Merge pull request #15466 from mtrmac/image-trust-sigstore

podman image trust overhaul, incl. sigstore
containers · Aug 25, 2022 · bb7ae54 · bb7ae54
2 parents f98215c + 61fe95b
commit bb7ae54
Show file tree

Hide file tree

Showing 12 changed files with 1,086 additions and 355 deletions.
diff --git a/cmd/podman/images/trust_set.go b/cmd/podman/images/trust_set.go
@@ -53,15 +53,15 @@ File(s) must exist before using this command`)
 }
 
 func setTrust(cmd *cobra.Command, args []string) error {
-	validTrustTypes := []string{"accept", "insecureAcceptAnything", "reject", "signedBy"}
+	validTrustTypes := []string{"accept", "insecureAcceptAnything", "reject", "signedBy", "sigstoreSigned"}
 
 	valid, err := isValidImageURI(args[0])
 	if err != nil || !valid {
 		return err
 	}
 
 	if !util.StringInSlice(setOptions.Type, validTrustTypes) {
-		return fmt.Errorf("invalid choice: %s (choose from 'accept', 'reject', 'signedBy')", setOptions.Type)
+		return fmt.Errorf("invalid choice: %s (choose from 'accept', 'reject', 'signedBy', 'sigstoreSigned')", setOptions.Type)
 	}
 	return registry.ImageEngine().SetTrust(registry.Context(), args, setOptions)
 }

diff --git a/docs/source/markdown/podman-image-trust.1.md b/docs/source/markdown/podman-image-trust.1.md
@@ -32,7 +32,8 @@ Trust **type** provides a way to:
 
 Allowlist ("accept") or
 Denylist ("reject") registries or
-Require signature (“signedBy”).
+Require a simple signing signature (“signedBy”),
+Require a sigstore signature ("sigstoreSigned").
 
 Trust may be updated using the command **podman image trust set** for an existing trust scope.
 
@@ -45,12 +46,14 @@ Trust may be updated using the command **podman image trust set** for an existin
 #### **--pubkeysfile**, **-f**=*KEY1*
   A path to an exported public key on the local system. Key paths
   will be referenced in policy.json. Any path to a file may be used but locating the file in **/etc/pki/containers** is recommended. Options may be used multiple times to
-  require an image be signed by multiple keys.  The **--pubkeysfile** option is required for the **signedBy** type.
+  require an image be signed by multiple keys.  The **--pubkeysfile** option is required for the **signedBy** and **sigstoreSigned** types.
 
 #### **--type**, **-t**=*value*
   The trust type for this policy entry.
   Accepted values:
-    **signedBy** (default): Require signatures with corresponding list of
+    **signedBy** (default): Require simple signing signatures with corresponding list of
+                        public keys
+    **sigstoreSigned**: Require sigstore signatures with corresponding list of
                         public keys
     **accept**: do not require any signatures for this
             registry scope

diff --git a/pkg/domain/infra/abi/trust.go b/pkg/domain/infra/abi/trust.go
@@ -2,16 +2,11 @@ package abi
 
 import (
 	"context"
-	"encoding/json"
-	"errors"
 	"fmt"
 	"io/ioutil"
-	"os"
-	"strings"
 
 	"github.com/containers/podman/v4/pkg/domain/entities"
 	"github.com/containers/podman/v4/pkg/trust"
-	"github.com/sirupsen/logrus"
 )
 
 func (ir *ImageEngine) ShowTrust(ctx context.Context, args []string, options entities.ShowTrustOptions) (*entities.ShowTrustReport, error) {
@@ -34,145 +29,27 @@ func (ir *ImageEngine) ShowTrust(ctx context.Context, args []string, options ent
 	if len(options.RegistryPath) > 0 {
 		report.SystemRegistriesDirPath = options.RegistryPath
 	}
-	policyContentStruct, err := trust.GetPolicy(policyPath)
-	if err != nil {
-		return nil, fmt.Errorf("could not read trust policies: %w", err)
-	}
-	report.Policies, err = getPolicyShowOutput(policyContentStruct, report.SystemRegistriesDirPath)
+	report.Policies, err = trust.PolicyDescription(policyPath, report.SystemRegistriesDirPath)
 	if err != nil {
 		return nil, fmt.Errorf("could not show trust policies: %w", err)
 	}
 	return &report, nil
 }
 
 func (ir *ImageEngine) SetTrust(ctx context.Context, args []string, options entities.SetTrustOptions) error {
-	var (
-		policyContentStruct trust.PolicyContent
-		newReposContent     []trust.RepoContent
-	)
-	trustType := options.Type
-	if trustType == "accept" {
-		trustType = "insecureAcceptAnything"
-	}
-
-	pubkeysfile := options.PubKeysFile
-	if len(pubkeysfile) == 0 && trustType == "signedBy" {
-		return errors.New("at least one public key must be defined for type 'signedBy'")
+	if len(args) != 1 {
+		return fmt.Errorf("SetTrust called with unexpected %d args", len(args))
 	}
+	scope := args[0]
 
 	policyPath := trust.DefaultPolicyPath(ir.Libpod.SystemContext())
 	if len(options.PolicyPath) > 0 {
 		policyPath = options.PolicyPath
 	}
-	_, err := os.Stat(policyPath)
-	if !os.IsNotExist(err) {
-		policyContent, err := ioutil.ReadFile(policyPath)
-		if err != nil {
-			return err
-		}
-		if err := json.Unmarshal(policyContent, &policyContentStruct); err != nil {
-			return errors.New("could not read trust policies")
-		}
-	}
-	if len(pubkeysfile) != 0 {
-		for _, filepath := range pubkeysfile {
-			newReposContent = append(newReposContent, trust.RepoContent{Type: trustType, KeyType: "GPGKeys", KeyPath: filepath})
-		}
-	} else {
-		newReposContent = append(newReposContent, trust.RepoContent{Type: trustType})
-	}
-	if args[0] == "default" {
-		policyContentStruct.Default = newReposContent
-	} else {
-		if len(policyContentStruct.Default) == 0 {
-			return errors.New("default trust policy must be set")
-		}
-		registryExists := false
-		for transport, transportval := range policyContentStruct.Transports {
-			_, registryExists = transportval[args[0]]
-			if registryExists {
-				policyContentStruct.Transports[transport][args[0]] = newReposContent
-				break
-			}
-		}
-		if !registryExists {
-			if policyContentStruct.Transports == nil {
-				policyContentStruct.Transports = make(map[string]trust.RepoMap)
-			}
-			if policyContentStruct.Transports["docker"] == nil {
-				policyContentStruct.Transports["docker"] = make(map[string][]trust.RepoContent)
-			}
-			policyContentStruct.Transports["docker"][args[0]] = append(policyContentStruct.Transports["docker"][args[0]], newReposContent...)
-		}
-	}
-
-	data, err := json.MarshalIndent(policyContentStruct, "", "    ")
-	if err != nil {
-		return fmt.Errorf("error setting trust policy: %w", err)
-	}
-	return ioutil.WriteFile(policyPath, data, 0644)
-}
-
-func getPolicyShowOutput(policyContentStruct trust.PolicyContent, systemRegistriesDirPath string) ([]*trust.Policy, error) {
-	var output []*trust.Policy
-
-	registryConfigs, err := trust.LoadAndMergeConfig(systemRegistriesDirPath)
-	if err != nil {
-		return nil, err
-	}
-
-	if len(policyContentStruct.Default) > 0 {
-		defaultPolicyStruct := trust.Policy{
-			Transport: "all",
-			Name:      "* (default)",
-			RepoName:  "default",
-			Type:      trustTypeDescription(policyContentStruct.Default[0].Type),
-		}
-		output = append(output, &defaultPolicyStruct)
-	}
-	for transport, transval := range policyContentStruct.Transports {
-		if transport == "docker" {
-			transport = "repository"
-		}
 
-		for repo, repoval := range transval {
-			tempTrustShowOutput := trust.Policy{
-				Name:      repo,
-				RepoName:  repo,
-				Transport: transport,
-				Type:      trustTypeDescription(repoval[0].Type),
-			}
-			// TODO - keyarr is not used and I don't know its intent; commenting out for now for someone to fix later
-			// keyarr := []string{}
-			uids := []string{}
-			for _, repoele := range repoval {
-				if len(repoele.KeyPath) > 0 {
-					// keyarr = append(keyarr, repoele.KeyPath)
-					uids = append(uids, trust.GetGPGIdFromKeyPath(repoele.KeyPath)...)
-				}
-				if len(repoele.KeyData) > 0 {
-					// keyarr = append(keyarr, string(repoele.KeyData))
-					uids = append(uids, trust.GetGPGIdFromKeyData(repoele.KeyData)...)
-				}
-			}
-			tempTrustShowOutput.GPGId = strings.Join(uids, ", ")
-
-			registryNamespace := trust.HaveMatchRegistry(repo, registryConfigs)
-			if registryNamespace != nil {
-				tempTrustShowOutput.SignatureStore = registryNamespace.SigStore
-			}
-			output = append(output, &tempTrustShowOutput)
-		}
-	}
-	return output, nil
-}
-
-var typeDescription = map[string]string{"insecureAcceptAnything": "accept", "signedBy": "signed", "reject": "reject"}
-
-func trustTypeDescription(trustType string) string {
-	trustDescription, exist := typeDescription[trustType]
-	if !exist {
-		logrus.Warnf("Invalid trust type %s", trustType)
-	}
-	return trustDescription
+	return trust.AddPolicyEntries(policyPath, trust.AddPolicyEntriesInput{
+		Scope:       scope,
+		Type:        options.Type,
+		PubKeyFiles: options.PubKeysFile,
+	})
 }
diff --git a/pkg/trust/config.go b/pkg/trust/config.go