Merge pull request #20879 from containers/renovate/common-image-and-storage-deps

fix(deps): update github.com/containers/image/v5 digest to 671ab94
2025-05-21 09:05:56 +08:00 · 2023-12-04 01:57:04 +00:00
parent 8b4235a553 6efba48e22
commit 2a28f3bc73
11 changed files with 121 additions and 4 deletions
--- a/vendor/github.com/containers/image/v5/signature/fulcio_cert.go
+++ b/vendor/github.com/containers/image/v5/signature/fulcio_cert.go
@ -1,3 +1,6 @@
+//go:build !containers_image_fulcio_stub
+// +build !containers_image_fulcio_stub
+
 package signature

 import (
--- a/vendor/github.com/containers/image/v5/signature/fulcio_cert_stub.go
+++ b/vendor/github.com/containers/image/v5/signature/fulcio_cert_stub.go
@ -0,0 +1,28 @@
+//go:build containers_image_fulcio_stub
+// +build containers_image_fulcio_stub
+
+package signature
+
+import (
+	"crypto"
+	"crypto/ecdsa"
+	"crypto/x509"
+	"errors"
+)
+
+type fulcioTrustRoot struct {
+	caCertificates *x509.CertPool
+	oidcIssuer     string
+	subjectEmail   string
+}
+
+func (f *fulcioTrustRoot) validate() error {
+	return errors.New("fulcio disabled at compile-time")
+}
+
+func verifyRekorFulcio(rekorPublicKey *ecdsa.PublicKey, fulcioTrustRoot *fulcioTrustRoot, untrustedRekorSET []byte,
+	untrustedCertificateBytes []byte, untrustedIntermediateChainBytes []byte, untrustedBase64Signature string,
+	untrustedPayloadBytes []byte) (crypto.PublicKey, error) {
+	return nil, errors.New("fulcio diabled at compile-time")
+
+}
--- a/vendor/github.com/containers/image/v5/signature/internal/rekor_set.go
+++ b/vendor/github.com/containers/image/v5/signature/internal/rekor_set.go
@ -1,3 +1,6 @@
+//go:build !containers_image_rekor_stub
+// +build !containers_image_rekor_stub
+
 package internal

 import (
--- a/vendor/github.com/containers/image/v5/signature/internal/rekor_set_stub.go
+++ b/vendor/github.com/containers/image/v5/signature/internal/rekor_set_stub.go
@ -0,0 +1,15 @@
+//go:build containers_image_rekor_stub
+// +build containers_image_rekor_stub
+
+package internal
+
+import (
+	"crypto/ecdsa"
+	"time"
+)
+
+// VerifyRekorSET verifies that unverifiedRekorSET is correctly signed by publicKey and matches the rest of the data.
+// Returns bundle upload time on success.
+func VerifyRekorSET(publicKey *ecdsa.PublicKey, unverifiedRekorSET []byte, unverifiedKeyOrCertBytes []byte, unverifiedBase64Signature string, unverifiedPayloadBytes []byte) (time.Time, error) {
+	return time.Time{}, NewInvalidSignatureError("rekor disabled at compile-time")
+}
--- a/vendor/github.com/containers/image/v5/signature/sigstore/fulcio/fulcio.go
+++ b/vendor/github.com/containers/image/v5/signature/sigstore/fulcio/fulcio.go
@ -1,3 +1,6 @@
+//go:build !containers_image_fulcio_stub
+// +build !containers_image_fulcio_stub
+
 package fulcio

 import (
--- a/vendor/github.com/containers/image/v5/signature/sigstore/fulcio/fulcio_stub.go
+++ b/vendor/github.com/containers/image/v5/signature/sigstore/fulcio/fulcio_stub.go
@ -0,0 +1,45 @@
+//go:build containers_image_fulcio_stub
+// +build containers_image_fulcio_stub
+
+package fulcio
+
+import (
+	"fmt"
+	"io"
+	"net/url"
+
+	"github.com/containers/image/v5/signature/sigstore/internal"
+)
+
+func WithFulcioAndPreexistingOIDCIDToken(fulcioURL *url.URL, oidcIDToken string) internal.Option {
+	return func(s *internal.SigstoreSigner) error {
+		return fmt.Errorf("fulcio disabled at compile time")
+	}
+}
+
+// WithFulcioAndDeviceAuthorizationGrantOIDC sets up signing to use a short-lived key and a Fulcio-issued certificate
+// based on an OIDC ID token obtained using a device authorization grant (RFC 8628).
+//
+// interactiveOutput must be directly accessible to a human user in real time (i.e. not be just a log file).
+func WithFulcioAndDeviceAuthorizationGrantOIDC(fulcioURL *url.URL, oidcIssuerURL *url.URL, oidcClientID, oidcClientSecret string,
+	interactiveOutput io.Writer) internal.Option {
+	return func(s *internal.SigstoreSigner) error {
+		return fmt.Errorf("fulcio disabled at compile time")
+	}
+}
+
+// WithFulcioAndInterativeOIDC sets up signing to use a short-lived key and a Fulcio-issued certificate
+// based on an interactively-obtained OIDC ID token.
+// The token is obtained
+//   - directly using a browser, listening on localhost, automatically opening a browser to the OIDC issuer,
+//     to be redirected on localhost. (I.e. the current environment must allow launching a browser that connect back to the current process;
+//     either or both may be impossible in a container or a remote VM).
+//   - or by instructing the user to manually open a browser, obtain the OIDC code, and interactively input it as text.
+//
+// interactiveInput and interactiveOutput must both be directly operable by a human user in real time (i.e. not be just a log file).
+func WithFulcioAndInteractiveOIDC(fulcioURL *url.URL, oidcIssuerURL *url.URL, oidcClientID, oidcClientSecret string,
+	interactiveInput io.Reader, interactiveOutput io.Writer) internal.Option {
+	return func(s *internal.SigstoreSigner) error {
+		return fmt.Errorf("fulcio disabled at compile time")
+	}
+}
--- a/vendor/github.com/containers/image/v5/signature/sigstore/rekor/rekor.go
+++ b/vendor/github.com/containers/image/v5/signature/sigstore/rekor/rekor.go
@ -1,3 +1,6 @@
+//go:build !containers_image_rekor_stub
+// +build !containers_image_rekor_stub
+
 package rekor

 import (
--- a/vendor/github.com/containers/image/v5/signature/sigstore/rekor/rekor_stub.go
+++ b/vendor/github.com/containers/image/v5/signature/sigstore/rekor/rekor_stub.go
@ -0,0 +1,17 @@
+//go:build containers_image_rekor_stub
+// +build containers_image_rekor_stub
+
+package rekor
+
+import (
+	"fmt"
+	"net/url"
+
+	signerInternal "github.com/containers/image/v5/signature/sigstore/internal"
+)
+
+func WithRekor(rekorURL *url.URL) signerInternal.Option {
+	return func(s *signerInternal.SigstoreSigner) error {
+		return fmt.Errorf("rekor disabled at build time")
+	}
+}