Merge pull request #1106 from mtrmac/sigstore-sign

libimage: Allow adding sigstore signatures, and submitting passphrases
2022-07-30 00:10:35 +02:00 · 2022-07-30 00:10:35 +02:00 · 158029d40e
parent f7d334769c 83d3b3c975
commit 158029d40e
3 changed files with 44 additions and 25 deletions
--- a/common/libimage/copier.go
+++ b/common/libimage/copier.go
@ -102,6 +102,13 @@ type CopyOptions struct {
 	// If non-empty, asks for a signature to be added during the copy, and
 	// specifies a key ID.
 	SignBy string
 	// If non-empty, passphrase to use when signing with the key ID from SignBy.
 	SignPassphrase string
 	// If non-empty, asks for a signature to be added during the copy, using
 	// a sigstore private key file at the provided path.
 	SignBySigstorePrivateKeyFile string
 	// Passphrase to use when signing with SignBySigstorePrivateKeyFile.
 	SignSigstorePrivateKeyPassphrase []byte
 	// Remove any pre-existing signatures. SignBy will still add a new
 	// signature.
 	RemoveSignatures bool
@ -293,6 +300,9 @@ func (r *Runtime) newCopier(options *CopyOptions) (*copier, error) {
 	c.imageCopyOptions.OciDecryptConfig = options.OciDecryptConfig
 	c.imageCopyOptions.RemoveSignatures = options.RemoveSignatures
 	c.imageCopyOptions.SignBy = options.SignBy
 	c.imageCopyOptions.SignPassphrase = options.SignPassphrase
 	c.imageCopyOptions.SignBySigstorePrivateKeyFile = options.SignBySigstorePrivateKeyFile
 	c.imageCopyOptions.SignSigstorePrivateKeyPassphrase = options.SignSigstorePrivateKeyPassphrase
 	c.imageCopyOptions.ReportWriter = options.Writer
 	defaultContainerConfig, err := config.Default()
--- a/common/libimage/manifest_list.go
+++ b/common/libimage/manifest_list.go
@ -447,14 +447,17 @@ func (m *ManifestList) Push(ctx context.Context, destination string, options *Ma
 	defer copier.close()
 	pushOptions := manifests.PushOptions{
-		Store:              m.image.runtime.store,
+		Store:                            m.image.runtime.store,
-		SystemContext:      copier.systemContext,
+		SystemContext:                    copier.systemContext,
-		ImageListSelection: options.ImageListSelection,
+		ImageListSelection:               options.ImageListSelection,
-		Instances:          options.Instances,
+		Instances:                        options.Instances,
-		ReportWriter:       options.Writer,
+		ReportWriter:                     options.Writer,
-		SignBy:             options.SignBy,
+		SignBy:                           options.SignBy,
-		RemoveSignatures:   options.RemoveSignatures,
+		SignPassphrase:                   options.SignPassphrase,
-		ManifestType:       options.ManifestMIMEType,
+		SignBySigstorePrivateKeyFile:     options.SignBySigstorePrivateKeyFile,
 		SignSigstorePrivateKeyPassphrase: options.SignSigstorePrivateKeyPassphrase,
 		RemoveSignatures:                 options.RemoveSignatures,
 		ManifestType:                     options.ManifestMIMEType,
 	}
 	_, d, err := m.list.Push(ctx, dest, pushOptions)
--- a/common/libimage/manifests/manifests.go
+++ b/common/libimage/manifests/manifests.go
@ -56,15 +56,18 @@ type List interface {
 // PushOptions includes various settings which are needed for pushing the
 // manifest list and its instances.
 type PushOptions struct {
-	Store              storage.Store
+	Store                            storage.Store
-	SystemContext      *types.SystemContext  // github.com/containers/image/types.SystemContext
+	SystemContext                    *types.SystemContext  // github.com/containers/image/types.SystemContext
-	ImageListSelection cp.ImageListSelection // set to either CopySystemImage, CopyAllImages, or CopySpecificImages
+	ImageListSelection               cp.ImageListSelection // set to either CopySystemImage, CopyAllImages, or CopySpecificImages
-	Instances          []digest.Digest       // instances to copy if ImageListSelection == CopySpecificImages
+	Instances                        []digest.Digest       // instances to copy if ImageListSelection == CopySpecificImages
-	ReportWriter       io.Writer             // will be used to log the writing of the list and any blobs
+	ReportWriter                     io.Writer             // will be used to log the writing of the list and any blobs
-	SignBy             string                // fingerprint of GPG key to use to sign images
+	SignBy                           string                // fingerprint of GPG key to use to sign images
-	RemoveSignatures   bool                  // true to discard signatures in images
+	SignPassphrase                   string                // passphrase to use when signing with the key ID from SignBy.
-	ManifestType       string                // the format to use when saving the list - possible options are oci, v2s1, and v2s2
+	SignBySigstorePrivateKeyFile     string                // if non-empty, asks for a signature to be added during the copy, using a sigstore private key file at the provided path.
-	SourceFilter       LookupReferenceFunc   // filter the list source
+	SignSigstorePrivateKeyPassphrase []byte                // passphrase to use when signing with SignBySigstorePrivateKeyFile.
 	RemoveSignatures                 bool                  // true to discard signatures in images
 	ManifestType                     string                // the format to use when saving the list - possible options are oci, v2s1, and v2s2
 	SourceFilter                     LookupReferenceFunc   // filter the list source
 }
 // Create creates a new list containing information about the specified image,
@ -235,14 +238,17 @@ func (l *list) Push(ctx context.Context, dest types.ImageReference, options Push
 		}
 	}
 	copyOptions := &cp.Options{
-		ImageListSelection:    options.ImageListSelection,
+		ImageListSelection:               options.ImageListSelection,
-		Instances:             options.Instances,
+		Instances:                        options.Instances,
-		SourceCtx:             options.SystemContext,
+		SourceCtx:                        options.SystemContext,
-		DestinationCtx:        options.SystemContext,
+		DestinationCtx:                   options.SystemContext,
-		ReportWriter:          options.ReportWriter,
+		ReportWriter:                     options.ReportWriter,
-		RemoveSignatures:      options.RemoveSignatures,
+		RemoveSignatures:                 options.RemoveSignatures,
-		SignBy:                options.SignBy,
+		SignBy:                           options.SignBy,
-		ForceManifestMIMEType: singleImageManifestType,
+		SignPassphrase:                   options.SignPassphrase,
 		SignBySigstorePrivateKeyFile:     options.SignBySigstorePrivateKeyFile,
 		SignSigstorePrivateKeyPassphrase: options.SignSigstorePrivateKeyPassphrase,
 		ForceManifestMIMEType:            singleImageManifestType,
 	}
 	// Copy whatever we were asked to copy.