Skip to content

Commit

Permalink
--authfile command line argument for image sign command.
Browse files Browse the repository at this point in the history
Adds the --authfile command line argument to allow users to use
alternative authfile paths when signing images.

Replaces: #10975
Fixes: #10866

Signed-off-by: José Guilherme Vanz <[email protected]>
Signed-off-by: Daniel J Walsh <[email protected]>
  • Loading branch information
jvanz authored and rhatdan committed Nov 11, 2021
1 parent d6d89fa commit 6762d5e
Show file tree
Hide file tree
Showing 6 changed files with 71 additions and 0 deletions.
5 changes: 5 additions & 0 deletions cmd/podman/images/sign.go
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,7 @@ package images
import (
"os"

"github.com/containers/common/pkg/auth"
"github.com/containers/common/pkg/completion"
"github.com/containers/podman/v3/cmd/podman/common"
"github.com/containers/podman/v3/cmd/podman/registry"
Expand Down Expand Up @@ -48,6 +49,10 @@ func init() {
flags.StringVar(&signOptions.CertDir, certDirFlagName, "", "`Pathname` of a directory containing TLS certificates and keys")
_ = signCommand.RegisterFlagCompletionFunc(certDirFlagName, completion.AutocompleteDefault)
flags.BoolVarP(&signOptions.All, "all", "a", false, "Sign all the manifests of the multi-architecture image")

authfileFlagName := "authfile"
flags.StringVar(&signOptions.Authfile, authfileFlagName, auth.GetDefaultAuthFile(), "Path of the authentication file. Use REGISTRY_AUTH_FILE environment variable to override")
_ = signCommand.RegisterFlagCompletionFunc(authfileFlagName, completion.AutocompleteDefault)
}

func sign(cmd *cobra.Command, args []string) error {
Expand Down
1 change: 1 addition & 0 deletions contrib/spec/podman.spec.in
Original file line number Diff line number Diff line change
Expand Up @@ -361,6 +361,7 @@ Man pages for the %{name} commands
Summary: Tests for %{name}

Requires: %{name} = %{epoch}:%{version}-%{release}
Requires: gnupg
Requires: bats
Requires: jq
Requires: skopeo
Expand Down
9 changes: 9 additions & 0 deletions docs/source/markdown/podman-image-sign.1.md
Original file line number Diff line number Diff line change
Expand Up @@ -23,6 +23,13 @@ Print usage statement.

Sign all the manifests of the multi-architecture image (default false).

#### **--authfile**=*path*

Path of the authentication file. Default is ${XDG\_RUNTIME\_DIR}/containers/auth.json

Note: You can also override the default path of the authentication file by setting the REGISTRY\_AUTH\_FILE
environment variable. `export REGISTRY_AUTH_FILE=path`

#### **--cert-dir**=*path*

Use certificates at *path* (\*.crt, \*.cert, \*.key) to connect to the registry.
Expand All @@ -41,6 +48,8 @@ Sign the busybox image with the identity of [email protected] with a user's keyring an

sudo podman image sign --sign-by [email protected] --directory /tmp/signatures docker://privateregistry.example.com/foobar

sudo podman image sign --authfile=/tmp/foobar.json --sign-by [email protected] --directory /tmp/signatures docker://privateregistry.example.com/foobar

## RELATED CONFIGURATION

The write (and read) location for signatures is defined in YAML-based
Expand Down
1 change: 1 addition & 0 deletions pkg/domain/entities/images.go
Original file line number Diff line number Diff line change
Expand Up @@ -373,6 +373,7 @@ type SignOptions struct {
Directory string
SignBy string
CertDir string
Authfile string
All bool
}

Expand Down
1 change: 1 addition & 0 deletions pkg/domain/infra/abi/images.go
Original file line number Diff line number Diff line change
Expand Up @@ -641,6 +641,7 @@ func (ir *ImageEngine) Sign(ctx context.Context, names []string, options entitie
}
sc := ir.Libpod.SystemContext()
sc.DockerCertPath = options.CertDir
sc.AuthFilePath = options.Authfile

for _, signimage := range names {
err = func() error {
Expand Down
54 changes: 54 additions & 0 deletions test/system/011-image.bats
Original file line number Diff line number Diff line change
@@ -0,0 +1,54 @@
#!/usr/bin/env bats

load helpers

function setup() {
skip_if_remote "--sign-by does not work with podman-remote"

basic_setup

export _GNUPGHOME_TMP=$PODMAN_TMPDIR/.gnupg
mkdir --mode=0700 $_GNUPGHOME_TMP $PODMAN_TMPDIR/signatures

cat >$PODMAN_TMPDIR/keydetails <<EOF
%echo Generating a basic OpenPGP key
Key-Type: RSA
Key-Length: 2048
Subkey-Type: RSA
Subkey-Length: 2048
Name-Real: Foo
Name-Comment: Foo
Name-Email: [email protected]
Expire-Date: 0
%no-ask-passphrase
%no-protection
# Do a commit here, so that we can later print "done" :-)
%commit
%echo done
EOF
GNUPGHOME=$_GNUPGHOME_TMP gpg --verbose --batch --gen-key $PODMAN_TMPDIR/keydetails
}

function check_signature() {
local sigfile=$1
ls -laR $PODMAN_TMPDIR/signatures
run_podman inspect --format '{{.Digest}}' $PODMAN_TEST_IMAGE_FQN
local repodigest=${output/:/=}

local dir="$PODMAN_TMPDIR/signatures/libpod/${PODMAN_TEST_IMAGE_NAME}@${repodigest}"
test -d $dir || die "Missing signature directory $dir"
test -e "$dir/$sigfile" || die "Missing signature file '$sigfile'"

# Confirm good signature
run env GNUPGHOME=$_GNUPGHOME_TMP gpg --verify "$dir/$sigfile"
is "$output" ".*Good signature from .Foo.*<[email protected]>" \
"gpg --verify $sigfile"
}


@test "podman image - sign with no sigfile" {
GNUPGHOME=$_GNUPGHOME_TMP run_podman image sign --sign-by [email protected] --directory $PODMAN_TMPDIR/signatures "docker://$PODMAN_TEST_IMAGE_FQN"
check_signature "signature-1"
}

# vim: filetype=sh

0 comments on commit 6762d5e

Please sign in to comment.