From 5c95c0920f32b61021395ec2700884d136240de7 Mon Sep 17 00:00:00 2001 From: Miloslav Trmač Date: Fri, 29 Jul 2022 00:08:40 +0200 Subject: Add support for creating sigstore signatures, and providing passphrases MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - Allow creating sigstore signatures via --sign-by-sigstore-private-key . Like existing --sign-by, it does not work remote (in this case because we would have to copy the private key to the server). - Allow passing a passphrase (which is mandatory for sigstore private keys) via --sign-passphrase-file; if it is not provided, prompt interactively. - Also, use that passphrase for --sign-by as well, allowing non-interactive GPG use. (But --sign-passphrase-file can only be used with _one of_ --sign-by and --sign-by-sigstore-private-key.) Note that unlike the existing code, (podman build) does not yet implement sigstore (I'm not sure why it needs to, it seems not to push images?) because Buildah does not expose the feature yet. Also, (podman image sign) was not extended to support sigstore. The test for this follows existing (podman image sign) tests and doesn't work rootless; that could be improved by exposing a registries.d override option. The test for push is getting large; I didn't want to start yet another registry container, but that would be an alternative. In the future, Ginkgo's Ordered/BeforeAll would allow starting a registry once and using it for two tests. Signed-off-by: Miloslav Trmač --- .../containers/image/v5/pkg/cli/passphrase.go | 36 ++++++++++++++++++++++ vendor/modules.txt | 1 + 2 files changed, 37 insertions(+) create mode 100644 vendor/github.com/containers/image/v5/pkg/cli/passphrase.go (limited to 'vendor') diff --git a/vendor/github.com/containers/image/v5/pkg/cli/passphrase.go b/vendor/github.com/containers/image/v5/pkg/cli/passphrase.go new file mode 100644 index 000000000..c46650cdc --- /dev/null +++ b/vendor/github.com/containers/image/v5/pkg/cli/passphrase.go @@ -0,0 +1,36 @@ +package cli + +import ( + "bufio" + "errors" + "fmt" + "io" + "os" + "strings" + + "github.com/sirupsen/logrus" +) + +// ReadPassphraseFile returns the first line of the specified path. +// For convenience, an empty string is returned if the path is empty. +func ReadPassphraseFile(path string) (string, error) { + if path == "" { + return "", nil + } + + logrus.Debugf("Reading user-specified passphrase for signing from %s", path) + + ppf, err := os.Open(path) + if err != nil { + return "", err + } + defer ppf.Close() + + // Read the *first* line in the passphrase file, just as gpg(1) does. + buf, err := bufio.NewReader(ppf).ReadBytes('\n') + if err != nil && !errors.Is(err, io.EOF) { + return "", fmt.Errorf("reading passphrase file: %w", err) + } + + return strings.TrimSuffix(string(buf), "\n"), nil +} diff --git a/vendor/modules.txt b/vendor/modules.txt index 2330107ab..8d23648f0 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -210,6 +210,7 @@ github.com/containers/image/v5/pkg/blobinfocache/boltdb github.com/containers/image/v5/pkg/blobinfocache/internal/prioritize github.com/containers/image/v5/pkg/blobinfocache/memory github.com/containers/image/v5/pkg/blobinfocache/none +github.com/containers/image/v5/pkg/cli github.com/containers/image/v5/pkg/compression github.com/containers/image/v5/pkg/compression/internal github.com/containers/image/v5/pkg/compression/types -- cgit v1.2.3-54-g00ecf