--sigfile command line argument for image sign command.

Adds the --sigfile command line argument to allow users to define the signature file name. Replaces: containers#10975 Fixes: containers#10866 Signed-off-by: José Guilherme Vanz <jvanz@jvanz.com> Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
rhatdan · Nov 11, 2021 · da09f36 · da09f36
1 parent 5f3ce25
commit da09f36
Show file tree

Hide file tree

Showing 6 changed files with 80 additions and 4 deletions.
diff --git a/cmd/podman/images/sign.go b/cmd/podman/images/sign.go
@@ -48,6 +48,10 @@ func init() {
 	flags.StringVar(&signOptions.CertDir, certDirFlagName, "", "`Pathname` of a directory containing TLS certificates and keys")
 	_ = signCommand.RegisterFlagCompletionFunc(certDirFlagName, completion.AutocompleteDefault)
 	flags.BoolVarP(&signOptions.All, "all", "a", false, "Sign all the manifests of the multi-architecture image")
+
+	sigFileFlagName := "sigfile"
+	flags.StringVar(&signOptions.SigFile, sigFileFlagName, "", "Path of the signature file.")
+	_ = signCommand.RegisterFlagCompletionFunc(sigFileFlagName, completion.AutocompleteDefault)
 }
 
 func sign(cmd *cobra.Command, args []string) error {

diff --git a/contrib/spec/podman.spec.in b/contrib/spec/podman.spec.in
@@ -361,6 +361,7 @@ Man pages for the %{name} commands
 Summary: Tests for %{name}
 
 Requires: %{name} = %{epoch}:%{version}-%{release}
+Requires: gnupg
 Requires: bats
 Requires: jq
 Requires: skopeo

diff --git a/docs/source/markdown/podman-image-sign.1.md b/docs/source/markdown/podman-image-sign.1.md
@@ -32,6 +32,10 @@ Please refer to containers-certs.d(5) for details. (This option is not available
 
 Store the signatures in the specified directory.  Default: /var/lib/containers/sigstore
 
+#### **--sigfile**=*path*
+
+Path of the signature file. Default is /var/lib/containers/sigstore/signature-#, where # is a unigue integer.
+
 #### **--sign-by**=*identity*
 
 Override the default identity of the signature.
@@ -41,6 +45,8 @@ Sign the busybox image with the identity of foo@bar.com with a user's keyring an
 
    sudo podman image sign --sign-by foo@bar.com --directory /tmp/signatures docker://privateregistry.example.com/foobar
 
+   sudo podman image sign --sigfile=/tmp/foobar.sig --sign-by foo@bar.com --directory /tmp/signatures docker://privateregistry.example.com/foobar
+
 ## RELATED CONFIGURATION
 
 The write (and read) location for signatures is defined in YAML-based

diff --git a/pkg/domain/entities/images.go b/pkg/domain/entities/images.go
@@ -373,6 +373,7 @@ type SignOptions struct {
 	Directory string
 	SignBy    string
 	CertDir   string
+	SigFile   string
 	All       bool
 }
 

diff --git a/pkg/domain/infra/abi/images.go b/pkg/domain/infra/abi/images.go
@@ -759,11 +759,14 @@ func putSignature(manifestBlob []byte, mech signature.SigningMechanism, sigStore
 			return err
 		}
 	}
-	sigFilename, err := getSigFilename(signatureDir)
-	if err != nil {
-		return err
+	sigFileName := options.SigFile
+	if len(sigFileName) == 0 {
+		sigFileName, err = getSigFilename(signatureDir)
+		if err != nil {
+			return err
+		}
 	}
-	if err = ioutil.WriteFile(filepath.Join(signatureDir, sigFilename), newSig, 0644); err != nil {
+	if err = ioutil.WriteFile(filepath.Join(signatureDir, sigFileName), newSig, 0644); err != nil {
 		return err
 	}
 	return nil

diff --git a/test/system/011-image.bats b/test/system/011-image.bats
@@ -0,0 +1,61 @@
+#!/usr/bin/env bats
+
+load helpers
+
+function setup() {
+    skip_if_remote "--sign-by does not work with podman-remote"
+
+    basic_setup
+
+    export _GNUPGHOME_TMP=$PODMAN_TMPDIR/.gnupg
+    mkdir --mode=0700 $_GNUPGHOME_TMP $PODMAN_TMPDIR/signatures
+
+    cat >$PODMAN_TMPDIR/keydetails <<EOF
+    %echo Generating a basic OpenPGP key
+    Key-Type: RSA
+    Key-Length: 2048
+    Subkey-Type: RSA
+    Subkey-Length: 2048
+    Name-Real: Foo
+    Name-Comment: Foo
+    Name-Email: foo@bar.com
+    Expire-Date: 0
+    %no-ask-passphrase
+    %no-protection
+    # Do a commit here, so that we can later print "done" :-)
+    %commit
+    %echo done
+EOF
+    GNUPGHOME=$_GNUPGHOME_TMP gpg --verbose --batch --gen-key $PODMAN_TMPDIR/keydetails
+}
+
+function check_signature() {
+    local sigfile=$1
+    ls -laR $PODMAN_TMPDIR/signatures
+    run_podman inspect --format '{{.Digest}}' $PODMAN_TEST_IMAGE_FQN
+    local repodigest=${output/:/=}
+
+    local dir="$PODMAN_TMPDIR/signatures/libpod/${PODMAN_TEST_IMAGE_NAME}@${repodigest}"
+    test -d $dir || die "Missing signature directory $dir"
+    test -e "$dir/$sigfile" || die "Missing signature file '$sigfile'"
+
+    # Confirm good signature
+    run env GNUPGHOME=$_GNUPGHOME_TMP gpg --verify "$dir/$sigfile"
+    is "$output" ".*Good signature from .Foo.*<foo@bar.com>" \
+       "gpg --verify $sigfile"
+}
+
+
+@test "podman image - sign with no sigfile" {
+    GNUPGHOME=$_GNUPGHOME_TMP run_podman image sign --sign-by foo@bar.com --directory $PODMAN_TMPDIR/signatures  "docker://$PODMAN_TEST_IMAGE_FQN"
+    check_signature "signature-1"
+}
+
+@test "podman image - sign with sigfile" {
+    local signature_file="$(random_string 10 | tr A-Z a-z)"
+
+    GNUPGHOME=$_GNUPGHOME_TMP run_podman image sign --sign-by foo@bar.com --directory $PODMAN_TMPDIR/signatures  --sigfile $signature_file "docker://$PODMAN_TEST_IMAGE_FQN"
+    check_signature "$signature_file"
+}
+
+# vim: filetype=sh