opensource/podman
1
0
Fork 0
mirror of https://github.com/containers/podman.git synced 2025-12-09 23:27:09 +08:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #2040 from QiWang19/signimg

Browse Source 
Support podman image sign
This commit is contained in:
OpenShift Merge Robot
2019-01-09 09:09:10 -08:00
committed by GitHub
parent 7b9d4f1c92 bce22dc621
commit c37f731596
4 changed files with 249 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
cmd/podman/image.go
View File

@@ -20,6 +20,7 @@ var (
saveCommand,
tagCommand,
trustCommand,
signCommand,
}
imageDescription = "Manage images"

194
cmd/podman/sign.go Normal file
View File

@@ -0,0 +1,194 @@
package main
import (
"fmt"
"io/ioutil"
"net/url"
"os"
"strconv"
"strings"
"github.com/containers/image/signature"
"github.com/containers/image/transports"
"github.com/containers/image/transports/alltransports"
"github.com/containers/libpod/cmd/podman/libpodruntime"
"github.com/containers/libpod/libpod/image"
"github.com/containers/libpod/pkg/trust"
"github.com/pkg/errors"
"github.com/sirupsen/logrus"
"github.com/urfave/cli"
)
var (
signFlags = []cli.Flag{
cli.StringFlag{
Name: "sign-by",
Usage: "Name of the signing key",
},
cli.StringFlag{
Name: "directory, d",
Usage: "Define an alternate directory to store signatures",
},
}
signDescription = "Create a signature file that can be used later to verify the image"
signCommand = cli.Command{
Name: "sign",
Usage: "Sign an image",
Description: signDescription,
Flags: sortFlags(signFlags),
Action: signCmd,
ArgsUsage: "IMAGE-NAME [IMAGE-NAME ...]",
OnUsageError: usageErrorHandler,
}
)
// SignatureStoreDir defines default directory to store signatures
const SignatureStoreDir = "/var/lib/containers/sigstore"
func signCmd(c *cli.Context) error {
args := c.Args()
if len(args) < 1 {
return errors.Errorf("at least one image name must be specified")
}
runtime, err := libpodruntime.GetRuntime(c)
if err != nil {
return errors.Wrapf(err, "could not create runtime")
}
defer runtime.Shutdown(false)
signby := c.String("sign-by")
if signby == "" {
return errors.Errorf("You must provide an identity")
}
var sigStoreDir string
if c.IsSet("directory") {
sigStoreDir = c.String("directory")
if _, err := os.Stat(sigStoreDir); err != nil {
return errors.Wrapf(err, "invalid directory %s", sigStoreDir)
}
}
mech, err := signature.NewGPGSigningMechanism()
if err != nil {
return errors.Wrap(err, "Error initializing GPG")
}
defer mech.Close()
if err := mech.SupportsSigning(); err != nil {
return errors.Wrap(err, "Signing is not supported")
}
systemRegistriesDirPath := trust.RegistriesDirPath(runtime.SystemContext())
registryConfigs, err := trust.LoadAndMergeConfig(systemRegistriesDirPath)
if err != nil {
return errors.Wrapf(err, "error reading registry configuration")
}
for _, signimage := range args {
srcRef, err := alltransports.ParseImageName(signimage)
if err != nil {
return errors.Wrapf(err, "error parsing image name")
}
rawSource, err := srcRef.NewImageSource(getContext(), runtime.SystemContext())
if err != nil {
return errors.Wrapf(err, "error getting image source")
}
manifest, _, err := rawSource.GetManifest(getContext(), nil)
if err != nil {
return errors.Wrapf(err, "error getting manifest")
}
dockerReference := rawSource.Reference().DockerReference()
if dockerReference == nil {
return errors.Errorf("Cannot determine canonical Docker reference for destination %s", transports.ImageName(rawSource.Reference()))
}
// create the signstore file
newImage, err := runtime.ImageRuntime().New(getContext(), signimage, runtime.GetConfig().SignaturePolicyPath, "", os.Stderr, nil, image.SigningOptions{SignBy: signby}, false)
if err != nil {
return errors.Wrapf(err, "error pulling image %s", signimage)
}
registryInfo := trust.HaveMatchRegistry(rawSource.Reference().DockerReference().String(), registryConfigs)
if registryInfo != nil {
if sigStoreDir == "" {
sigStoreDir = registryInfo.SigStoreStaging
if sigStoreDir == "" {
sigStoreDir = registryInfo.SigStore
}
}
sigStoreDir, err = isValidSigStoreDir(sigStoreDir)
if err != nil {
return errors.Wrapf(err, "invalid signature storage %s", sigStoreDir)
}
}
if sigStoreDir == "" {
sigStoreDir = SignatureStoreDir
}
repos := newImage.RepoDigests()
if len(repos) == 0 {
logrus.Errorf("no repodigests associated with the image %s", signimage)
continue
}
// create signature
newSig, err := signature.SignDockerManifest(manifest, dockerReference.String(), mech, signby)
if err != nil {
return errors.Wrapf(err, "error creating new signature")
}
sigStoreDir = fmt.Sprintf("%s/%s", sigStoreDir, strings.Replace(repos[0][strings.Index(repos[0], "/")+1:len(repos[0])], ":", "=", 1))
if err := os.MkdirAll(sigStoreDir, 0751); err != nil {
// The directory is allowed to exist
if !os.IsExist(err) {
logrus.Errorf("error creating directory %s: %s", sigStoreDir, err)
continue
}
}
sigFilename, err := getSigFilename(sigStoreDir)
if err != nil {
logrus.Errorf("error creating sigstore file: %v", err)
continue
}
err = ioutil.WriteFile(sigStoreDir+"/"+sigFilename, newSig, 0644)
if err != nil {
logrus.Errorf("error storing signature for %s", rawSource.Reference().DockerReference().String())
continue
}
}
return nil
}
func getSigFilename(sigStoreDirPath string) (string, error) {
sigFileSuffix := 1
sigFiles, err := ioutil.ReadDir(sigStoreDirPath)
if err != nil {
return "", err
}
sigFilenames := make(map[string]bool)
for _, file := range sigFiles {
sigFilenames[file.Name()] = true
}
for {
sigFilename := "signature-" + strconv.Itoa(sigFileSuffix)
if _, exists := sigFilenames[sigFilename]; !exists {
return sigFilename, nil
}
sigFileSuffix++
}
}
func isValidSigStoreDir(sigStoreDir string) (string, error) {
writeURIs := map[string]bool{"file": true}
url, err := url.Parse(sigStoreDir)
if err != nil {
return sigStoreDir, errors.Wrapf(err, "invalid directory %s", sigStoreDir)
}
_, exists := writeURIs[url.Scheme]
if !exists {
return sigStoreDir, errors.Errorf("Writing to %s is not supported. Use a supported scheme", sigStoreDir)
}
sigStoreDir = url.Path
return sigStoreDir, nil
}