From 853603cccecc5577719c0e5da2f07c46b06f0596 Mon Sep 17 00:00:00 2001
From: Brian Goff
Date: Tue, 14 May 2024 21:47:04 +0000
Subject: [PATCH] fix: Ensure container targets use signed artifact

I don't have a good test case for this right now. I'll open an issue because ideally we can ensure that this doesn't regress in the future.

Signed-off-by: Brian Goff
---
 frontend/azlinux/handle_container.go | 2 +-
 frontend/azlinux/handle_rpm.go | 24 +++++++++++++-----------
 frontend/request.go | 3 +--
 frontend/windows/handle_container.go | 11 +----------
 frontend/windows/handle_zip.go | 26 +++++++++++++-------------
 5 files changed, 29 insertions(+), 37 deletions(-)

diff --git a/frontend/azlinux/handle_container.go b/frontend/azlinux/handle_container.go
index 345b07b2..546b5d9d 100644
--- a/frontend/azlinux/handle_container.go
+++ b/frontend/azlinux/handle_container.go
@@ -26,7 +26,7 @@ func handleContainer(w worker) gwclient.BuildFunc {
 pg := dalec.ProgressGroup("Building " + targetKey + " container: " + spec.Name)
- rpmDir, err := specToRpmLLB(w, client, spec, sOpt, targetKey, pg)
+ rpmDir, err := specToRpmLLB(ctx, w, client, spec, sOpt, targetKey, pg)
 if err != nil {
 return nil, nil, fmt.Errorf("error creating rpm: %w", err)
 }
diff --git a/frontend/azlinux/handle_rpm.go b/frontend/azlinux/handle_rpm.go
index 254b5bfa..5230c0b2 100644
--- a/frontend/azlinux/handle_rpm.go
+++ b/frontend/azlinux/handle_rpm.go
@@ -26,19 +26,11 @@ func handleRPM(w worker) gwclient.BuildFunc {
 return nil, nil, err
 }
- st, err := specToRpmLLB(w, client, spec, sOpt, targetKey, pg)
+ st, err := specToRpmLLB(ctx, w, client, spec, sOpt, targetKey, pg)
 if err != nil {
 return nil, nil, err
 }
- if signer, ok := spec.GetSigner(targetKey); ok {
- signed, err := frontend.ForwardToSigner(ctx, client, platform, signer, st)
- if err != nil {
- return nil, nil, err
- }
- st = signed
- }
-
 def, err := st.Marshal(ctx, pg)
 if err != nil {
 return nil, nil, fmt.Errorf("error marshalling llb: %w", err)
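Review bot: With signing now folded into specToRpmLLB, the wrap at `fmt.Errorf("error creating rpm: %w", err)` also reports a failure to reach or run the signer frontend as a plain rpm build failure, and an unsigned rpm reaching the image is exactly what this fix guards against; consider naming both stages, `return nil, nil, fmt.Errorf("error creating or signing rpm: %w", err)`. The description notes there is no test yet; the property this hunk restores (the container target consuming a state that passed through the signer) can be pinned without a real signer by a build that configures a signer frontend for the target and asserts the rpm directory mounted into the container is that frontend's output rather than rpm.Build's. handleContainer continues outside the hunk on both sides.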
@@ -76,12 +68,22 @@ func installBuildDeps(w worker, spec *dalec.Spec, targetKey string, opts ...llb.
 }
 }
-func specToRpmLLB(w worker, client gwclient.Client, spec *dalec.Spec, sOpt dalec.SourceOpts, targetKey string, opts ...llb.ConstraintsOpt) (llb.State, error) {
+func specToRpmLLB(ctx context.Context, w worker, client gwclient.Client, spec *dalec.Spec, sOpt dalec.SourceOpts, targetKey string, opts ...llb.ConstraintsOpt) (llb.State, error) {
 base := w.Base(client, opts...).With(installBuildDeps(w, spec, targetKey, opts...))
 br, err := rpm.SpecToBuildrootLLB(base, spec, sOpt, targetKey, opts...)
 if err != nil {
 return llb.Scratch(), err
 }
 specPath := filepath.Join("SPECS", spec.Name, spec.Name+".spec")
- return rpm.Build(br, base, specPath, opts...), nil
+ st := rpm.Build(br, base, specPath, opts...)
+
+ if signer, ok := spec.GetSigner(targetKey); ok {
+ signed, err := frontend.ForwardToSigner(ctx, client, signer, st)
+ if err != nil {
+ return llb.Scratch(), err
+ }
+ st = signed
+ }
+
+ return st, nil
 }
diff --git a/frontend/request.go b/frontend/request.go
index 570b7b13..fdd19394 100644
--- a/frontend/request.go
+++ b/frontend/request.go
@@ -11,7 +11,6 @@ import (
 "github.com/moby/buildkit/frontend/dockerui"
 gwclient "github.com/moby/buildkit/frontend/gateway/client"
 "github.com/moby/buildkit/solver/pb"
- ocispecs "github.com/opencontainers/image-spec/specs-go/v1"
 "github.com/pkg/errors"
 )
@@ -119,7 +118,7 @@ func marshalDockerfile(ctx context.Context, dt []byte, opts ...llb.ConstraintsOp
 return st.Marshal(ctx)
 }
-func ForwardToSigner(ctx context.Context, client gwclient.Client, platform *ocispecs.Platform, cfg *dalec.Frontend, s llb.State) (llb.State, error) {
+func ForwardToSigner(ctx context.Context, client gwclient.Client, cfg *dalec.Frontend, s llb.State) (llb.State, error) {
 const (
 sourceKey = "source"
 contextKey = "context"
diff --git a/frontend/windows/handle_container.go b/frontend/windows/handle_container.go
index b615bb58..872e11cd 100644
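Review bot: specToRpmLLB now decides whether the returned state is signed, but nothing at the definition says so, and both handleRPM and handleContainer rely on it silently; add a doc comment such as `// specToRpmLLB builds the RPM for spec and, when spec configures a signer for targetKey, returns the state produced by forwarding the build output to that signer; callers receive the signed artifact and must not sign it again.` The lookup is keyed only on spec and targetKey, so an unsigned result is possible only when GetSigner reports no signer, which is the property this commit fixes and is worth stating in that comment. The same applies to buildBinaries in frontend/windows/handle_zip.go (the last hunk of this patch).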
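Review bot: ForwardToSigner is exported and becomes the single signing entry point for three build paths in this patch, yet it still carries no doc comment; add one stating the contract callers now depend on, e.g. `// ForwardToSigner forwards s to the signer frontend configured by cfg and returns the signed state; on a non-nil error no signed state is returned and callers must not fall back to s.` Dropping the platform parameter also removes the only way a caller told the signer which platform the artifact targets; whether the body (which continues outside the hunk) used it, or the signer frontend derives it from the forwarded state, is not visible here, so confirm signer frontends do not select keys or signature formats by platform. The removed ocispecs import in the first hunk is consistent with this change.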
--- a/frontend/windows/handle_container.go
+++ b/frontend/windows/handle_container.go
@@ -52,20 +52,11 @@ func handleContainer(ctx context.Context, client gwclient.Client) (*gwclient.Res
 pg := dalec.ProgressGroup("Build windows container: " + spec.Name)
 worker := workerImg(sOpt, pg)
- bin, err := buildBinaries(spec, worker, sOpt, targetKey)
+ bin, err := buildBinaries(ctx, spec, worker, client, sOpt, targetKey)
 if err != nil {
 return nil, nil, fmt.Errorf("unable to build binary %w", err)
 }
- if signer, ok := spec.GetSigner(targetKey); ok {
- signed, err := frontend.ForwardToSigner(ctx, client, platform, signer, bin)
- if err != nil {
- return nil, nil, err
- }
-
- bin = signed
- }
-
 baseImgName := getBaseOutputImage(spec, targetKey, defaultBaseImage)
 baseImage := llb.Image(baseImgName, llb.Platform(targetPlatform))
diff --git a/frontend/windows/handle_zip.go b/frontend/windows/handle_zip.go
index 7518be30..df44ea6e 100644
--- a/frontend/windows/handle_zip.go
+++ b/frontend/windows/handle_zip.go
@@ -34,20 +34,11 @@ func handleZip(ctx context.Context, client gwclient.Client) (*gwclient.Result, e
 pg := dalec.ProgressGroup("Build windows container: " + spec.Name)
 worker := workerImg(sOpt, pg)
- bin, err := buildBinaries(spec, worker, sOpt, targetKey)
+ bin, err := buildBinaries(ctx, spec, worker, client, sOpt, targetKey)
 if err != nil {
 return nil, nil, fmt.Errorf("unable to build binaries: %w", err)
 }
- if signer, ok := spec.GetSigner(targetKey); ok {
- signed, err := frontend.ForwardToSigner(ctx, client, platform, signer, bin)
- if err != nil {
- return nil, nil, err
- }
-
- bin = signed
- }
-
 st := getZipLLB(worker, spec.Name, bin)
 def, err := st.Marshal(ctx)
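Review bot: The wrap on the unchanged line `fmt.Errorf("unable to build binary %w", err)` now also covers a failed signer forward, since buildBinaries performs the signing, and it lacks the separator its sibling in handleZip has; suggest `return nil, nil, fmt.Errorf("unable to build or sign binaries: %w", err)`. The removed block was the only use of `platform` visible in this hunk and in the matching hunk of handle_zip.go; if it is a local of these handlers the compiler would reject it as unused, so presumably it is still read elsewhere, but that cannot be confirmed from here. handleContainer continues outside the hunk.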
@@ -143,7 +134,7 @@ func withSourcesMounted(dst string, states map[string]llb.State, sources map[str
 return dalec.WithRunOptions(ordered...)
 }
-func buildBinaries(spec *dalec.Spec, worker llb.State, sOpt dalec.SourceOpts, targetKey string) (llb.State, error) {
+func buildBinaries(ctx context.Context, spec *dalec.Spec, worker llb.State, client gwclient.Client, sOpt dalec.SourceOpts, targetKey string) (llb.State, error) {
 worker = worker.With(installBuildDeps(spec.GetBuildDeps(targetKey)))
 sources, err := specToSourcesLLB(worker, spec, sOpt)
@@ -156,7 +147,7 @@ func buildBinaries(spec *dalec.Spec, worker llb.State, sOpt dalec.SourceOpts, ta
 binaries := maps.Keys(spec.Artifacts.Binaries)
 script := generateInvocationScript(binaries)
- artifacts := worker.Run(
+ st := worker.Run(
 shArgs(script.String()),
 llb.Dir("/build"),
 withSourcesMounted("/build", patched, spec.Sources),
@@ -164,7 +155,16 @@ func buildBinaries(spec *dalec.Spec, worker llb.State, sOpt dalec.SourceOpts, ta
 llb.Network(llb.NetModeNone),
 ).AddMount(outputDir, llb.Scratch())
- return artifacts, nil
+ if signer, ok := spec.GetSigner(targetKey); ok {
+ signed, err := frontend.ForwardToSigner(ctx, client, signer, st)
+ if err != nil {
+ return llb.Scratch(), err
+ }
+
+ st = signed
+ }
+
+ return st, nil
 }
 func getZipLLB(worker llb.State, name string, artifacts llb.State) llb.State {
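Review bot: buildBinaries now returns either the raw build mount or the signer's output depending on spec.GetSigner, and no comment says which; its callers in handleContainer and handleZip use the state directly as the artifact, so a one-line contract at the signature (the second hunk of this file) would keep a future caller from signing twice or skipping the step, e.g. `// buildBinaries builds the spec's binaries with worker and, when a signer is configured for targetKey, returns the signed output from frontend.ForwardToSigner instead of the raw build mount.` The blank lines inside the new `if signer` block differ from the otherwise identical block added to specToRpmLLB; either form is fine, but the two copies are easier to compare when they match. The function spans the last three hunks of this file, with its middle part outside them.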