containers
/
podman
mirror of https://github.com/containers/podman.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Support (image trust show) for sigstoreSigned entries 

sigstoreSigned does not have GPG IDs, so we add N/A in that column.

NOTE: this does not show the use-sigstore-attachments value from
registries.d.

Signed-off-by: Miloslav Trmač <mitr@redhat.com>
This commit is contained in:
Miloslav Trmač 2022-08-24 20:51:13 +02:00
parent b36a1d1b79
commit 752eceaecc
3 changed files with 79 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
pkg/trust/policy.go
View File

@ -130,7 +130,7 @@ func getPolicy(policyPath string) (policyContent, error) {
return policyContentStruct, nil return policyContentStruct, nil
} }
var typeDescription = map[string]string{"insecureAcceptAnything": "accept", "signedBy": "signed", "reject": "reject"} var typeDescription = map[string]string{"insecureAcceptAnything": "accept", "signedBy": "signed", "sigstoreSigned": "sigstoreSigned", "reject": "reject"}
func trustTypeDescription(trustType string) string { func trustTypeDescription(trustType string) string {
trustDescription, exist := typeDescription[trustType] trustDescription, exist := typeDescription[trustType]

24
pkg/trust/trust.go
View File

@ -100,15 +100,23 @@ func descriptionsOfPolicyRequirements(reqs []repoContent, template Policy, regis
entry := template entry := template
entry.Type = trustTypeDescription(repoele.Type) entry.Type = trustTypeDescription(repoele.Type)
uids := []string{} var gpgIDString string
if len(repoele.KeyPath) > 0 { switch repoele.Type {
uids = append(uids, idReader(repoele.KeyPath)...) case "signedBy":
uids := []string{}
if len(repoele.KeyPath) > 0 {
uids = append(uids, idReader(repoele.KeyPath)...)
}
if len(repoele.KeyData) > 0 {
uids = append(uids, getGPGIdFromKeyData(idReader, repoele.KeyData)...)
}
gpgIDString = strings.Join(uids, ", ")
case "sigstoreSigned":
gpgIDString = "N/A" // We could potentially return key fingerprints here, but they would not be _GPG_ fingerprints.
} }
if len(repoele.KeyData) > 0 { entry.GPGId = gpgIDString
uids = append(uids, getGPGIdFromKeyData(idReader, repoele.KeyData)...) entry.SignatureStore = lookasidePath // We do this even for sigstoreSigned and things like type: reject, to show that the sigstore is being read.
}
entry.GPGId = strings.Join(uids, ", ")
entry.SignatureStore = lookasidePath
res = append(res, &entry) res = append(res, &entry)
} }

62
pkg/trust/trust_test.go
View File

@ -45,6 +45,10 @@ func TestPolicyDescription(t *testing.T) {
xNewPRSignedByKeyPath(t, "/1.pub", signature.NewPRMMatchRepoDigestOrExact()), xNewPRSignedByKeyPath(t, "/1.pub", signature.NewPRMMatchRepoDigestOrExact()),
xNewPRSignedByKeyPath(t, "/2,3.pub", signature.NewPRMMatchRepoDigestOrExact()), xNewPRSignedByKeyPath(t, "/2,3.pub", signature.NewPRMMatchRepoDigestOrExact()),
}, },
"quay.io/sigstore-signed": {
xNewPRSigstoreSignedKeyPath(t, "/1.pub", signature.NewPRMMatchRepoDigestOrExact()),
xNewPRSigstoreSignedKeyPath(t, "/2.pub", signature.NewPRMMatchRepoDigestOrExact()),
},
}, },
}, },
}, },
@ -77,6 +81,22 @@ func TestPolicyDescription(t *testing.T) {
SignatureStore: "https://quay.example.com/sigstore", SignatureStore: "https://quay.example.com/sigstore",
GPGId: "2, 3", GPGId: "2, 3",
}, },
{
Transport: "repository",
Name: "quay.io/sigstore-signed",
RepoName: "quay.io/sigstore-signed",
Type: "sigstoreSigned",
SignatureStore: "",
GPGId: "N/A",
},
{
Transport: "repository",
Name: "quay.io/sigstore-signed",
RepoName: "quay.io/sigstore-signed",
Type: "sigstoreSigned",
SignatureStore: "",
GPGId: "N/A",
},
{ {
Transport: "repository", Transport: "repository",
Name: "registry.redhat.io", Name: "registry.redhat.io",
@ -215,6 +235,30 @@ func TestDescriptionsOfPolicyRequirements(t *testing.T) {
GPGId: "2, 3", GPGId: "2, 3",
}, },
}, },
}, {
"quay.io/sigstore-signed",
signature.PolicyRequirements{
xNewPRSigstoreSignedKeyPath(t, "/1.pub", signature.NewPRMMatchRepoDigestOrExact()),
xNewPRSigstoreSignedKeyPath(t, "/2.pub", signature.NewPRMMatchRepoDigestOrExact()),
},
[]*Policy{
{
Transport: "transport",
Name: "name",
RepoName: "repoName",
Type: "sigstoreSigned",
SignatureStore: "",
GPGId: "N/A",
},
{
Transport: "transport",
Name: "name",
RepoName: "repoName",
Type: "sigstoreSigned",
SignatureStore: "",
GPGId: "N/A",
},
},
}, },
{ // Multiple kinds of requirements are represented individually. { // Multiple kinds of requirements are represented individually.
"registry.redhat.io", "registry.redhat.io",
@ -224,6 +268,8 @@ func TestDescriptionsOfPolicyRequirements(t *testing.T) {
xNewPRSignedByKeyPath(t, "/redhat.pub", signature.NewPRMMatchRepoDigestOrExact()), xNewPRSignedByKeyPath(t, "/redhat.pub", signature.NewPRMMatchRepoDigestOrExact()),
xNewPRSignedByKeyPath(t, "/1.pub", signature.NewPRMMatchRepoDigestOrExact()), xNewPRSignedByKeyPath(t, "/1.pub", signature.NewPRMMatchRepoDigestOrExact()),
xNewPRSignedByKeyPath(t, "/2,3.pub", signature.NewPRMMatchRepoDigestOrExact()), xNewPRSignedByKeyPath(t, "/2,3.pub", signature.NewPRMMatchRepoDigestOrExact()),
xNewPRSigstoreSignedKeyPath(t, "/1.pub", signature.NewPRMMatchRepoDigestOrExact()),
xNewPRSigstoreSignedKeyPath(t, "/2.pub", signature.NewPRMMatchRepoDigestOrExact()),
}, },
[]*Policy{ []*Policy{
{ {
@ -264,6 +310,22 @@ func TestDescriptionsOfPolicyRequirements(t *testing.T) {
SignatureStore: "https://registry.redhat.io/containers/sigstore", SignatureStore: "https://registry.redhat.io/containers/sigstore",
GPGId: "2, 3", GPGId: "2, 3",
}, },
{
Transport: "transport",
Name: "name",
RepoName: "repoName",
Type: "sigstoreSigned",
SignatureStore: "https://registry.redhat.io/containers/sigstore",
GPGId: "N/A",
},
{
Transport: "transport",
Name: "name",
RepoName: "repoName",
Type: "sigstoreSigned",
SignatureStore: "https://registry.redhat.io/containers/sigstore",
GPGId: "N/A",
},
}, },
}, },
} { } {