-
Notifications
You must be signed in to change notification settings - Fork 53
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add support for OCI Image signing (spec v1.0) #158
Conversation
882f8e1
to
76edbb2
Compare
The |
awesome, will take a look early next week @Xynnn007 ! What's the reasoning behind 1.0 support over 1.1? |
The reason may be three I think:
For first: #125 (comment). For second, I checked code and spec in For third, https://github.com/krustlet/oci-distribution still needs to be developed. Besides, current implementation may have extensibility to support v2 spec, s.t. might not need much refactor. |
makes sense. @imjasonh is a good source for OCI specs |
Thanks for introducing!
Got it here sigstore/cosign#1397. But as @imjasonh mentioned, the work for golang version is going on upsteam google/go-containerregistry#1455. Maybe the work on the rust side should also start. Let me propose an issue first ;-). |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Fantastic job! 👏
Overall LGTM, I left some minor comments
@@ -235,5 +235,4 @@ pub mod fulcio; | |||
pub mod oauth; | |||
pub mod registry; | |||
pub mod rekor; | |||
pub mod simple_signing; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
reminder: because of this and other refactors the public API changed, hence we will have to do a minor release
c81113e
to
7e7d203
Compare
BTW, this pr includes a new feature "test-registry", which is not triggered by CI now. Do we need to need to add a switch for this feature, or directly enable it in GitHub CI? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for the changes you've made!
I would be fine making the This would ensure these tests are run also inside of GitHub's CI |
Before the From trait of sigstore::ClientConfig does not spicify the `protocol` field of the resulted oci_distribution::ClientConfig. Signed-off-by: Xynnn007 <xynnn@linux.alibaba.com>
This interface helps to convert a SigStoreKeyPair to SigStoreSigner due to the given SigningScheme Signed-off-by: Xynnn007 <xynnn@linux.alibaba.com>
Signed-off-by: Xynnn007 <xynnn@linux.alibaba.com>
Add Debug, Eq, PartialEq, ToString traits and macros for crypto structs and enums, which will is helpful for tests Signed-off-by: Xynnn007 <xynnn@linux.alibaba.com>
push function helps to push image manifest, layers to the target registry Signed-off-by: Xynnn007 <xynnn@linux.alibaba.com>
SimpleSigning is a kind of signed payload. To bring it out aims to support more potential different payload formats. Signed-off-by: Xynnn007 <xynnn@linux.alibaba.com>
7e7d203
to
ff9df41
Compare
Agreed, and have fixed it |
Another significant problem I meet: I have tried with test registry, but no error had occurred. I wonder whether it is ok now? And we surely need to fix it then, though. cc @imjasonh |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks a lot for having incorporated all the feedback.
LGTM
This looks good to me, but I am not able to test this as registries typically need auth Do we need to code in auth mechanisms in this or a follow up patch? docker login
Authenticating with existing credentials...
Login Succeeded
cargo run --example sign -- \
--key cosign.key \
--image lukehinds/cosign-test:latest \
--signing-scheme ECDSA_P256_SHA256_ASN1 \
--password p6ssw0rd \
--http \
--annotations a=1
Image signing failed: Cannot fetch manifest of docker.io/lukehinds/cosign-test:latest: Not authorized: url http://registry-1.docker.io/v2/lukehinds/cosign-test/manifests/latest |
I can add something to support For upstream |
Hi @lukehinds I've added some code to retrieve credential to access a registry, which will help the command that you'd tried. Still, is it proper to include in this PR? If not, I can split it into another. |
375ddd1
to
1c340dd
Compare
Close sigstore#125 Signed-off-by: Xynnn007 <xynnn@linux.alibaba.com>
Now use --http parameter can let the verification use HTTP instead of HTTPS. This is helpful when doing tests with local registry. Signed-off-by: Xynnn007 <xynnn@linux.alibaba.com>
1c340dd
to
36629c2
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM. I would like to merge it
@@ -57,18 +59,24 @@ anyhow = { version = "1.0", features = ["backtrace"] } | |||
assert-json-diff = "2.0.2" | |||
chrono = "0.4.20" | |||
clap = { version = "4.0.8", features = ["derive"] } | |||
docker_credential = { git = "https://github.com/Xynnn007/docker_credential", rev = "f350805"} | |||
openssl = "0.10.38" | |||
rstest = "0.15.0" | |||
tempfile = "3.3.0" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please file a PR against the upstream project.
Fixes ===== * Fix typo in cosign/mod.rs doc comment by @danbev in sigstore#148 * Fix typo in KeyPair trait doc comment by @danbev in sigstore#149 * Update cached requirement from 0.39.0 to 0.40.0 by @dependabot in sigstore#154 * Fix typos in PublicKeyVerifier doc comments by @danbev in sigstore#155 * Fix: CI error for auto deref by @Xynnn007 in sigstore#160 * Fix typo and grammar in signature_layers.rs by @danbev in sigstore#161 * Remove unused imports in examples/rekor by @danbev in sigstore#162 * Update link to verification example by @danbev in sigstore#156 * Fix typos in from_encrypted_pem doc comments by @danbev in sigstore#164 * Fix typos in doc comments by @danbev in sigstore#163 * Update path to fulcio-cert in verify example by @danbev in sigstore#168 Enhancements ============ * Add getter functions for LogEntry fields by @lkatalin in sigstore#147 * Add TreeSize alias to Rekor by @avery-blanchard in sigstore#151 * Updates for parsing hashedrekord LogEntry by @lkatalin in sigstore#152 * Add certificate based verification by @flavio in sigstore#159 * Add support for OCI Image signing (spec v1.0) by @Xynnn007 in sigstore#158 Contributors ============ * Avery Blanchard (@avery-blanchardmade) * Daniel Bevenius (@danbev) * Flavio Castelli (@flavio) * Lily Sturmann (@lkatalin) * Xynnn (@Xynnn007) Signed-off-by: Flavio Castelli <fcastelli@suse.com>
Summary
This PR helps to implement OCI Image Signing due to #125.
But please notice that this PR only uses the OCI Spec
v1.0
(instead ofv1.1
, which brings referrer mechinism)Release Note
push
related functions forClientCapabilities
and related implssigstore::ClientConfig
intooci_distribution::ClientConfig
Debug
,ToString
,Eq
,PartialEq
macros and functions toenum
s andstruct
s ofcrypto
mod.SimpleSigning
as a sub module for payloadssignature
field ofSignatureLayer
into anOption
, which helps when we meet aSignatureLayer
that is to be signed.http/https
when access a registry forexamples/cosign/verify
Documentation
Please see the
examples/cosign/sign/README.md
for the guide of OCI Image Signing.