Add --sign-by-sq-fingerprint to push operations

This adds a new feature that allows signing using Sequoia-backed keys. The existing options to sign using GPG-backed keys (and sigstore) remain unchanged, and continue to use the same backends as usual. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
2025-11-30 01:58:46 +08:00 · 2025-07-11 17:54:50 +02:00
parent 2f005b67f4
commit 9e2850d0a8
25 changed files with 365 additions and 16 deletions
--- a/test/e2e/common_test.go
+++ b/test/e2e/common_test.go
@@ -1309,8 +1309,8 @@ func (p *PodmanTestIntegration) removeNetwork(name string) {

 // generatePolicyFile generates a signature verification policy file.
 // it returns the policy file path.
-func generatePolicyFile(tempDir string, port int) string {
-	keyPath := filepath.Join(tempDir, "key.gpg")
+func generatePolicyFile(tempDir string, port int, sequoiaKeyPath string) string {
+	gpgKeyPath := filepath.Join(tempDir, "key.gpg")
 	policyPath := filepath.Join(tempDir, "policy.json")
 	conf := fmt.Sprintf(`
 {
@@ -1339,11 +1339,18 @@ func generatePolicyFile(tempDir string, port int) string {
                    "type": "sigstoreSigned",
                    "keyPath": "testdata/sigstore-key.pub"
                }
+            ],
+            "localhost:%[1]d/simple-sq-signed": [
+                {
+                    "type": "signedBy",
+                    "keyType": "GPGKeys",
+                    "keyPath": "%[3]s"
+                }
            ]
        }
    }
 }
-`, port, keyPath)
+`, port, gpgKeyPath, sequoiaKeyPath)
 	writeConf([]byte(conf), policyPath)
 	return policyPath
 }