change: properly use local auth when signing/verifying images and get…

…ting signatures in imagedetails (#2027)
acorn-io · Aug 8, 2023 · cc16336 · cc16336
1 parent 068eb6d
commit cc16336
Show file tree

Hide file tree

Showing 6 changed files with 19 additions and 6 deletions.
diff --git a/pkg/cli/images_sign.go b/pkg/cli/images_sign.go
@@ -112,7 +112,9 @@ func (a *ImageSign) Run(cmd *cobra.Command, args []string) error {
 
 	signatureB64 := base64.StdEncoding.EncodeToString(signature)
 
-	imageSignOpts := &client.ImageSignOptions{}
+	imageSignOpts := &client.ImageSignOptions{
+		Auth: auth,
+	}
 
 	pubkey, err := sigSigner.PublicKey()
 	if err != nil {

diff --git a/pkg/cli/images_verify.go b/pkg/cli/images_verify.go
@@ -73,6 +73,7 @@ func (a *ImageVerify) Run(cmd *cobra.Command, args []string) error {
 	vOpts := &client.ImageVerifyOptions{
 		Annotations: a.Annotations,
 		PublicKey:   a.Key,
+		Auth:        auth,
 	}
 
 	// load public key from file (if it is a file, not a remote reference)

diff --git a/pkg/client/client.go b/pkg/client/client.go
@@ -352,12 +352,14 @@ type EventStreamOptions struct {
 }
 
 type ImageSignOptions struct {
-	PublicKey string `json:"publicKeys,omitempty"`
+	PublicKey string              `json:"publicKeys,omitempty"`
+	Auth      *apiv1.RegistryAuth `json:"auth,omitempty"`
 }
 
 type ImageVerifyOptions struct {
-	PublicKey   string            `json:"publicKeys,omitempty"`
-	Annotations map[string]string `json:"annotations,omitempty"`
+	PublicKey   string              `json:"publicKeys,omitempty"`
+	Annotations map[string]string   `json:"annotations,omitempty"`
+	Auth        *apiv1.RegistryAuth `json:"auth,omitempty"`
 }
 
 func (o EventStreamOptions) ListOptions() *kclient.ListOptions {

diff --git a/pkg/client/sign.go b/pkg/client/sign.go
@@ -12,9 +12,10 @@ func (c *DefaultClient) ImageSign(ctx context.Context, image string, payload []b
 		Payload:      payload,
 		SignatureB64: signatureB64,
 		PublicKey:    opts.PublicKey,
+		Auth:         opts.Auth,
 	}
 
-	imageDetails, err := c.ImageDetails(ctx, image, &ImageDetailsOptions{})
+	imageDetails, err := c.ImageDetails(ctx, image, &ImageDetailsOptions{Auth: opts.Auth})
 	if err != nil {
 		return nil, err
 	}

diff --git a/pkg/client/verify.go b/pkg/client/verify.go
@@ -12,6 +12,7 @@ import (
 func (c *DefaultClient) ImageVerify(ctx context.Context, image string, opts *ImageVerifyOptions) (*apiv1.ImageSignature, error) {
 	sigInput := &apiv1.ImageSignature{
 		PublicKey: opts.PublicKey,
+		Auth:      opts.Auth,
 	}
 
 	if opts.PublicKey == "" {
@@ -22,7 +23,7 @@ func (c *DefaultClient) ImageVerify(ctx context.Context, image string, opts *Ima
 		Match: opts.Annotations,
 	}
 
-	imageDetails, err := c.ImageDetails(ctx, image, &ImageDetailsOptions{})
+	imageDetails, err := c.ImageDetails(ctx, image, &ImageDetailsOptions{Auth: opts.Auth})
 	if err != nil {
 		return nil, err
 	}

diff --git a/pkg/imagedetails/imagedetails.go b/pkg/imagedetails/imagedetails.go
@@ -82,6 +82,12 @@ func GetImageDetails(ctx context.Context, c kclient.Client, namespace, imageName
 	if err != nil {
 		return nil, err
 	}
+
+	opts, err = images.GetAuthenticationRemoteOptions(ctx, c, namespace, opts...)
+	if err != nil {
+		return nil, err
+	}
+
 	_, sigHash, err := acornsign.FindSignature(imgRef.Context().Digest(appImageWithData.AppImage.Digest), opts...)
 	if err != nil {
 		return nil, err