Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[v4.4] Add … push --sign-by-sigstore #17241

Merged
merged 1 commit into from
Jan 27, 2023
Merged

[v4.4] Add … push --sign-by-sigstore #17241

merged 1 commit into from
Jan 27, 2023

Conversation

mtrmac
Copy link
Collaborator

@mtrmac mtrmac commented Jan 26, 2023

This is a backport of (as yet unmerged) #17088.

podman push and podman manifest push sync now support --sign-by-sigstore=param-file,
using the containers-sigstore-signing-params.yaml(5) file format.

That notably adds support for Fulcio and Rekor signing.

Depends on unmerged containers/image#1787 ; see that PR for documentation of the YAML file format, as well as example files.

See also containers/common#1288 for more discussion about where the interactive prompting pieces should be.

Untested so far.

Does this PR introduce a user-facing change?

`podman push` and `podman manifest push` now support a `--sign-by-sigstore` option, which allows using Fulcio and Rekor.

@openshift-ci
Copy link
Contributor

openshift-ci bot commented Jan 26, 2023

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: mtrmac

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jan 26, 2023
@mtrmac
Copy link
Collaborator Author

mtrmac commented Jan 26, 2023

@TomSweeneyRedHat @mheon @ashley-cui I’m afraid this feature didn’t get merged before cutting the 4.4 branch. I’m sorry I didn’t notice earlier.

@ashley-cui
Copy link
Member

Adding bloat-approved for testing.

@ashley-cui ashley-cui added the bloat_approved Approve a PR in which binary file size grows by over 50k label Jan 26, 2023
@mtrmac
Copy link
Collaborator Author

mtrmac commented Jan 26, 2023

Tests passed, please merge (targeting before 4.4 final)

@rhatdan
Copy link
Member

rhatdan commented Jan 26, 2023

LGTM

@mtrmac
Copy link
Collaborator Author

mtrmac commented Jan 26, 2023
edited
Loading

(Compare previous reviews in #17088 )

@mheon
Copy link
Member

mheon commented Jan 27, 2023

Can we get #17088 in first? I'd prefer not to have a situation where the branch is more up to date than main

@mheon
Copy link
Member

mheon commented Jan 27, 2023

(If time becomes an issue, we can definitely merge this before release, though)

@openshift-merge-robot openshift-merge-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jan 27, 2023
@mtrmac
Add (podman {image,manifest} push --sign-by-sigstore=param-file.yaml)
097ca60 
(podman push) and (podman manifest push) now support --sign-by-sigstore=param-file,
using the containers-sigstore-signing-params.yaml(5) file format.

That notably adds support for Fulcio and Rekor signing.

Signed-off-by: Miloslav Trmač <[email protected]>
@mtrmac mtrmac force-pushed the sign-by-sigstore-4.4 branch from 8a5d701 to 097ca60 Compare January 27, 2023 15:46
@openshift-merge-robot openshift-merge-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jan 27, 2023
@mtrmac
Copy link
Collaborator Author

mtrmac commented Jan 27, 2023

Can we get #17088 in first? I'd prefer not to have a situation where the branch is more up to date than main

Sure, that makes sense. Both #17088 and this PR are now rebased and tests are passing.

@ashley-cui
Copy link
Member

Gave #17088 a slash lgtm, going to slash lgtm this PR and hold it. Once the other PR merges, feel free to un-hold.

/lgtm
/hold

@openshift-ci openshift-ci bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Jan 27, 2023
@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Jan 27, 2023
@mtrmac
Copy link
Collaborator Author

mtrmac commented Jan 27, 2023

/hold cancel

@openshift-ci openshift-ci bot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Jan 27, 2023
@openshift-merge-robot openshift-merge-robot merged commit e25a4fb into containers:v4.4 Jan 27, 2023
@mtrmac
Copy link
Collaborator Author

mtrmac commented Jan 27, 2023

Thanks everyone!

@mtrmac mtrmac deleted the sign-by-sigstore-4.4 branch January 27, 2023 19:12
@edsantiago edsantiago mentioned this pull request Jan 30, 2023
Open
@github-actions github-actions bot added the locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments. label Sep 13, 2023
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 13, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers
No reviews
Assignees

@ashley-cui ashley-cui

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. bloat_approved Approve a PR in which binary file size grows by over 50k lgtm Indicates that a PR is ready to be merged. locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments. release-note
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@mtrmac @ashley-cui @rhatdan @mheon @openshift-merge-robot