Merge pull request #15142 from mtrmac/sigstore-sign-4.2

[v4.2] Sigstore sign

10 files changed, 78 insertions, 13 deletions

diff --git a/test/e2e/config_amd64.go b/test/e2e/config_amd64.go
index f32542df8..ba7940d57 100644
--- a/test/e2e/config_amd64.go
+++ b/test/e2e/config_amd64.go
@@ -8,7 +8,7 @@ var (
 	CACHE_IMAGES             = []string{ALPINE, BB, fedoraMinimal, NGINX_IMAGE, REDIS_IMAGE, REGISTRY_IMAGE, INFRA_IMAGE, LABELS_IMAGE, HEALTHCHECK_IMAGE, UBI_INIT, UBI_MINIMAL, fedoraToolbox} //nolint:revive,stylecheck
 	NGINX_IMAGE              = "quay.io/libpod/alpine_nginx:latest"                                                                                                                              //nolint:revive,stylecheck
 	BB_GLIBC                 = "docker.io/library/busybox:glibc"                                                                                                                                 //nolint:revive,stylecheck
-	REGISTRY_IMAGE           = "quay.io/libpod/registry:2.6"                                                                                                                                     //nolint:revive,stylecheck
+	REGISTRY_IMAGE           = "quay.io/libpod/registry:2.8"                                                                                                                                     //nolint:revive,stylecheck
 	LABELS_IMAGE             = "quay.io/libpod/alpine_labels:latest"                                                                                                                             //nolint:revive,stylecheck
 	UBI_MINIMAL              = "registry.access.redhat.com/ubi8-minimal"                                                                                                                         //nolint:revive,stylecheck
 	UBI_INIT                 = "registry.access.redhat.com/ubi8-init"                                                                                                                            //nolint:revive,stylecheck
diff --git a/test/e2e/login_logout_test.go b/test/e2e/login_logout_test.go
index 3ae130c6d..60c53e27e 100644
--- a/test/e2e/login_logout_test.go
+++ b/test/e2e/login_logout_test.go
@@ -52,15 +52,15 @@ var _ = Describe("Podman login and logout", func() {
 			}
 		}
 
-		session := podmanTest.Podman([]string{"run", "--entrypoint", "htpasswd", "registry:2.6", "-Bbn", "podmantest", "test"})
-		session.WaitWithDefaultTimeout()
-		Expect(session).Should(Exit(0))
+		htpasswd := SystemExec("htpasswd", []string{"-Bbn", "podmantest", "test"})
+		htpasswd.WaitWithDefaultTimeout()
+		Expect(htpasswd).Should(Exit(0))
 
 		f, err := os.Create(filepath.Join(authPath, "htpasswd"))
 		Expect(err).ToNot(HaveOccurred())
 		defer f.Close()
 
-		_, err = f.WriteString(session.OutputToString())
+		_, err = f.WriteString(htpasswd.OutputToString())
 		Expect(err).ToNot(HaveOccurred())
 		err = f.Sync()
 		Expect(err).ToNot(HaveOccurred())
@@ -80,12 +80,12 @@ var _ = Describe("Podman login and logout", func() {
 		setup := SystemExec("cp", []string{filepath.Join(certPath, "domain.crt"), filepath.Join(certDirPath, "ca.crt")})
 		setup.WaitWithDefaultTimeout()
 
-		session = podmanTest.Podman([]string{"run", "-d", "-p", strings.Join([]string{strconv.Itoa(port), strconv.Itoa(port)}, ":"),
+		session := podmanTest.Podman([]string{"run", "-d", "-p", strings.Join([]string{strconv.Itoa(port), strconv.Itoa(port)}, ":"),
 			"-e", strings.Join([]string{"REGISTRY_HTTP_ADDR=0.0.0.0", strconv.Itoa(port)}, ":"), "--name", "registry", "-v",
 			strings.Join([]string{authPath, "/auth:Z"}, ":"), "-e", "REGISTRY_AUTH=htpasswd", "-e",
 			"REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm", "-e", "REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd",
 			"-v", strings.Join([]string{certPath, "/certs:Z"}, ":"), "-e", "REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt",
-			"-e", "REGISTRY_HTTP_TLS_KEY=/certs/domain.key", "registry:2.6"})
+			"-e", "REGISTRY_HTTP_TLS_KEY=/certs/domain.key", REGISTRY_IMAGE})
 		session.WaitWithDefaultTimeout()
 		Expect(session).Should(Exit(0))
 
@@ -249,7 +249,7 @@ var _ = Describe("Podman login and logout", func() {
 			strings.Join([]string{authPath, "/auth:z"}, ":"), "-e", "REGISTRY_AUTH=htpasswd", "-e",
 			"REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm", "-e", "REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd",
 			"-v", strings.Join([]string{certPath, "/certs:z"}, ":"), "-e", "REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt",
-			"-e", "REGISTRY_HTTP_TLS_KEY=/certs/domain.key", "registry:2.6"})
+			"-e", "REGISTRY_HTTP_TLS_KEY=/certs/domain.key", REGISTRY_IMAGE})
 		session.WaitWithDefaultTimeout()
 		Expect(session).Should(Exit(0))
 
diff --git a/test/e2e/push_test.go b/test/e2e/push_test.go
index f2a103f6b..898d21d00 100644
--- a/test/e2e/push_test.go
+++ b/test/e2e/push_test.go
@@ -4,6 +4,7 @@ import (
 	"fmt"
 	"io/ioutil"
 	"os"
+	"os/exec"
 	"path/filepath"
 	"strings"
 
@@ -136,6 +137,45 @@ var _ = Describe("Podman push", func() {
 			Expect(fi.Name()).To(Equal("digestfile.txt"))
 			Expect(push2).Should(Exit(0))
 		}
+
+		if !IsRemote() { // Remote does not support signing
+			By("pushing and pulling with sigstore signatures")
+			// Ideally, this should set SystemContext.RegistriesDirPath, but Podman currently doesn’t
+			// expose that as an option. So, for now, modify /etc/directly, and skip testing sigstore if
+			// we don’t have permission to do so.
+			systemRegistriesDAddition := "/etc/containers/registries.d/podman-test-only-temporary-addition.yaml"
+			cmd := exec.Command("cp", "testdata/sigstore-registries.d-fragment.yaml", systemRegistriesDAddition)
+			output, err := cmd.CombinedOutput()
+			if err != nil {
+				fmt.Fprintf(os.Stderr, "Skipping sigstore tests because /etc/containers/registries.d isn’t writable: %s", string(output))
+			} else {
+				defer func() {
+					err := os.Remove(systemRegistriesDAddition)
+					Expect(err).ToNot(HaveOccurred())
+				}()
+
+				// Verify that the policy rejects unsigned images
+				push := podmanTest.Podman([]string{"push", "-q", "--tls-verify=false", "--remove-signatures", ALPINE, "localhost:5000/sigstore-signed"})
+				push.WaitWithDefaultTimeout()
+				Expect(push).Should(Exit(0))
+				Expect(len(push.ErrorToString())).To(Equal(0))
+
+				pull := podmanTest.Podman([]string{"pull", "-q", "--tls-verify=false", "--signature-policy", "sign/policy.json", "localhost:5000/sigstore-signed"})
+				pull.WaitWithDefaultTimeout()
+				Expect(pull).To(ExitWithError())
+				Expect(pull.ErrorToString()).To(ContainSubstring("A signature was required, but no signature exists"))
+
+				// Sign an image, and verify it is accepted.
+				push = podmanTest.Podman([]string{"push", "-q", "--tls-verify=false", "--remove-signatures", "--sign-by-sigstore-private-key", "testdata/sigstore-key.key", "--sign-passphrase-file", "testdata/sigstore-key.key.pass", ALPINE, "localhost:5000/sigstore-signed"})
+				push.WaitWithDefaultTimeout()
+				Expect(push).Should(Exit(0))
+				Expect(len(push.ErrorToString())).To(Equal(0))
+
+				pull = podmanTest.Podman([]string{"pull", "-q", "--tls-verify=false", "--signature-policy", "sign/policy.json", "localhost:5000/sigstore-signed"})
+				pull.WaitWithDefaultTimeout()
+				Expect(pull).Should(Exit(0))
+			}
+		}
 	})
 
 	It("podman push to local registry with authorization", func() {
@@ -167,20 +207,20 @@ var _ = Describe("Podman push", func() {
 		}
 		lock := GetPortLock("5000")
 		defer lock.Unlock()
-		session := podmanTest.Podman([]string{"run", "--entrypoint", "htpasswd", REGISTRY_IMAGE, "-Bbn", "podmantest", "test"})
-		session.WaitWithDefaultTimeout()
-		Expect(session).Should(Exit(0))
+		htpasswd := SystemExec("htpasswd", []string{"-Bbn", "podmantest", "test"})
+		htpasswd.WaitWithDefaultTimeout()
+		Expect(htpasswd).Should(Exit(0))
 
 		f, err := os.Create(filepath.Join(authPath, "htpasswd"))
 		Expect(err).ToNot(HaveOccurred())
 		defer f.Close()
 
-		_, err = f.WriteString(session.OutputToString())
+		_, err = f.WriteString(htpasswd.OutputToString())
 		Expect(err).ToNot(HaveOccurred())
 		err = f.Sync()
 		Expect(err).ToNot(HaveOccurred())
 
-		session = podmanTest.Podman([]string{"run", "-d", "-p", "5000:5000", "--name", "registry", "-v",
+		session := podmanTest.Podman([]string{"run", "-d", "-p", "5000:5000", "--name", "registry", "-v",
 			strings.Join([]string{authPath, "/auth"}, ":"), "-e", "REGISTRY_AUTH=htpasswd", "-e",
 			"REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm", "-e", "REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd",
 			"-v", strings.Join([]string{certPath, "/certs"}, ":"), "-e", "REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt",
diff --git a/test/e2e/sign/key.gpg b/test/e2e/sign/key.gpg
index 32968fc04..725bdfb7d 100644
--- a/test/e2e/sign/key.gpg
+++ b/test/e2e/sign/key.gpg
diff --git a/test/e2e/sign/policy.json b/test/e2e/sign/policy.json
index ab01137bf..812c14989 100644
--- a/test/e2e/sign/policy.json
+++ b/test/e2e/sign/policy.json
@@ -12,6 +12,12 @@
                     "keyType": "GPGKeys",
                     "keyPath": "/tmp/key.gpg"
                 }
+            ],
+            "localhost:5000/sigstore-signed": [
+                {
+                    "type": "sigstoreSigned",
+                    "keyPath": "testdata/sigstore-key.pub"
+                }
             ]
         }
     }
diff --git a/test/e2e/sign/secret-key.asc b/test/e2e/sign/secret-key.asc
index 23c0d05c3..f018a3ce5 100644
--- a/test/e2e/sign/secret-key.asc
+++ b/test/e2e/sign/secret-key.asc
diff --git a/test/e2e/testdata/sigstore-key.key b/test/e2e/testdata/sigstore-key.key
new file mode 100644
index 000000000..c4eed76a8
--- /dev/null
+++ b/test/e2e/testdata/sigstore-key.key
@@ -0,0 +1,11 @@
+-----BEGIN ENCRYPTED COSIGN PRIVATE KEY-----
+eyJrZGYiOnsibmFtZSI6InNjcnlwdCIsInBhcmFtcyI6eyJOIjozMjc2OCwiciI6
+OCwicCI6MX0sInNhbHQiOiI2ckxVcEl1M1pTallrY3dua1pNVktuTHNDUjRENTJv
+Y3J5Wmh2anZ4L1VrPSJ9LCJjaXBoZXIiOnsibmFtZSI6Im5hY2wvc2VjcmV0Ym94
+Iiwibm9uY2UiOiJMTVpkeTNBL285NS9SektUZGR3RURhODJTVThVcDdlKyJ9LCJj
+aXBoZXJ0ZXh0IjoiNkkzUlRCc1IwRXpHZWs0SE5LazlVdlpyMEp6Y1Bxemw0ZkEr
+SitJdHlCc0RBSkcyNmhESnFLUDFuQkJTUE5XdHpJRzJUVzQ5Z2hObEJmQy9qYVNk
+eFo2QmhXYk9ldlY0MDB4WjVNZ1oyVHdGSnJxaE9HK0JMdmNvanVkc2tOUFpJTlpE
+LytFZVBIYTRlRVJPTWhnSWlTRC9BYTd3eitlc2trVjkrN216Y3N2RVRiTTJTZGd6
+L3daMUtqV3FlOUc2MWlXSTJPSm1rRlhxQWc9PSJ9
+-----END ENCRYPTED COSIGN PRIVATE KEY-----
diff --git a/test/e2e/testdata/sigstore-key.key.pass b/test/e2e/testdata/sigstore-key.key.pass
new file mode 100644
index 000000000..beb5c7687
--- /dev/null
+++ b/test/e2e/testdata/sigstore-key.key.pass
@@ -0,0 +1 @@
+sigstore pass
diff --git a/test/e2e/testdata/sigstore-key.pub b/test/e2e/testdata/sigstore-key.pub
new file mode 100644
index 000000000..1f470f72b
--- /dev/null
+++ b/test/e2e/testdata/sigstore-key.pub
@@ -0,0 +1,4 @@
+-----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEX/AWbBiFPuAU5+ys+Ce8YFPhTr1a
+nM7A8h6NrQi6w8w8/4dJCzlGH4SN+P93nopATs6jDXs4Lpc2/tiA1SBmzA==
+-----END PUBLIC KEY-----
diff --git a/test/e2e/testdata/sigstore-registries.d-fragment.yaml b/test/e2e/testdata/sigstore-registries.d-fragment.yaml
new file mode 100644
index 000000000..d79f4c935
--- /dev/null
+++ b/test/e2e/testdata/sigstore-registries.d-fragment.yaml
@@ -0,0 +1,3 @@
+docker:
+  localhost:5000/sigstore-signed:
+    use-sigstore-attachments: true