From 6762d5e2381d79c26ecabac8c83d31d1f49e1325 Mon Sep 17 00:00:00 2001 From: José Guilherme Vanz Date: Tue, 6 Jul 2021 21:00:03 -0300 Subject: --authfile command line argument for image sign command. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Adds the --authfile command line argument to allow users to use alternative authfile paths when signing images. Replaces: https://github.com/containers/podman/pull/10975 Fixes: https://github.com/containers/podman/issues/10866 Signed-off-by: José Guilherme Vanz Signed-off-by: Daniel J Walsh --- cmd/podman/images/sign.go | 5 +++ contrib/spec/podman.spec.in | 1 + docs/source/markdown/podman-image-sign.1.md | 9 +++++ pkg/domain/entities/images.go | 1 + pkg/domain/infra/abi/images.go | 1 + test/system/011-image.bats | 54 +++++++++++++++++++++++++++++ 6 files changed, 71 insertions(+) create mode 100644 test/system/011-image.bats diff --git a/cmd/podman/images/sign.go b/cmd/podman/images/sign.go index 96f214d0b..4c42a0bd6 100644 --- a/cmd/podman/images/sign.go +++ b/cmd/podman/images/sign.go @@ -3,6 +3,7 @@ package images import ( "os" + "github.com/containers/common/pkg/auth" "github.com/containers/common/pkg/completion" "github.com/containers/podman/v3/cmd/podman/common" "github.com/containers/podman/v3/cmd/podman/registry" @@ -48,6 +49,10 @@ func init() { flags.StringVar(&signOptions.CertDir, certDirFlagName, "", "`Pathname` of a directory containing TLS certificates and keys") _ = signCommand.RegisterFlagCompletionFunc(certDirFlagName, completion.AutocompleteDefault) flags.BoolVarP(&signOptions.All, "all", "a", false, "Sign all the manifests of the multi-architecture image") + + authfileFlagName := "authfile" + flags.StringVar(&signOptions.Authfile, authfileFlagName, auth.GetDefaultAuthFile(), "Path of the authentication file. Use REGISTRY_AUTH_FILE environment variable to override") + _ = signCommand.RegisterFlagCompletionFunc(authfileFlagName, completion.AutocompleteDefault) } func sign(cmd *cobra.Command, args []string) error { diff --git a/contrib/spec/podman.spec.in b/contrib/spec/podman.spec.in index 2db8f6e67..474add1af 100644 --- a/contrib/spec/podman.spec.in +++ b/contrib/spec/podman.spec.in @@ -361,6 +361,7 @@ Man pages for the %{name} commands Summary: Tests for %{name} Requires: %{name} = %{epoch}:%{version}-%{release} +Requires: gnupg Requires: bats Requires: jq Requires: skopeo diff --git a/docs/source/markdown/podman-image-sign.1.md b/docs/source/markdown/podman-image-sign.1.md index e284955a2..5f23bbfaf 100644 --- a/docs/source/markdown/podman-image-sign.1.md +++ b/docs/source/markdown/podman-image-sign.1.md @@ -23,6 +23,13 @@ Print usage statement. Sign all the manifests of the multi-architecture image (default false). +#### **--authfile**=*path* + +Path of the authentication file. Default is ${XDG\_RUNTIME\_DIR}/containers/auth.json + +Note: You can also override the default path of the authentication file by setting the REGISTRY\_AUTH\_FILE +environment variable. `export REGISTRY_AUTH_FILE=path` + #### **--cert-dir**=*path* Use certificates at *path* (\*.crt, \*.cert, \*.key) to connect to the registry. @@ -41,6 +48,8 @@ Sign the busybox image with the identity of foo@bar.com with a user's keyring an sudo podman image sign --sign-by foo@bar.com --directory /tmp/signatures docker://privateregistry.example.com/foobar + sudo podman image sign --authfile=/tmp/foobar.json --sign-by foo@bar.com --directory /tmp/signatures docker://privateregistry.example.com/foobar + ## RELATED CONFIGURATION The write (and read) location for signatures is defined in YAML-based diff --git a/pkg/domain/entities/images.go b/pkg/domain/entities/images.go index 7583ce442..54f7b5d45 100644 --- a/pkg/domain/entities/images.go +++ b/pkg/domain/entities/images.go @@ -373,6 +373,7 @@ type SignOptions struct { Directory string SignBy string CertDir string + Authfile string All bool } diff --git a/pkg/domain/infra/abi/images.go b/pkg/domain/infra/abi/images.go index 5c0227986..8b44b869a 100644 --- a/pkg/domain/infra/abi/images.go +++ b/pkg/domain/infra/abi/images.go @@ -641,6 +641,7 @@ func (ir *ImageEngine) Sign(ctx context.Context, names []string, options entitie } sc := ir.Libpod.SystemContext() sc.DockerCertPath = options.CertDir + sc.AuthFilePath = options.Authfile for _, signimage := range names { err = func() error { diff --git a/test/system/011-image.bats b/test/system/011-image.bats new file mode 100644 index 000000000..5150e875e --- /dev/null +++ b/test/system/011-image.bats @@ -0,0 +1,54 @@ +#!/usr/bin/env bats + +load helpers + +function setup() { + skip_if_remote "--sign-by does not work with podman-remote" + + basic_setup + + export _GNUPGHOME_TMP=$PODMAN_TMPDIR/.gnupg + mkdir --mode=0700 $_GNUPGHOME_TMP $PODMAN_TMPDIR/signatures + + cat >$PODMAN_TMPDIR/keydetails <" \ + "gpg --verify $sigfile" +} + + +@test "podman image - sign with no sigfile" { + GNUPGHOME=$_GNUPGHOME_TMP run_podman image sign --sign-by foo@bar.com --directory $PODMAN_TMPDIR/signatures "docker://$PODMAN_TEST_IMAGE_FQN" + check_signature "signature-1" +} + +# vim: filetype=sh -- cgit v1.2.3-54-g00ecf