From b898f914a3a9b8cad5519ace0167d738e2f85186 Mon Sep 17 00:00:00 2001 From: Qi Wang Date: Wed, 21 Oct 2020 09:51:35 -0400 Subject: save image remove signatures remove signatures to podman save since the image formats do not support signatures Close: #7659 Signed-off-by: Qi Wang --- test/e2e/save_test.go | 69 +++++++++++++++++++++++++++++++++++++++++++++++ test/e2e/sign/key.gpg | 30 +++++++++++++++++++++ test/e2e/sign/policy.json | 18 +++++++++++++ 3 files changed, 117 insertions(+) create mode 100644 test/e2e/sign/key.gpg create mode 100644 test/e2e/sign/policy.json (limited to 'test/e2e') diff --git a/test/e2e/save_test.go b/test/e2e/save_test.go index 1f1258be3..79fc4d737 100644 --- a/test/e2e/save_test.go +++ b/test/e2e/save_test.go @@ -1,8 +1,12 @@ package integration import ( + "io/ioutil" "os" + "os/exec" "path/filepath" + "strconv" + "strings" "github.com/containers/podman/v2/pkg/rootless" . "github.com/containers/podman/v2/test/utils" @@ -116,6 +120,71 @@ var _ = Describe("Podman save", func() { Expect(save).To(ExitWithError()) }) + It("podman save remove signature", func() { + SkipIfRootless("FIXME: Need get in rootless push sign") + if podmanTest.Host.Arch == "ppc64le" { + Skip("No registry image for ppc64le") + } + tempGNUPGHOME := filepath.Join(podmanTest.TempDir, "tmpGPG") + err := os.Mkdir(tempGNUPGHOME, os.ModePerm) + Expect(err).To(BeNil()) + origGNUPGHOME := os.Getenv("GNUPGHOME") + err = os.Setenv("GNUPGHOME", tempGNUPGHOME) + Expect(err).To(BeNil()) + defer os.Setenv("GNUPGHOME", origGNUPGHOME) + + port := 5000 + session := podmanTest.Podman([]string{"run", "-d", "--name", "registry", "-p", strings.Join([]string{strconv.Itoa(port), strconv.Itoa(port)}, ":"), "docker.io/registry:2.6"}) + session.WaitWithDefaultTimeout() + Expect(session.ExitCode()).To(Equal(0)) + if !WaitContainerReady(podmanTest, "registry", "listening on", 20, 1) { + Skip("Cannot start docker registry.") + } + + cmd := exec.Command("gpg", "--import", "sign/secret-key.asc") + err = cmd.Run() + Expect(err).To(BeNil()) + + cmd = exec.Command("cp", "/etc/containers/registries.d/default.yaml", "default.yaml") + if err = cmd.Run(); err != nil { + Skip("no signature store to verify") + } + defer func() { + cmd = exec.Command("cp", "default.yaml", "/etc/containers/registries.d/default.yaml") + cmd.Run() + }() + + cmd = exec.Command("cp", "sign/key.gpg", "/tmp/key.gpg") + Expect(cmd.Run()).To(BeNil()) + sigstore := ` +default-docker: + sigstore: file:///var/lib/containers/sigstore + sigstore-staging: file:///var/lib/containers/sigstore +` + Expect(ioutil.WriteFile("/etc/containers/registries.d/default.yaml", []byte(sigstore), 0755)).To(BeNil()) + + session = podmanTest.Podman([]string{"tag", ALPINE, "localhost:5000/alpine"}) + session.WaitWithDefaultTimeout() + Expect(session.ExitCode()).To(Equal(0)) + + session = podmanTest.Podman([]string{"push", "--tls-verify=false", "--sign-by", "foo@bar.com", "localhost:5000/alpine"}) + session.WaitWithDefaultTimeout() + Expect(session.ExitCode()).To(Equal(0)) + + session = podmanTest.Podman([]string{"rmi", ALPINE, "localhost:5000/alpine"}) + session.WaitWithDefaultTimeout() + Expect(session.ExitCode()).To(Equal(0)) + + session = podmanTest.Podman([]string{"pull", "--tls-verify=false", "--signature-policy=sign/policy.json", "localhost:5000/alpine"}) + session.WaitWithDefaultTimeout() + Expect(session.ExitCode()).To(Equal(0)) + + outfile := filepath.Join(podmanTest.TempDir, "temp.tar") + save := podmanTest.Podman([]string{"save", "remove-signatures=true", "-o", outfile, "localhost:5000/alpine"}) + save.WaitWithDefaultTimeout() + Expect(save).To(ExitWithError()) + }) + It("podman save image with digest reference", func() { // pull a digest reference session := podmanTest.PodmanNoCache([]string{"pull", ALPINELISTDIGEST}) diff --git a/test/e2e/sign/key.gpg b/test/e2e/sign/key.gpg new file mode 100644 index 000000000..32968fc04 --- /dev/null +++ b/test/e2e/sign/key.gpg @@ -0,0 +1,30 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mQENBF8kNqwBCAC0x3Kog+WlDNwcR6rWIP8Gj2T6LrQ2/3knSyAWzTgC/OBB6Oh0 +KAokXLjy8J3diG3EaSltE7erGG/bZCz8jYvMiwDJScON4zzidotqjoY80E+NeRDg +CC0gqvqmh0ftJIjYNBHzSxqrGRQwzwZU+u6ezlE8+0dvsHcHY+MRnxXJQrdM07EP +Prp85kKckChDlJ1tyGUB/YHieFQmOW5+TERA7ZqQOAQ12Vviv6V4kNfEJJq3MS2c +csZpO323tcHt3oebqsZCIElhX7uVw6GAeCw1tm4NZXs4g1yIC21Of/hzPeC18F72 +splCgKaAOiE9w/nMGLNEYy2NzgEclZLs2Y7jABEBAAG0FGZvb2JhciA8Zm9vQGJh +ci5jb20+iQFUBBMBCAA+FiEERyT4ac7LLibByeabqaoHAy6P2bIFAl8kNqwCGwMF +CQPCZwAFCwkIBwIGFQoJCAsCBBYCAwECHgECF4AACgkQqaoHAy6P2bKtuggAgv54 +/F8wgi+uMrtFr8rqNtZMDyXRxfXaXUy5uGNfqHD83yqxweEqxiA8lmFkRHixPWtg +Z2MniFXMVc9kVmg8GNIIuzewXrPqtXztvuURQo9phK68v8fXEqqT6K25wtq8TiQZ +0J3mQIJPPTMe3pCCOyR6+W3iMtQp2AmitxKbzLP3J3GG2i0rG5S147A2rPnzTeMY +hds819+JE7jNMD7FkV+TcQlOVl4wyOQhNEJcjb6rA6EUe5+s85pIFTBSyPMJpJ03 +Y0dLdcSGpKdncGTK2X9+hS96G1+FP/t8hRIDblqUHtBRXe3Ozz6zSqpqu1DbAQSM +bIrLYxXfnZEN+ro0dLkBDQRfJDasAQgAncvLLZUHZkJWDPka3ocysJ7+/lmrXyAj +T3D4r7UM4oaLBOMKjvaKSDw1uW5qYmTxnnsqFDI0O5+XJxD1/0qEf6l2oUpnILdx +Vruf28FuvymbsyhDgs+MBoHz0jLWWPHUW2oWLIqcvaF0BePQ1GS6UoZlmZejsLww +cSpbaAHJng7An/iLuqOBr5EdUA5XMXqmdMFDrjh0uZezImJ2Eacu/hshBdu3IY49 +J5XP18GWrSdUnP27cv3tOii9j5Lfl8QAvCN89vkALIU3eZtnMlWZqLgl5o6COVFm +zpyx+iHOoCznQBt0aGoSNmE/dAqWIQS/xCSFqMHI6kNd9N0oR0rEHwARAQABiQE8 +BBgBCAAmFiEERyT4ac7LLibByeabqaoHAy6P2bIFAl8kNqwCGwwFCQPCZwAACgkQ +qaoHAy6P2bJfjQgAje6YR+p1QaNlTN9l4t2kGzy9RhkfYMrTgI2fEqbS9bFJUy3Y +3mH+vj/r2gN/kaN8LHH4K1d7fAohBsFqSI0flzHHIx2rfti9zAlbXcAErbnG+f0f +k0AaqU7KelU35vjPfNe6Vn7ky6G9CC6jW04NkLZDNFA2GusdYf1aM0LWew5t4WZa +quLVFhL36q9eHaogO/fcPR/quvQefHokk+b541ytwMN9l/g43rTbCvAjrUDHwipb +Gbw91Wg2XjbecRiCXDKWds2M149BpxUzY5xHFtD5t5WSEE/SkkryGTMmTxS3tuQZ +9PdtCPGrNDO6Ts/amORF04Tf+YMJgfv3IWxMeQ== +=y0uZ +-----END PGP PUBLIC KEY BLOCK----- diff --git a/test/e2e/sign/policy.json b/test/e2e/sign/policy.json new file mode 100644 index 000000000..ab01137bf --- /dev/null +++ b/test/e2e/sign/policy.json @@ -0,0 +1,18 @@ +{ + "default": [ + { + "type": "insecureAcceptAnything" + } + ], + "transports": { + "docker": { + "localhost:5000": [ + { + "type": "signedBy", + "keyType": "GPGKeys", + "keyPath": "/tmp/key.gpg" + } + ] + } + } +} -- cgit v1.2.3-54-g00ecf