Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add support for OCI Image signing (spec v1.0) #158

Merged
merged 8 commits into from
Nov 24, 2022

Conversation

Xynnn007
Copy link
Member

Summary

This PR helps to implement OCI Image Signing due to #125.

But please notice that this PR only uses the OCI Spec v1.0 (instead of v1.1, which brings referrer mechinism)

Release Note

  • Added push related functions for ClientCapabilities and related impls
  • Fixed a bug when converting sigstore::ClientConfig into oci_distribution::ClientConfig
  • Fixed a bug when parsing a private key file RSA was not considered.
  • Added some Debug, ToString, Eq, PartialEq macros and functions to enums and structs of crypto mod.
  • Refactored SimpleSigning as a sub module for payloads
  • Added OCI Image signing support together with some unit tests and examples.
  • Changed signature field of SignatureLayer into an Option, which helps when we meet a SignatureLayer that is to be signed.
  • Added a switch of http/https when access a registry for examples/cosign/verify

Documentation

Please see the examples/cosign/sign/README.md for the guide of OCI Image Signing.

@Xynnn007
Copy link
Member Author

The Clippy CI error is not caused by this PR. It can be fixed in another PR.

@lukehinds
Copy link
Member

lukehinds commented Nov 12, 2022

awesome, will take a look early next week @Xynnn007 !

What's the reasoning behind 1.0 support over 1.1?

@Xynnn007
Copy link
Member Author

Xynnn007 commented Nov 12, 2022

What's the reasoning behind 1.0 support over 1.1?

The reason may be three I think:

  • It is still in rc stage.
  • I did not find related spec in sigstore/cosign to apply cosign signing to v1.1 registry
  • upstream oci-distribution is not ready for referrers api of v1.1 spec

For first: #125 (comment).
I've read some of the specs in opencontainers/images and opencontainers/distribution-spec. I think that v1.1 spec is still in rc stage, as https://github.com/opencontainers/image-spec/releases shows.

For second, I checked code and spec in sigstore/cosign roughly, and did not find the guide that defines how we store signatures in an oci registry v1.1. If any please tell me the link please. If not, I think we should make a new spec to apply the in-coming registry if v1.1 spec with referrer API. And I'd like to join the discussion of the spec :-)

For third, https://github.com/krustlet/oci-distribution still needs to be developed.

Besides, current implementation may have extensibility to support v2 spec, s.t. might not need much refactor.

@lukehinds
Copy link
Member

makes sense.

@imjasonh is a good source for OCI specs

@Xynnn007
Copy link
Member Author

makes sense.

@imjasonh is a good source for OCI specs

Thanks for introducing!

For second, I checked code and spec in sigstore/cosign roughly, and did not find the guide that defines how we store signatures in an oci registry v1.1. If any please tell me the link please. If not, I think we should make a new spec to apply the in-coming registry if v1.1 spec with referrer API. And I'd like to join the discussion of the spec :-)

Got it here sigstore/cosign#1397. But as @imjasonh mentioned, the work for golang version is going on upsteam google/go-containerregistry#1455. Maybe the work on the rust side should also start. Let me propose an issue first ;-).

FYI oras-project/rust-oci-client#51

Copy link
Member

@flavio flavio left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fantastic job! 👏

Overall LGTM, I left some minor comments

src/cosign/client.rs Outdated Show resolved Hide resolved
src/cosign/constraint.rs Outdated Show resolved Hide resolved
src/cosign/mod.rs Outdated Show resolved Hide resolved
src/cosign/payload/simple_signing.rs Outdated Show resolved Hide resolved
@@ -235,5 +235,4 @@ pub mod fulcio;
pub mod oauth;
pub mod registry;
pub mod rekor;
pub mod simple_signing;
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

reminder: because of this and other refactors the public API changed, hence we will have to do a minor release

@Xynnn007 Xynnn007 force-pushed the feat-cosign-signing branch 2 times, most recently from c81113e to 7e7d203 Compare November 16, 2022 04:11
@Xynnn007
Copy link
Member Author

BTW, this pr includes a new feature "test-registry", which is not triggered by CI now. Do we need to need to add a switch for this feature, or directly enable it in GitHub CI?

Copy link
Member

@flavio flavio left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the changes you've made!

src/cosign/mod.rs Outdated Show resolved Hide resolved
@flavio
Copy link
Member

flavio commented Nov 16, 2022

BTW, this pr includes a new feature "test-registry", which is not triggered by CI now. Do we need to need to add a switch for this feature, or directly enable it in GitHub CI?

I would be fine making the test-trigger a default feature, like we're doing with oci-distribution

This would ensure these tests are run also inside of GitHub's CI

Before the From trait of sigstore::ClientConfig does not
spicify the `protocol` field of the resulted
oci_distribution::ClientConfig.

Signed-off-by: Xynnn007 <xynnn@linux.alibaba.com>
This interface helps to convert a SigStoreKeyPair
to SigStoreSigner due to the given SigningScheme

Signed-off-by: Xynnn007 <xynnn@linux.alibaba.com>
Signed-off-by: Xynnn007 <xynnn@linux.alibaba.com>
Add Debug, Eq, PartialEq, ToString traits and macros
for crypto structs and enums, which will is helpful
for tests

Signed-off-by: Xynnn007 <xynnn@linux.alibaba.com>
push function helps to push image manifest, layers
to the target registry

Signed-off-by: Xynnn007 <xynnn@linux.alibaba.com>
SimpleSigning is a kind of signed payload. To bring
it out aims to support more potential different
payload formats.

Signed-off-by: Xynnn007 <xynnn@linux.alibaba.com>
@Xynnn007
Copy link
Member Author

BTW, this pr includes a new feature "test-registry", which is not triggered by CI now. Do we need to need to add a switch for this feature, or directly enable it in GitHub CI?

I would be fine making the test-trigger a default feature, like we're doing with oci-distribution

This would ensure these tests are run also inside of GitHub's CI

Agreed, and have fixed it

@Xynnn007
Copy link
Member Author

Another significant problem I meet:
Given that upstream oci_distribution has not support OCI Image Configuration, I use an empty json here to fill the Configuration. https://github.com/sigstore/sigstore-rs/pull/158/files#diff-3974fb3df6df5c9e9da01fb27e58de8f8681f4c14898cf0d4dfe2e08e638f9d0R34

I have tried with test registry, but no error had occurred. I wonder whether it is ok now?

And we surely need to fix it then, though.

cc @imjasonh

flavio
flavio previously approved these changes Nov 16, 2022
Copy link
Member

@flavio flavio left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks a lot for having incorporated all the feedback.

LGTM

@lukehinds
Copy link
Member

lukehinds commented Nov 18, 2022

This looks good to me, but I am not able to test this as registries typically need auth

Do we need to code in auth mechanisms in this or a follow up patch?

docker login
Authenticating with existing credentials...
Login Succeeded

cargo run --example sign -- \
    --key cosign.key \
    --image lukehinds/cosign-test:latest \
    --signing-scheme ECDSA_P256_SHA256_ASN1 \
    --password p6ssw0rd \
    --http \
    --annotations a=1

Image signing failed: Cannot fetch manifest of docker.io/lukehinds/cosign-test:latest: Not authorized: url http://registry-1.docker.io/v2/lukehinds/cosign-test/manifests/latest

@Xynnn007
Copy link
Member Author

Xynnn007 commented Nov 18, 2022

Do we need to code in auth mechanisms in this or a follow up patch?

I can add something to support BasicAuth in this pr.

For upstream oci_distribution does not support identity token now, we cannot automatically use identity token in ~/.docker/config.json. We can promote it in the future, when the upstream supports identity token.

@Xynnn007
Copy link
Member Author

Hi @lukehinds I've added some code to retrieve credential to access a registry, which will help the command that you'd tried. Still, is it proper to include in this PR? If not, I can split it into another.

src/registry/auth.rs Outdated Show resolved Hide resolved
Cargo.toml Outdated Show resolved Hide resolved
Close sigstore#125

Signed-off-by: Xynnn007 <xynnn@linux.alibaba.com>
Now use --http parameter can let the verification
use HTTP instead of HTTPS. This is helpful when
doing tests with local registry.

Signed-off-by: Xynnn007 <xynnn@linux.alibaba.com>
Copy link
Member

@flavio flavio left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. I would like to merge it

@@ -57,18 +59,24 @@ anyhow = { version = "1.0", features = ["backtrace"] }
assert-json-diff = "2.0.2"
chrono = "0.4.20"
clap = { version = "4.0.8", features = ["derive"] }
docker_credential = { git = "https://github.com/Xynnn007/docker_credential", rev = "f350805"}
openssl = "0.10.38"
rstest = "0.15.0"
tempfile = "3.3.0"
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please file a PR against the upstream project.

@flavio flavio merged commit 453b91a into sigstore:main Nov 24, 2022
@flavio flavio mentioned this pull request Nov 24, 2022
flavio added a commit to flavio/sigstore-rs that referenced this pull request Nov 24, 2022
Fixes
=====

* Fix typo in cosign/mod.rs doc comment by @danbev in sigstore#148
* Fix typo in KeyPair trait doc comment by @danbev in sigstore#149
* Update cached requirement from 0.39.0 to 0.40.0 by @dependabot in sigstore#154
* Fix typos in PublicKeyVerifier doc comments by @danbev in sigstore#155
* Fix: CI error for auto deref by @Xynnn007 in sigstore#160
* Fix typo and grammar in signature_layers.rs by @danbev in sigstore#161
* Remove unused imports in examples/rekor by @danbev in sigstore#162
* Update link to verification example by @danbev in sigstore#156
* Fix typos in from_encrypted_pem doc comments by @danbev in sigstore#164
* Fix typos in doc comments by @danbev in sigstore#163
* Update path to fulcio-cert in verify example by @danbev in sigstore#168

Enhancements
============

* Add getter functions for LogEntry fields by @lkatalin in sigstore#147
* Add TreeSize alias to Rekor by @avery-blanchard in sigstore#151
* Updates for parsing hashedrekord LogEntry by @lkatalin in sigstore#152
* Add certificate based verification by @flavio in sigstore#159
* Add support for OCI Image signing (spec v1.0) by @Xynnn007 in sigstore#158
Contributors
============

* Avery Blanchard (@avery-blanchardmade)
* Daniel Bevenius (@danbev)
* Flavio Castelli (@flavio)
* Lily Sturmann (@lkatalin)
* Xynnn (@Xynnn007)

Signed-off-by: Flavio Castelli <fcastelli@suse.com>
@Xynnn007 Xynnn007 deleted the feat-cosign-signing branch November 25, 2022 02:12
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants