BREAKING CHANGE: Change how (podman image trust show) represents multiple requirements

Currently - the output uses the first entry's type, even if the requirements are different (notably signedBy + sigstoreSIgned) - all public keys IDs are collected to a single line, even if some of them are interchangeable, and some are required (e.g. two signedBy requirements could require an image to be signed by (redhatProd OR redhatBeta) AND (vendor1 OR vendor2) So, stop collapsing the requirements, and return a separate entry for each one. Multiple GPG IDs on a single line used to mean AND or OR, now they always mean AND. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
2025-05-17 23:26:08 +08:00 · 2022-08-24 20:45:57 +02:00
parent d5f34eac7b
commit 80db448526
2 changed files with 84 additions and 10 deletions
--- a/pkg/trust/trust.go
+++ b/pkg/trust/trust.go
@ -96,21 +96,21 @@ func descriptionsOfPolicyRequirements(reqs []repoContent, template Policy, regis
 		}
 	}

-	entry := template
-	entry.Type = trustTypeDescription(reqs[0].Type)
-	uids := []string{}
 	for _, repoele := range reqs {
+		entry := template
+		entry.Type = trustTypeDescription(repoele.Type)
+
+		uids := []string{}
 		if len(repoele.KeyPath) > 0 {
 			uids = append(uids, idReader(repoele.KeyPath)...)
 		}
 		if len(repoele.KeyData) > 0 {
 			uids = append(uids, getGPGIdFromKeyData(idReader, repoele.KeyData)...)
 		}
+		entry.GPGId = strings.Join(uids, ", ")
+		entry.SignatureStore = lookasidePath
+		res = append(res, &entry)
 	}
-	entry.GPGId = strings.Join(uids, ", ")
-	entry.SignatureStore = lookasidePath
-
-	res = append(res, &entry)

 	return res
 }
--- a/pkg/trust/trust_test.go
+++ b/pkg/trust/trust_test.go
@ -67,7 +67,15 @@ func TestPolicyDescription(t *testing.T) {
 					RepoName:       "quay.io/multi-signed",
 					Type:           "signed",
 					SignatureStore: "https://quay.example.com/sigstore",
-					GPGId:          "1, 2, 3",
+					GPGId:          "1",
+				},
+				{
+					Transport:      "repository",
+					Name:           "quay.io/multi-signed",
+					RepoName:       "quay.io/multi-signed",
+					Type:           "signed",
+					SignatureStore: "https://quay.example.com/sigstore",
+					GPGId:          "2, 3",
 				},
 				{
 					Transport:      "repository",
@ -93,7 +101,15 @@ func TestPolicyDescription(t *testing.T) {
 					RepoName:       "default",
 					Type:           "signed",
 					SignatureStore: "",
-					GPGId:          "1, 2, 3",
+					GPGId:          "1",
+				},
+				{
+					Transport:      "all",
+					Name:           "* (default)",
+					RepoName:       "default",
+					Type:           "signed",
+					SignatureStore: "",
+					GPGId:          "2, 3",
 				},
 			},
 		},
@ -188,7 +204,65 @@ func TestDescriptionsOfPolicyRequirements(t *testing.T) {
 					RepoName:       "repoName",
 					Type:           "signed",
 					SignatureStore: "https://quay.example.com/sigstore",
-					GPGId:          "1, 2, 3",
+					GPGId:          "1",
+				},
+				{
+					Transport:      "transport",
+					Name:           "name",
+					RepoName:       "repoName",
+					Type:           "signed",
+					SignatureStore: "https://quay.example.com/sigstore",
+					GPGId:          "2, 3",
+				},
+			},
+		},
+		{ // Multiple kinds of requirements are represented individually.
+			"registry.redhat.io",
+			signature.PolicyRequirements{
+				signature.NewPRReject(),
+				signature.NewPRInsecureAcceptAnything(),
+				xNewPRSignedByKeyPath(t, "/redhat.pub", signature.NewPRMMatchRepoDigestOrExact()),
+				xNewPRSignedByKeyPath(t, "/1.pub", signature.NewPRMMatchRepoDigestOrExact()),
+				xNewPRSignedByKeyPath(t, "/2,3.pub", signature.NewPRMMatchRepoDigestOrExact()),
+			},
+			[]*Policy{
+				{
+					Transport:      "transport",
+					Name:           "name",
+					RepoName:       "repoName",
+					SignatureStore: "https://registry.redhat.io/containers/sigstore",
+					Type:           "reject",
+				},
+				{
+					Transport:      "transport",
+					Name:           "name",
+					RepoName:       "repoName",
+					SignatureStore: "https://registry.redhat.io/containers/sigstore",
+					Type:           "accept",
+				},
+				{
+					Transport:      "transport",
+					Name:           "name",
+					RepoName:       "repoName",
+					Type:           "signed",
+					SignatureStore: "https://registry.redhat.io/containers/sigstore",
+					GPGId:          "redhat",
+				},
+				{
+					Transport:      "transport",
+					Name:           "name",
+					RepoName:       "repoName",
+					Type:           "signed",
+					SignatureStore: "https://registry.redhat.io/containers/sigstore",
+					GPGId:          "1",
+				},
+				{
+					Transport:      "transport",
+					Name:           "name",
+					RepoName:       "repoName",
+					Type:           "signed",
+					SignatureStore: "https://registry.redhat.io/containers/sigstore",
+					GPGId:          "2, 3",
 				},
 			},
 		},