Add Cosign signing/verification #1701
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Contributor
Author
|
On macOS, this increases Skopeo’s binary size by ~10 MB (from ~28.8 to ~39.0 MB, or from ~26.7 to ~36.1 stripped). That’s rather surprising, the source code diff (even more than just additions) is a bit less than 2 MB. |
mtrmac
force-pushed
the
cosign-prototypes
branch
3 times, most recently
from
73f6862 to
abc45e9
Compare
mtrmac
commented
Jul 7, 2022
mtrmac
force-pushed
the
cosign-prototypes
branch
2 times, most recently
from
ce87bf6 to
3946086
Compare
mtrmac
changed the title
mtrmac
commented
Jul 8, 2022
Comment on lines
233
to
254
|
|
||
| passphrase, err := cli.ReadPassphraseFile(opts.signPassphraseFile) | ||
| if err != nil { | ||
| return err | ||
| // c/image.Copy does allow creating both simple signing and Cosign signatures simultaneously, | ||
| // with independent passphrases, but that would make the CLI probably too confusing. | ||
| // For now, use the passphrase with either, but only one of them. | ||
| if opts.signPassphraseFile != "" && opts.signByFingerprint != "" && opts.signByCosignPrivateKey != "" { | ||
| return fmt.Errorf("Only one of --sign-by and sign-by-cosign-private-key can be used with sign-passphrase-file") | ||
| } | ||
| var passphrase string | ||
| if opts.signPassphraseFile != "" { | ||
| p, err := cli.ReadPassphraseFile(opts.signPassphraseFile) | ||
| if err != nil { | ||
| return err | ||
| } | ||
| passphrase = p | ||
| } else if opts.signByCosignPrivateKey != "" { | ||
| p, err := promptForPassphrase(opts.signByCosignPrivateKey, os.Stdin, os.Stdout) | ||
| if err != nil { | ||
| return err | ||
| } | ||
| passphrase = p | ||
| } // opts.signByFingerprint triggers a GPG-agent passphrase prompt, possibly using a more secure channel, so we usually shouldn’t prompt ourselves if no passphrase was explicitly provided. | ||
|
|
Contributor
Author
There was a problem hiding this comment.
This should be moved to utils.go instead of copy&pasted.
Adding to https://github.com/containers/image/issues/1601 .
mtrmac
commented
Jul 11, 2022
cmd/skopeo/copy.go
Outdated
| flags.BoolVar(&opts.removeSignatures, "remove-signatures", false, "Do not copy signatures from SOURCE-IMAGE") | ||
| flags.StringVar(&opts.signByFingerprint, "sign-by", "", "Sign the image using a GPG key with the specified `FINGERPRINT`") | ||
| flags.StringVar(&opts.signPassphraseFile, "sign-passphrase-file", "", "File that contains a passphrase for the --sign-by key") | ||
| flags.StringVar(&opts.signByCosignPrivateKey, "sign-by-cosign-private-key", "", "Sign the image using a Cosign private key at `PATH`") |
Contributor
Author
There was a problem hiding this comment.
FWIW I think it’s likely the only way to generate the key right now currently is /usr/bin/cosign. I don’t know if we should use a different file format or just add a “generate key” subcommand; either way that’s a to-do item for https://github.com/containers/image/issues/1601 .
mtrmac
force-pushed
the
cosign-prototypes
branch
from
457fe13 to
916e291
Compare
mtrmac
force-pushed
the
cosign-prototypes
branch
from
916e291 to
541b4df
Compare
mtrmac
commented
Jul 11, 2022
Comment on lines
92
to
104
| **--sign-by** _key-id_ | ||
|
|
||
| Add a signature using that key ID for an image name corresponding to _destination-image_ | ||
| Add a “simple signing” signature using that key ID for an image name corresponding to _destination-image_ | ||
|
|
||
| **--sign-by-sigstore-private-key** _path_ | ||
|
|
||
| Add a sigstore signature using a private key at _path_ for an image name corresponding to _destination-image_ | ||
|
|
||
| **--sign-passphrase-file** _path_ | ||
|
|
||
| The passphare to use when signing with the key ID from `--sign-by`. Only the first line will be read. A passphrase stored in a file is of questionable security if other users can read this file. Do not use this option if at all avoidable. | ||
| The passphare to use when signing with `--sign-by` or `--sign-by-sigstore-private-key`. Only the first line will be read. A passphrase stored in a file is of questionable security if other users can read this file. Do not use this option if at all avoidable. | ||
|
|
||
| **--sign-identity** _reference_ |
This was referenced Jul 11, 2022
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
If a passphrase is not provided, prompt for one. Outstanding: - Should have integration tests. - The signing options shared between copy and sync should live in utils.go. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
I left systemtest unmodified, to have _something_ that exercises the compatibility path. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
mtrmac
force-pushed
the
cosign-prototypes
branch
from
541b4df to
b000ada
Compare
mtrmac
changed the title
Contributor
Author
|
Now ready for review/merging. |
vrothberg
approved these changes
Jul 12, 2022
Member
|
LGTM |
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
3 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
⚠️ Warning: This is write-only code, as in I haven’t read it after myself, it has never been run, and it has no tests yet. Might be completely broken.unit andintegration tests, and interoperability testing.Depends on UNMERGED containers/image#1598 .Intended to cover:
dir:, c/storage; and copying them aroundEnd-user visible UI surface:
registries.d/*.yamluse-cosign-attachments = truein one or more of the existing sections.--sign-by-cosign-private-keyoptions added here.type: cosignSignedinpolicy.json.dir:.