diff options
author | José Guilherme Vanz <jvanz@jvanz.com> | 2021-07-06 21:00:03 -0300 |
---|---|---|
committer | Daniel J Walsh <dwalsh@redhat.com> | 2021-11-11 15:11:19 -0500 |
commit | 6762d5e2381d79c26ecabac8c83d31d1f49e1325 (patch) | |
tree | e14bef604ca3723c866b15691ba3a115ebd2997e | |
parent | d6d89fa79f1cb785e2f3f6b8d2295b97b19066e9 (diff) | |
download | podman-6762d5e2381d79c26ecabac8c83d31d1f49e1325.tar.gz podman-6762d5e2381d79c26ecabac8c83d31d1f49e1325.tar.bz2 podman-6762d5e2381d79c26ecabac8c83d31d1f49e1325.zip |
--authfile command line argument for image sign command.
Adds the --authfile command line argument to allow users to use
alternative authfile paths when signing images.
Replaces: https://github.com/containers/podman/pull/10975
Fixes: https://github.com/containers/podman/issues/10866
Signed-off-by: José Guilherme Vanz <jvanz@jvanz.com>
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
-rw-r--r-- | cmd/podman/images/sign.go | 5 | ||||
-rw-r--r-- | contrib/spec/podman.spec.in | 1 | ||||
-rw-r--r-- | docs/source/markdown/podman-image-sign.1.md | 9 | ||||
-rw-r--r-- | pkg/domain/entities/images.go | 1 | ||||
-rw-r--r-- | pkg/domain/infra/abi/images.go | 1 | ||||
-rw-r--r-- | test/system/011-image.bats | 54 |
6 files changed, 71 insertions, 0 deletions
diff --git a/cmd/podman/images/sign.go b/cmd/podman/images/sign.go index 96f214d0b..4c42a0bd6 100644 --- a/cmd/podman/images/sign.go +++ b/cmd/podman/images/sign.go @@ -3,6 +3,7 @@ package images import ( "os" + "github.com/containers/common/pkg/auth" "github.com/containers/common/pkg/completion" "github.com/containers/podman/v3/cmd/podman/common" "github.com/containers/podman/v3/cmd/podman/registry" @@ -48,6 +49,10 @@ func init() { flags.StringVar(&signOptions.CertDir, certDirFlagName, "", "`Pathname` of a directory containing TLS certificates and keys") _ = signCommand.RegisterFlagCompletionFunc(certDirFlagName, completion.AutocompleteDefault) flags.BoolVarP(&signOptions.All, "all", "a", false, "Sign all the manifests of the multi-architecture image") + + authfileFlagName := "authfile" + flags.StringVar(&signOptions.Authfile, authfileFlagName, auth.GetDefaultAuthFile(), "Path of the authentication file. Use REGISTRY_AUTH_FILE environment variable to override") + _ = signCommand.RegisterFlagCompletionFunc(authfileFlagName, completion.AutocompleteDefault) } func sign(cmd *cobra.Command, args []string) error { diff --git a/contrib/spec/podman.spec.in b/contrib/spec/podman.spec.in index 2db8f6e67..474add1af 100644 --- a/contrib/spec/podman.spec.in +++ b/contrib/spec/podman.spec.in @@ -361,6 +361,7 @@ Man pages for the %{name} commands Summary: Tests for %{name} Requires: %{name} = %{epoch}:%{version}-%{release} +Requires: gnupg Requires: bats Requires: jq Requires: skopeo diff --git a/docs/source/markdown/podman-image-sign.1.md b/docs/source/markdown/podman-image-sign.1.md index e284955a2..5f23bbfaf 100644 --- a/docs/source/markdown/podman-image-sign.1.md +++ b/docs/source/markdown/podman-image-sign.1.md @@ -23,6 +23,13 @@ Print usage statement. Sign all the manifests of the multi-architecture image (default false). +#### **--authfile**=*path* + +Path of the authentication file. Default is ${XDG\_RUNTIME\_DIR}/containers/auth.json + +Note: You can also override the default path of the authentication file by setting the REGISTRY\_AUTH\_FILE +environment variable. `export REGISTRY_AUTH_FILE=path` + #### **--cert-dir**=*path* Use certificates at *path* (\*.crt, \*.cert, \*.key) to connect to the registry. @@ -41,6 +48,8 @@ Sign the busybox image with the identity of foo@bar.com with a user's keyring an sudo podman image sign --sign-by foo@bar.com --directory /tmp/signatures docker://privateregistry.example.com/foobar + sudo podman image sign --authfile=/tmp/foobar.json --sign-by foo@bar.com --directory /tmp/signatures docker://privateregistry.example.com/foobar + ## RELATED CONFIGURATION The write (and read) location for signatures is defined in YAML-based diff --git a/pkg/domain/entities/images.go b/pkg/domain/entities/images.go index 7583ce442..54f7b5d45 100644 --- a/pkg/domain/entities/images.go +++ b/pkg/domain/entities/images.go @@ -373,6 +373,7 @@ type SignOptions struct { Directory string SignBy string CertDir string + Authfile string All bool } diff --git a/pkg/domain/infra/abi/images.go b/pkg/domain/infra/abi/images.go index 5c0227986..8b44b869a 100644 --- a/pkg/domain/infra/abi/images.go +++ b/pkg/domain/infra/abi/images.go @@ -641,6 +641,7 @@ func (ir *ImageEngine) Sign(ctx context.Context, names []string, options entitie } sc := ir.Libpod.SystemContext() sc.DockerCertPath = options.CertDir + sc.AuthFilePath = options.Authfile for _, signimage := range names { err = func() error { diff --git a/test/system/011-image.bats b/test/system/011-image.bats new file mode 100644 index 000000000..5150e875e --- /dev/null +++ b/test/system/011-image.bats @@ -0,0 +1,54 @@ +#!/usr/bin/env bats + +load helpers + +function setup() { + skip_if_remote "--sign-by does not work with podman-remote" + + basic_setup + + export _GNUPGHOME_TMP=$PODMAN_TMPDIR/.gnupg + mkdir --mode=0700 $_GNUPGHOME_TMP $PODMAN_TMPDIR/signatures + + cat >$PODMAN_TMPDIR/keydetails <<EOF + %echo Generating a basic OpenPGP key + Key-Type: RSA + Key-Length: 2048 + Subkey-Type: RSA + Subkey-Length: 2048 + Name-Real: Foo + Name-Comment: Foo + Name-Email: foo@bar.com + Expire-Date: 0 + %no-ask-passphrase + %no-protection + # Do a commit here, so that we can later print "done" :-) + %commit + %echo done +EOF + GNUPGHOME=$_GNUPGHOME_TMP gpg --verbose --batch --gen-key $PODMAN_TMPDIR/keydetails +} + +function check_signature() { + local sigfile=$1 + ls -laR $PODMAN_TMPDIR/signatures + run_podman inspect --format '{{.Digest}}' $PODMAN_TEST_IMAGE_FQN + local repodigest=${output/:/=} + + local dir="$PODMAN_TMPDIR/signatures/libpod/${PODMAN_TEST_IMAGE_NAME}@${repodigest}" + test -d $dir || die "Missing signature directory $dir" + test -e "$dir/$sigfile" || die "Missing signature file '$sigfile'" + + # Confirm good signature + run env GNUPGHOME=$_GNUPGHOME_TMP gpg --verify "$dir/$sigfile" + is "$output" ".*Good signature from .Foo.*<foo@bar.com>" \ + "gpg --verify $sigfile" +} + + +@test "podman image - sign with no sigfile" { + GNUPGHOME=$_GNUPGHOME_TMP run_podman image sign --sign-by foo@bar.com --directory $PODMAN_TMPDIR/signatures "docker://$PODMAN_TEST_IMAGE_FQN" + check_signature "signature-1" +} + +# vim: filetype=sh |