diff options
author | Miloslav Trmač <mitr@redhat.com> | 2022-07-29 00:08:40 +0200 |
---|---|---|
committer | Miloslav Trmač <mitr@redhat.com> | 2022-07-30 17:26:08 +0200 |
commit | d462da676cf0e97420d42ea64d72f69cab675922 (patch) | |
tree | 2dd71b580ec8f39b0672ea26f5b4ac2cdced8c8a /cmd/podman/images | |
parent | 7075e2e1d5cc669e698070081a74093bdcbf115e (diff) | |
download | podman-d462da676cf0e97420d42ea64d72f69cab675922.tar.gz podman-d462da676cf0e97420d42ea64d72f69cab675922.tar.bz2 podman-d462da676cf0e97420d42ea64d72f69cab675922.zip |
Add support for creating sigstore signatures, and providing passphrases
- Allow creating sigstore signatures via --sign-by-sigstore-private-key .
Like existing --sign-by, it does not work remote (in this case
because we would have to copy the private key to the server).
- Allow passing a passphrase (which is mandatory for sigstore private keys)
via --sign-passphrase-file; if it is not provided, prompt interactively.
- Also, use that passphrase for --sign-by as well, allowing non-interactive
GPG use. (But --sign-passphrase-file can only be used with _one of_
--sign-by and --sign-by-sigstore-private-key.)
Note that unlike the existing code, (podman build) does not yet
implement sigstore (I'm not sure why it needs to, it seems not to
push images?) because Buildah does not expose the feature yet.
Also, (podman image sign) was not extended to support sigstore.
The test for this follows existing (podman image sign) tests
and doesn't work rootless; that could be improved by exposing
a registries.d override option.
The test for push is getting large; I didn't want to
start yet another registry container, but that would be an
alternative. In the future, Ginkgo's Ordered/BeforeAll
would allow starting a registry once and using it for two
tests.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
Diffstat (limited to 'cmd/podman/images')
-rw-r--r-- | cmd/podman/images/push.go | 19 |
1 files changed, 17 insertions, 2 deletions
diff --git a/cmd/podman/images/push.go b/cmd/podman/images/push.go index 764936426..1734900de 100644 --- a/cmd/podman/images/push.go +++ b/cmd/podman/images/push.go @@ -17,8 +17,9 @@ import ( // CLI-only fields into the API types. type pushOptionsWrapper struct { entities.ImagePushOptions - TLSVerifyCLI bool // CLI only - CredentialsCLI string + TLSVerifyCLI bool // CLI only + CredentialsCLI string + SignPassphraseFileCLI string } var ( @@ -106,6 +107,14 @@ func pushFlags(cmd *cobra.Command) { flags.StringVar(&pushOptions.SignBy, signByFlagName, "", "Add a signature at the destination using the specified key") _ = cmd.RegisterFlagCompletionFunc(signByFlagName, completion.AutocompleteNone) + signBySigstorePrivateKeyFlagName := "sign-by-sigstore-private-key" + flags.StringVar(&pushOptions.SignBySigstorePrivateKeyFile, signBySigstorePrivateKeyFlagName, "", "Sign the image using a sigstore private key at `PATH`") + _ = cmd.RegisterFlagCompletionFunc(signBySigstorePrivateKeyFlagName, completion.AutocompleteDefault) + + signPassphraseFileFlagName := "sign-passphrase-file" + flags.StringVar(&pushOptions.SignPassphraseFileCLI, signPassphraseFileFlagName, "", "Read a passphrase for signing an image from `PATH`") + _ = cmd.RegisterFlagCompletionFunc(signPassphraseFileFlagName, completion.AutocompleteDefault) + flags.BoolVar(&pushOptions.TLSVerifyCLI, "tls-verify", true, "Require HTTPS and verify certificates when contacting registries") compressionFormat := "compression-format" @@ -118,6 +127,8 @@ func pushFlags(cmd *cobra.Command) { _ = flags.MarkHidden("digestfile") _ = flags.MarkHidden("quiet") _ = flags.MarkHidden(signByFlagName) + _ = flags.MarkHidden(signBySigstorePrivateKeyFlagName) + _ = flags.MarkHidden(signPassphraseFileFlagName) } if !registry.IsRemote() { flags.StringVar(&pushOptions.SignaturePolicy, "signature-policy", "", "Path to a signature-policy file") @@ -153,6 +164,10 @@ func imagePush(cmd *cobra.Command, args []string) error { pushOptions.Password = creds.Password } + if err := common.PrepareSigningPassphrase(&pushOptions.ImagePushOptions, pushOptions.SignPassphraseFileCLI); err != nil { + return err + } + // Let's do all the remaining Yoga in the API to prevent us from scattering // logic across (too) many parts of the code. return registry.ImageEngine().Push(registry.GetContext(), source, destination, pushOptions.ImagePushOptions) |