sigstoreSigned does not have GPG IDs, so we add N/A in that column.
NOTE: this does not show the use-sigstore-attachments value from
registries.d.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
Currently
- the output uses the first entry's type, even if the requirements are different
(notably signedBy + sigstoreSIgned)
- all public keys IDs are collected to a single line, even if some of them
are interchangeable, and some are required (e.g. two signedBy requirements
could require an image to be signed by (redhatProd OR redhatBeta) AND (vendor1 OR vendor2)
So, stop collapsing the requirements, and return a separate entry for each one. Multiple
GPG IDs on a single line used to mean AND or OR, now they always mean AND.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
Do the registries.d lookup once, separately from building
an entry, so that we can share it across entries.
Also prepare a separate res to allow adding multiple entries.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
Just so that we don't have a boolean-named function returning a struct.
Also reorder the parameters to have the container first, and the lookup
key second.
Shoud not change behavior.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
Now that it is the primary return value of a small function,
the long name only makes reading harder.
Should not change behavior.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
This will evetually allow us to use it for the default scope
as well, which currently uses a simplified version.
Should not change behavior.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
Add at least a basic unit test for the various entry types.
So that we don't have to actually deal with GPG keys and /usr/bin/gpg*,
parametrize the code with a gpgIDReader , and pass a fake one
in the unit test.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
We now have only a few entrypoints that are called externally,
so make the rest private. This will make it more obvious that
we are not breaking any external users.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
This will allow us to write unit tests without setting up the complete Podman runtime
(and without the Linux dependency).
Should not change behavior.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
NOTE: This does not edit the use-sigstore-attachments value
in registries.d, similarly to how (podman image trust set) didn't
set the lookaside paths for simple signing.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
- Also reject public keys with types that don't use them
- Reject unknown trust types
- And add unit tests
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
This will allow us to write unit tests without setting up the complete Podman runtime
(and without the Linux dependency).
Also, actually add a basic smoke test of the core functionality.
Should not change behavior.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
Only process the incoming args[] (which is a single-element array
for some reason) once, and use a semantic variable name for the value
we care about.
Should not change behavior, the only caller already supposedly ensures
that len(args) == 1.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
Split the existing code into policy.go and registries.go,
depending on which files it concerns.
Only moves unchanged code, should not change behavior.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
We can always recover it from git, but it seems to serve
no purpose anyway.
Should not change behavior.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
This is not an easy one to review, sorry.
I went with the version from podman-create. The differences
against podman-run are subtle: apostrophes, whitespace, and
the arg description in the '####' line. Suggestion for review:
run hack/markdown-preprocess-review, then after you finish
with that, cd /tmp/markdown<TAB>/ipc and use your favorite
two-file diff tool to compare podman-run* against zzz*.
I did not even try to combine the podman-build one; that one
is too different.
Signed-off-by: Ed Santiago <santiago@redhat.com>
Two versions: one for container-related commands, one for pods.
The container one is easy: all versions matched, so I made no
changes.
The pod one is hard to review. I went with the pod-clone
version because the pod-create one looks suspicious: it
talks in terms of containers, not pods. It's possible
that I've got it wrong, and that these two cannot be
combined, so please review very carefully. I strongly
recommend using hack/markdown-preprocess-review for this one.
Signed-off-by: Ed Santiago <santiago@redhat.com>
I chose the version from podman-run because it is the most
up-to-date, and most correct wrt current syntax guidelines.
Differences are in arg description, language, and asterisks.
Signed-off-by: Ed Santiago <santiago@redhat.com>
The Linux implementation uses /proc/stat - the FreeBSD equivalent is
quite different where this information is exposed via sysctl.
[NO NEW TESTS NEEDED]
Signed-off-by: Doug Rabson <dfr@rabson.org>
Allow end users to preprocess default environment variables before
injecting them into container using `--env-merge`
Usage
```
podman run -it --rm --env-merge some=${some}-edit --env-merge
some2=${some2}-edit2 myimage sh
```
Closes: https://github.com/containers/podman/issues/15288
Signed-off-by: Aditya R <arajan@redhat.com>
`systemd-tmpfiles` reads "user" configurations in
`/usr/share/user-tmpfiles.d` when `--user` mode is set.
User unit `systemd-tmpfiles-setup.service` can be enabled to alias
rootless socket through systemd-tmpfiles.
Signed-off-by: SeongChan Lee <foriequal@gmail.com>
Rootless Docker daemon exposes its API socket on
`$XDG_RUNTIME_DIR/docker.sock`. On tmpfiles.d, `%t` is same as
`$XDG_RUNTIME_DIR` in `--user` mode, and `/run` otherwise.
We can reuse the same config file for both mode with this change.
Signed-off-by: SeongChan Lee <foriequal@gmail.com>
This commit includes the initial addition of a .packit.yaml which will
run scratch builds for active Fedora releases which get the latest
Podman using Fedora's official packaging sources.
More packit integration to come in the future.
[NO NEW TESTS NEEDED]
Signed-off-by: Lokesh Mandvekar <lsm5@fedoraproject.org>
