@jlebon jlebon commented Sep 8, 2025

This adds a new cosa sign --oci command to sign OCI container images. This is part of the effort to move FCOS to a container-native build flow, where we now produce non-encapsulated container images.

The new command works by sending a request to Robosignatory to sign the image manifest digest. Robosignatory returns a detached signature, which we then merge with the original payload to create a cleartext signed message that can be understood by containers/image.

This is a short-term solution until we can move to Sigstore.

Part of coreos/fedora-coreos-tracker#1969.
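
To make the "payload" in the description above concrete: this is an added sketch, not code from this PR or from coreos-assembler. It assumes the payload is the simple signing JSON that containers/image uses for GPG signatures. It covers only building the payload and checking its claims after the OpenPGP signature has been verified; the function names, image reference and manifest are constructed for illustration.

```python
import hashlib
import json
import re

SIG_TYPE = "atomic container signature"  # type string used by simple signing
DIGEST_RE = re.compile(r"sha256:[0-9a-f]{64}")


def manifest_digest(manifest_bytes):
    """Digest of the exact manifest bytes, in ALGO:DIGEST form."""
    return "sha256:" + hashlib.sha256(manifest_bytes).hexdigest()


def build_payload(docker_reference, digest, creator, timestamp):
    """Serialize the claims that are handed to the signer."""
    if not DIGEST_RE.fullmatch(digest):
        raise ValueError(f"not a sha256 manifest digest: {digest!r}")
    payload = {
        "critical": {
            "identity": {"docker-reference": docker_reference},
            "image": {"docker-manifest-digest": digest},
            "type": SIG_TYPE,
        },
        "optional": {"creator": creator, "timestamp": timestamp},
    }
    return json.dumps(payload, sort_keys=True).encode()


def check_claims(payload_bytes, expected_reference, pulled_manifest):
    """Run only after the signature over payload_bytes verified against a
    trusted key. A valid signature for a different reference or digest
    must not be accepted for this image."""
    try:
        critical = json.loads(payload_bytes)["critical"]
        claimed = (critical["type"],
                   critical["identity"]["docker-reference"],
                   critical["image"]["docker-manifest-digest"])
    except (ValueError, KeyError, TypeError):
        return False  # malformed payload: fail closed
    # Recompute the digest from the bytes actually pulled, never trust a tag.
    return claimed == (SIG_TYPE, expected_reference,
                       manifest_digest(pulled_manifest))


if __name__ == "__main__":
    manifest = b'{"schemaVersion": 2}'          # constructed sample manifest
    ref = "registry.example.com/fcos:stable"    # constructed sample reference
    signed = build_payload(ref, manifest_digest(manifest), "example", 0)
    print(check_claims(signed, ref, manifest))
```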

Prep for adding functionality that doesn't require it.

@gemini-code-assist gemini-code-assist bot left a comment

Code Review

This pull request introduces a new cosa sign --oci command for signing OCI container images, which is a significant step towards a container-native build flow. The implementation is comprehensive, covering payload creation, interaction with Robosignatory, and signature verification. My review focuses on improving the robustness and correctness of the new robosign_oci function. I've identified a few potential issues related to deterministic file naming, S3 object handling, and image reference parsing, and have provided specific suggestions to address them. I've also included a minor suggestion to improve code style.

@dustymabe dustymabe left a comment

Initial questions. Thanks for working on this!

"public keys to use for signature verification",
default="/etc/pki/rpm-gpg")
robosig.add_argument("--s3-sigstore", help="bucket and prefix to S3 sigstore")
robosig.add_argument("--manifest-list-digest", metavar="ALGO:DIGEST",

I'm a bit interested to see the update to coreos/fedora-coreos-pipeline#1211 for this one.

Member Author

Yup, will update soon!

dustymabe previously approved these changes Sep 9, 2025

@dustymabe dustymabe left a comment

LGTM

jbtrystram previously approved these changes Sep 9, 2025

@jbtrystram jbtrystram left a comment

LGTM

This adds a new `cosa sign --oci` command to sign OCI container images.
This is part of the effort to move FCOS to a container-native build
flow, where we now produce non-encapsulated container images.

The new command works by sending a request to Robosignatory to sign
the image manifest digest. Robosignatory returns a detached signature,
which we then merge with the original payload to create a cleartext
signed message that can be understood by containers/image.

This is a short-term solution until we can move to Sigstore.

Part of coreos/fedora-coreos-tracker#1969.
@jlebon jlebon dismissed stale reviews from jbtrystram and dustymabe via bc3b733 September 9, 2025 15:27

jlebon commented Sep 9, 2025

I just fixed the typo. Merging since CI was green.

@jlebon jlebon merged commit 4ec5990 into coreos:main Sep 9, 2025
1 of 6 checks passed
@jlebon jlebon deleted the pr/robosign-oci branch September 9, 2025 15:28