[backend] support a rekorserver in the registry config

Container signatures are uploaded into the rekor if this is configured.
openSUSE · Jan 19, 2022 · 20052a5 · 20052a5
1 parent 416d3b2
commit 20052a5
Showing 1 changed file with 5 additions and 4 deletions.
diff --git a/src/backend/BSPublisher/Container.pm b/src/backend/BSPublisher/Container.pm
@@ -226,7 +226,7 @@ sub upload_all_containers {
 	  undef $gun unless defined $pubkey;
 	}
 	$have_some_trust = 1 if $gun;
-	do_local_uploads($extrep, $projid, $repoid, $repository, $gun, $containers, $pubkey, $signargs, $multicontainer, $uptags);
+	do_local_uploads($extrep, $projid, $repoid, $repository, $gun, $containers, $pubkey, $signargs, $multicontainer, $uptags, $registry->{'rekorserver'});
 	my $pullserver = $registry->{'server'};
 	undef $pullserver if $pullserver && $pullserver eq 'local:';
 	if ($pullserver) {
@@ -267,7 +267,7 @@ sub upload_all_containers {
     for my $repository (@{$old_container_repositories->{$regname} || []}) {
       next if $uploads{$repository};
       if ($registryserver eq 'local:') {
-        do_local_uploads($extrep, $projid, $repoid, $repository, undef, $containers, $pubkey, $signargs, $multicontainer, {});
+        do_local_uploads($extrep, $projid, $repoid, $repository, undef, $containers, $pubkey, $signargs, $multicontainer, {}, $registry->{'rekorserver'});
 	next;
       }
       my $containerdigests = '';
@@ -415,6 +415,7 @@ sub upload_to_registry {
     unlink($pubkeyfile);
     writestr($pubkeyfile, undef, $pubkey);
     push @opts, '--cosign', '-p', $pubkeyfile, '-G', $gun, @signargs;
+    push @opts, '--rekor', $registry->{'rekorserver'} if $registry->{'rekorserver'};
   }
   my @cmd = ("$INC[0]/bs_regpush", '--dest-creds', '-', @opts, '-F', $containerdigestfile, $registryserver, $repository, @uploadfiles);
   print "Uploading to registry: @cmd\n";
@@ -554,7 +555,7 @@ sub delete_container_repositories {
 }
 
 sub do_local_uploads {
-  my ($extrep, $projid, $repoid, $repository, $gun, $containers, $pubkey, $signargs, $multicontainer, $uptags) = @_;
+  my ($extrep, $projid, $repoid, $repository, $gun, $containers, $pubkey, $signargs, $multicontainer, $uptags, $rekorserver) = @_;
 
   my %todo;
   my @tempfiles;
@@ -579,7 +580,7 @@ sub do_local_uploads {
     }
   }
   eval {
-    BSPublisher::Registry::push_containers("$projid/$repoid", $repository, $gun, $multicontainer, \%todo, $pubkey, $signargs);
+    BSPublisher::Registry::push_containers("$projid/$repoid", $repository, $gun, $multicontainer, \%todo, $pubkey, $signargs, $rekorserver);
   };
   unlink($_) for @tempfiles;
   die($@) if $@;