Merge pull request #20879 from containers/renovate/common-image-and-storage-deps

fix(deps): update github.com/containers/image/v5 digest to 671ab94
2025-05-22 01:27:07 +08:00 · 2023-12-04 01:57:04 +00:00
parent 8b4235a553 6efba48e22
commit 2a28f3bc73
11 changed files with 121 additions and 4 deletions
--- a/go.mod
+++ b/go.mod
@ -15,7 +15,7 @@ require (
 	github.com/containers/common v0.57.1-0.20231130092720-630c929caef9
 	github.com/containers/conmon v2.0.20+incompatible
 	github.com/containers/gvisor-tap-vsock v0.7.1
-	github.com/containers/image/v5 v5.29.1-0.20231130112833-c43036d4fc96
+	github.com/containers/image/v5 v5.29.1-0.20231201205726-671ab94a09ea
 	github.com/containers/libhvee v0.5.0
 	github.com/containers/ocicrypt v1.1.9
 	github.com/containers/psgo v1.8.0
--- a/go.sum
+++ b/go.sum
@ -262,8 +262,8 @@ github.com/containers/conmon v2.0.20+incompatible h1:YbCVSFSCqFjjVwHTPINGdMX1F6J
 github.com/containers/conmon v2.0.20+incompatible/go.mod h1:hgwZ2mtuDrppv78a/cOBNiCm6O0UMWGx1mu7P00nu5I=
 github.com/containers/gvisor-tap-vsock v0.7.1 h1:+Rc+sOPplrkQb/BUXeN0ug8TxjgyrIqo/9P/eNS2A4c=
 github.com/containers/gvisor-tap-vsock v0.7.1/go.mod h1:WSSsjcuYZkvP8i0J+Ht3LF8yvysn3krD5zxQ74wz7y0=
-github.com/containers/image/v5 v5.29.1-0.20231130112833-c43036d4fc96 h1:NeakBfEUoMzlCK1t1xkigEu/p4luDhfPtVLdrlhVhkA=
-github.com/containers/image/v5 v5.29.1-0.20231130112833-c43036d4fc96/go.mod h1:viinaAODpZKsuvRIecjkmgV890VxszevaGiH+m8Qcug=
+github.com/containers/image/v5 v5.29.1-0.20231201205726-671ab94a09ea h1:tsXGDybhfKVnQ3vgsuPYhhNu5VnxNlDdLFwx5X1ruSo=
+github.com/containers/image/v5 v5.29.1-0.20231201205726-671ab94a09ea/go.mod h1:viinaAODpZKsuvRIecjkmgV890VxszevaGiH+m8Qcug=
 github.com/containers/libhvee v0.5.0 h1:rDhfG2NI8Q+VgeXht2dXezanxEdpj9pHqYX3vWfOGUw=
 github.com/containers/libhvee v0.5.0/go.mod h1:yvU3Em2u1ZLl2VLd2glMIBWriBwfhWsDaRJsvixUIB0=
 github.com/containers/libtrust v0.0.0-20230121012942-c1716e8a8d01 h1:Qzk5C6cYglewc+UyGf6lc8Mj2UaPTHy/iF2De0/77CA=
--- a/vendor/github.com/containers/image/v5/signature/fulcio_cert.go
+++ b/vendor/github.com/containers/image/v5/signature/fulcio_cert.go
@ -1,3 +1,6 @@
+//go:build !containers_image_fulcio_stub
+// +build !containers_image_fulcio_stub
+
 package signature

 import (
--- a/vendor/github.com/containers/image/v5/signature/fulcio_cert_stub.go
+++ b/vendor/github.com/containers/image/v5/signature/fulcio_cert_stub.go
@ -0,0 +1,28 @@
+//go:build containers_image_fulcio_stub
+// +build containers_image_fulcio_stub
+
+package signature
+
+import (
+	"crypto"
+	"crypto/ecdsa"
+	"crypto/x509"
+	"errors"
+)
+
+type fulcioTrustRoot struct {
+	caCertificates *x509.CertPool
+	oidcIssuer     string
+	subjectEmail   string
+}
+
+func (f *fulcioTrustRoot) validate() error {
+	return errors.New("fulcio disabled at compile-time")
+}
+
+func verifyRekorFulcio(rekorPublicKey *ecdsa.PublicKey, fulcioTrustRoot *fulcioTrustRoot, untrustedRekorSET []byte,
+	untrustedCertificateBytes []byte, untrustedIntermediateChainBytes []byte, untrustedBase64Signature string,
+	untrustedPayloadBytes []byte) (crypto.PublicKey, error) {
+	return nil, errors.New("fulcio diabled at compile-time")
+
+}
--- a/vendor/github.com/containers/image/v5/signature/internal/rekor_set.go
+++ b/vendor/github.com/containers/image/v5/signature/internal/rekor_set.go
@ -1,3 +1,6 @@
+//go:build !containers_image_rekor_stub
+// +build !containers_image_rekor_stub
+
 package internal

 import (
--- a/vendor/github.com/containers/image/v5/signature/internal/rekor_set_stub.go
+++ b/vendor/github.com/containers/image/v5/signature/internal/rekor_set_stub.go
@ -0,0 +1,15 @@
+//go:build containers_image_rekor_stub
+// +build containers_image_rekor_stub
+
+package internal
+
+import (
+	"crypto/ecdsa"
+	"time"
+)
+
+// VerifyRekorSET verifies that unverifiedRekorSET is correctly signed by publicKey and matches the rest of the data.
+// Returns bundle upload time on success.
+func VerifyRekorSET(publicKey *ecdsa.PublicKey, unverifiedRekorSET []byte, unverifiedKeyOrCertBytes []byte, unverifiedBase64Signature string, unverifiedPayloadBytes []byte) (time.Time, error) {
+	return time.Time{}, NewInvalidSignatureError("rekor disabled at compile-time")
+}
--- a/vendor/github.com/containers/image/v5/signature/sigstore/fulcio/fulcio.go
+++ b/vendor/github.com/containers/image/v5/signature/sigstore/fulcio/fulcio.go
@ -1,3 +1,6 @@
+//go:build !containers_image_fulcio_stub
+// +build !containers_image_fulcio_stub
+
 package fulcio

 import (
--- a/vendor/github.com/containers/image/v5/signature/sigstore/fulcio/fulcio_stub.go
+++ b/vendor/github.com/containers/image/v5/signature/sigstore/fulcio/fulcio_stub.go
@ -0,0 +1,45 @@
+//go:build containers_image_fulcio_stub
+// +build containers_image_fulcio_stub
+
+package fulcio
+
+import (
+	"fmt"
+	"io"
+	"net/url"
+
+	"github.com/containers/image/v5/signature/sigstore/internal"
+)
+
+func WithFulcioAndPreexistingOIDCIDToken(fulcioURL *url.URL, oidcIDToken string) internal.Option {
+	return func(s *internal.SigstoreSigner) error {
+		return fmt.Errorf("fulcio disabled at compile time")
+	}
+}
+
+// WithFulcioAndDeviceAuthorizationGrantOIDC sets up signing to use a short-lived key and a Fulcio-issued certificate
+// based on an OIDC ID token obtained using a device authorization grant (RFC 8628).
+//
+// interactiveOutput must be directly accessible to a human user in real time (i.e. not be just a log file).
+func WithFulcioAndDeviceAuthorizationGrantOIDC(fulcioURL *url.URL, oidcIssuerURL *url.URL, oidcClientID, oidcClientSecret string,
+	interactiveOutput io.Writer) internal.Option {
+	return func(s *internal.SigstoreSigner) error {
+		return fmt.Errorf("fulcio disabled at compile time")
+	}
+}
+
+// WithFulcioAndInterativeOIDC sets up signing to use a short-lived key and a Fulcio-issued certificate
+// based on an interactively-obtained OIDC ID token.
+// The token is obtained
+//   - directly using a browser, listening on localhost, automatically opening a browser to the OIDC issuer,
+//     to be redirected on localhost. (I.e. the current environment must allow launching a browser that connect back to the current process;
+//     either or both may be impossible in a container or a remote VM).
+//   - or by instructing the user to manually open a browser, obtain the OIDC code, and interactively input it as text.
+//
+// interactiveInput and interactiveOutput must both be directly operable by a human user in real time (i.e. not be just a log file).
+func WithFulcioAndInteractiveOIDC(fulcioURL *url.URL, oidcIssuerURL *url.URL, oidcClientID, oidcClientSecret string,
+	interactiveInput io.Reader, interactiveOutput io.Writer) internal.Option {
+	return func(s *internal.SigstoreSigner) error {
+		return fmt.Errorf("fulcio disabled at compile time")
+	}
+}
--- a/vendor/github.com/containers/image/v5/signature/sigstore/rekor/rekor.go
+++ b/vendor/github.com/containers/image/v5/signature/sigstore/rekor/rekor.go
@ -1,3 +1,6 @@
+//go:build !containers_image_rekor_stub
+// +build !containers_image_rekor_stub
+
 package rekor

 import (
--- a/vendor/github.com/containers/image/v5/signature/sigstore/rekor/rekor_stub.go
+++ b/vendor/github.com/containers/image/v5/signature/sigstore/rekor/rekor_stub.go
@ -0,0 +1,17 @@
+//go:build containers_image_rekor_stub
+// +build containers_image_rekor_stub
+
+package rekor
+
+import (
+	"fmt"
+	"net/url"
+
+	signerInternal "github.com/containers/image/v5/signature/sigstore/internal"
+)
+
+func WithRekor(rekorURL *url.URL) signerInternal.Option {
+	return func(s *signerInternal.SigstoreSigner) error {
+		return fmt.Errorf("rekor disabled at build time")
+	}
+}
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@ -234,7 +234,7 @@ github.com/containers/conmon/runner/config
 # github.com/containers/gvisor-tap-vsock v0.7.1
 ## explicit; go 1.20
 github.com/containers/gvisor-tap-vsock/pkg/types
-# github.com/containers/image/v5 v5.29.1-0.20231130112833-c43036d4fc96
+# github.com/containers/image/v5 v5.29.1-0.20231201205726-671ab94a09ea
 ## explicit; go 1.19
 github.com/containers/image/v5/copy
 github.com/containers/image/v5/directory