opensource/podman
1
0
Fork 0
mirror of https://github.com/containers/podman.git synced 2025-10-31 10:00:01 +08:00
Code Issues Packages Projects Releases Wiki Activity

Add support for creating sigstore signatures, and providing passphrases

Browse Source 
- Allow creating sigstore signatures via --sign-by-sigstore-private-key .
  Like existing --sign-by, it does not work remote (in this case
  because we would have to copy the private key to the server).
- Allow passing a passphrase (which is mandatory for sigstore private keys)
  via --sign-passphrase-file; if it is not provided, prompt interactively.
- Also, use that passphrase for --sign-by as well, allowing non-interactive
  GPG use. (But --sign-passphrase-file can only be used with _one of_
  --sign-by and --sign-by-sigstore-private-key.)

Note that unlike the existing code, (podman build) does not yet
implement sigstore (I'm not sure why it needs to, it seems not to
push images?) because Buildah does not expose the feature yet.

Also, (podman image sign) was not extended to support sigstore.

The test for this follows existing (podman image sign) tests
and doesn't work rootless; that could be improved by exposing
a registries.d override option.

The test for push is getting large; I didn't want to
start yet another registry container, but that would be an
alternative.  In the future, Ginkgo's Ordered/BeforeAll
would allow starting a registry once and using it for two
tests.

Signed-off-by: Miloslav Trmač <mitr@redhat.com>
This commit is contained in:
Miloslav Trmač
2022-07-29 00:08:40 +02:00
parent 7075e2e1d5
commit d462da676c
16 changed files with 206 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

36
vendor/github.com/containers/image/v5/pkg/cli/passphrase.go generated vendored Normal file
View File

@ -0,0 +1,36 @@
package cli
import (
"bufio"
"errors"
"fmt"
"io"
"os"
"strings"
"github.com/sirupsen/logrus"
)
// ReadPassphraseFile returns the first line of the specified path.
// For convenience, an empty string is returned if the path is empty.
func ReadPassphraseFile(path string) (string, error) {
if path == "" {
return "", nil
}
logrus.Debugf("Reading user-specified passphrase for signing from %s", path)
ppf, err := os.Open(path)
if err != nil {
return "", err
}
defer ppf.Close()
// Read the *first* line in the passphrase file, just as gpg(1) does.
buf, err := bufio.NewReader(ppf).ReadBytes('\n')
if err != nil && !errors.Is(err, io.EOF) {
return "", fmt.Errorf("reading passphrase file: %w", err)
}
return strings.TrimSuffix(string(buf), "\n"), nil
}