1 files changed, 67 insertions, 87 deletions

diff --git a/pkg/domain/infra/abi/images.go b/pkg/domain/infra/abi/images.go
index 1b523f06a..57a2bc4cf 100644
--- a/pkg/domain/infra/abi/images.go
+++ b/pkg/domain/infra/abi/images.go
@@ -26,7 +26,6 @@ import (
 	"github.com/containers/podman/v2/pkg/domain/entities"
 	domainUtils "github.com/containers/podman/v2/pkg/domain/utils"
 	"github.com/containers/podman/v2/pkg/rootless"
-	"github.com/containers/podman/v2/pkg/trust"
 	"github.com/containers/podman/v2/pkg/util"
 	"github.com/containers/storage"
 	imgspecv1 "github.com/opencontainers/image-spec/specs-go/v1"
@@ -34,9 +33,6 @@ import (
 	"github.com/sirupsen/logrus"
 )
 
-// SignatureStoreDir defines default directory to store signatures
-const SignatureStoreDir = "/var/lib/containers/sigstore"
-
 func (ir *ImageEngine) Exists(_ context.Context, nameOrID string) (*entities.BoolReport, error) {
 	_, err := ir.Libpod.ImageRuntime().NewFromLocal(nameOrID)
 	if err != nil {
@@ -707,90 +703,79 @@ func (ir *ImageEngine) Sign(ctx context.Context, names []string, options entitie
 	sc := ir.Libpod.SystemContext()
 	sc.DockerCertPath = options.CertDir
 
-	systemRegistriesDirPath := trust.RegistriesDirPath(sc)
-	registryConfigs, err := trust.LoadAndMergeConfig(systemRegistriesDirPath)
-	if err != nil {
-		return nil, errors.Wrapf(err, "error reading registry configuration")
-	}
-
 	for _, signimage := range names {
-		srcRef, err := alltransports.ParseImageName(signimage)
-		if err != nil {
-			return nil, errors.Wrapf(err, "error parsing image name")
-		}
-		rawSource, err := srcRef.NewImageSource(ctx, sc)
-		if err != nil {
-			return nil, errors.Wrapf(err, "error getting image source")
-		}
-		err = rawSource.Close()
-		if err != nil {
-			logrus.Errorf("unable to close new image source %q", err)
-		}
-		getManifest, _, err := rawSource.GetManifest(ctx, nil)
-		if err != nil {
-			return nil, errors.Wrapf(err, "error getting getManifest")
-		}
-		dockerReference := rawSource.Reference().DockerReference()
-		if dockerReference == nil {
-			return nil, errors.Errorf("cannot determine canonical Docker reference for destination %s", transports.ImageName(rawSource.Reference()))
-		}
-		var sigStoreDir string
-		if options.Directory != "" {
-			sigStoreDir = options.Directory
-		}
-		if sigStoreDir == "" {
-			if rootless.IsRootless() {
-				sigStoreDir = filepath.Join(filepath.Dir(ir.Libpod.StorageConfig().GraphRoot), "sigstore")
-			} else {
-				var sigStoreURI string
-				registryInfo := trust.HaveMatchRegistry(rawSource.Reference().DockerReference().String(), registryConfigs)
-				if registryInfo != nil {
-					if sigStoreURI = registryInfo.SigStoreStaging; sigStoreURI == "" {
-						sigStoreURI = registryInfo.SigStore
-					}
+		err = func() error {
+			srcRef, err := alltransports.ParseImageName(signimage)
+			if err != nil {
+				return errors.Wrapf(err, "error parsing image name")
+			}
+			rawSource, err := srcRef.NewImageSource(ctx, sc)
+			if err != nil {
+				return errors.Wrapf(err, "error getting image source")
+			}
+			defer func() {
+				if err = rawSource.Close(); err != nil {
+					logrus.Errorf("unable to close %s image source %q", srcRef.DockerReference().Name(), err)
 				}
-				if sigStoreURI == "" {
-					return nil, errors.Errorf("no signature storage configuration found for %s", rawSource.Reference().DockerReference().String())
-
+			}()
+			getManifest, _, err := rawSource.GetManifest(ctx, nil)
+			if err != nil {
+				return errors.Wrapf(err, "error getting getManifest")
+			}
+			dockerReference := rawSource.Reference().DockerReference()
+			if dockerReference == nil {
+				return errors.Errorf("cannot determine canonical Docker reference for destination %s", transports.ImageName(rawSource.Reference()))
+			}
+			var sigStoreDir string
+			if options.Directory != "" {
+				repo := reference.Path(dockerReference)
+				if path.Clean(repo) != repo { // Coverage: This should not be reachable because /./ and /../ components are not valid in docker references
+					return errors.Errorf("Unexpected path elements in Docker reference %s for signature storage", dockerReference.String())
+				}
+				sigStoreDir = filepath.Join(options.Directory, repo)
+			} else {
+				signatureURL, err := docker.SignatureStorageBaseURL(sc, rawSource.Reference(), true)
+				if err != nil {
+					return err
 				}
-				sigStoreDir, err = localPathFromURI(sigStoreURI)
+				sigStoreDir, err = localPathFromURI(signatureURL)
 				if err != nil {
-					return nil, errors.Wrapf(err, "invalid signature storage %s", sigStoreURI)
+					return err
 				}
 			}
-		}
-		manifestDigest, err := manifest.Digest(getManifest)
-		if err != nil {
-			return nil, err
-		}
-		repo := reference.Path(dockerReference)
-		if path.Clean(repo) != repo { // Coverage: This should not be reachable because /./ and /../ components are not valid in docker references
-			return nil, errors.Errorf("Unexpected path elements in Docker reference %s for signature storage", dockerReference.String())
-		}
+			manifestDigest, err := manifest.Digest(getManifest)
+			if err != nil {
+				return err
+			}
 
-		// create signature
-		newSig, err := signature.SignDockerManifest(getManifest, dockerReference.String(), mech, options.SignBy)
-		if err != nil {
-			return nil, errors.Wrapf(err, "error creating new signature")
-		}
-		// create the signstore file
-		signatureDir := fmt.Sprintf("%s@%s=%s", filepath.Join(sigStoreDir, repo), manifestDigest.Algorithm(), manifestDigest.Hex())
-		if err := os.MkdirAll(signatureDir, 0751); err != nil {
-			// The directory is allowed to exist
-			if !os.IsExist(err) {
-				logrus.Error(err)
-				continue
+			// create signature
+			newSig, err := signature.SignDockerManifest(getManifest, dockerReference.String(), mech, options.SignBy)
+			if err != nil {
+				return errors.Wrapf(err, "error creating new signature")
 			}
-		}
-		sigFilename, err := getSigFilename(signatureDir)
-		if err != nil {
-			logrus.Errorf("error creating sigstore file: %v", err)
-			continue
-		}
-		err = ioutil.WriteFile(filepath.Join(signatureDir, sigFilename), newSig, 0644)
+			// create the signstore file
+			signatureDir := fmt.Sprintf("%s@%s=%s", sigStoreDir, manifestDigest.Algorithm(), manifestDigest.Hex())
+			if err := os.MkdirAll(signatureDir, 0751); err != nil {
+				// The directory is allowed to exist
+				if !os.IsExist(err) {
+					logrus.Error(err)
+					return nil
+				}
+			}
+			sigFilename, err := getSigFilename(signatureDir)
+			if err != nil {
+				logrus.Errorf("error creating sigstore file: %v", err)
+				return nil
+			}
+			err = ioutil.WriteFile(filepath.Join(signatureDir, sigFilename), newSig, 0644)
+			if err != nil {
+				logrus.Errorf("error storing signature for %s", rawSource.Reference().DockerReference().String())
+				return nil
+			}
+			return nil
+		}()
 		if err != nil {
-			logrus.Errorf("error storing signature for %s", rawSource.Reference().DockerReference().String())
-			continue
+			return nil, err
 		}
 	}
 	return nil, nil
@@ -815,14 +800,9 @@ func getSigFilename(sigStoreDirPath string) (string, error) {
 	}
 }
 
-func localPathFromURI(sigStoreDir string) (string, error) {
-	url, err := url.Parse(sigStoreDir)
-	if err != nil {
-		return sigStoreDir, errors.Wrapf(err, "invalid directory %s", sigStoreDir)
-	}
+func localPathFromURI(url *url.URL) (string, error) {
 	if url.Scheme != "file" {
-		return sigStoreDir, errors.Errorf("writing to %s is not supported. Use a supported scheme", sigStoreDir)
+		return "", errors.Errorf("writing to %s is not supported. Use a supported scheme", url.String())
 	}
-	sigStoreDir = url.Path
-	return sigStoreDir, nil
+	return url.Path, nil
 }