Merge pull request #868 from saschagrunert/sign-recursive

Use recursive signing for multi-arch images
kubernetes-sigs · May 17, 2023 · ec74d14 · ec74d14
2 parents 38c86b3 + 40076eb
commit ec74d14
Show file tree

Hide file tree

Showing 3 changed files with 12 additions and 7 deletions.
diff --git a/internal/promoter/image/sign.go b/internal/promoter/image/sign.go
@@ -114,6 +114,9 @@ func (di *DefaultPromoterImplementation) SignImages(
 	}
 	signOpts.IdentityToken = token
 
+	// We want to sign all entities for multi-arch images
+	signOpts.Recursive = true
+
 	// Creating a new Signer after setting the identity token is MANDATORY
 	// because that's the only way to propagate the identity token to the
 	// internal Signer structs. Without that, the identity token wouldn't be

diff --git a/internal/promoter/image/signcheck.go b/internal/promoter/image/signcheck.go
@@ -337,6 +337,10 @@ func (di *DefaultPromoterImplementation) signReference(opts *options.Options, re
 		return fmt.Errorf("generating identity token: %w", err)
 	}
 	signOpts.IdentityToken = token
+
+	// We want to sign all entities for multi-arch images
+	signOpts.Recursive = true
+
 	di.signer = sign.New(signOpts)
 
 	// Add an annotation recording the kpromo version to ensure we

diff --git a/test-e2e/cip/e2e.go b/test-e2e/cip/e2e.go
@@ -121,14 +121,11 @@ func removeSignatureLayers(snapshot *[]registry.Image) {
 	var remove []image.Digest
 	for i := range *snapshot {
 		remove = []image.Digest{}
-		for dgst := range (*snapshot)[i].Dmap {
-			// Signature layers only have one tag
-			if len((*snapshot)[i].Dmap[dgst]) != 1 || !strings.HasSuffix(
-				string((*snapshot)[i].Dmap[dgst][0]), ".sig",
-			) {
-				continue
+		for dgst, tags := range (*snapshot)[i].Dmap {
+			if len(tags) == 0 || // Recursive signing may add additional layers without tags
+				(len(tags) == 1 && strings.HasSuffix(string(tags[0]), ".sig")) { // Signature layers only have one tag
+				remove = append(remove, dgst)
 			}
-			remove = append(remove, dgst)
 		}
 		for _, dgst := range remove {
 			delete((*snapshot)[i].Dmap, dgst)
@@ -152,6 +149,7 @@ func checkSnapshot(
 	// to compare them, we remove the signature layers from the current
 	// snapshot to ensure the original images were promoted.
 	removeSignatureLayers(&got)
+	removeSignatureLayers(&expected)
 
 	diff := cmp.Diff(got, expected)
 	if diff != "" {