Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Allow podman-remote push to accept the --digestfile flag #18216

Closed
cooktheryan opened this issue Apr 16, 2023 · 4 comments · Fixed by #18284
Closed

Allow podman-remote push to accept the --digestfile flag #18216

cooktheryan opened this issue Apr 16, 2023 · 4 comments · Fixed by #18284
Labels
kind/feature Categorizes issue or PR as related to a new feature. locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments.

Comments

@cooktheryan
Copy link

Feature request description

When using Tekton Chains to sign images generated through Tekton the outputs of Image_digest and Image URL are used by Tekton chains to generate attestation and to cosign the images. When using podman-remote especially when accessing a build server to build and push the process can be completed successfully but I cannot gain the digest information without doing a work around like scp or another back to the Tekton task.

Suggest potential solution

If we were to enable the flag to record the sha and write it to the system running podman-remote the problem would be resolved. I'm unsure if it could be grabbed from stdout of the podman-remote push.

Have you considered any alternatives?

Using podman-remote save to save the image to the pipeline allows for a potential breach of trust.

Additional context

This could be incredibly helpful for GitHub actions as well as Tekton/Tekton chains to build different architectures without needing a full kubernetes cluster of that architecture just a single VM
@cooktheryan cooktheryan added the kind/feature Categorizes issue or PR as related to a new feature. label Apr 16, 2023
@vrothberg
Copy link
Member

Thanks for reaching out, @cooktheryan.

I think that's doable for the remote client. The push REST endpoint is streaming to the client, so I guess we could transport the digest in the http.Response.Trailer.

@mtrmac WDYT?

@mtrmac
Copy link
Collaborator

mtrmac commented Apr 17, 2023

The primary way to deal with signing pushed content should be podman push --sign-by-sigstore*, so that users don’t need to correctly handle the digest references — but that doesn’t currently work for remote either, and it’s not very clear whether it’s acceptable to send the private key material to the remote server.

Either way, implementing --digestfile for remote would be an improvement.

My intuitive first guess for how this can be done is be to add a new kind of entry to the body’s ImagePushReport, instead of using trailers (which are not used anywhere else in the codebase?), but that’s an implementation detail I feel very weakly about.

@cooktheryan
Copy link
Author

thanks @mtrmac it's an interesting scenario. We are trying to avoid needing to use the local podman commands because we are launching instances with terraform with a specific architecture allowing for us to quickly build with podman-remote versus trying to use the qemu functionality.

Really appreciate yall discussing this so quickly

@vrothberg vrothberg mentioned this issue Apr 20, 2023
Merged
@vrothberg
Copy link
Member

Opened #18284 to add support.

vrothberg added a commit to vrothberg/libpod that referenced this issue Apr 21, 2023
@vrothberg
support --digestfile for remote push
1f1525f 
Wire in support for writing the digest of the pushed image to a
user-specified file.  Requires some massaging of _internal_ APIs
and the extension of the push endpoint to integrate the raw manifest
(i.e., in bytes) in the stream.

Closes: containers#18216
Signed-off-by: Valentin Rothberg <[email protected]>
@github-actions github-actions bot added the locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments. label Aug 26, 2023
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Aug 26, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
kind/feature Categorizes issue or PR as related to a new feature. locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments.
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

support --digestfile for remote push vrothberg/libpod
3 participants
@cooktheryan @mtrmac @vrothberg