Add support for showing keyPaths in (podman image trust show)

Signed-off-by: Miloslav Trmač <mitr@redhat.com>
2025-07-02 00:30:00 +08:00 · 2022-08-25 01:02:13 +02:00
parent 752eceaecc
commit a7e88c8dac
5 changed files with 48 additions and 0 deletions
--- a/pkg/trust/policy.go
+++ b/pkg/trust/policy.go
@ -29,6 +29,7 @@ type repoContent struct {
 	Type           string          `json:"type"`
 	KeyType        string          `json:"keyType,omitempty"`
 	KeyPath        string          `json:"keyPath,omitempty"`
+	KeyPaths       []string        `json:"keyPaths,omitempty"`
 	KeyData        string          `json:"keyData,omitempty"`
 	SignedIdentity json.RawMessage `json:"signedIdentity,omitempty"`
 }
--- a/pkg/trust/policy_test.go
+++ b/pkg/trust/policy_test.go
@ -117,6 +117,13 @@ func xNewPRSignedByKeyPath(t *testing.T, keyPath string, signedIdentity signatur
 	return pr
 }

+// xNewPRSignedByKeyPaths is a wrapper for NewPRSignedByKeyPaths which must not fail.
+func xNewPRSignedByKeyPaths(t *testing.T, keyPaths []string, signedIdentity signature.PolicyReferenceMatch) signature.PolicyRequirement {
+	pr, err := signature.NewPRSignedByKeyPaths(signature.SBKeyTypeGPGKeys, keyPaths, signedIdentity)
+	require.NoError(t, err)
+	return pr
+}
+
 // xNewPRSigstoreSignedKeyPath is a wrapper for NewPRSigstoreSignedKeyPath which must not fail.
 func xNewPRSigstoreSignedKeyPath(t *testing.T, keyPath string, signedIdentity signature.PolicyReferenceMatch) signature.PolicyRequirement {
 	pr, err := signature.NewPRSigstoreSignedKeyPath(keyPath, signedIdentity)
--- a/pkg/trust/testdata/redhat.yaml
+++ b/pkg/trust/testdata/redhat.yaml
@ -1,3 +1,5 @@
 docker:
     registry.redhat.io:
         sigstore: https://registry.redhat.io/containers/sigstore
+     registry.access.redhat.com:
+         sigstore: https://registry.redhat.io/containers/sigstore
--- a/pkg/trust/trust.go
+++ b/pkg/trust/trust.go
@ -107,6 +107,9 @@ func descriptionsOfPolicyRequirements(reqs []repoContent, template Policy, regis
 			if len(repoele.KeyPath) > 0 {
 				uids = append(uids, idReader(repoele.KeyPath)...)
 			}
+			for _, path := range repoele.KeyPaths {
+				uids = append(uids, idReader(path)...)
+			}
 			if len(repoele.KeyData) > 0 {
 				uids = append(uids, getGPGIdFromKeyData(idReader, repoele.KeyData)...)
 			}
--- a/pkg/trust/trust_test.go
+++ b/pkg/trust/trust_test.go
@ -41,6 +41,9 @@ func TestPolicyDescription(t *testing.T) {
 						"registry.redhat.io": {
 							xNewPRSignedByKeyPath(t, "/redhat.pub", signature.NewPRMMatchRepoDigestOrExact()),
 						},
+						"registry.access.redhat.com": {
+							xNewPRSignedByKeyPaths(t, []string{"/redhat.pub", "/redhat-beta.pub"}, signature.NewPRMMatchRepoDigestOrExact()),
+						},
 						"quay.io/multi-signed": {
 							xNewPRSignedByKeyPath(t, "/1.pub", signature.NewPRMMatchRepoDigestOrExact()),
 							xNewPRSignedByKeyPath(t, "/2,3.pub", signature.NewPRMMatchRepoDigestOrExact()),
@ -98,6 +101,13 @@ func TestPolicyDescription(t *testing.T) {
 					GPGId:          "N/A",
 				},
 				{
+					Transport:      "repository",
+					Name:           "registry.access.redhat.com",
+					RepoName:       "registry.access.redhat.com",
+					Type:           "signed",
+					SignatureStore: "https://registry.redhat.io/containers/sigstore",
+					GPGId:          "redhat, redhat-beta",
+				}, {
 					Transport:      "repository",
 					Name:           "registry.redhat.io",
 					RepoName:       "registry.redhat.io",
@ -211,6 +221,22 @@ func TestDescriptionsOfPolicyRequirements(t *testing.T) {
 				},
 			},
 		},
+		{
+			"registry.access.redhat.com",
+			signature.PolicyRequirements{
+				xNewPRSignedByKeyPaths(t, []string{"/redhat.pub", "/redhat-beta.pub"}, signature.NewPRMMatchRepoDigestOrExact()),
+			},
+			[]*Policy{
+				{
+					Transport:      "transport",
+					Name:           "name",
+					RepoName:       "repoName",
+					Type:           "signed",
+					SignatureStore: "https://registry.redhat.io/containers/sigstore",
+					GPGId:          "redhat, redhat-beta",
+				},
+			},
+		},
 		{
 			"quay.io/multi-signed",
 			signature.PolicyRequirements{
@ -266,6 +292,7 @@ func TestDescriptionsOfPolicyRequirements(t *testing.T) {
 				signature.NewPRReject(),
 				signature.NewPRInsecureAcceptAnything(),
 				xNewPRSignedByKeyPath(t, "/redhat.pub", signature.NewPRMMatchRepoDigestOrExact()),
+				xNewPRSignedByKeyPaths(t, []string{"/redhat.pub", "/redhat-beta.pub"}, signature.NewPRMMatchRepoDigestOrExact()),
 				xNewPRSignedByKeyPath(t, "/1.pub", signature.NewPRMMatchRepoDigestOrExact()),
 				xNewPRSignedByKeyPath(t, "/2,3.pub", signature.NewPRMMatchRepoDigestOrExact()),
 				xNewPRSigstoreSignedKeyPath(t, "/1.pub", signature.NewPRMMatchRepoDigestOrExact()),
@ -294,6 +321,14 @@ func TestDescriptionsOfPolicyRequirements(t *testing.T) {
 					SignatureStore: "https://registry.redhat.io/containers/sigstore",
 					GPGId:          "redhat",
 				},
+				{
+					Transport:      "transport",
+					Name:           "name",
+					RepoName:       "repoName",
+					Type:           "signed",
+					SignatureStore: "https://registry.redhat.io/containers/sigstore",
+					GPGId:          "redhat, redhat-beta",
+				},
 				{
 					Transport:      "transport",
 					Name:           "name",