mirror of
https://github.com/containers/podman.git
synced 2025-06-25 12:20:42 +08:00

Add new _prefetch helper for fetching and caching images. Use it in a few places, most importantly 120-load.bats where our teardown() now runs 'rmi -af'.

Reason: in #17911 we discovered that podman save + load do not actually preserve the image: annotations and other metadata are lost. This means that a test which runs after 120-load.bats is operating on a different $IMAGE than a test which runs before. This is not a problem except in very obscure corner cases, like one fixed in #18542, but it seems irresponsible to just handwave that issue away.

The _prefetch function uses skopeo for fetching and saving images, because skopeo preserves digests and metadata.

[Side note for posterity: I tried amending basic_setup() to always rmi -a + prefetch, instead of the current images -a + rmi unwanted ones. That slowed down system tests by 10 minutes, presumably because loads are much slower than queries. I reverted that change and am documenting it as a reminder of why we do things the way we do.]

Signed-off-by: Ed Santiago <santiago@redhat.com>
59 lines
1.7 KiB
Bash
#!/usr/bin/env bats

load helpers

function setup() {
    skip_if_remote "--sign-by does not work with podman-remote"

    basic_setup

    export _GNUPGHOME_TMP=$PODMAN_TMPDIR/.gnupg
    mkdir --mode=0700 $_GNUPGHOME_TMP $PODMAN_TMPDIR/signatures

    cat >$PODMAN_TMPDIR/keydetails <<EOF
    %echo Generating a basic OpenPGP key
    Key-Type: RSA
    Key-Length: 2048
    Subkey-Type: RSA
    Subkey-Length: 2048
    Name-Real: Foo
    Name-Comment: Foo
    Name-Email: foo@bar.com
    Expire-Date: 0
    %no-ask-passphrase
    %no-protection
    # Do a commit here, so that we can later print "done" :-)
    %commit
    %echo done
EOF
    GNUPGHOME=$_GNUPGHOME_TMP gpg --verbose --batch --gen-key $PODMAN_TMPDIR/keydetails
}

function check_signature() {
    # This test requires that $IMAGE be 100% the same as the registry one
    run_podman rmi -a -f
    _prefetch $IMAGE

    local sigfile=$1
    find $PODMAN_TMPDIR/signatures -print
    run_podman inspect --format '{{.Digest}}' $PODMAN_TEST_IMAGE_FQN
    local repodigest=${output/:/=}

    local dir="$PODMAN_TMPDIR/signatures/libpod/${PODMAN_TEST_IMAGE_NAME}@${repodigest}"
    test -d $dir || die "Missing signature directory $dir"
    test -e "$dir/$sigfile" || die "Missing signature file '$sigfile'"

    # Confirm good signature
    run env GNUPGHOME=$_GNUPGHOME_TMP gpg --verify "$dir/$sigfile"
    is "$output" ".*Good signature from .Foo.*<foo@bar.com>" \
       "gpg --verify $sigfile"
}


@test "podman image - sign with no sigfile" {
    GNUPGHOME=$_GNUPGHOME_TMP run_podman image sign --sign-by foo@bar.com --directory $PODMAN_TMPDIR/signatures "containers-storage:$PODMAN_TEST_IMAGE_FQN"
    check_signature "signature-1"
}

# vim: filetype=sh
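
The signature lookup that check_signature performs is keyed on the image digest, which is why the test insists on an image identical to the registry one. The following is an added example, not part of the podman repository: it rebuilds that directory layout with a validated digest and shows that a lookup under any other digest finds nothing. The function names, the repository name, the two digests and the sequential signature-N numbering are assumptions made for the illustration.

```bash
# Added example, not part of the podman test suite. Layout assumed from
# check_signature: <base>/<repo>@sha256=<hex>/signature-N

# Print the directory holding signatures for repo $2 at digest $3 under base $1.
sig_dir() {
    sd_hex=${3#sha256:}
    # Accept only sha256:<64 lowercase hex>; this also keeps "/" and ".."
    # out of the path built below.
    [ "$3" != "$sd_hex" ] && [ "${#sd_hex}" -eq 64 ] || return 2
    case $sd_hex in *[!0-9a-f]*) return 2 ;; esac
    printf '%s/%s@sha256=%s\n' "$1" "$2" "$sd_hex"
}

# List signature-1, signature-2, ... stored for exactly that digest.
# Assumption: files are numbered sequentially from 1, so stop at the first gap.
# Returns 0 if at least one exists, 1 if none, 2 if the digest is malformed.
list_signatures() {
    ls_dir=$(sig_dir "$@") || return 2
    ls_n=1
    while [ -e "$ls_dir/signature-$ls_n" ]; do
        printf '%s\n' "$ls_dir/signature-$ls_n"
        ls_n=$((ls_n + 1))
    done
    [ "$ls_n" -gt 1 ]
}

# Constructed demo: one signature filed under the digest that was signed,
# then a lookup with a different digest for the same repository name.
demo() {
    demo_base=$(mktemp -d) || return 1
    demo_repo=libpod/example-image                      # constructed name
    demo_signed=sha256:$(printf '%064d' 0 | tr 0 a)     # constructed digest
    demo_changed=sha256:$(printf '%064d' 0 | tr 0 b)    # constructed digest
    demo_dir=$(sig_dir "$demo_base" "$demo_repo" "$demo_signed")
    mkdir -p "$demo_dir" && : > "$demo_dir/signature-1"
    list_signatures "$demo_base" "$demo_repo" "$demo_signed"
    echo "signed digest:  rc=$?"
    list_signatures "$demo_base" "$demo_repo" "$demo_changed"
    echo "changed digest: rc=$?"
    rm -rf "$demo_base"
}
demo
```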