--sigfile command line argument for image sign command.
Adds the --sigfile command line argument to allow users to define the signature file name. Replaces: containers#10975 Fixes: containers#10866 Signed-off-by: José Guilherme Vanz <jvanz@jvanz.com> Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Showing
6 changed files
with
80 additions
and
4 deletions.
@@ -373,6 +373,7 @@ type SignOptions struct { | |
Directory string | ||
SignBy string | ||
CertDir string | ||
SigFile string | ||
All bool | ||
} | ||
|
||
|
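Review bot: `SigFile` is added to SignOptions without a doc comment, so a caller of the entities API cannot tell from the type whether it is a bare file name placed under `Directory` or a path, nor what an empty value means. The sibling fields in this hunk are undocumented as well, so this matches the surrounding style, but a new option is the right place to state the contract: `// SigFile is the name of the signature file written under Directory; when empty a default name is used.` The system test in this same commit shows `signature-1` as the default when the flag is omitted, but the Go code that consumes SigFile is not in this hunk, so that wording should be checked against it. The SignOptions struct itself starts before this hunk.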
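--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,61 @@
+#!/usr/bin/env bats
+
+load helpers
+
+function setup() {
+skip_if_remote "--sign-by does not work with podman-remote"
+
+basic_setup
+
+export _GNUPGHOME_TMP=$PODMAN_TMPDIR/.gnupg
+mkdir --mode=0700 $_GNUPGHOME_TMP $PODMAN_TMPDIR/signatures
+
+cat >$PODMAN_TMPDIR/keydetails <<EOF
+%echo Generating a basic OpenPGP key
+Key-Type: RSA
+Key-Length: 2048
+Subkey-Type: RSA
+Subkey-Length: 2048
+Name-Real: Foo
+Name-Comment: Foo
+Name-Email: foo@bar.com
+Expire-Date: 0
+%no-ask-passphrase
+%no-protection
+# Do a commit here, so that we can later print "done" :-)
+%commit
+%echo done
+EOF
+GNUPGHOME=$_GNUPGHOME_TMP gpg --verbose --batch --gen-key $PODMAN_TMPDIR/keydetails
+}
+
+function check_signature() {
+local sigfile=$1
+ls -laR $PODMAN_TMPDIR/signatures
+run_podman inspect --format '{{.Digest}}' $PODMAN_TEST_IMAGE_FQN
+local repodigest=${output/:/=}
+
+local dir="$PODMAN_TMPDIR/signatures/libpod/${PODMAN_TEST_IMAGE_NAME}@${repodigest}"
+test -d $dir || die "Missing signature directory $dir"
+test -e "$dir/$sigfile" || die "Missing signature file '$sigfile'"
+
+# Confirm good signature
+run env GNUPGHOME=$_GNUPGHOME_TMP gpg --verify "$dir/$sigfile"
+is "$output" ".*Good signature from .Foo.*<foo@bar.com>" \
+"gpg --verify $sigfile"
+}
+
+
+@test "podman image - sign with no sigfile" {
+GNUPGHOME=$_GNUPGHOME_TMP run_podman image sign --sign-by foo@bar.com --directory $PODMAN_TMPDIR/signatures "docker://$PODMAN_TEST_IMAGE_FQN"
+check_signature "signature-1"
+}
+
+@test "podman image - sign with sigfile" {
+local signature_file="$(random_string 10 | tr A-Z a-z)"
+
+GNUPGHOME=$_GNUPGHOME_TMP run_podman image sign --sign-by foo@bar.com --directory $PODMAN_TMPDIR/signatures --sigfile $signature_file "docker://$PODMAN_TEST_IMAGE_FQN"
+check_signature "$signature_file"
+}
+
+# vim: filetype=sh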
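Review bot: Both cases exercise `--sigfile` only with a lowercase alphanumeric name (the `random_string 10 | tr A-Z a-z` value), so the suite does not pin down how a value containing path components is handled — whether it is rejected, or written somewhere other than the per-image directory that `check_signature` derives under `--directory`; the Go code that consumes SigFile is not in this file, so I cannot tell which it does. A negative case that accepts any exit status and only asserts that nothing lands outside the per-image signature directory would document that contract independently of the implementation. Separately, the `sign with sigfile` case proves only that a file with the requested name exists and verifies; asserting inside `check_signature` that the default `signature-1` was not written alongside it, `test ! -e "$dir/signature-1" || die "default signature written despite --sigfile"`, would show the flag replaces the default rather than adding a second file (that check would need to be skipped for the no-sigfile case).
```shell
@test "podman image - sign with sigfile containing path components" {
    # --sigfile names a file inside the per-image signature directory;
    # whatever the exit status, nothing may be written outside it.
    GNUPGHOME=$_GNUPGHOME_TMP run_podman '?' image sign --sign-by foo@bar.com --directory $PODMAN_TMPDIR/signatures --sigfile "../escaped" "docker://$PODMAN_TEST_IMAGE_FQN"
    test ! -e "$PODMAN_TMPDIR/signatures/libpod/escaped" \
        || die "signature file written outside its per-image directory"
}
```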