From da09f36386ddf80db0978615e549b8f95bcc2ae5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jos=C3=A9=20Guilherme=20Vanz?=
Date: Tue, 6 Jul 2021 21:00:03 -0300
Subject: [PATCH] --sigfile command line argument for image sign command.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Adds the --sigfile command line argument to allow users to define the signature file name.

Replaces: https://github.com/containers/podman/pull/10975
Fixes: https://github.com/containers/podman/issues/10866

Signed-off-by: José Guilherme Vanz
Signed-off-by: Daniel J Walsh
---
 cmd/podman/images/sign.go | 4 ++
 contrib/spec/podman.spec.in | 1 +
 docs/source/markdown/podman-image-sign.1.md | 6 ++
 pkg/domain/entities/images.go | 1 +
 pkg/domain/infra/abi/images.go | 11 ++--
 test/system/011-image.bats | 61 +++++++++++++++++++++
 6 files changed, 80 insertions(+), 4 deletions(-)
 create mode 100644 test/system/011-image.bats

diff --git a/cmd/podman/images/sign.go b/cmd/podman/images/sign.go
index 96f214d0bbf8..d6ac8d63bbf8 100644
--- a/cmd/podman/images/sign.go
+++ b/cmd/podman/images/sign.go
@@ -48,6 +48,10 @@ func init() {
 	flags.StringVar(&signOptions.CertDir, certDirFlagName, "", "`Pathname` of a directory containing TLS certificates and keys")
 	_ = signCommand.RegisterFlagCompletionFunc(certDirFlagName, completion.AutocompleteDefault)
 	flags.BoolVarP(&signOptions.All, "all", "a", false, "Sign all the manifests of the multi-architecture image")
+
+	sigFileFlagName := "sigfile"
+	flags.StringVar(&signOptions.SigFile, sigFileFlagName, "", "Path of the signature file.")
+	_ = signCommand.RegisterFlagCompletionFunc(sigFileFlagName, completion.AutocompleteDefault)
 }
 
 func sign(cmd *cobra.Command, args []string) error {
diff --git a/contrib/spec/podman.spec.in b/contrib/spec/podman.spec.in
index 2db8f6e67145..474add1af991 100644
--- a/contrib/spec/podman.spec.in
+++ b/contrib/spec/podman.spec.in
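Review bot: The help text of the new `--sigfile` flag, "Path of the signature file.", does not describe what the value is used for: in the pkg/domain/infra/abi/images.go hunk it is passed to `filepath.Join(signatureDir, sigFileName)`, so it is treated as a name relative to `--directory`, and an absolute value such as the man page's `--sigfile=/tmp/foobar.sig` example would be resolved under the signature directory instead of at that path. The flag description should say what the flag actually takes, e.g. `"Name of the signature file to create inside the signature directory"`, and the `--sigfile` entry and example in the man-page hunk should be brought in line with it. The same ambiguity is carried by the undocumented `SigFile` field added in pkg/domain/entities/images.go.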
@@ -361,6 +361,7 @@ Man pages for the %{name} commands
 Summary: Tests for %{name}
 Requires: %{name} = %{epoch}:%{version}-%{release}
+Requires: gnupg
 Requires: bats
 Requires: jq
 Requires: skopeo
diff --git a/docs/source/markdown/podman-image-sign.1.md b/docs/source/markdown/podman-image-sign.1.md
index e284955a2bb7..ea3ac6f11a8c 100644
--- a/docs/source/markdown/podman-image-sign.1.md
+++ b/docs/source/markdown/podman-image-sign.1.md
@@ -32,6 +32,10 @@ Please refer to containers-certs.d(5) for details. (This option is not available
 Store the signatures in the specified directory. Default: /var/lib/containers/sigstore
+#### **--sigfile**=*path*
+
+Path of the signature file. Default is /var/lib/containers/sigstore/signature-#, where # is a unigue integer.
+
 #### **--sign-by**=*identity*
 Override the default identity of the signature.
@@ -41,6 +45,8 @@ Sign the busybox image with the identity of foo@bar.com with a user's keyring an
   sudo podman image sign --sign-by foo@bar.com --directory /tmp/signatures docker://privateregistry.example.com/foobar
+  sudo podman image sign --sigfile=/tmp/foobar.sig --sign-by foo@bar.com --directory /tmp/signatures docker://privateregistry.example.com/foobar
+
 ## RELATED CONFIGURATION
 The write (and read) location for signatures is defined in YAML-based
diff --git a/pkg/domain/entities/images.go b/pkg/domain/entities/images.go
index 7583ce442449..e830316561a2 100644
--- a/pkg/domain/entities/images.go
+++ b/pkg/domain/entities/images.go
@@ -373,6 +373,7 @@ type SignOptions struct {
 	Directory string
 	SignBy string
 	CertDir string
+	SigFile string
 	All bool
 }
diff --git a/pkg/domain/infra/abi/images.go b/pkg/domain/infra/abi/images.go
index 5c0227986613..86a5d615537d 100644
--- a/pkg/domain/infra/abi/images.go
+++ b/pkg/domain/infra/abi/images.go
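Review bot: The exported field `SigFile` added to `SignOptions` has no doc comment, so its contract — a file name placed inside `Directory`, with the empty string meaning "generate a name" — is only discoverable by reading the `putSignature` change in another file. A comment on the field such as `// SigFile is the name of the signature file to write inside Directory; when empty a generated signature-N name is used (see podman-image-sign(1)).` would pin that down for callers of the entities API. The `type SignOptions struct {` line itself is just outside the hunk.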
@@ -759,11 +759,14 @@ func putSignature(manifestBlob []byte, mech signature.SigningMechanism, sigStore
 			return err
 		}
 	}
-	sigFilename, err := getSigFilename(signatureDir)
-	if err != nil {
-		return err
+	sigFileName := options.SigFile
+	if len(sigFileName) == 0 {
+		sigFileName, err = getSigFilename(signatureDir)
+		if err != nil {
+			return err
+		}
 	}
-	if err = ioutil.WriteFile(filepath.Join(signatureDir, sigFilename), newSig, 0644); err != nil {
+	if err = ioutil.WriteFile(filepath.Join(signatureDir, sigFileName), newSig, 0644); err != nil {
 		return err
 	}
 	return nil
diff --git a/test/system/011-image.bats b/test/system/011-image.bats
new file mode 100644
index 000000000000..2a226b5d2f20
--- /dev/null
+++ b/test/system/011-image.bats
@@ -0,0 +1,61 @@
+#!/usr/bin/env bats
+
+load helpers
+
+function setup() {
+    skip_if_remote "--sign-by does not work with podman-remote"
+
+    basic_setup
+
+    export _GNUPGHOME_TMP=$PODMAN_TMPDIR/.gnupg
+    mkdir --mode=0700 $_GNUPGHOME_TMP $PODMAN_TMPDIR/signatures
+
+    cat >$PODMAN_TMPDIR/keydetails <" \
+        "gpg --verify $sigfile"
+}
+
+
+@test "podman image - sign with no sigfile" {
+    GNUPGHOME=$_GNUPGHOME_TMP run_podman image sign --sign-by foo@bar.com --directory $PODMAN_TMPDIR/signatures "docker://$PODMAN_TEST_IMAGE_FQN"
+    check_signature "signature-1"
+}
+
+@test "podman image - sign with sigfile" {
+    local signature_file="$(random_string 10 | tr A-Z a-z)"
+
+    GNUPGHOME=$_GNUPGHOME_TMP run_podman image sign --sign-by foo@bar.com --directory $PODMAN_TMPDIR/signatures --sigfile $signature_file "docker://$PODMAN_TEST_IMAGE_FQN"
+    check_signature "$signature_file"
+}
+
+# vim: filetype=sh
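Review bot: The user-supplied `options.SigFile` is joined onto `signatureDir` without any check, so a value containing a directory component or `..` makes `ioutil.WriteFile` write outside the configured signature store, where the signature lookup that reads that directory will not find it; only the generated name from `getSigFilename` is guaranteed to stay inside. Restricting the flag to a bare file name keeps the documented contract honest, e.g. `} else if filepath.Base(sigFileName) != sigFileName {` followed by returning an error naming the offending value, in place of the closing brace of the new `if len(sigFileName) == 0` block. Separately, `ioutil.WriteFile` silently overwrites an existing file of that name, whereas the generated name is presumably unique (the man page describes `signature-#` with a unique integer); if overwriting is not intended, opening the file with `os.O_CREATE|os.O_EXCL` would make a clash an error rather than a lost signature. `putSignature` begins before this hunk and its closing brace is after it.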
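Review bot: Both new tests pass a bare random name to `--sigfile`, so they pin only the case where the value is a plain file name; nothing exercises the absolute-path form the man page example uses, and nothing checks what happens when the requested name already exists in `--directory`. A third test that signs twice with the same `--sigfile` value, and one that passes a path with a directory component and asserts the expected exit status, would fix the intended behaviour for both cases. The body of `check_signature` is not fully visible here (its definition starts before the `" \` continuation line shown), so whether it already asserts the file's location under `$PODMAN_TMPDIR/signatures` cannot be confirmed from this view.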