Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Added support for container identity for cosign #270

Merged
merged 2 commits into from
Jun 27, 2024
Merged

Added support for container identity for cosign #270

merged 2 commits into from
Jun 27, 2024

Conversation

midnightercz
Copy link
Member

Container identity is public facing registry + repository in public format

@midnightercz midnightercz requested a review from querti as a code owner June 25, 2024 15:50
@midnightercz midnightercz requested review from emilyzheng and querti and removed request for querti June 25, 2024 15:51
@midnightercz
Added support for container identity for cosign
2180ae8 
Container identity is public facing registry + repository in public
format
emilyzheng
emilyzheng reviewed Jun 26, 2024
View reviewed changes
src/pubtools/_quay/signer_wrapper.py Outdated Show resolved Hide resolved
src/pubtools/_quay/push_docker.py
@@ -557,10 +559,13 @@ def sign_new_manifests(self, docker_push_items: List[Any]) -> List[Tuple[str, st
+ ":"
+ tag
)
registry = self.dest_registries[0]
pub_reference = f"{registry}/{repo}"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The critical.identity.docker-reference field should follow the same rules / design as for the GPG signatures:
For every tag the image is published under, there should be a signature with identity set to exactly that tag.

Does tag need to be included in identity?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Cosign doesn't include it in docker-reference. I guess it's because tag is option when you sign with cosign

src/pubtools/_quay/push_docker.py
@@ -557,10 +559,13 @@ def sign_new_manifests(self, docker_push_items: List[Any]) -> List[Tuple[str, st
+ ":"
+ tag
)
registry = self.dest_registries[0]
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

When an image is pulled from registry.access.redhat.com, identity in signature starts with registry.redhat.io, would signature verification fail?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not exactly sure how validation works. But when doing validation in podman for example it uses containers/policy.json where you specify trusted host. SO if you have there both hosts, it should work

@codecov Codecov
Copy link

codecov bot commented Jun 26, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 100.00%. Comparing base (be58349) to head (dff5df7).

Additional details and impacted files 
@@            Coverage Diff            @@
##            master      #270   +/-   ##
=========================================
  Coverage   100.00%   100.00%           
=========================================
  Files           26        26           
  Lines         3235      3245   +10     
=========================================
+ Hits          3235      3245   +10

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@midnightercz midnightercz requested a review from emilyzheng June 26, 2024 08:44
@midnightercz midnightercz merged commit 6234c1e into master Jun 27, 2024
17 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@emilyzheng emilyzheng emilyzheng approved these changes

@querti querti Awaiting requested review from querti querti is a code owner

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@midnightercz @emilyzheng