Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Merge release-5.32 into main #2532

Merged
merged 12 commits into from
Aug 25, 2024
Merged

Merge release-5.32 into main #2532

merged 12 commits into from
Aug 25, 2024

Conversation

mtrmac
Copy link
Collaborator

@mtrmac mtrmac commented Aug 20, 2024

… so that Go considers commits on main later than the just-released 5.32.2 version.

mtrmac and others added 11 commits August 9, 2024 22:24
@mtrmac
Fix the version number
c94eadb 
We are on the 5.32 branch and the previous release was 5.32.1.

Signed-off-by: Miloslav Trmač <[email protected]>
@TomSweeneyRedHat
Merge pull request containers#2511 from mtrmac/5.32-version
4bcaca1 
[release-5.32] Fix the version number
@mtrmac
Use InvalidPolicyFormatError for invalid sigstore options
c0c8d34 
Signed-off-by: Miloslav Trmač <[email protected]>
@mtrmac
Turn loadBytesFromDataOrPath into loadBytesFromConfigSources
03550b4 
Use a struct as an input, so that the parameters are named and
we minimize risk of inconsistencies, and make it easier to add more sources.

Should not change behavior.

Signed-off-by: Miloslav Trmač <[email protected]>
@mtrmac
Use loadBytesFromConfigSources in prSignedBy.isSignatureAuthorAccepted
a5ea016 
Extend loadBytesFromConfigSources to return multiple values, and to support
reading the from files; then share the code.

Signed-off-by: Miloslav Trmač <[email protected]>
@mtrmac
Split verifySigstorePayloadBlobSignature from VerifySigstorePayload
d42de59 
because we will want to support multiple public keys, and that's
easier to do in a separate function.

Should not change behavior except for order of error checks.

Signed-off-by: Miloslav Trmač <[email protected]>
@dcermak @danishprakash @mtrmac
Add field KeyPaths and KeyDatas to prSigstoreSigned
95c0635 
The new fields `KeyPaths` and `KeyDatas` is taken directly from
`/etc/containers/policy.json` and allows users to provide multiple signature
keys to be used to verify images. Only one of the keys has to verify, thereby
this mechanism allows us to have support seamless key rotation on a registry.

This fixes containers#2319

Signed-off-by: Dan Čermák <[email protected]>
Co-authored-by: Danish Prakash <[email protected]>
Signed-off-by: Miloslav Trmač <[email protected]>
@mtrmac
Support accepting multiple Rekor public keys
2a87b21 
Add rekorPublicKeyPaths and rekorPublicKeyDatas , similar to the primary
root of trust public keys.

Signed-off-by: Miloslav Trmač <[email protected]>
@mtrmac
Release 5.32.2
0b425a4 
This adds the ability to accept sigstore signatures signed by
any key from a set of several (huge thanks to @dcermak and
@danishprakash for doing almost all the work), and Rekor log
presence proofs signed by any key from a set of several keys.

Signed-off-by: Miloslav Trmač <[email protected]>
@mtrmac
Bump to 5.32.3-dev
46bde10 
Signed-off-by: Miloslav Trmač <[email protected]>
@TomSweeneyRedHat
Merge pull request containers#2531 from mtrmac/5.32-backport
51d37e8 
Release 5.32.2
TomSweeneyRedHat
TomSweeneyRedHat reviewed Aug 21, 2024
View reviewed changes
version/version.go Outdated
@@ -6,7 +6,7 @@ const (
// VersionMajor is for an API incompatible changes
VersionMajor = 5
// VersionMinor is for functionality in a backwards-compatible manner
VersionMinor = 33
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think we want this. Should main be at 5.33.*-dev?

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The net effect of this PR should be to keep main at 5.33.0-dev , as in https://github.com/mtrmac/image/blob/into-main/version/version.go (and the PR’s file change view is showing no changes).

The PR contents are all contents of the release-5.32 branch, + a merge commit into main (it needs to be that way, the goal is to make the commit tagged 5.32.2 an ancestor of the main branch).

So, we do include the 5.32 version bumps as individual commits, but the merge commit undoes the version.go changes.

@TomSweeneyRedHat
Copy link
Member

Do you want the commits that changed the versions too? The other commits look fine to me, but it looks like you need to update this.

@mtrmac
Copy link
Collaborator Author

mtrmac commented Aug 21, 2024

Do you want the commits that changed the versions too?

We need the 5.32.2 commit to become an ancestor of main, and that brings up everything in the history of 5.32.2, including the version bumps. As long as the merge undoes that, I think we are fine.

it looks like you need to update this.

Rebased.

@TomSweeneyRedHat
Copy link
Member

LGTM

@rhatdan
Copy link
Member

rhatdan commented Aug 25, 2024

/approve
/lgtm

@rhatdan rhatdan merged commit b832c5a into containers:main Aug 25, 2024
10 checks passed
@mtrmac mtrmac deleted the into-main branch August 26, 2024 14:26
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@TomSweeneyRedHat TomSweeneyRedHat TomSweeneyRedHat left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@mtrmac @TomSweeneyRedHat @rhatdan @dcermak