aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorMiloslav Trmač <mitr@redhat.com>2022-08-24 19:48:26 +0200
committerMiloslav Trmač <mitr@redhat.com>2022-08-25 01:50:43 +0200
commitff3f574fc0db5e442adfac54b86af7c462595ffc (patch)
tree4e9bafeb916dd200d1a120657e1e9e5afa558483
parent9828bc44534d6527d44351470d5f943281b7dfba (diff)
downloadpodman-ff3f574fc0db5e442adfac54b86af7c462595ffc.tar.gz
podman-ff3f574fc0db5e442adfac54b86af7c462595ffc.tar.bz2
podman-ff3f574fc0db5e442adfac54b86af7c462595ffc.zip
Add support for sigstoreSigned in (podman image trust set)
NOTE: This does not edit the use-sigstore-attachments value in registries.d, similarly to how (podman image trust set) didn't set the lookaside paths for simple signing. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
-rw-r--r--cmd/podman/images/trust_set.go4
-rw-r--r--docs/source/markdown/podman-image-trust.1.md9
-rw-r--r--pkg/trust/policy.go8
-rw-r--r--pkg/trust/policy_test.go22
4 files changed, 38 insertions, 5 deletions
diff --git a/cmd/podman/images/trust_set.go b/cmd/podman/images/trust_set.go
index 832e9f724..e7339f0b1 100644
--- a/cmd/podman/images/trust_set.go
+++ b/cmd/podman/images/trust_set.go
@@ -53,7 +53,7 @@ File(s) must exist before using this command`)
}
func setTrust(cmd *cobra.Command, args []string) error {
- validTrustTypes := []string{"accept", "insecureAcceptAnything", "reject", "signedBy"}
+ validTrustTypes := []string{"accept", "insecureAcceptAnything", "reject", "signedBy", "sigstoreSigned"}
valid, err := isValidImageURI(args[0])
if err != nil || !valid {
@@ -61,7 +61,7 @@ func setTrust(cmd *cobra.Command, args []string) error {
}
if !util.StringInSlice(setOptions.Type, validTrustTypes) {
- return fmt.Errorf("invalid choice: %s (choose from 'accept', 'reject', 'signedBy')", setOptions.Type)
+ return fmt.Errorf("invalid choice: %s (choose from 'accept', 'reject', 'signedBy', 'sigstoreSigned')", setOptions.Type)
}
return registry.ImageEngine().SetTrust(registry.Context(), args, setOptions)
}
diff --git a/docs/source/markdown/podman-image-trust.1.md b/docs/source/markdown/podman-image-trust.1.md
index 4e80bdcf5..2a7da82cc 100644
--- a/docs/source/markdown/podman-image-trust.1.md
+++ b/docs/source/markdown/podman-image-trust.1.md
@@ -32,7 +32,8 @@ Trust **type** provides a way to:
Allowlist ("accept") or
Denylist ("reject") registries or
-Require signature (“signedBy”).
+Require a simple signing signature (“signedBy”),
+Require a sigstore signature ("sigstoreSigned").
Trust may be updated using the command **podman image trust set** for an existing trust scope.
@@ -45,12 +46,14 @@ Trust may be updated using the command **podman image trust set** for an existin
#### **--pubkeysfile**, **-f**=*KEY1*
A path to an exported public key on the local system. Key paths
will be referenced in policy.json. Any path to a file may be used but locating the file in **/etc/pki/containers** is recommended. Options may be used multiple times to
- require an image be signed by multiple keys. The **--pubkeysfile** option is required for the **signedBy** type.
+ require an image be signed by multiple keys. The **--pubkeysfile** option is required for the **signedBy** and **sigstoreSigned** types.
#### **--type**, **-t**=*value*
The trust type for this policy entry.
Accepted values:
- **signedBy** (default): Require signatures with corresponding list of
+ **signedBy** (default): Require simple signing signatures with corresponding list of
+ public keys
+ **sigstoreSigned**: Require sigstore signatures with corresponding list of
public keys
**accept**: do not require any signatures for this
registry scope
diff --git a/pkg/trust/policy.go b/pkg/trust/policy.go
index 77e02a05c..3a31b9338 100644
--- a/pkg/trust/policy.go
+++ b/pkg/trust/policy.go
@@ -161,6 +161,14 @@ func AddPolicyEntries(policyPath string, input AddPolicyEntriesInput) error {
newReposContent = append(newReposContent, RepoContent{Type: trustType, KeyType: "GPGKeys", KeyPath: filepath})
}
+ case "sigstoreSigned":
+ if len(pubkeysfile) == 0 {
+ return errors.New("at least one public key must be defined for type 'sigstoreSigned'")
+ }
+ for _, filepath := range pubkeysfile {
+ newReposContent = append(newReposContent, RepoContent{Type: trustType, KeyPath: filepath})
+ }
+
default:
return fmt.Errorf("unknown trust type %q", input.Type)
}
diff --git a/pkg/trust/policy_test.go b/pkg/trust/policy_test.go
index c4781335f..c2c2d93be 100644
--- a/pkg/trust/policy_test.go
+++ b/pkg/trust/policy_test.go
@@ -49,6 +49,11 @@ func TestAddPolicyEntries(t *testing.T) {
},
{
Scope: "default",
+ Type: "sigstoreSigned",
+ PubKeyFiles: []string{}, // A key is missing
+ },
+ {
+ Scope: "default",
Type: "this-is-unknown",
PubKeyFiles: []string{},
},
@@ -73,6 +78,12 @@ func TestAddPolicyEntries(t *testing.T) {
PubKeyFiles: []string{"/1.pub", "/2.pub"},
})
assert.NoError(t, err)
+ err = AddPolicyEntries(policyPath, AddPolicyEntriesInput{
+ Scope: "quay.io/sigstore-signed",
+ Type: "sigstoreSigned",
+ PubKeyFiles: []string{"/1.pub", "/2.pub"},
+ })
+ assert.NoError(t, err)
// Test that the outcome is consumable, and compare it with the expected values.
parsedPolicy, err := signature.NewPolicyFromFile(policyPath)
@@ -90,6 +101,10 @@ func TestAddPolicyEntries(t *testing.T) {
xNewPRSignedByKeyPath(t, "/1.pub", signature.NewPRMMatchRepoDigestOrExact()),
xNewPRSignedByKeyPath(t, "/2.pub", signature.NewPRMMatchRepoDigestOrExact()),
},
+ "quay.io/sigstore-signed": {
+ xNewPRSigstoreSignedKeyPath(t, "/1.pub", signature.NewPRMMatchRepoDigestOrExact()),
+ xNewPRSigstoreSignedKeyPath(t, "/2.pub", signature.NewPRMMatchRepoDigestOrExact()),
+ },
},
},
}, parsedPolicy)
@@ -101,3 +116,10 @@ func xNewPRSignedByKeyPath(t *testing.T, keyPath string, signedIdentity signatur
require.NoError(t, err)
return pr
}
+
+// xNewPRSigstoreSignedKeyPath is a wrapper for NewPRSigstoreSignedKeyPath which must not fail.
+func xNewPRSigstoreSignedKeyPath(t *testing.T, keyPath string, signedIdentity signature.PolicyReferenceMatch) signature.PolicyRequirement {
+ pr, err := signature.NewPRSigstoreSignedKeyPath(keyPath, signedIdentity)
+ require.NoError(t, err)
+ return pr
+}