This repository has been archived by the owner on Jul 7, 2021. It is now read-only.

[WIP] display image signature information #11

Open
wants to merge 1 commit into
base: master

Conversation

thomasmckay
Contributor

@thomasmckay thomasmckay commented Oct 17, 2017

Notes for usage

Create a private key and export the public key for use during signature verification.

$ gpg2 --gen-key
gpg (GnuPG) 2.2.1; Copyright (C) 2017 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Note: Use "gpg2 --full-generate-key" for a full featured key generation dialog.

GnuPG needs to construct a user ID to identify your key.

Real name: examplekey
Email address: examplekey@example.com
You selected this USER-ID:
    "examplekey <examplekey@example.com>"

Change (N)ame, (E)mail, or (O)kay/(Q)uit? O
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: key 6514484210EAC0B3 marked as ultimately trusted
gpg: revocation certificate stored as '/home/thomasmckay/.gnupg/openpgp-revocs.d/DA4FC182D5C9E5496A0FFAA76514484210EAC0B3.rev'
public and secret key created and signed.

pub   rsa2048 2017-11-17 [SC] [expires: 2019-11-17]
      DA4FC182D5C9E5496A0FFAA76514484210EAC0B3
uid                      examplekey <examplekey@example.com>
sub   rsa2048 2017-11-17 [E] [expires: 2019-11-17]

$ gpg2 --armor --export --output examplekey.gpg examplekey@example.com

Use the atomic command to push an image with the signature.

$ sudo atomic push \
        --username=unused --password=`oc whoami -t` --insecure --type=atomic \
        --gnupghome=/home/thomasmckay/.gnupg --sign-by=examplekey@example.com \
        $REGISTRY/myproject/$IMAGENAME:$IMAGETAG

Note: Prior to atomic version 1.20.1, the --gnupghome option was not being honored. The workaround is to set GNUPGHOME.

$ sudo GNUPGHOME=/home/thomasmckay/.gnupg atomic push \
        --username=unused --password=`oc whoami -t` --insecure --type=atomic \
        --gnupghome=/home/thomasmckay/.gnupg --sign-by=examplekey@example.com \
        $REGISTRY/myproject/$IMAGENAME:$IMAGETAG

Now view the image signatures with the oc command. Note the Status is Unverified.

$ oc describe istag $IMAGENAME:$IMAGETAG
Image Name:		sha256:f407f26057613b80d49e083630d543468026048def3c58c801518b4003631cd0
Docker Image:		172.30.1.1:5000/myproject/alpine@sha256:f407f26057613b80d49e083630d543468026048def3c58c801518b4003631cd0
Name:			sha256:f407f26057613b80d49e083630d543468026048def3c58c801518b4003631cd0
Created:		23 hours ago
Annotations:		image.openshift.io/dockerLayersOrder=ascending
			image.openshift.io/manifestBlobStored=true
			openshift.io/image.managed=true
Image Size:		2.571 MB
Image Signatures:
			Name:	sha256:f407f26057613b80d49e083630d543468026048def3c58c801518b4003631cd0@81e4e51083bb9386be76b096e1e7886c
			Type:	atomic
			Status:	Unverified
Image Created:		13 days ago
Author:			<none>
Arch:			amd64
Command:		/bin/sh
Working Dir:		<none>
User:			<none>
Exposes Ports:		<none>
Docker Labels:		<none>
Environment:		PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

Verify the image signature using the oc adm command. A method to get the image reference is included for convenience.

$ oc get istag $IMAGENAME:$IMAGETAG -o template --template={{.image.metadata.name}}
sha256:f407f26057613b80d49e083630d543468026048def3c58c801518b4003631cd0

$ oc adm verify-image-signature \
    sha256:f407f26057613b80d49e083630d543468026048def3c58c801518b4003631cd0 \
    --expected-identity $REGISTRY/myproject/$IMAGENAME:$IMAGETAG \
    --public-key examplekey.gpg \
    --registry-url $REGISTRY --insecure=true \
    --save
image "sha256:f407f26057613b80d49e083630d543468026048def3c58c801518b4003631cd0" identity is now confirmed (signed by GPG key "3BFAE0077A29261E")
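The status column this PR adds is derived from the signature conditions OpenShift records on the Image object. As an added example (not code from this PR or from the cockpit project), here is a small controller-style helper that computes the per-signature status that `oc describe istag` prints ("Verified" versus "Unverified") and a per-image summary that a list view could bind to, together with constructed fixture data of the kind asked for in the review. The condition type names `Trusted`, `ForImage`, `Expired` and `Revoked` are taken from the OpenShift image API as I understand it and are an assumption of this example; the image digest is the one from the description, and the signature names after the first and the signature contents are made up.

```javascript
// Added example, not code from the cockpit PR: compute the status that
// `oc describe istag` shows for each signature from an OpenShift Image
// object's `signatures` array, plus a per-image summary for a list view.
// Assumption: signature conditions use the OpenShift image API condition
// types "Trusted", "ForImage", "Expired" and "Revoked", with status "True"/"False".

function conditionTrue(signature, type) {
    var conds = (signature && signature.conditions) || [];
    return conds.some(function (c) {
        return c.type === type && c.status === "True";
    });
}

function signatureStatus(signature) {
    if (conditionTrue(signature, "Revoked"))
        return "Revoked";
    if (conditionTrue(signature, "Expired"))
        return "Expired";
    // `oc adm verify-image-signature --save` records both conditions; a trusted
    // key alone is not enough if the signature was made for a different image.
    if (conditionTrue(signature, "Trusted") && conditionTrue(signature, "ForImage"))
        return "Verified";
    return "Unverified";
}

function imageSignatureSummary(image) {
    var sigs = (image && image.signatures) || [];
    var summary = { total: sigs.length, verified: 0, unverified: 0, statuses: [] };
    sigs.forEach(function (sig) {
        var status = signatureStatus(sig);
        summary.statuses.push(status);
        if (status === "Verified")
            summary.verified += 1;
        else
            summary.unverified += 1;
    });
    // Fail closed: an image with no signatures, or only unverified ones, is not trusted.
    summary.trusted = summary.verified > 0;
    return summary;
}

// Constructed fixture data modelled on the image in the PR description. The
// digest and the first signature name are the ones shown there; the other
// signature names and all signature contents are fake.
var IMAGE_DIGEST = "sha256:f407f26057613b80d49e083630d543468026048def3c58c801518b4003631cd0";
var FIXTURE_IMAGE = {
    metadata: { name: IMAGE_DIGEST },
    signatures: [
        {   // freshly pushed with `atomic push --sign-by`, not yet verified
            metadata: { name: IMAGE_DIGEST + "@81e4e51083bb9386be76b096e1e7886c" },
            type: "atomic",
            content: "ZmFrZS1zaWduYXR1cmUtMQ==",
            conditions: []
        },
        {   // after `oc adm verify-image-signature --save`
            metadata: { name: IMAGE_DIGEST + "@00000000000000000000000000000002" },
            type: "atomic",
            content: "ZmFrZS1zaWduYXR1cmUtMg==",
            conditions: [
                { type: "Trusted", status: "True" },
                { type: "ForImage", status: "True" }
            ]
        },
        {   // trusted key and correct image, but the signature was later revoked
            metadata: { name: IMAGE_DIGEST + "@00000000000000000000000000000003" },
            type: "atomic",
            content: "ZmFrZS1zaWduYXR1cmUtMw==",
            conditions: [
                { type: "Trusted", status: "True" },
                { type: "ForImage", status: "True" },
                { type: "Revoked", status: "True" }
            ]
        }
    ]
};

console.log(JSON.stringify(imageSignatureSummary(FIXTURE_IMAGE)));
```

A template can then bind the icon and text to `summary.trusted` and `summary.statuses` rather than to a fixed checkmark, and the fixture object is the kind of dummy data that lets the test page render the new column without a live cluster.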

Contributor

@petervo petervo left a comment


Is there any dummy data we can add to the fixtures so we can see this on the test page in this project?

@@ -14,7 +15,7 @@
data-id="{{ imagestream.metadata.namespace + '/' + imagestream.metadata.name + ':' + tag.name }}"
ng-class="{open: imagestreamExpanded(imagestream, tag), last: $last, first: $first}">
<tr ng-click="imagestreamActivate(imagestream, tag, $event)" class="listing-ct-item registry-listing">
<td ng-click="imagestreamToggle(imagestream, tag, $event)" class="listing-ct-toggle">
<td ng-click="imagestreamToggle(imagestream, tag, $event, imageByTag(tag))" class="listing-ct-toggle">
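Review bot: the changed `<td>` now passes a fourth argument, `imageByTag(tag)`, to `imagestreamToggle`, but nothing visible in this hunk shows `imagestreamToggle` accepting or using it, and `imageByTag(tag)` is evaluated on every click of the toggle cell. Either include the matching images.js change that consumes the image in the same review, or look the image up inside the controller from `imagestream` and `tag` and keep the template call as it was.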
Contributor


Is this change needed?

@@ -61,6 +62,17 @@
</span>
</div>
</td>
<td>
<div class="row">
<span class="pficon pficon-ok" style="margin-right: 5px;"
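Review bot: the new `<span class="pficon pficon-ok" style="margin-right: 5px;"` hard-codes a success icon and an inline style. A signature can be in the `Unverified` state (the `oc describe istag` output in the description shows exactly that), so the icon class should be selected with `ng-class` from the signature's verification status; otherwise an unverified or unsigned image is rendered with the same checkmark as a verified one. The 5px margin belongs in a CSS class rather than an inline `style`.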
Contributor


We should avoid styles like this and use classes instead.

images.js Outdated
};

/*
scope.imageSignatures = function imageSignatures(imagestream, tag) {
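Review bot: the hunk opens a `/*` block that leaves `scope.imageSignatures` commented out rather than deleted. Commented-out code is invisible to linting and drifts from the live implementation, so either remove it (git history keeps the old version) or, if this function is meant to replace the status logic in the template, finish it and have the template call it.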
Contributor


Probably want to remove these commented out blocks

@mvollmer
Member

I think the container/kubernetes testImages failure might be genuine.


3 participants