Support (image trust show) for sigstoreSigned entries

sigstoreSigned does not have GPG IDs, so we add N/A in that column. NOTE: this does not show the use-sigstore-attachments value from registries.d. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
2022-08-24 20:51:13 +02:00 · 2022-08-24 20:51:13 +02:00 · 752eceaecc
parent b36a1d1b79
commit 752eceaecc
3 changed files with 79 additions and 9 deletions
--- a/pkg/trust/policy.go
+++ b/pkg/trust/policy.go
@ -130,7 +130,7 @@ func getPolicy(policyPath string) (policyContent, error) {
 	return policyContentStruct, nil
 }

-var typeDescription = map[string]string{"insecureAcceptAnything": "accept", "signedBy": "signed", "reject": "reject"}
+var typeDescription = map[string]string{"insecureAcceptAnything": "accept", "signedBy": "signed", "sigstoreSigned": "sigstoreSigned", "reject": "reject"}

 func trustTypeDescription(trustType string) string {
 	trustDescription, exist := typeDescription[trustType]
--- a/pkg/trust/trust.go
+++ b/pkg/trust/trust.go
@ -100,15 +100,23 @@ func descriptionsOfPolicyRequirements(reqs []repoContent, template Policy, regis
 		entry := template
 		entry.Type = trustTypeDescription(repoele.Type)

-		uids := []string{}
-		if len(repoele.KeyPath) > 0 {
-			uids = append(uids, idReader(repoele.KeyPath)...)
+		var gpgIDString string
+		switch repoele.Type {
+		case "signedBy":
+			uids := []string{}
+			if len(repoele.KeyPath) > 0 {
+				uids = append(uids, idReader(repoele.KeyPath)...)
+			}
+			if len(repoele.KeyData) > 0 {
+				uids = append(uids, getGPGIdFromKeyData(idReader, repoele.KeyData)...)
+			}
+			gpgIDString = strings.Join(uids, ", ")
+
+		case "sigstoreSigned":
+			gpgIDString = "N/A" // We could potentially return key fingerprints here, but they would not be _GPG_ fingerprints.
 		}
-		if len(repoele.KeyData) > 0 {
-			uids = append(uids, getGPGIdFromKeyData(idReader, repoele.KeyData)...)
-		}
-		entry.GPGId = strings.Join(uids, ", ")
-		entry.SignatureStore = lookasidePath
+		entry.GPGId = gpgIDString
+		entry.SignatureStore = lookasidePath // We do this even for sigstoreSigned and things like type: reject, to show that the sigstore is being read.
 		res = append(res, &entry)
 	}

--- a/pkg/trust/trust_test.go
+++ b/pkg/trust/trust_test.go
@ -45,6 +45,10 @@ func TestPolicyDescription(t *testing.T) {
 							xNewPRSignedByKeyPath(t, "/1.pub", signature.NewPRMMatchRepoDigestOrExact()),
 							xNewPRSignedByKeyPath(t, "/2,3.pub", signature.NewPRMMatchRepoDigestOrExact()),
 						},
+						"quay.io/sigstore-signed": {
+							xNewPRSigstoreSignedKeyPath(t, "/1.pub", signature.NewPRMMatchRepoDigestOrExact()),
+							xNewPRSigstoreSignedKeyPath(t, "/2.pub", signature.NewPRMMatchRepoDigestOrExact()),
+						},
 					},
 				},
 			},
@ -77,6 +81,22 @@ func TestPolicyDescription(t *testing.T) {
 					SignatureStore: "https://quay.example.com/sigstore",
 					GPGId:          "2, 3",
 				},
+				{
+					Transport:      "repository",
+					Name:           "quay.io/sigstore-signed",
+					RepoName:       "quay.io/sigstore-signed",
+					Type:           "sigstoreSigned",
+					SignatureStore: "",
+					GPGId:          "N/A",
+				},
+				{
+					Transport:      "repository",
+					Name:           "quay.io/sigstore-signed",
+					RepoName:       "quay.io/sigstore-signed",
+					Type:           "sigstoreSigned",
+					SignatureStore: "",
+					GPGId:          "N/A",
+				},
 				{
 					Transport:      "repository",
 					Name:           "registry.redhat.io",
@ -215,6 +235,30 @@ func TestDescriptionsOfPolicyRequirements(t *testing.T) {
 					GPGId:          "2, 3",
 				},
 			},
+		}, {
+			"quay.io/sigstore-signed",
+			signature.PolicyRequirements{
+				xNewPRSigstoreSignedKeyPath(t, "/1.pub", signature.NewPRMMatchRepoDigestOrExact()),
+				xNewPRSigstoreSignedKeyPath(t, "/2.pub", signature.NewPRMMatchRepoDigestOrExact()),
+			},
+			[]*Policy{
+				{
+					Transport:      "transport",
+					Name:           "name",
+					RepoName:       "repoName",
+					Type:           "sigstoreSigned",
+					SignatureStore: "",
+					GPGId:          "N/A",
+				},
+				{
+					Transport:      "transport",
+					Name:           "name",
+					RepoName:       "repoName",
+					Type:           "sigstoreSigned",
+					SignatureStore: "",
+					GPGId:          "N/A",
+				},
+			},
 		},
 		{ // Multiple kinds of requirements are represented individually.
 			"registry.redhat.io",
@ -224,6 +268,8 @@ func TestDescriptionsOfPolicyRequirements(t *testing.T) {
 				xNewPRSignedByKeyPath(t, "/redhat.pub", signature.NewPRMMatchRepoDigestOrExact()),
 				xNewPRSignedByKeyPath(t, "/1.pub", signature.NewPRMMatchRepoDigestOrExact()),
 				xNewPRSignedByKeyPath(t, "/2,3.pub", signature.NewPRMMatchRepoDigestOrExact()),
+				xNewPRSigstoreSignedKeyPath(t, "/1.pub", signature.NewPRMMatchRepoDigestOrExact()),
+				xNewPRSigstoreSignedKeyPath(t, "/2.pub", signature.NewPRMMatchRepoDigestOrExact()),
 			},
 			[]*Policy{
 				{
@ -264,6 +310,22 @@ func TestDescriptionsOfPolicyRequirements(t *testing.T) {
 					SignatureStore: "https://registry.redhat.io/containers/sigstore",
 					GPGId:          "2, 3",
 				},
+				{
+					Transport:      "transport",
+					Name:           "name",
+					RepoName:       "repoName",
+					Type:           "sigstoreSigned",
+					SignatureStore: "https://registry.redhat.io/containers/sigstore",
+					GPGId:          "N/A",
+				},
+				{
+					Transport:      "transport",
+					Name:           "name",
+					RepoName:       "repoName",
+					Type:           "sigstoreSigned",
+					SignatureStore: "https://registry.redhat.io/containers/sigstore",
+					GPGId:          "N/A",
+				},
 			},
 		},
 	} {