-
Notifications
You must be signed in to change notification settings - Fork 2.4k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
--authfile command line argument for image sign command.
Adds the --authfile command line argument to allow users to use alternative authfile paths when signing images. Replaces: #10975 Fixes: #10866 Signed-off-by: José Guilherme Vanz <[email protected]> Signed-off-by: Daniel J Walsh <[email protected]>
- Loading branch information
Showing
6 changed files
with
71 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -23,6 +23,13 @@ Print usage statement. | |
|
||
Sign all the manifests of the multi-architecture image (default false). | ||
|
||
#### **--authfile**=*path* | ||
|
||
Path of the authentication file. Default is ${XDG\_RUNTIME\_DIR}/containers/auth.json | ||
|
||
Note: You can also override the default path of the authentication file by setting the REGISTRY\_AUTH\_FILE | ||
environment variable. `export REGISTRY_AUTH_FILE=path` | ||
|
||
#### **--cert-dir**=*path* | ||
|
||
Use certificates at *path* (\*.crt, \*.cert, \*.key) to connect to the registry. | ||
|
@@ -41,6 +48,8 @@ Sign the busybox image with the identity of [email protected] with a user's keyring an | |
|
||
sudo podman image sign --sign-by [email protected] --directory /tmp/signatures docker://privateregistry.example.com/foobar | ||
|
||
sudo podman image sign --authfile=/tmp/foobar.json --sign-by [email protected] --directory /tmp/signatures docker://privateregistry.example.com/foobar | ||
|
||
## RELATED CONFIGURATION | ||
|
||
The write (and read) location for signatures is defined in YAML-based | ||
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,54 @@ | ||
#!/usr/bin/env bats | ||
|
||
load helpers | ||
|
||
function setup() { | ||
skip_if_remote "--sign-by does not work with podman-remote" | ||
|
||
basic_setup | ||
|
||
export _GNUPGHOME_TMP=$PODMAN_TMPDIR/.gnupg | ||
mkdir --mode=0700 $_GNUPGHOME_TMP $PODMAN_TMPDIR/signatures | ||
|
||
cat >$PODMAN_TMPDIR/keydetails <<EOF | ||
%echo Generating a basic OpenPGP key | ||
Key-Type: RSA | ||
Key-Length: 2048 | ||
Subkey-Type: RSA | ||
Subkey-Length: 2048 | ||
Name-Real: Foo | ||
Name-Comment: Foo | ||
Name-Email: [email protected] | ||
Expire-Date: 0 | ||
%no-ask-passphrase | ||
%no-protection | ||
# Do a commit here, so that we can later print "done" :-) | ||
%commit | ||
%echo done | ||
EOF | ||
GNUPGHOME=$_GNUPGHOME_TMP gpg --verbose --batch --gen-key $PODMAN_TMPDIR/keydetails | ||
} | ||
|
||
function check_signature() { | ||
local sigfile=$1 | ||
ls -laR $PODMAN_TMPDIR/signatures | ||
run_podman inspect --format '{{.Digest}}' $PODMAN_TEST_IMAGE_FQN | ||
local repodigest=${output/:/=} | ||
|
||
local dir="$PODMAN_TMPDIR/signatures/libpod/${PODMAN_TEST_IMAGE_NAME}@${repodigest}" | ||
test -d $dir || die "Missing signature directory $dir" | ||
test -e "$dir/$sigfile" || die "Missing signature file '$sigfile'" | ||
|
||
# Confirm good signature | ||
run env GNUPGHOME=$_GNUPGHOME_TMP gpg --verify "$dir/$sigfile" | ||
is "$output" ".*Good signature from .Foo.*<[email protected]>" \ | ||
"gpg --verify $sigfile" | ||
} | ||
|
||
|
||
@test "podman image - sign with no sigfile" { | ||
GNUPGHOME=$_GNUPGHOME_TMP run_podman image sign --sign-by [email protected] --directory $PODMAN_TMPDIR/signatures "docker://$PODMAN_TEST_IMAGE_FQN" | ||
check_signature "signature-1" | ||
} | ||
|
||
# vim: filetype=sh |