opensource/podman
1
0
Fork 0
mirror of https://github.com/containers/podman.git synced 2025-06-11 01:58:37 +08:00
Code Issues Packages Projects Releases Wiki Activity

Add (podman {image,manifest} push --sign-by-sigstore=param-file.yaml)

Browse Source 
(podman push) and (podman manifest push) now support --sign-by-sigstore=param-file,
using the containers-sigstore-signing-params.yaml(5) file format.

That notably adds support for Fulcio and Rekor signing.

Signed-off-by: Miloslav Trmač <mitr@redhat.com>
This commit is contained in:
Miloslav Trmač
2023-01-12 00:14:42 +01:00
parent 356f7b6c9d
commit 069edc3adf
287 changed files with 61247 additions and 19 deletions
cmd/podman
common
sign.go
images
push.go
manifest
push.go
docs/source/markdown
podman-manifest-push.1.md.inpodman-push.1.md.in
go.modgo.sum
pkg/domain
entities
images.go
infra
abi
images.gomanifest.go
tunnel
images.gomanifest.go
test/e2e
common_test.gopush_test.go
testdata
sigstore-registries.d-fragment.yamlsigstore-signing-params.yaml
vendor
github.com
containers/image/v5
pkg/cli/sigstore
params
sigstore.go
sigstore.go
signature/sigstore
fulcio
fulcio.go
rekor
leveled_logger.gorekor.go
coreos/go-oidc/v3
LICENSENOTICE
oidc
jose.gojwks.gooidc.goverify.go
go-jose/go-jose/v3
.gitignore.golangci.yml.travis.ymlBUG-BOUNTY.mdCONTRIBUTING.mdLICENSEREADME.mdasymmetric.go
cipher
cbc_hmac.goconcat_kdf.goecdh_es.gokey_wrap.go
crypter.godoc.goencoding.go
json
LICENSEREADME.mddecode.goencode.goindent.goscanner.gostream.gotags.go
jwe.gojwk.gojws.goopaque.goshared.gosigning.gosymmetric.go
go-openapi/runtime
client
auth_info.gokeepalive.goopentracing.gorequest.goresponse.goruntime.go
logger
logger.gostandard.go
middleware
context.go
denco
LICENSEREADME.mdrouter.goserver.goutil.go
doc.gogo18.go
header
header.go
negotiate.gonot_implemented.gooperation.goparameter.gopre_go18.gorapidoc.goredoc.gorequest.gorouter.gosecurity.gospec.goswaggerui.go
untyped
api.go
validation.go
security
authenticator.goauthorizer.go
yamlpc
yaml.go
go-playground
locales
.gitignore.travis.ymlLICENSEREADME.md
currency
currency.go
logo.pngrules.go
universal-translator
.gitignore.travis.ymlLICENSEMakefileREADME.mderrors.goimport_export.gologo.pngtranslator.gouniversal_translator.go
validator/v10
.gitignoreLICENSEMAINTAINERS.mdMakefileREADME.mdbaked_in.gocache.gocountry_codes.gocurrency_codes.godoc.goerrors.gofield_level.gologo.pngpostcode_regexes.goregexes.gostruct_level.gotranslations.goutil.govalidator.govalidator_instance.go
google/trillian
.gitignore.golangci.yamlAUTHORSBUILD.bazelCHANGELOG.mdCODEOWNERSCONTRIBUTING.mdCONTRIBUTORSLICENSEPULL_REQUEST_TEMPLATE.mdREADME.mdcloudbuild.yamlcloudbuild_master.yamlcloudbuild_pr.yamlcloudbuild_tag.yamlcodecov.ymlgen.gotrillian.pb.gotrillian.prototrillian_admin_api.pb.gotrillian_admin_api.prototrillian_admin_api_grpc.pb.gotrillian_log_api.pb.gotrillian_log_api.prototrillian_log_api_grpc.pb.go
types
internal/tls
tls.go
logroot.go
hashicorp
go-cleanhttp
LICENSEREADME.mdcleanhttp.godoc.gohandlers.go
go-retryablehttp
.gitignoreLICENSEMakefileREADME.mdclient.goroundtripper.go
leodido/go-urn
.gitignore.travis.ymlLICENSEREADME.mdmachine.gomachine.go.rlmakefileurn.go
opentracing/opentracing-go
.gitignore.travis.ymlCHANGELOG.mdLICENSEMakefileREADME.mdext.go
ext
field.gotags.go
globaltracer.gogocontext.go
log
field.goutil.go
noop.gopropagation.gospan.gotracer.go
segmentio/ksuid
.gitignoreLICENSE.mdREADME.mdbase62.goksuid.gorand.gosequence.goset.gouint128.go
sigstore
fulcio/pkg/api
client.go
rekor/pkg
client
options.gorekor_client.go
generated/client
entries
create_log_entry_parameters.gocreate_log_entry_responses.goentries_client.goget_log_entry_by_index_parameters.goget_log_entry_by_index_responses.goget_log_entry_by_uuid_parameters.goget_log_entry_by_uuid_responses.gosearch_log_query_parameters.gosearch_log_query_responses.go
index
index_client.gosearch_index_parameters.gosearch_index_responses.go
pubkey
get_public_key_parameters.goget_public_key_responses.gopubkey_client.go
rekor_client.go
tlog
get_log_info_parameters.goget_log_info_responses.goget_log_proof_parameters.goget_log_proof_responses.gotlog_client.go
util
checkpoint.gofetch.gopubkey.gosha.gosigned_note.gotimestamp_note.govalidate.go
sigstore/pkg
oauth
doc.gointeractive.go
oauthflow
device.godoc.goflow.gointeractive.gopkce.go
skratchdot/open-golang
LICENSE
open
exec.goexec_darwin.goexec_windows.goopen.go
golang.org/x
mod/sumdb/note
note.go
net/context/ctxhttp
ctxhttp.go
oauth2
.travis.ymlCONTRIBUTING.mdLICENSEREADME.md
internal
client_appengine.godoc.gooauth2.gotoken.gotransport.go
oauth2.gotoken.gotransport.go
google.golang.org
appengine
LICENSE
internal
api.goapi_classic.goapi_common.goapp_id.go
base
api_base.pb.goapi_base.proto
datastore
datastore_v3.pb.godatastore_v3.proto
identity.goidentity_classic.goidentity_flex.goidentity_vm.gointernal.go
log
log_service.pb.golog_service.proto
main.gomain_common.gomain_vm.gometadata.gonet.goregen.sh
remote_api
remote_api.pb.goremote_api.proto
transaction.go
urlfetch
urlfetch_service.pb.gourlfetch_service.proto
urlfetch
urlfetch.go
protobuf/types/known/fieldmaskpb
field_mask.pb.go
modules.txt

5
docs/source/markdown/podman-manifest-push.1.md.in

@ -49,6 +49,11 @@ Delete the manifest list or image index from local storage if pushing succeeds.
Sign the pushed images with a “simple signing” signature using the specified key. (This option is not available with the remote Podman client, including Mac and Windows (excluding WSL2) machines)
#### **--sign-by-sigstore**=*param-file***
Add a sigstore signature based on further options specified in a containers sigstore signing parameter file *param-file*.
See containers-sigstore-signing-params.yaml(5) for details about the file format.
#### **--sign-by-sigstore-private-key**=*path*
Sign the pushed images with a sigstore signature using a private key at the specified path. (This option is not available with the remote Podman client, including Mac and Windows (excluding WSL2) machines)

5
docs/source/markdown/podman-push.1.md.in

@ -87,6 +87,11 @@ Discard any pre-existing signatures in the image.
Add a “simple signing” signature at the destination using the specified key. (This option is not available with the remote Podman client, including Mac and Windows (excluding WSL2) machines)
#### **--sign-by-sigstore**=*param-file***
Add a sigstore signature based on further options specified in a containers sigstore signing parameter file *param-file*.
See containers-sigstore-signing-params.yaml(5) for details about the file format.
#### **--sign-by-sigstore-private-key**=*path*
Add a sigstore signature at the destination using a private key at the specified path. (This option is not available with the remote Podman client, including Mac and Windows (excluding WSL2) machines)