Add signing metadata during push to API

[aweiteka]

The OpenShift API ImageSignature object provides storage for useful metadata. Skopeo should write this data if possible.

• imageIdentity: <image_reference>
• created:
• issuedBy:
• issuedTo: # what's the difference?

To clarify to the end user that this information is not verified, populate the SignatureCondition object with the following fields:

• type: "Complete"
• status: "Unknown"
• lastProbeTime:
• reason: "Initial signing request"
• message: <???>

[aweiteka]

cc @stefwalter

[mtrmac]

AFAIK OpenShift explicitly prohibits updating these fields, per https://github.com/openshift/origin/pull/9181/files#diff-338f8de5c2e444ebed64ed7ac61109e4R111 and https://github.com/openshift/origin/pull/8371/files#diff-338f8de5c2e444ebed64ed7ac61109e4R101 . So at the moment there is nothing for skopeo to do. (The original design was that OpenShift would populate these fields from the received blob. We can of course change/renegotiate that. Just clarifying that this won’t happen this week.)

(

• issuedBy is ~nonsense (it says which CA signed the key)
• issuedTo = the key owner

)

[aweiteka]

The original design was that OpenShift would populate these fields from the received blob

That's disappointing. The data isn't in the blob! So we cannot POST any arbitrarily data to the ImageSignature object?

[mtrmac]

imageIdentity is in the blob directly; for issuedTo the blob gives us the fingerprint but not the real name. issuedBy doesn’t have clear semantics with GPG, and is not in the blob. The verification status data of course isn’t in the blob.

[mtrmac]

@aweiteka Given openshift/origin#13585 , is (some variant of) this still necessary?

[aweiteka]

Given openshift/origin#13585 , is (some variant of) this still necessary?

No. Closing.