Switch to use native go opengpg instead of cgo #274
Comments
|
cc @smarterclayton && @pweil- |
|
/cc @mtrmac (who's on PTO I guess) |
|
|
@mtrmac on the other hand, it means the cross-compilation of skopeo and everything that imports @smarterclayton FYI |
|
The oc client has to run on windows and darwin, and there is a very high
bar to include anything cgo related. At a glance, none of the things you
mentioned sound like things most OpenShift end users care about. I'm 100%
fine with those features living in a skopeo command line, but if we are
going to have simple signing in the `oc` binary we need to strip out the
chaff. What is the bare minimum that a Windows user needs to correctly
sign an image? If we can't come up with a use case, then we just won't add
this to the openshift binary.
…On Wed, Dec 14, 2016 at 5:00 AM, Michal Fojtik ***@***.***> wrote:
@mtrmac <https://github.com/mtrmac> on the other hand, it means the
cross-compilation of skopeo and everything that imports containers/image
will not work or require CGO dependency.
@smarterclayton <https://github.com/smarterclayton> FYI
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#274 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/ABG_p3AuVDt85vms7aI2m5Csd5EAYVoiks5rH75ZgaJpZM4LLoCl>
.
|
|
Why are detached signatures not enough for the "sign image" use case? The
only thing openshift needs is detached signatures.
On Wed, Dec 14, 2016 at 9:08 AM, Clayton Coleman <ccoleman@redhat.com>
wrote:
… The oc client has to run on windows and darwin, and there is a very high
bar to include anything cgo related. At a glance, none of the things you
mentioned sound like things most OpenShift end users care about. I'm 100%
fine with those features living in a skopeo command line, but if we are
going to have simple signing in the `oc` binary we need to strip out the
chaff. What is the bare minimum that a Windows user needs to correctly
sign an image? If we can't come up with a use case, then we just won't add
this to the openshift binary.
On Wed, Dec 14, 2016 at 5:00 AM, Michal Fojtik ***@***.***>
wrote:
> @mtrmac <https://github.com/mtrmac> on the other hand, it means the
> cross-compilation of skopeo and everything that imports containers/image
> will not work or require CGO dependency.
>
> @smarterclayton <https://github.com/smarterclayton> FYI
>
> —
> You are receiving this because you were mentioned.
> Reply to this email directly, view it on GitHub
> <#274 (comment)>,
> or mute the thread
> <https://github.com/notifications/unsubscribe-auth/ABG_p3AuVDt85vms7aI2m5Csd5EAYVoiks5rH75ZgaJpZM4LLoCl>
> .
>
|
|
can we have native opengpg as plugin and similar libgpgme? IOW. the users won't have nice features like keychain, but they can supply passphrase via readline/--passphrase. |
|
Seems like we should be able to support both, opengpg, with less functionality. |
|
@mtrmac will https://godoc.org/golang.org/x/crypto/openpgp/clearsign be enough? (a very naive PoC: https://github.com/containers/image/compare/master...mfojtik:openpgp?expand=1) |
|
@smarterclayton @pweil- what are the other possibilities when we decide to not add One option is to go via Kubernetes ImagePolicy and build the web server as external component the Kube admission will send a webhook to (or implement the same inside the OpenShift ImagePolicy controller). |
That depends on whether we expect the user to have a $GNUPGHOME or and equivalent existing key store, or whether we are inventing something from scratch.
This seems to somehow mix the concept of use cases and implementations. |
The signature blob is not only a cryptographic signature, it also includes image identity (to prevent an attacker substituting a vulnerable 5.9 image for the desired 7.2.3 image), and may include other data (like information about ancestry to allow signing base images and verifying such signatures). That “signature blob” is separate from the image and detached in that sense; but it is not a “detached signature” in the OpenPGP sense. With an OpenPGP detached signature, we would have
(where “detached” means that 2 and 3 are separate files and 2 is unmodified). Having an OpenPGP detached signature means having to carry around 2 blobs for every signature, which have to be kept in sync, and that's just a pointless hassle when the OpenPGP RFC provides a perfectly good file format which allows us to use a single blob. If I had to make a choice, I’d rather implement the single-blob format in Go than change the signature format to use a 2-blob combination: the former inconveniences us, the latter all users. (But I am still hoping that neither will be necessary.) |
Well, OpenPGP is a RFC and of course there can be separate implementations (if not |
No, the current implementation does not use armoring. But, it prompted me to look into There still isn't a corresponding signing function but that could be constructed reasonably enough (a subset of
This was probably not intended to, but just to make sure, note that this does not do any cryptographic signature verification! |
|
@mtrmac I can try to use ReadMessage with the signature fixture and see how far I can get. In theory, we just need to be able to "verify" the signature in OpenShift admission (we don't need to create/sign short term). So if we can have an example where we can just use the |
|
@mtrmac however, I think we will still need to refactor the |
Playing with it now, kr, err := openpgp.ReadKeyRing(krFile)
m, err := openpgp.ReadMessage(input, kr, nil, nil)
body, err := ioutil.ReadAll(m.UnverifiedBody)
if m.IsSigned && m.SignedBy != nil && m.SignatureError == nil {
fmt.Printf("Body: %s", body)
}is a start for doing the right thing, at least to the extent that a corrupt blob and an unsigned PGP data are rejected, but it would take a fair amount of review to be sure that everything necessary has been handled (looking at known tests in
I have no idea what that “low-level” qualifier means. AFAICT either we commit to implementing and maintaining that, or not. (I categorically refuse to have a “for demonstration only, use at your own risk” code in the repo.) |
|
Non- |
|
Containers have introduced new libraries for adding support of storage drivers, which requires installing btrfs-tools and libdevmapper-dev. How do we build skopeo without installing these C dependencies? |
Unless containers/storage has its own build configuration (@nalind?), |
|
Prior to this enhancement for adding storage in skopeo-0.1.18, the copy on different storage drivers was already working (I have verified it on aufs/vfs/devicemapper storage drivers). Also, since we are already using docker at the backend and it handles these things, why are we registering the storage drivers in the Known transports? Unfortunately, I couldn't find any release notes related to these, which could describe why are we using them. Is this specific to OCI images? |
|
The storage drivers within docker, or within containers/storage, and the transport drivers in containers/image, are quite different things. For transport drivers, think primarily network/IPC protocols, i.e. ways to connect to completely distinct software suites which “deal with” container images, and to allow transferring images between them. The docker daemon image store, with its storage drivers and whatnot, is just one such “software suite”; containers/storage is another; an external docker/distribution server is yet another. All of these are independent, e.g. the The containers/storage back-end is registered in |
|
Okay.. Thanks @mtrmac for the description. That makes it clear to me now..
If we do this, we would not be able to take advantage of this feature then? |
Sure — optional, not removed. Either using a new build tag, or perhaps depending on the |
So, finally if I understood it correctly, (I am little ignorant about these)
Since I am getting an error for only btrfs and devicemapper C libraries, using build tag 'exclude_graphdriver_devicemapper exclude_graphdriver_btrfs containers_image_openpgp' builds and runs successfully. (containers_image_openpgp for gpgme). If we are not using the containers/storage project separately apart from skopeo and if we don't have any containers/storage project users, then is it okay to build and run using these build tags? Or am I still missing anything? Note: We are using ubuntu/centos systems right now |
AFAIK the two are not interchangeable. They are similar, but they don’t access the same underlying store, nor can the docker daemon be configured to use the containers/storage store.
CRI-O is one notable user AFAIK.
Sure, whatever works for you. BTW you might be interested in #343 , perhaps there is a major use case you share with @hferentschik which really should be documented? |
|
So I am running into compilation issues as well, especially with container/storage. Reading this thread I am wondering whether I need it tough and whether I somehow should be able to skip its use (at compile time). What I am after is to cache/sync the images of a Docker daemon onto the file system, either in OSTree or OCI. I also need to then at some stage load these images back into a Docker daemon. See also containers/image#155. The important thing for me is that the CLI I am building (Minishift) is cross platform, so I need to be able to compile containers/image (and if needed containers/storage) cross platform. |
|
(FWIW the way containers/image#290 makes the |
Requiring
libgpgmeandlibassuanmakes cross-compilation of skopeo (and the library) hard on non-linux OS (linux/mac/etc..)What is it reason to use CGO dependency instead of native go openpgp?
The text was updated successfully, but these errors were encountered: