see that PR for documentation of the YAML file format, as well as example files.
Interoperability with
cosigntested manually, similarly to those examples. Integration tests to come later, tracked in #1704 .(Yes, this is costly in binary size. On macOS, the binary goes from 27 MB to 33 MB. That can almost certainly be brought down by not using the official client packages, at the cost of replicating (the relevant subset of) their functionality.)