authorMiloslav Trmač <mitr@redhat.com>2022-08-24 20:45:57 +0200
committerMiloslav Trmač <mitr@redhat.com>2022-08-25 01:52:59 +0200
commitb36a1d1b79d7579738430adfd0696c324c3dacc0 (patch)
tree7376c6f3b7c9fa800ccaf3ca716d52b386fb0a8c
parentbba306788aba723d8555281eb07edd90a5890e64 (diff)
downloadpodman-b36a1d1b79d7579738430adfd0696c324c3dacc0.tar.gz
podman-b36a1d1b79d7579738430adfd0696c324c3dacc0.tar.bz2
podman-b36a1d1b79d7579738430adfd0696c324c3dacc0.zip
BREAKING CHANGE: Change how (podman image trust show) represents multiple requirements
Currently - the output uses the first entry's type, even if the requirements are different (notably signedBy + sigstoreSigned) - all public key IDs are collected into a single line, even if some of them are interchangeable and some are required (e.g. two signedBy requirements could require an image to be signed by (redhatProd OR redhatBeta) AND (vendor1 OR vendor2)). So, stop collapsing the requirements, and return a separate entry for each one. Multiple GPG IDs on a single line used to mean AND or OR, now they always mean AND. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
-rw-r--r--pkg/trust/trust.go14
-rw-r--r--pkg/trust/trust_test.go80
2 files changed, 84 insertions, 10 deletions
diff --git a/pkg/trust/trust.go b/pkg/trust/trust.go
index 7b1b798ca..5f292083f 100644
--- a/pkg/trust/trust.go
+++ b/pkg/trust/trust.go
@@ -96,21 +96,21 @@ func descriptionsOfPolicyRequirements(reqs []repoContent, template Policy, regis
}
}
- entry := template
- entry.Type = trustTypeDescription(reqs[0].Type)
- uids := []string{}
for _, repoele := range reqs {
+ entry := template
+ entry.Type = trustTypeDescription(repoele.Type)
+
+ uids := []string{}
if len(repoele.KeyPath) > 0 {
uids = append(uids, idReader(repoele.KeyPath)...)
}
if len(repoele.KeyData) > 0 {
uids = append(uids, getGPGIdFromKeyData(idReader, repoele.KeyData)...)
}
+ entry.GPGId = strings.Join(uids, ", ")
+ entry.SignatureStore = lookasidePath
+ res = append(res, &entry)
}
- entry.GPGId = strings.Join(uids, ", ")
- entry.SignatureStore = lookasidePath
-
- res = append(res, &entry)
return res
}
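Review bot: The representation change is not reflected in the function's documentation: `descriptionsOfPolicyRequirements` (its signature and doc comment are above this hunk) now returns one `Policy` per requirement in `reqs`, and a reader of `podman image trust show` output needs to know that the entries for one scope must all be satisfied while the comma-joined `GPGId` of a single entry lists the keys of that one requirement; I would add to the doc comment `// One entry is returned per requirement in reqs; all of them apply to the scope together, so several "signed" entries mean several independent signatures are required.` The per-iteration `entry := template` copy makes the `&entry` appended on the last line safe, since each iteration gets a fresh variable, which is worth a one-line why-comment so a later refactor does not hoist the declaration back out of the loop. As a point of style, `uids := []string{}` can be `var uids []string`, since `strings.Join` of a nil slice is also `""`.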
diff --git a/pkg/trust/trust_test.go b/pkg/trust/trust_test.go
index d04e9f211..edafeb5c1 100644
--- a/pkg/trust/trust_test.go
+++ b/pkg/trust/trust_test.go
@@ -67,7 +67,15 @@ func TestPolicyDescription(t *testing.T) {
RepoName: "quay.io/multi-signed",
Type: "signed",
SignatureStore: "https://quay.example.com/sigstore",
- GPGId: "1, 2, 3",
+ GPGId: "1",
+ },
+ {
+ Transport: "repository",
+ Name: "quay.io/multi-signed",
+ RepoName: "quay.io/multi-signed",
+ Type: "signed",
+ SignatureStore: "https://quay.example.com/sigstore",
+ GPGId: "2, 3",
},
{
Transport: "repository",
@@ -93,7 +101,15 @@ func TestPolicyDescription(t *testing.T) {
RepoName: "default",
Type: "signed",
SignatureStore: "",
- GPGId: "1, 2, 3",
+ GPGId: "1",
+ },
+ {
+ Transport: "all",
+ Name: "* (default)",
+ RepoName: "default",
+ Type: "signed",
+ SignatureStore: "",
+ GPGId: "2, 3",
},
},
},
@@ -188,7 +204,65 @@ func TestDescriptionsOfPolicyRequirements(t *testing.T) {
RepoName: "repoName",
Type: "signed",
SignatureStore: "https://quay.example.com/sigstore",
- GPGId: "1, 2, 3",
+ GPGId: "1",
+ },
+ {
+ Transport: "transport",
+ Name: "name",
+ RepoName: "repoName",
+ Type: "signed",
+ SignatureStore: "https://quay.example.com/sigstore",
+ GPGId: "2, 3",
+ },
+ },
+ },
+ { // Multiple kinds of requirements are represented individually.
+ "registry.redhat.io",
+ signature.PolicyRequirements{
+ signature.NewPRReject(),
+ signature.NewPRInsecureAcceptAnything(),
+ xNewPRSignedByKeyPath(t, "/redhat.pub", signature.NewPRMMatchRepoDigestOrExact()),
+ xNewPRSignedByKeyPath(t, "/1.pub", signature.NewPRMMatchRepoDigestOrExact()),
+ xNewPRSignedByKeyPath(t, "/2,3.pub", signature.NewPRMMatchRepoDigestOrExact()),
+ },
+ []*Policy{
+ {
+ Transport: "transport",
+ Name: "name",
+ RepoName: "repoName",
+ SignatureStore: "https://registry.redhat.io/containers/sigstore",
+ Type: "reject",
+ },
+ {
+ Transport: "transport",
+ Name: "name",
+ RepoName: "repoName",
+ SignatureStore: "https://registry.redhat.io/containers/sigstore",
+ Type: "accept",
+ },
+ {
+ Transport: "transport",
+ Name: "name",
+ RepoName: "repoName",
+ Type: "signed",
+ SignatureStore: "https://registry.redhat.io/containers/sigstore",
+ GPGId: "redhat",
+ },
+ {
+ Transport: "transport",
+ Name: "name",
+ RepoName: "repoName",
+ Type: "signed",
+ SignatureStore: "https://registry.redhat.io/containers/sigstore",
+ GPGId: "1",
+ },
+ {
+ Transport: "transport",
+ Name: "name",
+ RepoName: "repoName",
+ Type: "signed",
+ SignatureStore: "https://registry.redhat.io/containers/sigstore",
+ GPGId: "2, 3",
},
},
},
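Review bot: The new "Multiple kinds of requirements are represented individually" case does not exercise the situation the commit message gives as motivation, a `signedBy` requirement next to a `sigstoreSigned` one, so the type-per-entry behavior for that combination is left untested; adding one such case here (or in TestPolicyDescription in the hunks above, which receive only the split "1" / "2, 3" expectations) would pin the `Type` and `GPGId` values for each kind of entry. Within the expected `[]*Policy`, the reject and accept entries list `SignatureStore` before `Type` while the signed entries list `Type` first; keeping one field order across all five literals makes the table easier to diff by eye. TestDescriptionsOfPolicyRequirements begins above this hunk.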