[merged] Introduce signing #539
Conversation
|
Please resync your pull . |
Atomic/atomic.py
Outdated
| results = '/var/lib/atomic' | ||
| skull = (u"\u2620").encode('utf-8') | ||
|
|
||
|
|
baude
force-pushed
the
sign_verify
branch
7 times, most recently
from
e3ebf04 to
c754981
Compare
Atomic/client.py
Outdated
| def ids_same(id1, id2): | ||
| if id1 == id2: | ||
| return True | ||
| if no_shaw(id1) == no_shaw(id2): |
There was a problem hiding this comment.
Why is this discarding the algorithm identifier? At a first glance I can’t see any reason for this, and it could allow attacks using a weaker algorithm against a stronger one.
There was a problem hiding this comment.
In atomic, the image/container ids are exposed without the sha256 pre-pended. There was confusion about what sha sum was being used in the local filesystem. We thought it was the image ID but if it is the manifest, this is no longer needed.
|
☔ The latest upstream changes (presumably f97e97f) made this pull request unmergeable. Please resolve the merge conflicts. |
Atomic/sign.py
Outdated
| fq_sig_path = os.path.join(self.args.output) | ||
| self.make_sig_dirs(os.path.dirname(fq_sig_path)) | ||
|
|
||
| util.skopeo_standalone_sign(sign_image, manifest_file.name, |
There was a problem hiding this comment.
Does sign_image here really work, always, when verifying against a policy? AFAICS it would be necessary to do the equivalent of reference.WithDefaultTag.
atomic
Outdated
| signp = subparser.add_parser("sign", help="Sign an image", | ||
| epilog="Create a signature for an image which can be used later to verify it.") | ||
| signp.set_defaults(_class=Sign, func="sign") | ||
| signp.add_argument("sign_targets", nargs="*", help=_("images to sign")) |
| if sigs[0] == 0: | ||
| del sigs[0] | ||
| missing = missing_ints(sigs) | ||
| if missing == 0: |
There was a problem hiding this comment.
AFAICS this can never happen.
There was a problem hiding this comment.
resolved by a different solution.
|
☔ The latest upstream changes (presumably 84cc530) made this pull request unmergeable. Please resolve the merge conflicts. |
|
@baude sorry doing some shuffling of code around in atomic command, so this needs a rebase. |
Atomic/util.py
Outdated
| # If signature path is defined, get it; else return default | ||
| signature_path = get_atomic_config_item(['default-sigstore-path'], atomic_config=atomic_conf) | ||
| if signature_path is None: | ||
| signature_path = '/var/lib/atomic/containers' |
There was a problem hiding this comment.
(See above; I don’t think there even should be a default location to be used for the whole internet, and then the issue of redundancy between the signing code and the argument parsing + help disappears.)
Allow atomic users to sign an images that has been pulled from a repository. This uses GPG, skopeo, and friends and creates a local signature file for a image that has been pulled locally. Signatures are stored in the dir: /var/lib/atomic/containers/registry/image_name@sha256:image_id/ Individual signature files are then stored as: ../signature-(INTEGER) where INTEGER is incremented each time a signature is added.
|
📌 Commit 90a595a has been approved by |
|
☀️ Test successful - status-atomicjenkins |
5 participants
Allow atomic users to sign an images that has been pulled
from a repository. This uses GPG, skopeo, and friends and
creates a local signature file for a image that has been
pulled locally. Signatures are stored in the dir:
/etc/pki/containers/registry/image_name@sha256:image_id/
Individual signature files are then stored as:
../signature-(INTEGER)
where INTEGER is incremented each time a signature
is added.