Merge pull request #1106 from mtrmac/sigstore-sign

libimage: Allow adding sigstore signatures, and submitting passphrases
OpenShift Merge Robot 2022-07-30 00:10:35 +02:00 committed by GitHub
commit 158029d40e
3 changed files with 44 additions and 25 deletions


@ -102,6 +102,13 @@ type CopyOptions struct {
// If non-empty, asks for a signature to be added during the copy, and
// specifies a key ID.
SignBy string
// If non-empty, passphrase to use when signing with the key ID from SignBy.
SignPassphrase string
// If non-empty, asks for a signature to be added during the copy, using
// a sigstore private key file at the provided path.
SignBySigstorePrivateKeyFile string
// Passphrase to use when signing with SignBySigstorePrivateKeyFile.
SignSigstorePrivateKeyPassphrase []byte
// Remove any pre-existing signatures. SignBy will still add a new
// signature.
RemoveSignatures bool
@ -293,6 +300,9 @@ func (r *Runtime) newCopier(options *CopyOptions) (*copier, error) {
c.imageCopyOptions.OciDecryptConfig = options.OciDecryptConfig
c.imageCopyOptions.RemoveSignatures = options.RemoveSignatures
c.imageCopyOptions.SignBy = options.SignBy
c.imageCopyOptions.SignPassphrase = options.SignPassphrase
c.imageCopyOptions.SignBySigstorePrivateKeyFile = options.SignBySigstorePrivateKeyFile
c.imageCopyOptions.SignSigstorePrivateKeyPassphrase = options.SignSigstorePrivateKeyPassphrase
c.imageCopyOptions.ReportWriter = options.Writer
defaultContainerConfig, err := config.Default()
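Review bot: The two new passphrase fields put secret material into CopyOptions with no warning in their comments, and they use different types (`SignPassphrase string`, `SignSigstorePrivateKeyPassphrase []byte`), so only the sigstore one can be wiped by the caller after use. The types presumably mirror c.imageCopyOptions, so this is a documentation request: add to both fields something like `// Secret: do not log or serialize CopyOptions while this is set.`, and note on the []byte field that newCopier stores the caller's slice without copying it. The same fields are forwarded in ManifestList.Push and in PushOptions / list.Push in the other two files, where the same comment applies. Separately, the RemoveSignatures comment still reads "SignBy will still add a new signature" and should now also name SignBySigstorePrivateKeyFile. newCopier's body starts and ends outside the hunk.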


@ -453,6 +453,9 @@ func (m *ManifestList) Push(ctx context.Context, destination string, options *Ma
Instances: options.Instances,
ReportWriter: options.Writer,
SignBy: options.SignBy,
SignPassphrase: options.SignPassphrase,
SignBySigstorePrivateKeyFile: options.SignBySigstorePrivateKeyFile,
SignSigstorePrivateKeyPassphrase: options.SignSigstorePrivateKeyPassphrase,
RemoveSignatures: options.RemoveSignatures,
ManifestType: options.ManifestMIMEType,
}


@ -62,6 +62,9 @@ type PushOptions struct {
Instances []digest.Digest // instances to copy if ImageListSelection == CopySpecificImages
ReportWriter io.Writer // will be used to log the writing of the list and any blobs
SignBy string // fingerprint of GPG key to use to sign images
SignPassphrase string // passphrase to use when signing with the key ID from SignBy.
SignBySigstorePrivateKeyFile string // if non-empty, asks for a signature to be added during the copy, using a sigstore private key file at the provided path.
SignSigstorePrivateKeyPassphrase []byte // passphrase to use when signing with SignBySigstorePrivateKeyFile.
RemoveSignatures bool // true to discard signatures in images
ManifestType string // the format to use when saving the list - possible options are oci, v2s1, and v2s2
SourceFilter LookupReferenceFunc // filter the list source
@ -242,6 +245,9 @@ func (l *list) Push(ctx context.Context, dest types.ImageReference, options Push
ReportWriter: options.ReportWriter,
RemoveSignatures: options.RemoveSignatures,
SignBy: options.SignBy,
SignPassphrase: options.SignPassphrase,
SignBySigstorePrivateKeyFile: options.SignBySigstorePrivateKeyFile,
SignSigstorePrivateKeyPassphrase: options.SignSigstorePrivateKeyPassphrase,
ForceManifestMIMEType: singleImageManifestType,
}
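Review bot: list.Push forwards SignPassphrase and SignSigstorePrivateKeyPassphrase unconditionally, so a caller who sets a passphrase but leaves SignBy or SignBySigstorePrivateKeyFile empty gets no error from this layer; unless the copy code rejects that, a push that was meant to be signed may go out unsigned. Whether the callee validates this is not visible here. Consider rejecting the combination before the options literal is built, with a guard on `options.SignBySigstorePrivateKeyFile == "" && len(options.SignSigstorePrivateKeyPassphrase) > 0` (and the SignBy equivalent), or state in the PushOptions comments that a passphrase without its key is ignored. The field comments also do not say whether SignBy and SignBySigstorePrivateKeyFile may be set together. list.Push starts and ends outside the hunk.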