From 6730556e2f6f98a2eef6914ffadabf8a46aef749 Mon Sep 17 00:00:00 2001
From: Qi Wang <qiwan@redhat.com>
Date: Mon, 21 Sep 2020 18:10:36 -0400
Subject: Sign multi-arch images

podman image sign handles muti-arch images.
--all option to create signature for each manifest from the image manifest list.

Signed-off-by: Qi Wang <qiwan@redhat.com>
---
 pkg/domain/entities/images.go  |  1 +
 pkg/domain/infra/abi/images.go | 71 ++++++++++++++++++++++++++++--------------
 2 files changed, 49 insertions(+), 23 deletions(-)

(limited to 'pkg')

diff --git a/pkg/domain/entities/images.go b/pkg/domain/entities/images.go
index 81f12bff7..1538cbb8b 100644
--- a/pkg/domain/entities/images.go
+++ b/pkg/domain/entities/images.go
@@ -344,6 +344,7 @@ type SignOptions struct {
 	Directory string
 	SignBy    string
 	CertDir   string
+	All       bool
 }
 
 // SignReport describes the result of signing
diff --git a/pkg/domain/infra/abi/images.go b/pkg/domain/infra/abi/images.go
index 57a2bc4cf..394ba359c 100644
--- a/pkg/domain/infra/abi/images.go
+++ b/pkg/domain/infra/abi/images.go
@@ -28,6 +28,8 @@ import (
 	"github.com/containers/podman/v2/pkg/rootless"
 	"github.com/containers/podman/v2/pkg/util"
 	"github.com/containers/storage"
+	dockerRef "github.com/docker/distribution/reference"
+	"github.com/opencontainers/go-digest"
 	imgspecv1 "github.com/opencontainers/image-spec/specs-go/v1"
 	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
@@ -718,9 +720,9 @@ func (ir *ImageEngine) Sign(ctx context.Context, names []string, options entitie
 					logrus.Errorf("unable to close %s image source %q", srcRef.DockerReference().Name(), err)
 				}
 			}()
-			getManifest, _, err := rawSource.GetManifest(ctx, nil)
+			topManifestBlob, manifestType, err := rawSource.GetManifest(ctx, nil)
 			if err != nil {
-				return errors.Wrapf(err, "error getting getManifest")
+				return errors.Wrapf(err, "error getting manifest blob")
 			}
 			dockerReference := rawSource.Reference().DockerReference()
 			if dockerReference == nil {
@@ -743,34 +745,34 @@ func (ir *ImageEngine) Sign(ctx context.Context, names []string, options entitie
 					return err
 				}
 			}
-			manifestDigest, err := manifest.Digest(getManifest)
+			manifestDigest, err := manifest.Digest(topManifestBlob)
 			if err != nil {
 				return err
 			}
 
-			// create signature
-			newSig, err := signature.SignDockerManifest(getManifest, dockerReference.String(), mech, options.SignBy)
-			if err != nil {
-				return errors.Wrapf(err, "error creating new signature")
-			}
-			// create the signstore file
-			signatureDir := fmt.Sprintf("%s@%s=%s", sigStoreDir, manifestDigest.Algorithm(), manifestDigest.Hex())
-			if err := os.MkdirAll(signatureDir, 0751); err != nil {
-				// The directory is allowed to exist
-				if !os.IsExist(err) {
-					logrus.Error(err)
-					return nil
+			if options.All {
+				if !manifest.MIMETypeIsMultiImage(manifestType) {
+					return errors.Errorf("%s is not a multi-architecture image (manifest type %s)", signimage, manifestType)
+				}
+				list, err := manifest.ListFromBlob(topManifestBlob, manifestType)
+				if err != nil {
+					return errors.Wrapf(err, "Error parsing manifest list %q", string(topManifestBlob))
+				}
+				instanceDigests := list.Instances()
+				for _, instanceDigest := range instanceDigests {
+					digest := instanceDigest
+					man, _, err := rawSource.GetManifest(ctx, &digest)
+					if err != nil {
+						return err
+					}
+					if err = putSignature(man, mech, sigStoreDir, instanceDigest, dockerReference, options); err != nil {
+						return errors.Wrapf(err, "error storing signature for %s, %v", dockerReference.String(), instanceDigest)
+					}
 				}
-			}
-			sigFilename, err := getSigFilename(signatureDir)
-			if err != nil {
-				logrus.Errorf("error creating sigstore file: %v", err)
 				return nil
 			}
-			err = ioutil.WriteFile(filepath.Join(signatureDir, sigFilename), newSig, 0644)
-			if err != nil {
-				logrus.Errorf("error storing signature for %s", rawSource.Reference().DockerReference().String())
-				return nil
+			if err = putSignature(topManifestBlob, mech, sigStoreDir, manifestDigest, dockerReference, options); err != nil {
+				return errors.Wrapf(err, "error storing signature for %s, %v", dockerReference.String(), manifestDigest)
 			}
 			return nil
 		}()
@@ -806,3 +808,26 @@ func localPathFromURI(url *url.URL) (string, error) {
 	}
 	return url.Path, nil
 }
+
+// putSignature creates signature and saves it to the signstore file
+func putSignature(manifestBlob []byte, mech signature.SigningMechanism, sigStoreDir string, instanceDigest digest.Digest, dockerReference dockerRef.Reference, options entities.SignOptions) error {
+	newSig, err := signature.SignDockerManifest(manifestBlob, dockerReference.String(), mech, options.SignBy)
+	if err != nil {
+		return err
+	}
+	signatureDir := fmt.Sprintf("%s@%s=%s", sigStoreDir, instanceDigest.Algorithm(), instanceDigest.Hex())
+	if err := os.MkdirAll(signatureDir, 0751); err != nil {
+		// The directory is allowed to exist
+		if !os.IsExist(err) {
+			return err
+		}
+	}
+	sigFilename, err := getSigFilename(signatureDir)
+	if err != nil {
+		return err
+	}
+	if err = ioutil.WriteFile(filepath.Join(signatureDir, sigFilename), newSig, 0644); err != nil {
+		return err
+	}
+	return nil
+}
-- 
cgit v1.2.3-54-g00ecf