From 68463278e3b22a03fa7a711f4993381747e5e2fc Mon Sep 17 00:00:00 2001 From: Miloslav Trmač Date: Sat, 30 Jul 2022 01:50:45 +0200 Subject: Use httpasswd from the surrouding OS instead of the registry image MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit htpasswd is no longer included in docker.io/library/distribution after 2.7.0, per https://github.com/docker/distribution-library-image/issues/107 , and we want to upgrade to a recent version. At least system tests currently execute htpasswd from the OS, so it seems that it is likely to be available. Signed-off-by: Miloslav Trmač --- test/e2e/login_logout_test.go | 10 +++++----- test/e2e/push_test.go | 10 +++++----- 2 files changed, 10 insertions(+), 10 deletions(-) (limited to 'test') diff --git a/test/e2e/login_logout_test.go b/test/e2e/login_logout_test.go index 3ae130c6d..efefbb113 100644 --- a/test/e2e/login_logout_test.go +++ b/test/e2e/login_logout_test.go @@ -52,15 +52,15 @@ var _ = Describe("Podman login and logout", func() { } } - session := podmanTest.Podman([]string{"run", "--entrypoint", "htpasswd", "registry:2.6", "-Bbn", "podmantest", "test"}) - session.WaitWithDefaultTimeout() - Expect(session).Should(Exit(0)) + htpasswd := SystemExec("htpasswd", []string{"-Bbn", "podmantest", "test"}) + htpasswd.WaitWithDefaultTimeout() + Expect(htpasswd).Should(Exit(0)) f, err := os.Create(filepath.Join(authPath, "htpasswd")) Expect(err).ToNot(HaveOccurred()) defer f.Close() - _, err = f.WriteString(session.OutputToString()) + _, err = f.WriteString(htpasswd.OutputToString()) Expect(err).ToNot(HaveOccurred()) err = f.Sync() Expect(err).ToNot(HaveOccurred()) @@ -80,7 +80,7 @@ var _ = Describe("Podman login and logout", func() { setup := SystemExec("cp", []string{filepath.Join(certPath, "domain.crt"), filepath.Join(certDirPath, "ca.crt")}) setup.WaitWithDefaultTimeout() - session = podmanTest.Podman([]string{"run", "-d", "-p", strings.Join([]string{strconv.Itoa(port), strconv.Itoa(port)}, ":"), + session := podmanTest.Podman([]string{"run", "-d", "-p", strings.Join([]string{strconv.Itoa(port), strconv.Itoa(port)}, ":"), "-e", strings.Join([]string{"REGISTRY_HTTP_ADDR=0.0.0.0", strconv.Itoa(port)}, ":"), "--name", "registry", "-v", strings.Join([]string{authPath, "/auth:Z"}, ":"), "-e", "REGISTRY_AUTH=htpasswd", "-e", "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm", "-e", "REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd", diff --git a/test/e2e/push_test.go b/test/e2e/push_test.go index f2a103f6b..0faa040f4 100644 --- a/test/e2e/push_test.go +++ b/test/e2e/push_test.go @@ -167,20 +167,20 @@ var _ = Describe("Podman push", func() { } lock := GetPortLock("5000") defer lock.Unlock() - session := podmanTest.Podman([]string{"run", "--entrypoint", "htpasswd", REGISTRY_IMAGE, "-Bbn", "podmantest", "test"}) - session.WaitWithDefaultTimeout() - Expect(session).Should(Exit(0)) + htpasswd := SystemExec("htpasswd", []string{"-Bbn", "podmantest", "test"}) + htpasswd.WaitWithDefaultTimeout() + Expect(htpasswd).Should(Exit(0)) f, err := os.Create(filepath.Join(authPath, "htpasswd")) Expect(err).ToNot(HaveOccurred()) defer f.Close() - _, err = f.WriteString(session.OutputToString()) + _, err = f.WriteString(htpasswd.OutputToString()) Expect(err).ToNot(HaveOccurred()) err = f.Sync() Expect(err).ToNot(HaveOccurred()) - session = podmanTest.Podman([]string{"run", "-d", "-p", "5000:5000", "--name", "registry", "-v", + session := podmanTest.Podman([]string{"run", "-d", "-p", "5000:5000", "--name", "registry", "-v", strings.Join([]string{authPath, "/auth"}, ":"), "-e", "REGISTRY_AUTH=htpasswd", "-e", "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm", "-e", "REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd", "-v", strings.Join([]string{certPath, "/certs"}, ":"), "-e", "REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt", -- cgit v1.2.3-54-g00ecf From 7599fde73e383824196854174847094d148b72a0 Mon Sep 17 00:00:00 2001 From: Miloslav Trmač Date: Sat, 30 Jul 2022 17:21:15 +0200 Subject: Use existing REGISTRY_IMAGE variables in more places MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ... instead of hard-coding a copy of the value. Notably this makes hack/podman_registry actually support the documented -i option. Signed-off-by: Miloslav Trmač --- hack/podman-registry | 2 +- test/e2e/login_logout_test.go | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) (limited to 'test') diff --git a/hack/podman-registry b/hack/podman-registry index 84faafb48..f1254966b 100755 --- a/hack/podman-registry +++ b/hack/podman-registry @@ -218,7 +218,7 @@ function do_start() { -e "REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd" \ -e "REGISTRY_HTTP_TLS_CERTIFICATE=/auth/domain.crt" \ -e "REGISTRY_HTTP_TLS_KEY=/auth/domain.key" \ - registry:2.6 + ${PODMAN_REGISTRY_IMAGE} # Confirm that registry started and port is active wait_for_port $PODMAN_REGISTRY_PORT diff --git a/test/e2e/login_logout_test.go b/test/e2e/login_logout_test.go index efefbb113..60c53e27e 100644 --- a/test/e2e/login_logout_test.go +++ b/test/e2e/login_logout_test.go @@ -85,7 +85,7 @@ var _ = Describe("Podman login and logout", func() { strings.Join([]string{authPath, "/auth:Z"}, ":"), "-e", "REGISTRY_AUTH=htpasswd", "-e", "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm", "-e", "REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd", "-v", strings.Join([]string{certPath, "/certs:Z"}, ":"), "-e", "REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt", - "-e", "REGISTRY_HTTP_TLS_KEY=/certs/domain.key", "registry:2.6"}) + "-e", "REGISTRY_HTTP_TLS_KEY=/certs/domain.key", REGISTRY_IMAGE}) session.WaitWithDefaultTimeout() Expect(session).Should(Exit(0)) @@ -249,7 +249,7 @@ var _ = Describe("Podman login and logout", func() { strings.Join([]string{authPath, "/auth:z"}, ":"), "-e", "REGISTRY_AUTH=htpasswd", "-e", "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm", "-e", "REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd", "-v", strings.Join([]string{certPath, "/certs:z"}, ":"), "-e", "REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt", - "-e", "REGISTRY_HTTP_TLS_KEY=/certs/domain.key", "registry:2.6"}) + "-e", "REGISTRY_HTTP_TLS_KEY=/certs/domain.key", REGISTRY_IMAGE}) session.WaitWithDefaultTimeout() Expect(session).Should(Exit(0)) -- cgit v1.2.3-54-g00ecf From 5a5624f8189c0e4c529e4c00d6ed66397d1db5b4 Mon Sep 17 00:00:00 2001 From: Miloslav Trmač Date: Sat, 30 Jul 2022 00:08:00 +0200 Subject: Update the registry server we test against from 2.6 to 2.8 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ... primarily so that it can support OCI artifacts. 2.8 already seems to exist in the repo. This requires changing WaitContainerReady to also check stderr (ultimately because docker/distribution was updated to a more recent sirupsen/logrus, which logs by default to stderr instead of stdout). Signed-off-by: Miloslav Trmač --- hack/podman-registry | 4 ++-- test/e2e/config_amd64.go | 2 +- test/e2e/config_arm64.go | 2 +- test/utils/utils.go | 2 +- 4 files changed, 5 insertions(+), 5 deletions(-) (limited to 'test') diff --git a/hack/podman-registry b/hack/podman-registry index f1254966b..f1b68deaa 100755 --- a/hack/podman-registry +++ b/hack/podman-registry @@ -7,7 +7,7 @@ ME=$(basename $0) ############################################################################### # BEGIN defaults -PODMAN_REGISTRY_IMAGE=quay.io/libpod/registry:2.6 +PODMAN_REGISTRY_IMAGE=quay.io/libpod/registry:2.8 PODMAN_REGISTRY_USER= PODMAN_REGISTRY_PASS= @@ -30,7 +30,7 @@ into a local temporary directory, create an htpasswd, start the registry, and dump a series of environment variables to stdout: \$ $ME start - PODMAN_REGISTRY_IMAGE=\"docker.io/library/registry:2.6\" + PODMAN_REGISTRY_IMAGE=\"docker.io/library/registry:2.8\" PODMAN_REGISTRY_PORT=\"5050\" PODMAN_REGISTRY_USER=\"userZ3RZ\" PODMAN_REGISTRY_PASS=\"T8JVJzKrcl4p6uT\" diff --git a/test/e2e/config_amd64.go b/test/e2e/config_amd64.go index f32542df8..ba7940d57 100644 --- a/test/e2e/config_amd64.go +++ b/test/e2e/config_amd64.go @@ -8,7 +8,7 @@ var ( CACHE_IMAGES = []string{ALPINE, BB, fedoraMinimal, NGINX_IMAGE, REDIS_IMAGE, REGISTRY_IMAGE, INFRA_IMAGE, LABELS_IMAGE, HEALTHCHECK_IMAGE, UBI_INIT, UBI_MINIMAL, fedoraToolbox} //nolint:revive,stylecheck NGINX_IMAGE = "quay.io/libpod/alpine_nginx:latest" //nolint:revive,stylecheck BB_GLIBC = "docker.io/library/busybox:glibc" //nolint:revive,stylecheck - REGISTRY_IMAGE = "quay.io/libpod/registry:2.6" //nolint:revive,stylecheck + REGISTRY_IMAGE = "quay.io/libpod/registry:2.8" //nolint:revive,stylecheck LABELS_IMAGE = "quay.io/libpod/alpine_labels:latest" //nolint:revive,stylecheck UBI_MINIMAL = "registry.access.redhat.com/ubi8-minimal" //nolint:revive,stylecheck UBI_INIT = "registry.access.redhat.com/ubi8-init" //nolint:revive,stylecheck diff --git a/test/e2e/config_arm64.go b/test/e2e/config_arm64.go index c1e0afc47..32ed2f90d 100644 --- a/test/e2e/config_arm64.go +++ b/test/e2e/config_arm64.go @@ -8,7 +8,7 @@ var ( CACHE_IMAGES = []string{ALPINE, BB, fedoraMinimal, NGINX_IMAGE, REDIS_IMAGE, REGISTRY_IMAGE, INFRA_IMAGE, LABELS_IMAGE, HEALTHCHECK_IMAGE, UBI_INIT, UBI_MINIMAL, fedoraToolbox} //nolint:revive,stylecheck NGINX_IMAGE = "quay.io/lsm5/alpine_nginx-aarch64:latest" //nolint:revive,stylecheck BB_GLIBC = "docker.io/library/busybox:glibc" //nolint:revive,stylecheck - REGISTRY_IMAGE = "quay.io/libpod/registry:2.6" //nolint:revive,stylecheck + REGISTRY_IMAGE = "quay.io/libpod/registry:2.8" //nolint:revive,stylecheck LABELS_IMAGE = "quay.io/libpod/alpine_labels:latest" //nolint:revive,stylecheck UBI_MINIMAL = "registry.access.redhat.com/ubi8-minimal" //nolint:revive,stylecheck UBI_INIT = "registry.access.redhat.com/ubi8-init" //nolint:revive,stylecheck diff --git a/test/utils/utils.go b/test/utils/utils.go index 9c2a63c81..19b287ae1 100644 --- a/test/utils/utils.go +++ b/test/utils/utils.go @@ -225,7 +225,7 @@ func (p *PodmanTest) WaitContainerReady(id string, expStr string, timeout int, s return false } - if strings.Contains(s.OutputToString(), expStr) { + if strings.Contains(s.OutputToString(), expStr) || strings.Contains(s.ErrorToString(), expStr) { return true } time.Sleep(time.Duration(step) * time.Second) -- cgit v1.2.3-54-g00ecf From d462da676cf0e97420d42ea64d72f69cab675922 Mon Sep 17 00:00:00 2001 From: Miloslav Trmač Date: Fri, 29 Jul 2022 00:08:40 +0200 Subject: Add support for creating sigstore signatures, and providing passphrases MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - Allow creating sigstore signatures via --sign-by-sigstore-private-key . Like existing --sign-by, it does not work remote (in this case because we would have to copy the private key to the server). - Allow passing a passphrase (which is mandatory for sigstore private keys) via --sign-passphrase-file; if it is not provided, prompt interactively. - Also, use that passphrase for --sign-by as well, allowing non-interactive GPG use. (But --sign-passphrase-file can only be used with _one of_ --sign-by and --sign-by-sigstore-private-key.) Note that unlike the existing code, (podman build) does not yet implement sigstore (I'm not sure why it needs to, it seems not to push images?) because Buildah does not expose the feature yet. Also, (podman image sign) was not extended to support sigstore. The test for this follows existing (podman image sign) tests and doesn't work rootless; that could be improved by exposing a registries.d override option. The test for push is getting large; I didn't want to start yet another registry container, but that would be an alternative. In the future, Ginkgo's Ordered/BeforeAll would allow starting a registry once and using it for two tests. Signed-off-by: Miloslav Trmač --- cmd/podman/common/sign.go | 36 +++++++++++++++++++ cmd/podman/images/push.go | 19 ++++++++-- cmd/podman/manifest/push.go | 19 ++++++++-- docs/source/markdown/podman-manifest-push.1.md | 10 +++++- docs/source/markdown/podman-push.1.md | 10 +++++- pkg/domain/entities/images.go | 10 ++++++ pkg/domain/infra/abi/images.go | 3 ++ pkg/domain/infra/abi/manifest.go | 3 ++ test/e2e/push_test.go | 40 ++++++++++++++++++++++ test/e2e/sign/policy.json | 6 ++++ test/e2e/testdata/sigstore-key.key | 11 ++++++ test/e2e/testdata/sigstore-key.key.pass | 1 + test/e2e/testdata/sigstore-key.pub | 4 +++ .../testdata/sigstore-registries.d-fragment.yaml | 3 ++ .../containers/image/v5/pkg/cli/passphrase.go | 36 +++++++++++++++++++ vendor/modules.txt | 1 + 16 files changed, 206 insertions(+), 6 deletions(-) create mode 100644 cmd/podman/common/sign.go create mode 100644 test/e2e/testdata/sigstore-key.key create mode 100644 test/e2e/testdata/sigstore-key.key.pass create mode 100644 test/e2e/testdata/sigstore-key.pub create mode 100644 test/e2e/testdata/sigstore-registries.d-fragment.yaml create mode 100644 vendor/github.com/containers/image/v5/pkg/cli/passphrase.go (limited to 'test') diff --git a/cmd/podman/common/sign.go b/cmd/podman/common/sign.go new file mode 100644 index 000000000..e8a90ed57 --- /dev/null +++ b/cmd/podman/common/sign.go @@ -0,0 +1,36 @@ +package common + +import ( + "fmt" + + "github.com/containers/image/v5/pkg/cli" + "github.com/containers/podman/v4/pkg/domain/entities" + "github.com/containers/podman/v4/pkg/terminal" +) + +// PrepareSigningPassphrase updates pushOpts.SignPassphrase and SignSigstorePrivateKeyPassphrase based on a --sign-passphrase-file value signPassphraseFile, +// and validates pushOpts.Sign* consistency. +// It may interactively prompt for a passphrase if one is required and wasn’t provided otherwise. +func PrepareSigningPassphrase(pushOpts *entities.ImagePushOptions, signPassphraseFile string) error { + // c/common/libimage.Image does allow creating both simple signing and sigstore signatures simultaneously, + // with independent passphrases, but that would make the CLI probably too confusing. + // For now, use the passphrase with either, but only one of them. + if signPassphraseFile != "" && pushOpts.SignBy != "" && pushOpts.SignBySigstorePrivateKeyFile != "" { + return fmt.Errorf("only one of --sign-by and sign-by-sigstore-private-key can be used with --sign-passphrase-file") + } + + var passphrase string + if signPassphraseFile != "" { + p, err := cli.ReadPassphraseFile(signPassphraseFile) + if err != nil { + return err + } + passphrase = p + } else if pushOpts.SignBySigstorePrivateKeyFile != "" { + p := terminal.ReadPassphrase() + passphrase = string(p) + } // pushOpts.SignBy triggers a GPG-agent passphrase prompt, possibly using a more secure channel, so we usually shouldn’t prompt ourselves if no passphrase was explicitly provided. + pushOpts.SignPassphrase = passphrase + pushOpts.SignSigstorePrivateKeyPassphrase = []byte(passphrase) + return nil +} diff --git a/cmd/podman/images/push.go b/cmd/podman/images/push.go index 764936426..1734900de 100644 --- a/cmd/podman/images/push.go +++ b/cmd/podman/images/push.go @@ -17,8 +17,9 @@ import ( // CLI-only fields into the API types. type pushOptionsWrapper struct { entities.ImagePushOptions - TLSVerifyCLI bool // CLI only - CredentialsCLI string + TLSVerifyCLI bool // CLI only + CredentialsCLI string + SignPassphraseFileCLI string } var ( @@ -106,6 +107,14 @@ func pushFlags(cmd *cobra.Command) { flags.StringVar(&pushOptions.SignBy, signByFlagName, "", "Add a signature at the destination using the specified key") _ = cmd.RegisterFlagCompletionFunc(signByFlagName, completion.AutocompleteNone) + signBySigstorePrivateKeyFlagName := "sign-by-sigstore-private-key" + flags.StringVar(&pushOptions.SignBySigstorePrivateKeyFile, signBySigstorePrivateKeyFlagName, "", "Sign the image using a sigstore private key at `PATH`") + _ = cmd.RegisterFlagCompletionFunc(signBySigstorePrivateKeyFlagName, completion.AutocompleteDefault) + + signPassphraseFileFlagName := "sign-passphrase-file" + flags.StringVar(&pushOptions.SignPassphraseFileCLI, signPassphraseFileFlagName, "", "Read a passphrase for signing an image from `PATH`") + _ = cmd.RegisterFlagCompletionFunc(signPassphraseFileFlagName, completion.AutocompleteDefault) + flags.BoolVar(&pushOptions.TLSVerifyCLI, "tls-verify", true, "Require HTTPS and verify certificates when contacting registries") compressionFormat := "compression-format" @@ -118,6 +127,8 @@ func pushFlags(cmd *cobra.Command) { _ = flags.MarkHidden("digestfile") _ = flags.MarkHidden("quiet") _ = flags.MarkHidden(signByFlagName) + _ = flags.MarkHidden(signBySigstorePrivateKeyFlagName) + _ = flags.MarkHidden(signPassphraseFileFlagName) } if !registry.IsRemote() { flags.StringVar(&pushOptions.SignaturePolicy, "signature-policy", "", "Path to a signature-policy file") @@ -153,6 +164,10 @@ func imagePush(cmd *cobra.Command, args []string) error { pushOptions.Password = creds.Password } + if err := common.PrepareSigningPassphrase(&pushOptions.ImagePushOptions, pushOptions.SignPassphraseFileCLI); err != nil { + return err + } + // Let's do all the remaining Yoga in the API to prevent us from scattering // logic across (too) many parts of the code. return registry.ImageEngine().Push(registry.GetContext(), source, destination, pushOptions.ImagePushOptions) diff --git a/cmd/podman/manifest/push.go b/cmd/podman/manifest/push.go index df394d275..6afd8ea4c 100644 --- a/cmd/podman/manifest/push.go +++ b/cmd/podman/manifest/push.go @@ -20,8 +20,9 @@ import ( type manifestPushOptsWrapper struct { entities.ImagePushOptions - TLSVerifyCLI bool // CLI only - CredentialsCLI string + TLSVerifyCLI bool // CLI only + CredentialsCLI string + SignPassphraseFileCLI string } var ( @@ -72,6 +73,14 @@ func init() { flags.StringVar(&manifestPushOpts.SignBy, signByFlagName, "", "sign the image using a GPG key with the specified `FINGERPRINT`") _ = pushCmd.RegisterFlagCompletionFunc(signByFlagName, completion.AutocompleteNone) + signBySigstorePrivateKeyFlagName := "sign-by-sigstore-private-key" + flags.StringVar(&manifestPushOpts.SignBySigstorePrivateKeyFile, signBySigstorePrivateKeyFlagName, "", "Sign the image using a sigstore private key at `PATH`") + _ = pushCmd.RegisterFlagCompletionFunc(signBySigstorePrivateKeyFlagName, completion.AutocompleteDefault) + + signPassphraseFileFlagName := "sign-passphrase-file" + flags.StringVar(&manifestPushOpts.SignPassphraseFileCLI, signPassphraseFileFlagName, "", "Read a passphrase for signing an image from `PATH`") + _ = pushCmd.RegisterFlagCompletionFunc(signPassphraseFileFlagName, completion.AutocompleteDefault) + flags.BoolVar(&manifestPushOpts.TLSVerifyCLI, "tls-verify", true, "require HTTPS and verify certificates when accessing the registry") flags.BoolVarP(&manifestPushOpts.Quiet, "quiet", "q", false, "don't output progress information when pushing lists") flags.SetNormalizeFunc(utils.AliasFlags) @@ -79,6 +88,8 @@ func init() { if registry.IsRemote() { _ = flags.MarkHidden("cert-dir") _ = flags.MarkHidden(signByFlagName) + _ = flags.MarkHidden(signBySigstorePrivateKeyFlagName) + _ = flags.MarkHidden(signPassphraseFileFlagName) } } @@ -104,6 +115,10 @@ func push(cmd *cobra.Command, args []string) error { manifestPushOpts.Password = creds.Password } + if err := common.PrepareSigningPassphrase(&manifestPushOpts.ImagePushOptions, manifestPushOpts.SignPassphraseFileCLI); err != nil { + return err + } + // TLS verification in c/image is controlled via a `types.OptionalBool` // which allows for distinguishing among set-true, set-false, unspecified // which is important to implement a sane way of dealing with defaults of diff --git a/docs/source/markdown/podman-manifest-push.1.md b/docs/source/markdown/podman-manifest-push.1.md index 22e8cae9a..66cdb8324 100644 --- a/docs/source/markdown/podman-manifest-push.1.md +++ b/docs/source/markdown/podman-manifest-push.1.md @@ -60,7 +60,15 @@ Delete the manifest list or image index from local storage if pushing succeeds. #### **--sign-by**=*fingerprint* -Sign the pushed images using the GPG key that matches the specified fingerprint. +Sign the pushed images with a “simple signing” signature using the specified key. (This option is not available with the remote Podman client, including Mac and Windows (excluding WSL2) machines) + +#### **--sign-by-sigstore-private-key**=*path* + +Sign the pushed images with a sigstore signature using a private key at the specified path. (This option is not available with the remote Podman client, including Mac and Windows (excluding WSL2) machines) + +#### **--sign-passphrase-file**=*path* + +If signing the image (using either **--sign-by** or **--sign-by-sigstore-private-key**), read the passphrase to use from the specified path. #### **--tls-verify** diff --git a/docs/source/markdown/podman-push.1.md b/docs/source/markdown/podman-push.1.md index 3cda982ac..a69bdce0a 100644 --- a/docs/source/markdown/podman-push.1.md +++ b/docs/source/markdown/podman-push.1.md @@ -99,7 +99,15 @@ Discard any pre-existing signatures in the image. #### **--sign-by**=*key* -Add a signature at the destination using the specified key. (This option is not available with the remote Podman client, including Mac and Windows (excluding WSL2) machines) +Add a “simple signing” signature at the destination using the specified key. (This option is not available with the remote Podman client, including Mac and Windows (excluding WSL2) machines) + +#### **--sign-by-sigstore-private-key**=*path* + +Add a sigstore signature at the destination using a private key at the specified path. (This option is not available with the remote Podman client, including Mac and Windows (excluding WSL2) machines) + +#### **--sign-passphrase-file**=*path* + +If signing the image (using either **--sign-by** or **--sign-by-sigstore-private-key**), read the passphrase to use from the specified path. #### **--tls-verify** diff --git a/pkg/domain/entities/images.go b/pkg/domain/entities/images.go index b8b346005..dad2dc6cc 100644 --- a/pkg/domain/entities/images.go +++ b/pkg/domain/entities/images.go @@ -205,6 +205,16 @@ type ImagePushOptions struct { // SignBy adds a signature at the destination using the specified key. // Ignored for remote calls. SignBy string + // SignPassphrase, if non-empty, specifies a passphrase to use when signing + // with the key ID from SignBy. + SignPassphrase string + // SignBySigstorePrivateKeyFile, if non-empty, asks for a signature to be added + // during the copy, using a sigstore private key file at the provided path. + // Ignored for remote calls. + SignBySigstorePrivateKeyFile string + // SignSigstorePrivateKeyPassphrase is the passphrase to use when signing with + // SignBySigstorePrivateKeyFile. + SignSigstorePrivateKeyPassphrase []byte // SkipTLSVerify to skip HTTPS and certificate verification. SkipTLSVerify types.OptionalBool // Progress to get progress notifications diff --git a/pkg/domain/infra/abi/images.go b/pkg/domain/infra/abi/images.go index ff42b0367..94178a8e2 100644 --- a/pkg/domain/infra/abi/images.go +++ b/pkg/domain/infra/abi/images.go @@ -304,6 +304,9 @@ func (ir *ImageEngine) Push(ctx context.Context, source string, destination stri pushOptions.ManifestMIMEType = manifestType pushOptions.RemoveSignatures = options.RemoveSignatures pushOptions.SignBy = options.SignBy + pushOptions.SignPassphrase = options.SignPassphrase + pushOptions.SignBySigstorePrivateKeyFile = options.SignBySigstorePrivateKeyFile + pushOptions.SignSigstorePrivateKeyPassphrase = options.SignSigstorePrivateKeyPassphrase pushOptions.InsecureSkipTLSVerify = options.SkipTLSVerify pushOptions.Writer = options.Writer diff --git a/pkg/domain/infra/abi/manifest.go b/pkg/domain/infra/abi/manifest.go index bdc3d9513..6606b2cd0 100644 --- a/pkg/domain/infra/abi/manifest.go +++ b/pkg/domain/infra/abi/manifest.go @@ -316,6 +316,9 @@ func (ir *ImageEngine) ManifestPush(ctx context.Context, name, destination strin pushOptions.ManifestMIMEType = manifestType pushOptions.RemoveSignatures = opts.RemoveSignatures pushOptions.SignBy = opts.SignBy + pushOptions.SignPassphrase = opts.SignPassphrase + pushOptions.SignBySigstorePrivateKeyFile = opts.SignBySigstorePrivateKeyFile + pushOptions.SignSigstorePrivateKeyPassphrase = opts.SignSigstorePrivateKeyPassphrase pushOptions.InsecureSkipTLSVerify = opts.SkipTLSVerify if opts.All { diff --git a/test/e2e/push_test.go b/test/e2e/push_test.go index 0faa040f4..898d21d00 100644 --- a/test/e2e/push_test.go +++ b/test/e2e/push_test.go @@ -4,6 +4,7 @@ import ( "fmt" "io/ioutil" "os" + "os/exec" "path/filepath" "strings" @@ -136,6 +137,45 @@ var _ = Describe("Podman push", func() { Expect(fi.Name()).To(Equal("digestfile.txt")) Expect(push2).Should(Exit(0)) } + + if !IsRemote() { // Remote does not support signing + By("pushing and pulling with sigstore signatures") + // Ideally, this should set SystemContext.RegistriesDirPath, but Podman currently doesn’t + // expose that as an option. So, for now, modify /etc/directly, and skip testing sigstore if + // we don’t have permission to do so. + systemRegistriesDAddition := "/etc/containers/registries.d/podman-test-only-temporary-addition.yaml" + cmd := exec.Command("cp", "testdata/sigstore-registries.d-fragment.yaml", systemRegistriesDAddition) + output, err := cmd.CombinedOutput() + if err != nil { + fmt.Fprintf(os.Stderr, "Skipping sigstore tests because /etc/containers/registries.d isn’t writable: %s", string(output)) + } else { + defer func() { + err := os.Remove(systemRegistriesDAddition) + Expect(err).ToNot(HaveOccurred()) + }() + + // Verify that the policy rejects unsigned images + push := podmanTest.Podman([]string{"push", "-q", "--tls-verify=false", "--remove-signatures", ALPINE, "localhost:5000/sigstore-signed"}) + push.WaitWithDefaultTimeout() + Expect(push).Should(Exit(0)) + Expect(len(push.ErrorToString())).To(Equal(0)) + + pull := podmanTest.Podman([]string{"pull", "-q", "--tls-verify=false", "--signature-policy", "sign/policy.json", "localhost:5000/sigstore-signed"}) + pull.WaitWithDefaultTimeout() + Expect(pull).To(ExitWithError()) + Expect(pull.ErrorToString()).To(ContainSubstring("A signature was required, but no signature exists")) + + // Sign an image, and verify it is accepted. + push = podmanTest.Podman([]string{"push", "-q", "--tls-verify=false", "--remove-signatures", "--sign-by-sigstore-private-key", "testdata/sigstore-key.key", "--sign-passphrase-file", "testdata/sigstore-key.key.pass", ALPINE, "localhost:5000/sigstore-signed"}) + push.WaitWithDefaultTimeout() + Expect(push).Should(Exit(0)) + Expect(len(push.ErrorToString())).To(Equal(0)) + + pull = podmanTest.Podman([]string{"pull", "-q", "--tls-verify=false", "--signature-policy", "sign/policy.json", "localhost:5000/sigstore-signed"}) + pull.WaitWithDefaultTimeout() + Expect(pull).Should(Exit(0)) + } + } }) It("podman push to local registry with authorization", func() { diff --git a/test/e2e/sign/policy.json b/test/e2e/sign/policy.json index ab01137bf..812c14989 100644 --- a/test/e2e/sign/policy.json +++ b/test/e2e/sign/policy.json @@ -12,6 +12,12 @@ "keyType": "GPGKeys", "keyPath": "/tmp/key.gpg" } + ], + "localhost:5000/sigstore-signed": [ + { + "type": "sigstoreSigned", + "keyPath": "testdata/sigstore-key.pub" + } ] } } diff --git a/test/e2e/testdata/sigstore-key.key b/test/e2e/testdata/sigstore-key.key new file mode 100644 index 000000000..c4eed76a8 --- /dev/null +++ b/test/e2e/testdata/sigstore-key.key @@ -0,0 +1,11 @@ +-----BEGIN ENCRYPTED COSIGN PRIVATE KEY----- +eyJrZGYiOnsibmFtZSI6InNjcnlwdCIsInBhcmFtcyI6eyJOIjozMjc2OCwiciI6 +OCwicCI6MX0sInNhbHQiOiI2ckxVcEl1M1pTallrY3dua1pNVktuTHNDUjRENTJv +Y3J5Wmh2anZ4L1VrPSJ9LCJjaXBoZXIiOnsibmFtZSI6Im5hY2wvc2VjcmV0Ym94 +Iiwibm9uY2UiOiJMTVpkeTNBL285NS9SektUZGR3RURhODJTVThVcDdlKyJ9LCJj +aXBoZXJ0ZXh0IjoiNkkzUlRCc1IwRXpHZWs0SE5LazlVdlpyMEp6Y1Bxemw0ZkEr +SitJdHlCc0RBSkcyNmhESnFLUDFuQkJTUE5XdHpJRzJUVzQ5Z2hObEJmQy9qYVNk +eFo2QmhXYk9ldlY0MDB4WjVNZ1oyVHdGSnJxaE9HK0JMdmNvanVkc2tOUFpJTlpE +LytFZVBIYTRlRVJPTWhnSWlTRC9BYTd3eitlc2trVjkrN216Y3N2RVRiTTJTZGd6 +L3daMUtqV3FlOUc2MWlXSTJPSm1rRlhxQWc9PSJ9 +-----END ENCRYPTED COSIGN PRIVATE KEY----- diff --git a/test/e2e/testdata/sigstore-key.key.pass b/test/e2e/testdata/sigstore-key.key.pass new file mode 100644 index 000000000..beb5c7687 --- /dev/null +++ b/test/e2e/testdata/sigstore-key.key.pass @@ -0,0 +1 @@ +sigstore pass diff --git a/test/e2e/testdata/sigstore-key.pub b/test/e2e/testdata/sigstore-key.pub new file mode 100644 index 000000000..1f470f72b --- /dev/null +++ b/test/e2e/testdata/sigstore-key.pub @@ -0,0 +1,4 @@ +-----BEGIN PUBLIC KEY----- +MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEX/AWbBiFPuAU5+ys+Ce8YFPhTr1a +nM7A8h6NrQi6w8w8/4dJCzlGH4SN+P93nopATs6jDXs4Lpc2/tiA1SBmzA== +-----END PUBLIC KEY----- diff --git a/test/e2e/testdata/sigstore-registries.d-fragment.yaml b/test/e2e/testdata/sigstore-registries.d-fragment.yaml new file mode 100644 index 000000000..d79f4c935 --- /dev/null +++ b/test/e2e/testdata/sigstore-registries.d-fragment.yaml @@ -0,0 +1,3 @@ +docker: + localhost:5000/sigstore-signed: + use-sigstore-attachments: true diff --git a/vendor/github.com/containers/image/v5/pkg/cli/passphrase.go b/vendor/github.com/containers/image/v5/pkg/cli/passphrase.go new file mode 100644 index 000000000..c46650cdc --- /dev/null +++ b/vendor/github.com/containers/image/v5/pkg/cli/passphrase.go @@ -0,0 +1,36 @@ +package cli + +import ( + "bufio" + "errors" + "fmt" + "io" + "os" + "strings" + + "github.com/sirupsen/logrus" +) + +// ReadPassphraseFile returns the first line of the specified path. +// For convenience, an empty string is returned if the path is empty. +func ReadPassphraseFile(path string) (string, error) { + if path == "" { + return "", nil + } + + logrus.Debugf("Reading user-specified passphrase for signing from %s", path) + + ppf, err := os.Open(path) + if err != nil { + return "", err + } + defer ppf.Close() + + // Read the *first* line in the passphrase file, just as gpg(1) does. + buf, err := bufio.NewReader(ppf).ReadBytes('\n') + if err != nil && !errors.Is(err, io.EOF) { + return "", fmt.Errorf("reading passphrase file: %w", err) + } + + return strings.TrimSuffix(string(buf), "\n"), nil +} diff --git a/vendor/modules.txt b/vendor/modules.txt index 9dc401f60..2a1beb611 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -210,6 +210,7 @@ github.com/containers/image/v5/pkg/blobinfocache/boltdb github.com/containers/image/v5/pkg/blobinfocache/internal/prioritize github.com/containers/image/v5/pkg/blobinfocache/memory github.com/containers/image/v5/pkg/blobinfocache/none +github.com/containers/image/v5/pkg/cli github.com/containers/image/v5/pkg/compression github.com/containers/image/v5/pkg/compression/internal github.com/containers/image/v5/pkg/compression/types -- cgit v1.2.3-54-g00ecf