Skip to content

Add --sign-by-sq-fingerprint #26618

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
openshift-merge-bot merged 2 commits into from
Oct 21, 2025
Merged

Add --sign-by-sq-fingerprint #26618

openshift-merge-bot merged 2 commits into from
Oct 21, 2025

Conversation

@mtrmac
Copy link
Contributor

@mtrmac mtrmac commented Jul 11, 2025

On top of #26617 .

Right now, this does not build Podman with the Sequoia backend, and thus does not work; I’ll update this PR with build changes as well. Compare also the packaging / CI discussion in containers/skopeo#2645 .

Does this PR introduce a user-facing change?

New option --sing-by-sq-fingerprint, to sign using Sequoia-PGP keys. This currently requires a non-default Podman build configuration to work.

@openshift-ci openshift-ci bot added release-note do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. approved Indicates a PR has been approved by an approver from all required OWNERS files. labels Jul 11, 2025
@mtrmac mtrmac force-pushed the sequoia branch 3 times, most recently from dcc86fe to e546425 Compare July 11, 2025 18:02
@TomSweeneyRedHat
Copy link
Member

TomSweeneyRedHat commented Jul 11, 2025

And FWIW, RHEL will probably not have Sequoia on board until at least 9.8 and 10.2.

TomSweeneyRedHat
TomSweeneyRedHat reviewed Jul 11, 2025
View reviewed changes
cmd/podman/artifact/push.go
DigestFile string
TLSVerifyCLI bool // CLI only
CredentialsCLI string
signing common.SigningCLIOnlyOptions
Copy link
Member

@TomSweeneyRedHat TomSweeneyRedHat Jul 11, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not a problem, just curious why this isn't "Signing"?

Copy link
Contributor Author

@mtrmac mtrmac Jul 14, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think conceptually this is a package-private type / field, and in such a situation using a package-private symbol helps linters detect unused / write-only values. (Compare the unused fields in pkg/domain/entities in #26617, although it’s unclear whether such a policy would have helped there.)

But, also, I’m not currently very interested in consistently cleaning up the whole type.

If consistency is preferred, I can make it a Signing type.

TomSweeneyRedHat
TomSweeneyRedHat reviewed Jul 11, 2025
View reviewed changes
docs/source/markdown/options/sign-by-sq-fingerprint.md
#### **--sign-by-sq-fingerprint**=*fingerprint*

Add a “simple signing” signature using a Sequoia-PGP key with the specified fingerprint.
(This option is not available with the remote Podman client, including Mac and Windows (excluding WSL2) machines)
Copy link
Member

@TomSweeneyRedHat TomSweeneyRedHat Jul 11, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
(This option is not available with the remote Podman client, including Mac and Windows (excluding WSL2) machines)
This option is not available with the remote Podman client, including Mac and Windows (excluding WSL2) machines.

Not a strong suggestion, but I'd remove the first set of parens here.

Copy link
Contributor Author

@mtrmac mtrmac Jul 14, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Searching for “This option is not available with”, there are ~40 other instances which parenthesize this, or a similar, remark.

I have no preference at all as to whether this should be parenthesized.

@TomSweeneyRedHat
Copy link
Member

TomSweeneyRedHat commented Jul 11, 2025
edited
Loading

Not a detailed review, but looks good over all. I would like to NOT merge this until after we move Podman v5.6 to it's own RHEL branch, probably mid to late August. This should be aimed at Podman v5.7 or 6.0 at the earliest.

@packit-as-a-service
Copy link

packit-as-a-service bot commented Jul 11, 2025

[NON-BLOCKING] Packit jobs failed. @containers/packit-build please check. Everyone else, feel free to ignore.

@mtrmac mtrmac mentioned this pull request Jul 14, 2025
Merged
@mtrmac
Copy link
Contributor Author

mtrmac commented Jul 15, 2025

As of e546425 , the new integration test is correctly skipped because the Sequoia implementation is not enabled.

@mtrmac mtrmac force-pushed the sequoia branch 6 times, most recently from 1749d9e to adec92c Compare July 15, 2025 18:03
@openshift-merge-robot openshift-merge-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jul 16, 2025
@openshift-merge-robot openshift-merge-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jul 16, 2025
@mtrmac mtrmac force-pushed the sequoia branch 2 times, most recently from b6aed2e to 6e2fd88 Compare July 18, 2025 16:59
@mtrmac mtrmac force-pushed the sequoia branch 4 times, most recently from 64717ad to 908fc92 Compare July 29, 2025 16:09
@mtrmac mtrmac force-pushed the sequoia branch 5 times, most recently from deeb2b5 to 5d2682d Compare September 11, 2025 16:51
@mtrmac
Exercise containers_image_sequoia in CI
2f005b6 
This build tag replaces the backend for _verification_
of GPG signatures, to use Sequoia-PGP instead of GNUPG.

Do Rawhide builds with Sequoia; the podman-sequoia package exists
in F43 and later, so we can't do it in earlier versions.

This way we cover both variants (+ containers_image_openpgp
in the podman-remote client, at least that it builds).

Signed-off-by: Miloslav Trmač <mitr@redhat.com>
@mtrmac
Add --sign-by-sq-fingerprint to push operations
9e2850d 
This adds a new feature that allows signing using Sequoia-backed
keys.  The existing options to sign using GPG-backed keys (and sigstore)
remain unchanged, and continue to use the same backends as usual.

Signed-off-by: Miloslav Trmač <mitr@redhat.com>
@mtrmac
Copy link
Contributor Author

mtrmac commented Sep 11, 2025

Ready for review, @containers/podman-maintainers PTAL.

This works, but I’m not very familiar with the CI / build architecture, I might well be missing something.

@mtrmac mtrmac marked this pull request as ready for review September 11, 2025 18:38
@mtrmac mtrmac changed the title WIP: Add --sign-by-sq-fingerprint Add --sign-by-sq-fingerprint Sep 11, 2025
@openshift-ci openshift-ci bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Sep 11, 2025
@mtrmac
Copy link
Contributor Author

mtrmac commented Sep 30, 2025

@containers/podman-maintainers review please.

Luap99
Luap99 approved these changes Oct 1, 2025
View reviewed changes
Copy link
Member

@Luap99 Luap99 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@mtrmac mtrmac added the 5.7 label Oct 16, 2025
@mtrmac
Copy link
Contributor Author

mtrmac commented Oct 20, 2025

@containers/podman-maintainers please review+merge.

aguidirh
aguidirh reviewed Oct 21, 2025
View reviewed changes
Copy link
Contributor

@aguidirh aguidirh left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

Luap99
Luap99 approved these changes Oct 21, 2025
View reviewed changes
Copy link
Member

@Luap99 Luap99 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Oct 21, 2025
@openshift-ci
Copy link
Contributor

openshift-ci bot commented Oct 21, 2025

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: Luap99, mtrmac

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-merge-bot openshift-merge-bot bot merged commit b3ec5cf into containers:main Oct 21, 2025
89 checks passed
@mtrmac mtrmac deleted the sequoia branch October 21, 2025 12:41
@lsm5 lsm5 mentioned this pull request Oct 21, 2025
Merged
@stale-locking-app stale-locking-app bot added the locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments. label Jan 20, 2026
@stale-locking-app stale-locking-app bot locked as resolved and limited conversation to collaborators Jan 20, 2026
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

@TomSweeneyRedHat TomSweeneyRedHat TomSweeneyRedHat left review comments

@Luap99 Luap99 Luap99 approved these changes

+1 more reviewer

@aguidirh aguidirh aguidirh left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

@Luap99 Luap99

Labels

5.7 approved Indicates a PR has been approved by an approver from all required OWNERS files. lgtm Indicates that a PR is ready to be merged. locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments. release-note

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@mtrmac @TomSweeneyRedHat @Luap99 @aguidirh @openshift-merge-robot