aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorJosé Guilherme Vanz <jvanz@jvanz.com>2021-07-06 21:00:03 -0300
committerDaniel J Walsh <dwalsh@redhat.com>2021-11-11 15:11:19 -0500
commit6762d5e2381d79c26ecabac8c83d31d1f49e1325 (patch)
treee14bef604ca3723c866b15691ba3a115ebd2997e
parentd6d89fa79f1cb785e2f3f6b8d2295b97b19066e9 (diff)
downloadpodman-6762d5e2381d79c26ecabac8c83d31d1f49e1325.tar.gz
podman-6762d5e2381d79c26ecabac8c83d31d1f49e1325.tar.bz2
podman-6762d5e2381d79c26ecabac8c83d31d1f49e1325.zip
--authfile command line argument for image sign command.
Adds the --authfile command line argument to allow users to use alternative authfile paths when signing images. Replaces: https://github.com/containers/podman/pull/10975 Fixes: https://github.com/containers/podman/issues/10866 Signed-off-by: José Guilherme Vanz <jvanz@jvanz.com> Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
-rw-r--r--cmd/podman/images/sign.go5
-rw-r--r--contrib/spec/podman.spec.in1
-rw-r--r--docs/source/markdown/podman-image-sign.1.md9
-rw-r--r--pkg/domain/entities/images.go1
-rw-r--r--pkg/domain/infra/abi/images.go1
-rw-r--r--test/system/011-image.bats54
6 files changed, 71 insertions, 0 deletions
diff --git a/cmd/podman/images/sign.go b/cmd/podman/images/sign.go
index 96f214d0b..4c42a0bd6 100644
--- a/cmd/podman/images/sign.go
+++ b/cmd/podman/images/sign.go
@@ -3,6 +3,7 @@ package images
import (
"os"
+ "github.com/containers/common/pkg/auth"
"github.com/containers/common/pkg/completion"
"github.com/containers/podman/v3/cmd/podman/common"
"github.com/containers/podman/v3/cmd/podman/registry"
@@ -48,6 +49,10 @@ func init() {
flags.StringVar(&signOptions.CertDir, certDirFlagName, "", "`Pathname` of a directory containing TLS certificates and keys")
_ = signCommand.RegisterFlagCompletionFunc(certDirFlagName, completion.AutocompleteDefault)
flags.BoolVarP(&signOptions.All, "all", "a", false, "Sign all the manifests of the multi-architecture image")
+
+ authfileFlagName := "authfile"
+ flags.StringVar(&signOptions.Authfile, authfileFlagName, auth.GetDefaultAuthFile(), "Path of the authentication file. Use REGISTRY_AUTH_FILE environment variable to override")
+ _ = signCommand.RegisterFlagCompletionFunc(authfileFlagName, completion.AutocompleteDefault)
}
func sign(cmd *cobra.Command, args []string) error {
diff --git a/contrib/spec/podman.spec.in b/contrib/spec/podman.spec.in
index 2db8f6e67..474add1af 100644
--- a/contrib/spec/podman.spec.in
+++ b/contrib/spec/podman.spec.in
@@ -361,6 +361,7 @@ Man pages for the %{name} commands
Summary: Tests for %{name}
Requires: %{name} = %{epoch}:%{version}-%{release}
+Requires: gnupg
Requires: bats
Requires: jq
Requires: skopeo
diff --git a/docs/source/markdown/podman-image-sign.1.md b/docs/source/markdown/podman-image-sign.1.md
index e284955a2..5f23bbfaf 100644
--- a/docs/source/markdown/podman-image-sign.1.md
+++ b/docs/source/markdown/podman-image-sign.1.md
@@ -23,6 +23,13 @@ Print usage statement.
Sign all the manifests of the multi-architecture image (default false).
+#### **--authfile**=*path*
+
+Path of the authentication file. Default is ${XDG\_RUNTIME\_DIR}/containers/auth.json
+
+Note: You can also override the default path of the authentication file by setting the REGISTRY\_AUTH\_FILE
+environment variable. `export REGISTRY_AUTH_FILE=path`
+
#### **--cert-dir**=*path*
Use certificates at *path* (\*.crt, \*.cert, \*.key) to connect to the registry.
@@ -41,6 +48,8 @@ Sign the busybox image with the identity of foo@bar.com with a user's keyring an
sudo podman image sign --sign-by foo@bar.com --directory /tmp/signatures docker://privateregistry.example.com/foobar
+ sudo podman image sign --authfile=/tmp/foobar.json --sign-by foo@bar.com --directory /tmp/signatures docker://privateregistry.example.com/foobar
+
## RELATED CONFIGURATION
The write (and read) location for signatures is defined in YAML-based
diff --git a/pkg/domain/entities/images.go b/pkg/domain/entities/images.go
index 7583ce442..54f7b5d45 100644
--- a/pkg/domain/entities/images.go
+++ b/pkg/domain/entities/images.go
@@ -373,6 +373,7 @@ type SignOptions struct {
Directory string
SignBy string
CertDir string
+ Authfile string
All bool
}
diff --git a/pkg/domain/infra/abi/images.go b/pkg/domain/infra/abi/images.go
index 5c0227986..8b44b869a 100644
--- a/pkg/domain/infra/abi/images.go
+++ b/pkg/domain/infra/abi/images.go
@@ -641,6 +641,7 @@ func (ir *ImageEngine) Sign(ctx context.Context, names []string, options entitie
}
sc := ir.Libpod.SystemContext()
sc.DockerCertPath = options.CertDir
+ sc.AuthFilePath = options.Authfile
for _, signimage := range names {
err = func() error {
diff --git a/test/system/011-image.bats b/test/system/011-image.bats
new file mode 100644
index 000000000..5150e875e
--- /dev/null
+++ b/test/system/011-image.bats
@@ -0,0 +1,54 @@
+#!/usr/bin/env bats
+
+load helpers
+
+function setup() {
+ skip_if_remote "--sign-by does not work with podman-remote"
+
+ basic_setup
+
+ export _GNUPGHOME_TMP=$PODMAN_TMPDIR/.gnupg
+ mkdir --mode=0700 $_GNUPGHOME_TMP $PODMAN_TMPDIR/signatures
+
+ cat >$PODMAN_TMPDIR/keydetails <<EOF
+ %echo Generating a basic OpenPGP key
+ Key-Type: RSA
+ Key-Length: 2048
+ Subkey-Type: RSA
+ Subkey-Length: 2048
+ Name-Real: Foo
+ Name-Comment: Foo
+ Name-Email: foo@bar.com
+ Expire-Date: 0
+ %no-ask-passphrase
+ %no-protection
+ # Do a commit here, so that we can later print "done" :-)
+ %commit
+ %echo done
+EOF
+ GNUPGHOME=$_GNUPGHOME_TMP gpg --verbose --batch --gen-key $PODMAN_TMPDIR/keydetails
+}
+
+function check_signature() {
+ local sigfile=$1
+ ls -laR $PODMAN_TMPDIR/signatures
+ run_podman inspect --format '{{.Digest}}' $PODMAN_TEST_IMAGE_FQN
+ local repodigest=${output/:/=}
+
+ local dir="$PODMAN_TMPDIR/signatures/libpod/${PODMAN_TEST_IMAGE_NAME}@${repodigest}"
+ test -d $dir || die "Missing signature directory $dir"
+ test -e "$dir/$sigfile" || die "Missing signature file '$sigfile'"
+
+ # Confirm good signature
+ run env GNUPGHOME=$_GNUPGHOME_TMP gpg --verify "$dir/$sigfile"
+ is "$output" ".*Good signature from .Foo.*<foo@bar.com>" \
+ "gpg --verify $sigfile"
+}
+
+
+@test "podman image - sign with no sigfile" {
+ GNUPGHOME=$_GNUPGHOME_TMP run_podman image sign --sign-by foo@bar.com --directory $PODMAN_TMPDIR/signatures "docker://$PODMAN_TEST_IMAGE_FQN"
+ check_signature "signature-1"
+}
+
+# vim: filetype=sh