authorMiloslav Trmač <mitr@redhat.com>2022-08-24 20:51:13 +0200
committerMiloslav Trmač <mitr@redhat.com>2022-08-25 01:52:59 +0200
commit752eceaecc979627e998bee2dba8ee9ce47aa5cf (patch)
tree70dfa592e125c7c9b61b1819f3268e98c78dcdb8 /pkg/trust
parentb36a1d1b79d7579738430adfd0696c324c3dacc0 (diff)
Support (image trust show) for sigstoreSigned entries
sigstoreSigned does not have GPG IDs, so we add N/A in that column. NOTE: this does not show the use-sigstore-attachments value from registries.d. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
Diffstat (limited to 'pkg/trust')
-rw-r--r--pkg/trust/policy.go2
-rw-r--r--pkg/trust/trust.go24
-rw-r--r--pkg/trust/trust_test.go62
3 files changed, 79 insertions, 9 deletions
diff --git a/pkg/trust/policy.go b/pkg/trust/policy.go
index 7f32e2afc..085f0076a 100644
--- a/pkg/trust/policy.go
+++ b/pkg/trust/policy.go
@@ -130,7 +130,7 @@ func getPolicy(policyPath string) (policyContent, error) {
return policyContentStruct, nil
}
-var typeDescription = map[string]string{"insecureAcceptAnything": "accept", "signedBy": "signed", "reject": "reject"}
+var typeDescription = map[string]string{"insecureAcceptAnything": "accept", "signedBy": "signed", "sigstoreSigned": "sigstoreSigned", "reject": "reject"}
func trustTypeDescription(trustType string) string {
trustDescription, exist := typeDescription[trustType]
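Review bot: The new map entry maps "sigstoreSigned" to its own raw type name, while every other entry maps to a short lowercase word ("signed", "accept", "reject"), so `image trust show` output will mix two labeling conventions. Not collapsing it to "signed" is defensible, since that label has meant GPG/simple signing and an operator should be able to tell the two trust roots apart at a glance, but nothing in the code says that this is deliberate. A comment on the map would prevent a later "cleanup", e.g. `// "sigstoreSigned" is intentionally not shortened to "signed": that label denotes GPG (simple signing) keys.` trustTypeDescription continues past the end of the hunk.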
diff --git a/pkg/trust/trust.go b/pkg/trust/trust.go
index 5f292083f..a27ce5a85 100644
--- a/pkg/trust/trust.go
+++ b/pkg/trust/trust.go
@@ -100,15 +100,23 @@ func descriptionsOfPolicyRequirements(reqs []repoContent, template Policy, regis
entry := template
entry.Type = trustTypeDescription(repoele.Type)
- uids := []string{}
- if len(repoele.KeyPath) > 0 {
- uids = append(uids, idReader(repoele.KeyPath)...)
- }
- if len(repoele.KeyData) > 0 {
- uids = append(uids, getGPGIdFromKeyData(idReader, repoele.KeyData)...)
+ var gpgIDString string
+ switch repoele.Type {
+ case "signedBy":
+ uids := []string{}
+ if len(repoele.KeyPath) > 0 {
+ uids = append(uids, idReader(repoele.KeyPath)...)
+ }
+ if len(repoele.KeyData) > 0 {
+ uids = append(uids, getGPGIdFromKeyData(idReader, repoele.KeyData)...)
+ }
+ gpgIDString = strings.Join(uids, ", ")
+
+ case "sigstoreSigned":
+ gpgIDString = "N/A" // We could potentially return key fingerprints here, but they would not be _GPG_ fingerprints.
}
- entry.GPGId = strings.Join(uids, ", ")
- entry.SignatureStore = lookasidePath
+ entry.GPGId = gpgIDString
+ entry.SignatureStore = lookasidePath // We do this even for sigstoreSigned and things like type: reject, to show that the sigstore is being read.
res = append(res, &entry)
}
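Review bot: Two sigstoreSigned requirements pinned to different keys now render identically, because the `case "sigstoreSigned":` arm emits the fixed string "N/A" and the key is surfaced nowhere else in the entry; the expected Policy values for /1.pub and /2.pub in the accompanying test changes are byte-for-byte the same. For someone auditing a policy that is the security-relevant information: which public key a repository is pinned to. If the repoContent row carries KeyPath/KeyData for sigstoreSigned entries the way it does for signedBy (both are read in the signedBy arm), consider showing the key path, or a SHA-256 of the key data, in a dedicated field rather than in GPGId, and documenting on the Policy struct that GPGId is "N/A" for this type. The switch also has no `default:` arm, so reject/insecureAcceptAnything fall through to an empty string silently; a `default: // reject / insecureAcceptAnything carry no key` would make that intentional rather than accidental. descriptionsOfPolicyRequirements starts before the hunk and its loop ends after it.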
diff --git a/pkg/trust/trust_test.go b/pkg/trust/trust_test.go
index edafeb5c1..58394e77b 100644
--- a/pkg/trust/trust_test.go
+++ b/pkg/trust/trust_test.go
@@ -45,6 +45,10 @@ func TestPolicyDescription(t *testing.T) {
xNewPRSignedByKeyPath(t, "/1.pub", signature.NewPRMMatchRepoDigestOrExact()),
xNewPRSignedByKeyPath(t, "/2,3.pub", signature.NewPRMMatchRepoDigestOrExact()),
},
+ "quay.io/sigstore-signed": {
+ xNewPRSigstoreSignedKeyPath(t, "/1.pub", signature.NewPRMMatchRepoDigestOrExact()),
+ xNewPRSigstoreSignedKeyPath(t, "/2.pub", signature.NewPRMMatchRepoDigestOrExact()),
+ },
},
},
},
@@ -79,6 +83,22 @@ func TestPolicyDescription(t *testing.T) {
},
{
Transport: "repository",
+ Name: "quay.io/sigstore-signed",
+ RepoName: "quay.io/sigstore-signed",
+ Type: "sigstoreSigned",
+ SignatureStore: "",
+ GPGId: "N/A",
+ },
+ {
+ Transport: "repository",
+ Name: "quay.io/sigstore-signed",
+ RepoName: "quay.io/sigstore-signed",
+ Type: "sigstoreSigned",
+ SignatureStore: "",
+ GPGId: "N/A",
+ },
+ {
+ Transport: "repository",
Name: "registry.redhat.io",
RepoName: "registry.redhat.io",
Type: "signed",
@@ -215,6 +235,30 @@ func TestDescriptionsOfPolicyRequirements(t *testing.T) {
GPGId: "2, 3",
},
},
+ }, {
+ "quay.io/sigstore-signed",
+ signature.PolicyRequirements{
+ xNewPRSigstoreSignedKeyPath(t, "/1.pub", signature.NewPRMMatchRepoDigestOrExact()),
+ xNewPRSigstoreSignedKeyPath(t, "/2.pub", signature.NewPRMMatchRepoDigestOrExact()),
+ },
+ []*Policy{
+ {
+ Transport: "transport",
+ Name: "name",
+ RepoName: "repoName",
+ Type: "sigstoreSigned",
+ SignatureStore: "",
+ GPGId: "N/A",
+ },
+ {
+ Transport: "transport",
+ Name: "name",
+ RepoName: "repoName",
+ Type: "sigstoreSigned",
+ SignatureStore: "",
+ GPGId: "N/A",
+ },
+ },
},
{ // Multiple kinds of requirements are represented individually.
"registry.redhat.io",
@@ -224,6 +268,8 @@ func TestDescriptionsOfPolicyRequirements(t *testing.T) {
xNewPRSignedByKeyPath(t, "/redhat.pub", signature.NewPRMMatchRepoDigestOrExact()),
xNewPRSignedByKeyPath(t, "/1.pub", signature.NewPRMMatchRepoDigestOrExact()),
xNewPRSignedByKeyPath(t, "/2,3.pub", signature.NewPRMMatchRepoDigestOrExact()),
+ xNewPRSigstoreSignedKeyPath(t, "/1.pub", signature.NewPRMMatchRepoDigestOrExact()),
+ xNewPRSigstoreSignedKeyPath(t, "/2.pub", signature.NewPRMMatchRepoDigestOrExact()),
},
[]*Policy{
{
@@ -264,6 +310,22 @@ func TestDescriptionsOfPolicyRequirements(t *testing.T) {
SignatureStore: "https://registry.redhat.io/containers/sigstore",
GPGId: "2, 3",
},
+ {
+ Transport: "transport",
+ Name: "name",
+ RepoName: "repoName",
+ Type: "sigstoreSigned",
+ SignatureStore: "https://registry.redhat.io/containers/sigstore",
+ GPGId: "N/A",
+ },
+ {
+ Transport: "transport",
+ Name: "name",
+ RepoName: "repoName",
+ Type: "sigstoreSigned",
+ SignatureStore: "https://registry.redhat.io/containers/sigstore",
+ GPGId: "N/A",
+ },
},
},
} {