read image config from docker v2s1 manifests

Signed-off-by: Antonio Murdaca <runcom@redhat.com>
This commit is contained in:
Antonio Murdaca 2017-04-03 09:22:44 +02:00
parent bbe2dea0a6
commit a0071de607
No known key found for this signature in database
GPG key ID: B2BEAD150DE936B9
39 changed files with 1272 additions and 506 deletions

View file

@ -1,5 +1,5 @@
{ {
"memo": "c69b3d661a6a19376099d94142598a44f109f155bc519d9b7943ac86e8ebcb8a", "memo": "1290be673a75036ce5bea81021073dd7041dc3f421446912b6b7ae0ed511fe93",
"projects": [ "projects": [
{ {
"name": "github.com/BurntSushi/toml", "name": "github.com/BurntSushi/toml",
@ -50,7 +50,7 @@
{ {
"name": "github.com/containers/image", "name": "github.com/containers/image",
"branch": "master", "branch": "master",
"revision": "1d7e25b91705e4d1cddb5396baf112caeb1119f3", "revision": "9fcd2ba2c6983f74026db5f2c0f79b529a098dee",
"packages": [ "packages": [
"copy", "copy",
"directory", "directory",
@ -159,10 +159,13 @@
"api/types/versions", "api/types/versions",
"api/types/volume", "api/types/volume",
"client", "client",
"pkg/longpath",
"pkg/random", "pkg/random",
"pkg/registrar", "pkg/registrar",
"pkg/stringid", "pkg/stringid",
"pkg/stringutils", "pkg/stringutils",
"pkg/symlink",
"pkg/system",
"pkg/tlsconfig", "pkg/tlsconfig",
"pkg/truncindex", "pkg/truncindex",
"utils/templates" "utils/templates"

View file

@ -210,19 +210,11 @@ func (r *runtimeService) createContainerOrPodSandbox(systemContext *types.System
return ContainerInfo{}, err return ContainerInfo{}, err
} }
defer image.Close() defer image.Close()
var imageConfig *v1.Image
configBlob, err := image.ConfigBlob() imageConfig, err := image.OCIConfig()
if err != nil { if err != nil {
return ContainerInfo{}, err return ContainerInfo{}, err
} }
if len(configBlob) > 0 {
config := v1.Image{}
err = json.Unmarshal(configBlob, &config)
if err != nil {
return ContainerInfo{}, err
}
imageConfig = &config
}
// Update the image name and ID. // Update the image name and ID.
if imageName == "" && len(img.Names) > 0 { if imageName == "" && len(img.Names) > 0 {

View file

@ -5,7 +5,10 @@
email: false email: false
go: go:
- 1.7 - 1.7
script: make tools .gitvalidation validate test test-skopeo env:
- BUILDTAGS='btrfs_noversion libdm_no_deferred_remove'
- BUILDTAGS='btrfs_noversion libdm_no_deferred_remove containers_image_openpgp'
script: make tools .gitvalidation validate test test-skopeo BUILDTAGS="$BUILDTAGS"
dist: trusty dist: trusty
os: os:
- linux - linux

View file

@ -44,7 +44,7 @@ test-skopeo:
rm -rf $${vendor_path} && cp -r . $${vendor_path} && rm -rf $${vendor_path}/vendor && \ rm -rf $${vendor_path} && cp -r . $${vendor_path} && rm -rf $${vendor_path}/vendor && \
cd $${skopeo_path} && \ cd $${skopeo_path} && \
make BUILDTAGS="$(BUILDTAGS)" binary-local test-all-local && \ make BUILDTAGS="$(BUILDTAGS)" binary-local test-all-local && \
$(SUDO) make check && \ $(SUDO) make BUILDTAGS="$(BUILDTAGS)" check && \
rm -rf $${skopeo_path} rm -rf $${skopeo_path}
validate: lint validate: lint

View file

@ -32,6 +32,16 @@ libraries you should use with this package in your own projects.
What this project tests against dependencies-wise is located What this project tests against dependencies-wise is located
[here](https://github.com/containers/image/blob/master/vendor.conf). [here](https://github.com/containers/image/blob/master/vendor.conf).
## Building
For ordinary use, `go build ./...` is sufficient.
When developing this library, please use `make` to take advantage of the tests and validation.
Optionally, you can use the `containers_image_openpgp` build tag (using `go build -tags …`, or `make … BUILDTAGS=…`).
This will use a Golang-only OpenPGP implementation for signature verification instead of the default cgo/gpgme-based implementation;
the primary downside is that creating new signatures with the Golang-only implementation is not supported.
## License ## License
ASL 2.0 ASL 2.0

View file

@ -235,6 +235,11 @@ func Image(policyContext *signature.PolicyContext, destRef, srcRef types.ImageRe
if err != nil { if err != nil {
return errors.Wrap(err, "Error initializing GPG") return errors.Wrap(err, "Error initializing GPG")
} }
defer mech.Close()
if err := mech.SupportsSigning(); err != nil {
return errors.Wrap(err, "Signing not supported")
}
dockerReference := dest.Reference().DockerReference() dockerReference := dest.Reference().DockerReference()
if dockerReference == nil { if dockerReference == nil {
return errors.Errorf("Cannot determine canonical Docker reference for destination %s", transports.ImageName(dest.Reference())) return errors.Errorf("Cannot determine canonical Docker reference for destination %s", transports.ImageName(dest.Reference()))
@ -349,7 +354,7 @@ type diffIDResult struct {
func (ic *imageCopier) copyLayer(srcInfo types.BlobInfo) (types.BlobInfo, digest.Digest, error) { func (ic *imageCopier) copyLayer(srcInfo types.BlobInfo) (types.BlobInfo, digest.Digest, error) {
// Check if we already have a blob with this digest // Check if we already have a blob with this digest
haveBlob, extantBlobSize, err := ic.dest.HasBlob(srcInfo) haveBlob, extantBlobSize, err := ic.dest.HasBlob(srcInfo)
if err != nil && err != types.ErrBlobNotFound { if err != nil {
return types.BlobInfo{}, "", errors.Wrapf(err, "Error checking for blob %s at destination", srcInfo.Digest) return types.BlobInfo{}, "", errors.Wrapf(err, "Error checking for blob %s at destination", srcInfo.Digest)
} }
// If we already have a cached diffID for this blob, we don't need to compute it // If we already have a cached diffID for this blob, we don't need to compute it

View file

@ -95,6 +95,10 @@ func (d *dirImageDestination) PutBlob(stream io.Reader, inputInfo types.BlobInfo
return types.BlobInfo{Digest: computedDigest, Size: size}, nil return types.BlobInfo{Digest: computedDigest, Size: size}, nil
} }
// HasBlob returns true iff the image destination already contains a blob with the matching digest which can be reapplied using ReapplyBlob.
// Unlike PutBlob, the digest can not be empty. If HasBlob returns true, the size of the blob must also be returned.
// If the destination does not contain the blob, or it is unknown, HasBlob ordinarily returns (false, -1, nil);
// it returns a non-nil error only on an unexpected failure.
func (d *dirImageDestination) HasBlob(info types.BlobInfo) (bool, int64, error) { func (d *dirImageDestination) HasBlob(info types.BlobInfo) (bool, int64, error) {
if info.Digest == "" { if info.Digest == "" {
return false, -1, errors.Errorf(`"Can not check for a blob with unknown digest`) return false, -1, errors.Errorf(`"Can not check for a blob with unknown digest`)
@ -102,7 +106,7 @@ func (d *dirImageDestination) HasBlob(info types.BlobInfo) (bool, int64, error)
blobPath := d.ref.layerPath(info.Digest) blobPath := d.ref.layerPath(info.Digest)
finfo, err := os.Stat(blobPath) finfo, err := os.Stat(blobPath)
if err != nil && os.IsNotExist(err) { if err != nil && os.IsNotExist(err) {
return false, -1, types.ErrBlobNotFound return false, -1, nil
} }
if err != nil { if err != nil {
return false, -1, err return false, -1, err

View file

@ -151,7 +151,11 @@ func (d *daemonImageDestination) PutBlob(stream io.Reader, inputInfo types.BlobI
return types.BlobInfo{}, errors.Errorf(`Can not stream a blob with unknown digest to "docker-daemon:"`) return types.BlobInfo{}, errors.Errorf(`Can not stream a blob with unknown digest to "docker-daemon:"`)
} }
if ok, size, err := d.HasBlob(inputInfo); err == nil && ok { ok, size, err := d.HasBlob(inputInfo)
if err != nil {
return types.BlobInfo{}, err
}
if ok {
return types.BlobInfo{Digest: inputInfo.Digest, Size: size}, nil return types.BlobInfo{Digest: inputInfo.Digest, Size: size}, nil
} }
@ -186,6 +190,10 @@ func (d *daemonImageDestination) PutBlob(stream io.Reader, inputInfo types.BlobI
return types.BlobInfo{Digest: digester.Digest(), Size: inputInfo.Size}, nil return types.BlobInfo{Digest: digester.Digest(), Size: inputInfo.Size}, nil
} }
// HasBlob returns true iff the image destination already contains a blob with the matching digest which can be reapplied using ReapplyBlob.
// Unlike PutBlob, the digest can not be empty. If HasBlob returns true, the size of the blob must also be returned.
// If the destination does not contain the blob, or it is unknown, HasBlob ordinarily returns (false, -1, nil);
// it returns a non-nil error only on an unexpected failure.
func (d *daemonImageDestination) HasBlob(info types.BlobInfo) (bool, int64, error) { func (d *daemonImageDestination) HasBlob(info types.BlobInfo) (bool, int64, error) {
if info.Digest == "" { if info.Digest == "" {
return false, -1, errors.Errorf(`"Can not check for a blob with unknown digest`) return false, -1, errors.Errorf(`"Can not check for a blob with unknown digest`)
@ -193,7 +201,7 @@ func (d *daemonImageDestination) HasBlob(info types.BlobInfo) (bool, int64, erro
if blob, ok := d.blobs[info.Digest]; ok { if blob, ok := d.blobs[info.Digest]; ok {
return true, blob.Size, nil return true, blob.Size, nil
} }
return false, -1, types.ErrBlobNotFound return false, -1, nil
} }
func (d *daemonImageDestination) ReapplyBlob(info types.BlobInfo) (types.BlobInfo, error) { func (d *daemonImageDestination) ReapplyBlob(info types.BlobInfo) (types.BlobInfo, error) {

View file

@ -18,8 +18,10 @@ import (
"github.com/containers/image/docker/reference" "github.com/containers/image/docker/reference"
"github.com/containers/image/types" "github.com/containers/image/types"
"github.com/containers/storage/pkg/homedir" "github.com/containers/storage/pkg/homedir"
"github.com/docker/distribution/registry/client"
"github.com/docker/go-connections/sockets" "github.com/docker/go-connections/sockets"
"github.com/docker/go-connections/tlsconfig" "github.com/docker/go-connections/tlsconfig"
"github.com/opencontainers/go-digest"
"github.com/pkg/errors" "github.com/pkg/errors"
) )
@ -32,20 +34,38 @@ const (
dockerCfgFileName = "config.json" dockerCfgFileName = "config.json"
dockerCfgObsolete = ".dockercfg" dockerCfgObsolete = ".dockercfg"
baseURL = "%s://%s/v2/" resolvedPingV2URL = "%s://%s/v2/"
baseURLV1 = "%s://%s/v1/_ping" resolvedPingV1URL = "%s://%s/v1/_ping"
tagsURL = "%s/tags/list" tagsPath = "/v2/%s/tags/list"
manifestURL = "%s/manifests/%s" manifestPath = "/v2/%s/manifests/%s"
blobsURL = "%s/blobs/%s" blobsPath = "/v2/%s/blobs/%s"
blobUploadURL = "%s/blobs/uploads/" blobUploadPath = "/v2/%s/blobs/uploads/"
extensionsSignaturePath = "/extensions/v2/%s/signatures/%s"
minimumTokenLifetimeSeconds = 60 minimumTokenLifetimeSeconds = 60
extensionSignatureSchemaVersion = 2 // extensionSignature.Version
extensionSignatureTypeAtomic = "atomic" // extensionSignature.Type
) )
// ErrV1NotSupported is returned when we're trying to talk to a // ErrV1NotSupported is returned when we're trying to talk to a
// docker V1 registry. // docker V1 registry.
var ErrV1NotSupported = errors.New("can't talk to a V1 docker registry") var ErrV1NotSupported = errors.New("can't talk to a V1 docker registry")
// extensionSignature and extensionSignatureList come from github.com/openshift/origin/pkg/dockerregistry/server/signaturedispatcher.go:
// signature represents a Docker image signature.
type extensionSignature struct {
Version int `json:"schemaVersion"` // Version specifies the schema version
Name string `json:"name"` // Name must be in "sha256:<digest>@signatureName" format
Type string `json:"type"` // Type is optional, of not set it will be defaulted to "AtomicImageV1"
Content []byte `json:"content"` // Content contains the signature
}
// signatureList represents list of Docker image signatures.
type extensionSignatureList struct {
Signatures []extensionSignature `json:"signatures"`
}
type bearerToken struct { type bearerToken struct {
Token string `json:"token"` Token string `json:"token"`
ExpiresIn int `json:"expires_in"` ExpiresIn int `json:"expires_in"`
@ -54,15 +74,20 @@ type bearerToken struct {
// dockerClient is configuration for dealing with a single Docker registry. // dockerClient is configuration for dealing with a single Docker registry.
type dockerClient struct { type dockerClient struct {
// The following members are set by newDockerClient and do not change afterwards.
ctx *types.SystemContext ctx *types.SystemContext
registry string registry string
username string username string
password string password string
scheme string // Cache of a value returned by a successful ping() if not empty
client *http.Client client *http.Client
signatureBase signatureStorageBase signatureBase signatureStorageBase
challenges []challenge
scope authScope scope authScope
// The following members are detected registry properties:
// They are set after a successful detectProperties(), and never change afterwards.
scheme string // Empty value also used to indicate detectProperties() has not yet succeeded.
challenges []challenge
supportsSignatures bool
// The following members are private state for setupRequestAuth, both are valid if token != nil.
token *bearerToken token *bearerToken
tokenExpiration time.Time tokenExpiration time.Time
} }
@ -209,15 +234,13 @@ func newDockerClient(ctx *types.SystemContext, ref dockerReference, write bool,
} }
// makeRequest creates and executes a http.Request with the specified parameters, adding authentication and TLS options for the Docker client. // makeRequest creates and executes a http.Request with the specified parameters, adding authentication and TLS options for the Docker client.
// url is NOT an absolute URL, but a path relative to the /v2/ top-level API path. The host name and schema is taken from the client or autodetected. // The host name and schema is taken from the client or autodetected, and the path is relative to it, i.e. the path usually starts with /v2/.
func (c *dockerClient) makeRequest(method, url string, headers map[string][]string, stream io.Reader) (*http.Response, error) { func (c *dockerClient) makeRequest(method, path string, headers map[string][]string, stream io.Reader) (*http.Response, error) {
if c.scheme == "" { if err := c.detectProperties(); err != nil {
if err := c.ping(); err != nil {
return nil, err return nil, err
} }
}
url = fmt.Sprintf(baseURL, c.scheme, c.registry) + url url := fmt.Sprintf("%s://%s%s", c.scheme, c.registry, path)
return c.makeRequestToResolvedURL(method, url, headers, stream, -1, true) return c.makeRequestToResolvedURL(method, url, headers, stream, -1, true)
} }
@ -398,21 +421,28 @@ func getAuth(ctx *types.SystemContext, registry string) (string, string, error)
return "", "", nil return "", "", nil
} }
func (c *dockerClient) ping() error { // detectProperties detects various properties of the registry.
// See the dockerClient documentation for members which are affected by this.
func (c *dockerClient) detectProperties() error {
if c.scheme != "" {
return nil
}
ping := func(scheme string) error { ping := func(scheme string) error {
url := fmt.Sprintf(baseURL, scheme, c.registry) url := fmt.Sprintf(resolvedPingV2URL, scheme, c.registry)
resp, err := c.makeRequestToResolvedURL("GET", url, nil, nil, -1, true) resp, err := c.makeRequestToResolvedURL("GET", url, nil, nil, -1, true)
logrus.Debugf("Ping %s err %#v", url, err) logrus.Debugf("Ping %s err %#v", url, err)
if err != nil { if err != nil {
return err return err
} }
defer resp.Body.Close() defer resp.Body.Close()
logrus.Debugf("Ping %s status %d", scheme+"://"+c.registry+"/v2/", resp.StatusCode) logrus.Debugf("Ping %s status %d", url, resp.StatusCode)
if resp.StatusCode != http.StatusOK && resp.StatusCode != http.StatusUnauthorized { if resp.StatusCode != http.StatusOK && resp.StatusCode != http.StatusUnauthorized {
return errors.Errorf("error pinging repository, response code %d", resp.StatusCode) return errors.Errorf("error pinging repository, response code %d", resp.StatusCode)
} }
c.challenges = parseAuthHeader(resp.Header) c.challenges = parseAuthHeader(resp.Header)
c.scheme = scheme c.scheme = scheme
c.supportsSignatures = resp.Header.Get("X-Registry-Supports-Signatures") == "1"
return nil return nil
} }
err := ping("https") err := ping("https")
@ -426,14 +456,14 @@ func (c *dockerClient) ping() error {
} }
// best effort to understand if we're talking to a V1 registry // best effort to understand if we're talking to a V1 registry
pingV1 := func(scheme string) bool { pingV1 := func(scheme string) bool {
url := fmt.Sprintf(baseURLV1, scheme, c.registry) url := fmt.Sprintf(resolvedPingV1URL, scheme, c.registry)
resp, err := c.makeRequestToResolvedURL("GET", url, nil, nil, -1, true) resp, err := c.makeRequestToResolvedURL("GET", url, nil, nil, -1, true)
logrus.Debugf("Ping %s err %#v", url, err) logrus.Debugf("Ping %s err %#v", url, err)
if err != nil { if err != nil {
return false return false
} }
defer resp.Body.Close() defer resp.Body.Close()
logrus.Debugf("Ping %s status %d", scheme+"://"+c.registry+"/v1/_ping", resp.StatusCode) logrus.Debugf("Ping %s status %d", url, resp.StatusCode)
if resp.StatusCode != http.StatusOK && resp.StatusCode != http.StatusUnauthorized { if resp.StatusCode != http.StatusOK && resp.StatusCode != http.StatusUnauthorized {
return false return false
} }
@ -450,6 +480,30 @@ func (c *dockerClient) ping() error {
return err return err
} }
// getExtensionsSignatures returns signatures from the X-Registry-Supports-Signatures API extension,
// using the original data structures.
func (c *dockerClient) getExtensionsSignatures(ref dockerReference, manifestDigest digest.Digest) (*extensionSignatureList, error) {
path := fmt.Sprintf(extensionsSignaturePath, reference.Path(ref.ref), manifestDigest)
res, err := c.makeRequest("GET", path, nil, nil)
if err != nil {
return nil, err
}
defer res.Body.Close()
if res.StatusCode != http.StatusOK {
return nil, client.HandleErrorResponse(res)
}
body, err := ioutil.ReadAll(res.Body)
if err != nil {
return nil, err
}
var parsedBody extensionSignatureList
if err := json.Unmarshal(body, &parsedBody); err != nil {
return nil, errors.Wrapf(err, "Error decoding signature list")
}
return &parsedBody, nil
}
func getDefaultConfigDir(confPath string) string { func getDefaultConfigDir(confPath string) string {
return filepath.Join(homedir.Get(), confPath) return filepath.Join(homedir.Get(), confPath)
} }

View file

@ -40,8 +40,8 @@ func (i *Image) SourceRefFullName() string {
// GetRepositoryTags list all tags available in the repository. Note that this has no connection with the tag(s) used for this specific image, if any. // GetRepositoryTags list all tags available in the repository. Note that this has no connection with the tag(s) used for this specific image, if any.
func (i *Image) GetRepositoryTags() ([]string, error) { func (i *Image) GetRepositoryTags() ([]string, error) {
url := fmt.Sprintf(tagsURL, reference.Path(i.src.ref.ref)) path := fmt.Sprintf(tagsPath, reference.Path(i.src.ref.ref))
res, err := i.src.c.makeRequest("GET", url, nil, nil) res, err := i.src.c.makeRequest("GET", path, nil, nil)
if err != nil { if err != nil {
return nil, err return nil, err
} }

View file

@ -2,6 +2,8 @@ package docker
import ( import (
"bytes" "bytes"
"crypto/rand"
"encoding/json"
"fmt" "fmt"
"io" "io"
"io/ioutil" "io/ioutil"
@ -42,7 +44,7 @@ type dockerImageDestination struct {
// newImageDestination creates a new ImageDestination for the specified image reference. // newImageDestination creates a new ImageDestination for the specified image reference.
func newImageDestination(ctx *types.SystemContext, ref dockerReference) (types.ImageDestination, error) { func newImageDestination(ctx *types.SystemContext, ref dockerReference) (types.ImageDestination, error) {
c, err := newDockerClient(ctx, ref, true, "push") c, err := newDockerClient(ctx, ref, true, "pull,push")
if err != nil { if err != nil {
return nil, err return nil, err
} }
@ -70,7 +72,17 @@ func (d *dockerImageDestination) SupportedManifestMIMETypes() []string {
// SupportsSignatures returns an error (to be displayed to the user) if the destination certainly can't store signatures. // SupportsSignatures returns an error (to be displayed to the user) if the destination certainly can't store signatures.
// Note: It is still possible for PutSignatures to fail if SupportsSignatures returns nil. // Note: It is still possible for PutSignatures to fail if SupportsSignatures returns nil.
func (d *dockerImageDestination) SupportsSignatures() error { func (d *dockerImageDestination) SupportsSignatures() error {
return errors.Errorf("Pushing signatures to a Docker Registry is not supported") if err := d.c.detectProperties(); err != nil {
return err
}
switch {
case d.c.signatureBase != nil:
return nil
case d.c.supportsSignatures:
return nil
default:
return errors.Errorf("X-Registry-Supports-Signatures extension not supported, and lookaside is not configured")
}
} }
// ShouldCompressLayers returns true iff it is desirable to compress layer blobs written to this destination. // ShouldCompressLayers returns true iff it is desirable to compress layer blobs written to this destination.
@ -101,26 +113,25 @@ func (c *sizeCounter) Write(p []byte) (n int, err error) {
func (d *dockerImageDestination) PutBlob(stream io.Reader, inputInfo types.BlobInfo) (types.BlobInfo, error) { func (d *dockerImageDestination) PutBlob(stream io.Reader, inputInfo types.BlobInfo) (types.BlobInfo, error) {
if inputInfo.Digest.String() != "" { if inputInfo.Digest.String() != "" {
haveBlob, size, err := d.HasBlob(inputInfo) haveBlob, size, err := d.HasBlob(inputInfo)
if err != nil && err != types.ErrBlobNotFound { if err != nil {
return types.BlobInfo{}, err return types.BlobInfo{}, err
} }
// Now err == nil || err == types.ErrBlobNotFound if haveBlob {
if err == nil && haveBlob {
return types.BlobInfo{Digest: inputInfo.Digest, Size: size}, nil return types.BlobInfo{Digest: inputInfo.Digest, Size: size}, nil
} }
} }
// FIXME? Chunked upload, progress reporting, etc. // FIXME? Chunked upload, progress reporting, etc.
uploadURL := fmt.Sprintf(blobUploadURL, reference.Path(d.ref.ref)) uploadPath := fmt.Sprintf(blobUploadPath, reference.Path(d.ref.ref))
logrus.Debugf("Uploading %s", uploadURL) logrus.Debugf("Uploading %s", uploadPath)
res, err := d.c.makeRequest("POST", uploadURL, nil, nil) res, err := d.c.makeRequest("POST", uploadPath, nil, nil)
if err != nil { if err != nil {
return types.BlobInfo{}, err return types.BlobInfo{}, err
} }
defer res.Body.Close() defer res.Body.Close()
if res.StatusCode != http.StatusAccepted { if res.StatusCode != http.StatusAccepted {
logrus.Debugf("Error initiating layer upload, response %#v", *res) logrus.Debugf("Error initiating layer upload, response %#v", *res)
return types.BlobInfo{}, errors.Errorf("Error initiating layer upload to %s, status %d", uploadURL, res.StatusCode) return types.BlobInfo{}, errors.Errorf("Error initiating layer upload to %s, status %d", uploadPath, res.StatusCode)
} }
uploadLocation, err := res.Location() uploadLocation, err := res.Location()
if err != nil { if err != nil {
@ -132,7 +143,7 @@ func (d *dockerImageDestination) PutBlob(stream io.Reader, inputInfo types.BlobI
tee := io.TeeReader(stream, io.MultiWriter(digester.Hash(), sizeCounter)) tee := io.TeeReader(stream, io.MultiWriter(digester.Hash(), sizeCounter))
res, err = d.c.makeRequestToResolvedURL("PATCH", uploadLocation.String(), map[string][]string{"Content-Type": {"application/octet-stream"}}, tee, inputInfo.Size, true) res, err = d.c.makeRequestToResolvedURL("PATCH", uploadLocation.String(), map[string][]string{"Content-Type": {"application/octet-stream"}}, tee, inputInfo.Size, true)
if err != nil { if err != nil {
logrus.Debugf("Error uploading layer chunked, response %#v", *res) logrus.Debugf("Error uploading layer chunked, response %#v", res)
return types.BlobInfo{}, err return types.BlobInfo{}, err
} }
defer res.Body.Close() defer res.Body.Close()
@ -163,14 +174,18 @@ func (d *dockerImageDestination) PutBlob(stream io.Reader, inputInfo types.BlobI
return types.BlobInfo{Digest: computedDigest, Size: sizeCounter.size}, nil return types.BlobInfo{Digest: computedDigest, Size: sizeCounter.size}, nil
} }
// HasBlob returns true iff the image destination already contains a blob with the matching digest which can be reapplied using ReapplyBlob.
// Unlike PutBlob, the digest can not be empty. If HasBlob returns true, the size of the blob must also be returned.
// If the destination does not contain the blob, or it is unknown, HasBlob ordinarily returns (false, -1, nil);
// it returns a non-nil error only on an unexpected failure.
func (d *dockerImageDestination) HasBlob(info types.BlobInfo) (bool, int64, error) { func (d *dockerImageDestination) HasBlob(info types.BlobInfo) (bool, int64, error) {
if info.Digest == "" { if info.Digest == "" {
return false, -1, errors.Errorf(`"Can not check for a blob with unknown digest`) return false, -1, errors.Errorf(`"Can not check for a blob with unknown digest`)
} }
checkURL := fmt.Sprintf(blobsURL, reference.Path(d.ref.ref), info.Digest.String()) checkPath := fmt.Sprintf(blobsPath, reference.Path(d.ref.ref), info.Digest.String())
logrus.Debugf("Checking %s", checkURL) logrus.Debugf("Checking %s", checkPath)
res, err := d.c.makeRequest("HEAD", checkURL, nil, nil) res, err := d.c.makeRequest("HEAD", checkPath, nil, nil)
if err != nil { if err != nil {
return false, -1, err return false, -1, err
} }
@ -184,7 +199,7 @@ func (d *dockerImageDestination) HasBlob(info types.BlobInfo) (bool, int64, erro
return false, -1, errors.Errorf("not authorized to read from destination repository %s", reference.Path(d.ref.ref)) return false, -1, errors.Errorf("not authorized to read from destination repository %s", reference.Path(d.ref.ref))
case http.StatusNotFound: case http.StatusNotFound:
logrus.Debugf("... not present") logrus.Debugf("... not present")
return false, -1, types.ErrBlobNotFound return false, -1, nil
default: default:
return false, -1, errors.Errorf("failed to read from destination repository %s: %v", reference.Path(d.ref.ref), http.StatusText(res.StatusCode)) return false, -1, errors.Errorf("failed to read from destination repository %s: %v", reference.Path(d.ref.ref), http.StatusText(res.StatusCode))
} }
@ -205,14 +220,14 @@ func (d *dockerImageDestination) PutManifest(m []byte) error {
if err != nil { if err != nil {
return err return err
} }
url := fmt.Sprintf(manifestURL, reference.Path(d.ref.ref), refTail) path := fmt.Sprintf(manifestPath, reference.Path(d.ref.ref), refTail)
headers := map[string][]string{} headers := map[string][]string{}
mimeType := manifest.GuessMIMEType(m) mimeType := manifest.GuessMIMEType(m)
if mimeType != "" { if mimeType != "" {
headers["Content-Type"] = []string{mimeType} headers["Content-Type"] = []string{mimeType}
} }
res, err := d.c.makeRequest("PUT", url, headers, bytes.NewReader(m)) res, err := d.c.makeRequest("PUT", path, headers, bytes.NewReader(m))
if err != nil { if err != nil {
return err return err
} }
@ -223,12 +238,32 @@ func (d *dockerImageDestination) PutManifest(m []byte) error {
logrus.Debugf("Error body %s", string(body)) logrus.Debugf("Error body %s", string(body))
} }
logrus.Debugf("Error uploading manifest, status %d, %#v", res.StatusCode, res) logrus.Debugf("Error uploading manifest, status %d, %#v", res.StatusCode, res)
return errors.Errorf("Error uploading manifest to %s, status %d", url, res.StatusCode) return errors.Errorf("Error uploading manifest to %s, status %d", path, res.StatusCode)
} }
return nil return nil
} }
func (d *dockerImageDestination) PutSignatures(signatures [][]byte) error { func (d *dockerImageDestination) PutSignatures(signatures [][]byte) error {
// Do not fail if we dont really need to support signatures.
if len(signatures) == 0 {
return nil
}
if err := d.c.detectProperties(); err != nil {
return err
}
switch {
case d.c.signatureBase != nil:
return d.putSignaturesToLookaside(signatures)
case d.c.supportsSignatures:
return d.putSignaturesToAPIExtension(signatures)
default:
return errors.Errorf("X-Registry-Supports-Signatures extension not supported, and lookaside is not configured")
}
}
// putSignaturesToLookaside implements PutSignatures() from the lookaside location configured in s.c.signatureBase,
// which is not nil.
func (d *dockerImageDestination) putSignaturesToLookaside(signatures [][]byte) error {
// FIXME? This overwrites files one at a time, definitely not atomic. // FIXME? This overwrites files one at a time, definitely not atomic.
// A failure when updating signatures with a reordered copy could lose some of them. // A failure when updating signatures with a reordered copy could lose some of them.
@ -236,15 +271,13 @@ func (d *dockerImageDestination) PutSignatures(signatures [][]byte) error {
if len(signatures) == 0 { if len(signatures) == 0 {
return nil return nil
} }
if d.c.signatureBase == nil {
return errors.Errorf("Pushing signatures to a Docker Registry is not supported, and there is no applicable signature storage configured")
}
if d.manifestDigest.String() == "" { if d.manifestDigest.String() == "" {
// This shouldnt happen, ImageDestination users are required to call PutManifest before PutSignatures // This shouldnt happen, ImageDestination users are required to call PutManifest before PutSignatures
return errors.Errorf("Unknown manifest digest, can't add signatures") return errors.Errorf("Unknown manifest digest, can't add signatures")
} }
// NOTE: Keep this in sync with docs/signature-protocols.md!
for i, signature := range signatures { for i, signature := range signatures {
url := signatureStorageURL(d.c.signatureBase, d.manifestDigest, i) url := signatureStorageURL(d.c.signatureBase, d.manifestDigest, i)
if url == nil { if url == nil {
@ -278,6 +311,7 @@ func (d *dockerImageDestination) PutSignatures(signatures [][]byte) error {
} }
// putOneSignature stores one signature to url. // putOneSignature stores one signature to url.
// NOTE: Keep this in sync with docs/signature-protocols.md!
func (d *dockerImageDestination) putOneSignature(url *url.URL, signature []byte) error { func (d *dockerImageDestination) putOneSignature(url *url.URL, signature []byte) error {
switch url.Scheme { switch url.Scheme {
case "file": case "file":
@ -301,6 +335,7 @@ func (d *dockerImageDestination) putOneSignature(url *url.URL, signature []byte)
// deleteOneSignature deletes a signature from url, if it exists. // deleteOneSignature deletes a signature from url, if it exists.
// If it successfully determines that the signature does not exist, returns (true, nil) // If it successfully determines that the signature does not exist, returns (true, nil)
// NOTE: Keep this in sync with docs/signature-protocols.md!
func (c *dockerClient) deleteOneSignature(url *url.URL) (missing bool, err error) { func (c *dockerClient) deleteOneSignature(url *url.URL) (missing bool, err error) {
switch url.Scheme { switch url.Scheme {
case "file": case "file":
@ -318,6 +353,82 @@ func (c *dockerClient) deleteOneSignature(url *url.URL) (missing bool, err error
} }
} }
// putSignaturesToAPIExtension implements PutSignatures() using the X-Registry-Supports-Signatures API extension.
func (d *dockerImageDestination) putSignaturesToAPIExtension(signatures [][]byte) error {
// Skip dealing with the manifest digest, or reading the old state, if not necessary.
if len(signatures) == 0 {
return nil
}
if d.manifestDigest.String() == "" {
// This shouldnt happen, ImageDestination users are required to call PutManifest before PutSignatures
return errors.Errorf("Unknown manifest digest, can't add signatures")
}
// Because image signatures are a shared resource in Atomic Registry, the default upload
// always adds signatures. Eventually we should also allow removing signatures,
// but the X-Registry-Supports-Signatures API extension does not support that yet.
existingSignatures, err := d.c.getExtensionsSignatures(d.ref, d.manifestDigest)
if err != nil {
return err
}
existingSigNames := map[string]struct{}{}
for _, sig := range existingSignatures.Signatures {
existingSigNames[sig.Name] = struct{}{}
}
sigExists:
for _, newSig := range signatures {
for _, existingSig := range existingSignatures.Signatures {
if existingSig.Version == extensionSignatureSchemaVersion && existingSig.Type == extensionSignatureTypeAtomic && bytes.Equal(existingSig.Content, newSig) {
continue sigExists
}
}
// The API expect us to invent a new unique name. This is racy, but hopefully good enough.
var signatureName string
for {
randBytes := make([]byte, 16)
n, err := rand.Read(randBytes)
if err != nil || n != 16 {
return errors.Wrapf(err, "Error generating random signature len %d", n)
}
signatureName = fmt.Sprintf("%s@%032x", d.manifestDigest.String(), randBytes)
if _, ok := existingSigNames[signatureName]; !ok {
break
}
}
sig := extensionSignature{
Version: extensionSignatureSchemaVersion,
Name: signatureName,
Type: extensionSignatureTypeAtomic,
Content: newSig,
}
body, err := json.Marshal(sig)
if err != nil {
return err
}
path := fmt.Sprintf(extensionsSignaturePath, reference.Path(d.ref.ref), d.manifestDigest.String())
res, err := d.c.makeRequest("PUT", path, nil, bytes.NewReader(body))
if err != nil {
return err
}
defer res.Body.Close()
if res.StatusCode != http.StatusCreated {
body, err := ioutil.ReadAll(res.Body)
if err == nil {
logrus.Debugf("Error body %s", string(body))
}
logrus.Debugf("Error uploading signature, status %d, %#v", res.StatusCode, res)
return errors.Errorf("Error uploading signature to %s, status %d", path, res.StatusCode)
}
}
return nil
}
// Commit marks the process of storing the image as successful and asks for the image to be persisted. // Commit marks the process of storing the image as successful and asks for the image to be persisted.
// WARNING: This does not have any transactional semantics: // WARNING: This does not have any transactional semantics:
// - Uploaded data MAY be visible to others before Commit() is called // - Uploaded data MAY be visible to others before Commit() is called

View file

@ -93,10 +93,10 @@ func (s *dockerImageSource) GetManifest() ([]byte, string, error) {
} }
func (s *dockerImageSource) fetchManifest(tagOrDigest string) ([]byte, string, error) { func (s *dockerImageSource) fetchManifest(tagOrDigest string) ([]byte, string, error) {
url := fmt.Sprintf(manifestURL, reference.Path(s.ref.ref), tagOrDigest) path := fmt.Sprintf(manifestPath, reference.Path(s.ref.ref), tagOrDigest)
headers := make(map[string][]string) headers := make(map[string][]string)
headers["Accept"] = s.requestedManifestMIMETypes headers["Accept"] = s.requestedManifestMIMETypes
res, err := s.c.makeRequest("GET", url, headers, nil) res, err := s.c.makeRequest("GET", path, headers, nil)
if err != nil { if err != nil {
return nil, "", err return nil, "", err
} }
@ -179,9 +179,9 @@ func (s *dockerImageSource) GetBlob(info types.BlobInfo) (io.ReadCloser, int64,
return s.getExternalBlob(info.URLs) return s.getExternalBlob(info.URLs)
} }
url := fmt.Sprintf(blobsURL, reference.Path(s.ref.ref), info.Digest.String()) path := fmt.Sprintf(blobsPath, reference.Path(s.ref.ref), info.Digest.String())
logrus.Debugf("Downloading %s", url) logrus.Debugf("Downloading %s", path)
res, err := s.c.makeRequest("GET", url, nil, nil) res, err := s.c.makeRequest("GET", path, nil, nil)
if err != nil { if err != nil {
return nil, 0, err return nil, 0, err
} }
@ -193,10 +193,22 @@ func (s *dockerImageSource) GetBlob(info types.BlobInfo) (io.ReadCloser, int64,
} }
func (s *dockerImageSource) GetSignatures() ([][]byte, error) { func (s *dockerImageSource) GetSignatures() ([][]byte, error) {
if s.c.signatureBase == nil { // Skip dealing with the manifest digest if not necessary. if err := s.c.detectProperties(); err != nil {
return nil, err
}
switch {
case s.c.signatureBase != nil:
return s.getSignaturesFromLookaside()
case s.c.supportsSignatures:
return s.getSignaturesFromAPIExtension()
default:
return [][]byte{}, nil return [][]byte{}, nil
} }
}
// getSignaturesFromLookaside implements GetSignatures() from the lookaside location configured in s.c.signatureBase,
// which is not nil.
func (s *dockerImageSource) getSignaturesFromLookaside() ([][]byte, error) {
if err := s.ensureManifestIsLoaded(); err != nil { if err := s.ensureManifestIsLoaded(); err != nil {
return nil, err return nil, err
} }
@ -205,6 +217,7 @@ func (s *dockerImageSource) GetSignatures() ([][]byte, error) {
return nil, err return nil, err
} }
// NOTE: Keep this in sync with docs/signature-protocols.md!
signatures := [][]byte{} signatures := [][]byte{}
for i := 0; ; i++ { for i := 0; ; i++ {
url := signatureStorageURL(s.c.signatureBase, manifestDigest, i) url := signatureStorageURL(s.c.signatureBase, manifestDigest, i)
@ -225,6 +238,7 @@ func (s *dockerImageSource) GetSignatures() ([][]byte, error) {
// getOneSignature downloads one signature from url. // getOneSignature downloads one signature from url.
// If it successfully determines that the signature does not exist, returns with missing set to true and error set to nil. // If it successfully determines that the signature does not exist, returns with missing set to true and error set to nil.
// NOTE: Keep this in sync with docs/signature-protocols.md!
func (s *dockerImageSource) getOneSignature(url *url.URL) (signature []byte, missing bool, err error) { func (s *dockerImageSource) getOneSignature(url *url.URL) (signature []byte, missing bool, err error) {
switch url.Scheme { switch url.Scheme {
case "file": case "file":
@ -261,6 +275,30 @@ func (s *dockerImageSource) getOneSignature(url *url.URL) (signature []byte, mis
} }
} }
// getSignaturesFromAPIExtension implements GetSignatures() using the X-Registry-Supports-Signatures API extension.
func (s *dockerImageSource) getSignaturesFromAPIExtension() ([][]byte, error) {
if err := s.ensureManifestIsLoaded(); err != nil {
return nil, err
}
manifestDigest, err := manifest.Digest(s.cachedManifest)
if err != nil {
return nil, err
}
parsedBody, err := s.c.getExtensionsSignatures(s.ref, manifestDigest)
if err != nil {
return nil, err
}
var sigs [][]byte
for _, sig := range parsedBody.Signatures {
if sig.Version == extensionSignatureSchemaVersion && sig.Type == extensionSignatureTypeAtomic {
sigs = append(sigs, sig.Content)
}
}
return sigs, nil
}
// deleteImage deletes the named image from the registry, if supported. // deleteImage deletes the named image from the registry, if supported.
func deleteImage(ctx *types.SystemContext, ref dockerReference) error { func deleteImage(ctx *types.SystemContext, ref dockerReference) error {
c, err := newDockerClient(ctx, ref, true, "push") c, err := newDockerClient(ctx, ref, true, "push")
@ -277,8 +315,8 @@ func deleteImage(ctx *types.SystemContext, ref dockerReference) error {
if err != nil { if err != nil {
return err return err
} }
getURL := fmt.Sprintf(manifestURL, reference.Path(ref.ref), refTail) getPath := fmt.Sprintf(manifestPath, reference.Path(ref.ref), refTail)
get, err := c.makeRequest("GET", getURL, headers, nil) get, err := c.makeRequest("GET", getPath, headers, nil)
if err != nil { if err != nil {
return err return err
} }
@ -296,11 +334,11 @@ func deleteImage(ctx *types.SystemContext, ref dockerReference) error {
} }
digest := get.Header.Get("Docker-Content-Digest") digest := get.Header.Get("Docker-Content-Digest")
deleteURL := fmt.Sprintf(manifestURL, reference.Path(ref.ref), digest) deletePath := fmt.Sprintf(manifestPath, reference.Path(ref.ref), digest)
// When retrieving the digest from a registry >= 2.3 use the following header: // When retrieving the digest from a registry >= 2.3 use the following header:
// "Accept": "application/vnd.docker.distribution.manifest.v2+json" // "Accept": "application/vnd.docker.distribution.manifest.v2+json"
delete, err := c.makeRequest("DELETE", deleteURL, headers, nil) delete, err := c.makeRequest("DELETE", deletePath, headers, nil)
if err != nil { if err != nil {
return err return err
} }
@ -311,7 +349,7 @@ func deleteImage(ctx *types.SystemContext, ref dockerReference) error {
return err return err
} }
if delete.StatusCode != http.StatusAccepted { if delete.StatusCode != http.StatusAccepted {
return errors.Errorf("Failed to delete %v: %s (%v)", deleteURL, string(body), delete.Status) return errors.Errorf("Failed to delete %v: %s (%v)", deletePath, string(body), delete.Status)
} }
if c.signatureBase != nil { if c.signatureBase != nil {

View file

@ -9,12 +9,12 @@ import (
"path/filepath" "path/filepath"
"strings" "strings"
"github.com/Sirupsen/logrus"
"github.com/containers/image/docker/reference"
"github.com/containers/image/types"
"github.com/ghodss/yaml" "github.com/ghodss/yaml"
"github.com/opencontainers/go-digest" "github.com/opencontainers/go-digest"
"github.com/pkg/errors" "github.com/pkg/errors"
"github.com/Sirupsen/logrus"
"github.com/containers/image/types"
) )
// systemRegistriesDirPath is the path to registries.d, used for locating lookaside Docker signature storage. // systemRegistriesDirPath is the path to registries.d, used for locating lookaside Docker signature storage.
@ -63,8 +63,9 @@ func configuredSignatureStorageBase(ctx *types.SystemContext, ref dockerReferenc
if err != nil { if err != nil {
return nil, errors.Wrapf(err, "Invalid signature storage URL %s", topLevel) return nil, errors.Wrapf(err, "Invalid signature storage URL %s", topLevel)
} }
// NOTE: Keep this in sync with docs/signature-protocols.md!
// FIXME? Restrict to explicitly supported schemes? // FIXME? Restrict to explicitly supported schemes?
repo := ref.ref.Name() // Note that this is without a tag or digest. repo := reference.Path(ref.ref) // Note that this is without a tag or digest.
if path.Clean(repo) != repo { // Coverage: This should not be reachable because /./ and /../ components are not valid in docker references if path.Clean(repo) != repo { // Coverage: This should not be reachable because /./ and /../ components are not valid in docker references
return nil, errors.Errorf("Unexpected path elements in Docker reference %s for signature storage", ref.ref.String()) return nil, errors.Errorf("Unexpected path elements in Docker reference %s for signature storage", ref.ref.String())
} }
@ -190,11 +191,12 @@ func (ns registryNamespace) signatureTopLevel(write bool) string {
// signatureStorageURL returns an URL usable for acessing signature index in base with known manifestDigest, or nil if not applicable. // signatureStorageURL returns an URL usable for acessing signature index in base with known manifestDigest, or nil if not applicable.
// Returns nil iff base == nil. // Returns nil iff base == nil.
// NOTE: Keep this in sync with docs/signature-protocols.md!
func signatureStorageURL(base signatureStorageBase, manifestDigest digest.Digest, index int) *url.URL { func signatureStorageURL(base signatureStorageBase, manifestDigest digest.Digest, index int) *url.URL {
if base == nil { if base == nil {
return nil return nil
} }
url := *base url := *base
url.Path = fmt.Sprintf("%s@%s/signature-%d", url.Path, manifestDigest.String(), index+1) url.Path = fmt.Sprintf("%s@%s=%s/signature-%d", url.Path, manifestDigest.Algorithm(), manifestDigest.Hex(), index+1)
return &url return &url
} }

View file

@ -46,7 +46,7 @@ func TestConfiguredSignatureStorageBase(t *testing.T) {
dockerRefFromString(t, "//example.com/my/project"), false) dockerRefFromString(t, "//example.com/my/project"), false)
assert.NoError(t, err) assert.NoError(t, err)
require.NotNil(t, base) require.NotNil(t, base)
assert.Equal(t, "https://sigstore.example.com/example.com/my/project", (*url.URL)(base).String()) assert.Equal(t, "https://sigstore.example.com/my/project", (*url.URL)(base).String())
} }
func TestRegistriesDirPath(t *testing.T) { func TestRegistriesDirPath(t *testing.T) {
@ -252,26 +252,27 @@ func TestRegistryNamespaceSignatureTopLevel(t *testing.T) {
} }
func TestSignatureStorageBaseSignatureStorageURL(t *testing.T) { func TestSignatureStorageBaseSignatureStorageURL(t *testing.T) {
const md = "sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef" const mdInput = "sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
const mdMapped = "sha256=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
assert.True(t, signatureStorageURL(nil, md, 0) == nil) assert.True(t, signatureStorageURL(nil, mdInput, 0) == nil)
for _, c := range []struct { for _, c := range []struct {
base string base string
index int index int
expected string expected string
}{ }{
{"file:///tmp", 0, "file:///tmp@" + md + "/signature-1"}, {"file:///tmp", 0, "file:///tmp@" + mdMapped + "/signature-1"},
{"file:///tmp", 1, "file:///tmp@" + md + "/signature-2"}, {"file:///tmp", 1, "file:///tmp@" + mdMapped + "/signature-2"},
{"https://localhost:5555/root", 0, "https://localhost:5555/root@" + md + "/signature-1"}, {"https://localhost:5555/root", 0, "https://localhost:5555/root@" + mdMapped + "/signature-1"},
{"https://localhost:5555/root", 1, "https://localhost:5555/root@" + md + "/signature-2"}, {"https://localhost:5555/root", 1, "https://localhost:5555/root@" + mdMapped + "/signature-2"},
{"http://localhost:5555/root", 0, "http://localhost:5555/root@" + md + "/signature-1"}, {"http://localhost:5555/root", 0, "http://localhost:5555/root@" + mdMapped + "/signature-1"},
{"http://localhost:5555/root", 1, "http://localhost:5555/root@" + md + "/signature-2"}, {"http://localhost:5555/root", 1, "http://localhost:5555/root@" + mdMapped + "/signature-2"},
} { } {
url, err := url.Parse(c.base) url, err := url.Parse(c.base)
require.NoError(t, err) require.NoError(t, err)
expectedURL, err := url.Parse(c.expected) expectedURL, err := url.Parse(c.expected)
require.NoError(t, err) require.NoError(t, err)
res := signatureStorageURL(url, md, c.index) res := signatureStorageURL(url, mdInput, c.index)
assert.Equal(t, expectedURL, res, c.expected) assert.Equal(t, expectedURL, res, c.expected)
} }
} }

View file

@ -0,0 +1,136 @@
# Signature access protocols
The `github.com/containers/image` library supports signatures implemented as blobs “attached to” an image.
Some image transports (local storage formats and remote procotocols) implement these signatures natively
or trivially; for others, the protocol extensions described below are necessary.
## docker/distribution registries—separate storage
### Usage
Any existing docker/distribution registry, whether or not it natively supports signatures,
can be augmented with separate signature storage by configuring a signature storage URL in [`registries.d`](registries.d.md).
`registries.d` can be configured to use one storage URL for a whole docker/distribution server,
or also separate URLs for smaller namespaces or individual repositories within the server
(which e.g. allows image authors to manage their own signature storage while publishing
the images on the public `docker.io` server).
The signature storage URL defines a root of a path hierarchy.
It can be either a `file:///…` URL, pointing to a local directory structure,
or a `http`/`https` URL, pointing to a remote server.
`file:///` signature storage can be both read and written, `http`/`https` only supports reading.
The same path hierarchy is used in both cases, so the HTTP/HTTPS server can be
a simple static web server serving a directory structure created by writing to a `file:///` signature storage.
(This of course does not prevent other server implementations,
e.g. a HTTP server reading signatures from a database.)
The usual workflow for producing and distributing images using the separate storage mechanism
is to configure the repository in `registries.d` with `sigstore-staging` URL pointing to a private
`file:///` staging area, and a `sigstore` URL pointing to a public web server.
To publish an image, the image author would sign the image as necessary (e.g. using `skopeo copy`),
and then copy the created directory structure from the `file:///` staging area
to a subdirectory of a webroot of the public web server so that they are accessible using the public `sigstore` URL.
The author would also instruct consumers of the image to, or provide a `registries.d` configuration file to,
set up a `sigstore` URL pointing to the public web server.
### Path structure
Given a _base_ signature storage URL configured in `registries.d` as mentioned above,
and a container image stored in a docker/distribution registry using the _fully-expanded_ name
_hostname_`/`_namespaces_`/`_name_{`@`_digest_,`:`_tag_} (e.g. for `docker.io/library/busybox:latest`,
_namespaces_ is `library`, even if the user refers to the image using the shorter syntax as `busybox:latest`),
signatures are accessed using URLs of the form
> _base_`/`_namespaces_`/`_name_`@`_digest-algo_`=`_digest-value_`/signature-`_index_
where _digest-algo_`:`_digest-value_ is a manifest digest usable for referencing the relevant image manifest
(i.e. even if the user referenced the image using a tag,
the signature storage is always disambiguated using digest references).
Note that in the URLs used for signatures,
_digest-algo_ and _digest-value_ are separated using the `=` character,
not `:` like when acessing the manifest using the docker/distribution API.
Within the URL, _index_ is a decimal integer (in the canonical form), starting with 1.
Signatures are stored at URLs with successive _index_ values; to read all of them, start with _index_=1,
and continue reading signatures and increasing _index_ as long as signatures with these _index_ values exist.
Similarly, to add one more signature to an image, find the first _index_ which does not exist, and
then store the new signature using that _index_ value.
There is no way to list existing signatures other than iterating through the successive _index_ values,
and no way to download all of the signatures at once.
### Examples
For a docker/distribution image available as `busybox@sha256:817a12c32a39bbe394944ba49de563e085f1d3c5266eb8e9723256bc4448680e`
(or as `busybox:latest` if the `latest` tag points to to a manifest with the same digest),
and with a `registries.d` configuration specifying a `sigstore` URL `https://example.com/sigstore` for the same image,
the following URLs would be accessed to download all signatures:
> - `https://example.com/sigstore/library/busybox@sha256=817a12c32a39bbe394944ba49de563e085f1d3c5266eb8e9723256bc4448680e/signature-1`
> - `https://example.com/sigstore/library/busybox@sha256=817a12c32a39bbe394944ba49de563e085f1d3c5266eb8e9723256bc4448680e/signature-2`
> - …
For a docker/distribution image available as `example.com/ns1/ns2/ns3/repo@somedigest:digestvalue` and the same
`sigstore` URL, the signatures would be available at
> `https://example.com/sigstore/ns1/ns2/ns3/repo@somedigest=digestvalue/signature-1`
and so on.
## (OpenShift) docker/distribution API extension
As of https://github.com/openshift/origin/pull/12504/ , the OpenShift-embedded registry also provides
an extension of the docker/distribution API which allows simpler access to the signatures,
using only the docker/distribution API endpoint.
This API is not inherently OpenShift-specific (e.g. the client does not need to know the OpenShift API endpoint,
and credentials sufficient to access the docker/distribution API server are sufficient to access signatures as well),
and it is the preferred way implement signature storage in registries.
See https://github.com/openshift/openshift-docs/pull/3556 for the upstream documentation of the API.
To read the signature, any user with access to an image can use the `/extensions/v2/…/signatures/…`
path to read an array of signatures. Use only the signature objects
which have `version` equal to `2`, `type` equal to `atomic`, and read the signature from `content`;
ignore the other fields of the signature object.
To add a single signature, `PUT` a new object with `version` set to `2`, `type` set to `atomic`,
and `content` set to the signature. Also set `name` to an unique name with the form
_digest_`@`_per-image-name_, where _digest_ is an image manifest digest (also used in the URL),
and _per-image-name_ is any unique identifier.
To add more than one signature, add them one at a time. This API does not allow deleting signatures.
Note that because signatures are stored within the cluster-wide image objects,
i.e. different namespaces can not associate different sets of signatures to the same image,
updating signatures requires a cluster-wide access to the `imagesignatures` resource
(by default available to the `system:image-signer` role),
## OpenShift-embedded registries
The OpenShift-embedded registry implements the ordinary docker/distribution API,
and it also exposes images through the OpenShift REST API (available through the “API master” servers).
Note: OpenShift versions 1.5 and later support the above-described [docker/distribution API extension](#openshift-dockerdistribution-api-extension),
which is easier to set up and should usually be preferred.
Continue reading for details on using older versions of OpenShift.
As of https://github.com/openshift/origin/pull/9181,
signatures are exposed through the OpenShift API
(i.e. to access the complete image, it is necessary to use both APIs,
in particular to know the URLs for both the docker/distribution and the OpenShift API master endpoints).
To read the signature, any user with access to an image can use the `imagestreamimages` namespaced
resource to read an `Image` object and its `Signatures` array. Use only the `ImageSignature` objects
which have `Type` equal to `atomic`, and read the signature from `Content`; ignore the other fields of
the `ImageSignature` object.
To add or remove signatures, use the cluster-wide (non-namespaced) `imagesignatures` resource,
with `Type` set to `atomic` and `Content` set to the signature. Signature names must have the form
_digest_`@`_per-image-name_, where _digest_ is an image manifest digest (OpenShift “image name”),
and _per-image-name_ is any unique identifier.
Note that because signatures are stored within the cluster-wide image objects,
i.e. different namespaces can not associate different sets of signatures to the same image,
updating signatures requires a cluster-wide access to the `imagesignatures` resource
(by default available to the `system:image-signer` role),
and deleting signatures is strongly discouraged
(it deletes the signature from all namespaces which contain the same image).

View file

@ -10,6 +10,7 @@ import (
"github.com/containers/image/manifest" "github.com/containers/image/manifest"
"github.com/containers/image/types" "github.com/containers/image/types"
"github.com/opencontainers/go-digest" "github.com/opencontainers/go-digest"
imgspecv1 "github.com/opencontainers/image-spec/specs-go/v1"
"github.com/pkg/errors" "github.com/pkg/errors"
) )
@ -112,6 +113,17 @@ func (m *manifestSchema1) ConfigBlob() ([]byte, error) {
return nil, nil return nil, nil
} }
// OCIConfig returns the image configuration as per OCI v1 image-spec. Information about
// layers in the resulting configuration isn't guaranteed to be returned to due how
// old image manifests work (docker v2s1 especially).
func (m *manifestSchema1) OCIConfig() (*imgspecv1.Image, error) {
v2s2, err := m.convertToManifestSchema2(nil, nil)
if err != nil {
return nil, err
}
return v2s2.OCIConfig()
}
// LayerInfos returns a list of BlobInfos of layers referenced by this image, in order (the root layer first, and then successive layered layers). // LayerInfos returns a list of BlobInfos of layers referenced by this image, in order (the root layer first, and then successive layered layers).
// The Digest field is guaranteed to be provided; Size may be -1. // The Digest field is guaranteed to be provided; Size may be -1.
// WARNING: The list may contain duplicates, and they are semantically relevant. // WARNING: The list may contain duplicates, and they are semantically relevant.
@ -243,10 +255,10 @@ func (m *manifestSchema1) convertToManifestSchema2(uploadedLayerInfos []types.Bl
if len(m.History) != len(m.FSLayers) { if len(m.History) != len(m.FSLayers) {
return nil, errors.Errorf("Inconsistent schema 1 manifest: %d history entries, %d fsLayers entries", len(m.History), len(m.FSLayers)) return nil, errors.Errorf("Inconsistent schema 1 manifest: %d history entries, %d fsLayers entries", len(m.History), len(m.FSLayers))
} }
if len(uploadedLayerInfos) != len(m.FSLayers) { if uploadedLayerInfos != nil && len(uploadedLayerInfos) != len(m.FSLayers) {
return nil, errors.Errorf("Internal error: uploaded %d blobs, but schema1 manifest has %d fsLayers", len(uploadedLayerInfos), len(m.FSLayers)) return nil, errors.Errorf("Internal error: uploaded %d blobs, but schema1 manifest has %d fsLayers", len(uploadedLayerInfos), len(m.FSLayers))
} }
if len(layerDiffIDs) != len(m.FSLayers) { if layerDiffIDs != nil && len(layerDiffIDs) != len(m.FSLayers) {
return nil, errors.Errorf("Internal error: collected %d DiffID values, but schema1 manifest has %d fsLayers", len(layerDiffIDs), len(m.FSLayers)) return nil, errors.Errorf("Internal error: collected %d DiffID values, but schema1 manifest has %d fsLayers", len(layerDiffIDs), len(m.FSLayers))
} }
@ -273,12 +285,20 @@ func (m *manifestSchema1) convertToManifestSchema2(uploadedLayerInfos []types.Bl
} }
if !v1compat.ThrowAway { if !v1compat.ThrowAway {
var size int64
if uploadedLayerInfos != nil {
size = uploadedLayerInfos[v2Index].Size
}
var d digest.Digest
if layerDiffIDs != nil {
d = layerDiffIDs[v2Index]
}
layers = append(layers, descriptor{ layers = append(layers, descriptor{
MediaType: "application/vnd.docker.image.rootfs.diff.tar.gzip", MediaType: "application/vnd.docker.image.rootfs.diff.tar.gzip",
Size: uploadedLayerInfos[v2Index].Size, Size: size,
Digest: m.FSLayers[v1Index].BlobSum, Digest: m.FSLayers[v1Index].BlobSum,
}) })
rootFS.DiffIDs = append(rootFS.DiffIDs, layerDiffIDs[v2Index]) rootFS.DiffIDs = append(rootFS.DiffIDs, d)
} }
} }
configJSON, err := configJSONFromV1Config([]byte(m.History[0].V1Compatibility), rootFS, history) configJSON, err := configJSONFromV1Config([]byte(m.History[0].V1Compatibility), rootFS, history)

View file

@ -0,0 +1,26 @@
package image
import (
"io/ioutil"
"path/filepath"
"testing"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
)
func manifestSchema1FromFixture(t *testing.T, fixture string) genericManifest {
manifest, err := ioutil.ReadFile(filepath.Join("fixtures", fixture))
require.NoError(t, err)
m, err := manifestSchema1FromManifest(manifest)
require.NoError(t, err)
return m
}
func TestManifestSchema1ToOCIConfig(t *testing.T) {
m := manifestSchema1FromFixture(t, "schema1-to-oci-config.json")
configOCI, err := m.OCIConfig()
require.NoError(t, err)
assert.Equal(t, "/pause", configOCI.Config.Entrypoint[0])
}

View file

@ -78,6 +78,24 @@ func (m *manifestSchema2) ConfigInfo() types.BlobInfo {
return types.BlobInfo{Digest: m.ConfigDescriptor.Digest, Size: m.ConfigDescriptor.Size} return types.BlobInfo{Digest: m.ConfigDescriptor.Digest, Size: m.ConfigDescriptor.Size}
} }
// OCIConfig returns the image configuration as per OCI v1 image-spec. Information about
// layers in the resulting configuration isn't guaranteed to be returned to due how
// old image manifests work (docker v2s1 especially).
func (m *manifestSchema2) OCIConfig() (*imgspecv1.Image, error) {
configBlob, err := m.ConfigBlob()
if err != nil {
return nil, err
}
// docker v2s2 and OCI v1 are mostly compatible but v2s2 contains more fields
// than OCI v1. This unmarshal makes sure we drop docker v2s2
// fields that aren't needed in OCI v1.
configOCI := &imgspecv1.Image{}
if err := json.Unmarshal(configBlob, configOCI); err != nil {
return nil, err
}
return configOCI, nil
}
// ConfigBlob returns the blob described by ConfigInfo, iff ConfigInfo().Digest != ""; nil otherwise. // ConfigBlob returns the blob described by ConfigInfo, iff ConfigInfo().Digest != ""; nil otherwise.
// The result is cached; it is OK to call this however often you need. // The result is cached; it is OK to call this however often you need.
func (m *manifestSchema2) ConfigBlob() ([]byte, error) { func (m *manifestSchema2) ConfigBlob() ([]byte, error) {
@ -177,17 +195,10 @@ func (m *manifestSchema2) UpdatedImage(options types.ManifestUpdateOptions) (typ
} }
func (m *manifestSchema2) convertToManifestOCI1() (types.Image, error) { func (m *manifestSchema2) convertToManifestOCI1() (types.Image, error) {
configBlob, err := m.ConfigBlob() configOCI, err := m.OCIConfig()
if err != nil { if err != nil {
return nil, err return nil, err
} }
// docker v2s2 and OCI v1 are mostly compatible but v2s2 contains more fields
// than OCI v1. This unmarshal, then re-marshal makes sure we drop docker v2s2
// fields that aren't needed in OCI v1.
configOCI := &imgspecv1.Image{}
if err := json.Unmarshal(configBlob, configOCI); err != nil {
return nil, err
}
configOCIBytes, err := json.Marshal(configOCI) configOCIBytes, err := json.Marshal(configOCI)
if err != nil { if err != nil {
return nil, err return nil, err

View file

@ -0,0 +1,29 @@
{
"schemaVersion": 1,
"name": "google_containers/pause-amd64",
"tag": "3.0",
"architecture": "amd64",
"fsLayers": [
{
"blobSum": "sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4"
},
{
"blobSum": "sha256:f112334343777b75be77ec1f835e3bbbe7d7bd46e27b6a2ae35c6b3cfea0987c"
},
{
"blobSum": "sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4"
}
],
"history": [
{
"v1Compatibility": "{\"id\":\"bb497e16a2d55195649174d1fadac52b00fa2c14124d73009712606909286bc5\",\"parent\":\"f8e2eec424cf985b4e41d6423991433fb7a93c90f9acc73a5e7bee213b789c52\",\"created\":\"2016-05-04T06:26:41.522308365Z\",\"container\":\"a9873535145fe72b464d3055efbac36aab70d059914e221cbbd7fe3cac53ef6b\",\"container_config\":{\"Hostname\":\"95722352e41d\",\"Domainname\":\"\",\"User\":\"\",\"AttachStdin\":false,\"AttachStdout\":false,\"AttachStderr\":false,\"Tty\":false,\"OpenStdin\":false,\"StdinOnce\":false,\"Env\":null,\"Cmd\":[\"/bin/sh\",\"-c\",\"#(nop) ENTRYPOINT \\u0026{[\\\"/pause\\\"]}\"],\"Image\":\"f8e2eec424cf985b4e41d6423991433fb7a93c90f9acc73a5e7bee213b789c52\",\"Volumes\":null,\"WorkingDir\":\"\",\"Entrypoint\":[\"/pause\"],\"OnBuild\":null,\"Labels\":{}},\"docker_version\":\"1.9.1\",\"config\":{\"Hostname\":\"95722352e41d\",\"Domainname\":\"\",\"User\":\"\",\"AttachStdin\":false,\"AttachStdout\":false,\"AttachStderr\":false,\"Tty\":false,\"OpenStdin\":false,\"StdinOnce\":false,\"Env\":null,\"Cmd\":null,\"Image\":\"f8e2eec424cf985b4e41d6423991433fb7a93c90f9acc73a5e7bee213b789c52\",\"Volumes\":null,\"WorkingDir\":\"\",\"Entrypoint\":[\"/pause\"],\"OnBuild\":null,\"Labels\":{}},\"architecture\":\"amd64\",\"os\":\"linux\"}"
},
{
"v1Compatibility": "{\"id\":\"f8e2eec424cf985b4e41d6423991433fb7a93c90f9acc73a5e7bee213b789c52\",\"parent\":\"bdb43c586e887b513a056722b50553727b255e3a3d9166f318632d4209963464\",\"created\":\"2016-05-04T06:26:41.091672218Z\",\"container\":\"e1b38778b023f25642273ed9e7f4846b4bf38b22a8b55755880b2e6ab6019811\",\"container_config\":{\"Hostname\":\"95722352e41d\",\"Domainname\":\"\",\"User\":\"\",\"AttachStdin\":false,\"AttachStdout\":false,\"AttachStderr\":false,\"Tty\":false,\"OpenStdin\":false,\"StdinOnce\":false,\"Env\":null,\"Cmd\":[\"/bin/sh\",\"-c\",\"#(nop) ADD file:b7eb6a5df9d5fbe509cac16ed89f8d6513a4362017184b14c6a5fae151eee5c5 in /pause\"],\"Image\":\"bdb43c586e887b513a056722b50553727b255e3a3d9166f318632d4209963464\",\"Volumes\":null,\"WorkingDir\":\"\",\"Entrypoint\":null,\"OnBuild\":null,\"Labels\":{}},\"docker_version\":\"1.9.1\",\"config\":{\"Hostname\":\"95722352e41d\",\"Domainname\":\"\",\"User\":\"\",\"AttachStdin\":false,\"AttachStdout\":false,\"AttachStderr\":false,\"Tty\":false,\"OpenStdin\":false,\"StdinOnce\":false,\"Env\":null,\"Cmd\":null,\"Image\":\"bdb43c586e887b513a056722b50553727b255e3a3d9166f318632d4209963464\",\"Volumes\":null,\"WorkingDir\":\"\",\"Entrypoint\":null,\"OnBuild\":null,\"Labels\":{}},\"architecture\":\"amd64\",\"os\":\"linux\",\"Size\":746888}"
},
{
"v1Compatibility": "{\"id\":\"bdb43c586e887b513a056722b50553727b255e3a3d9166f318632d4209963464\",\"created\":\"2016-05-04T06:26:40.628395649Z\",\"container\":\"95722352e41d57660259fbede4413d06889a28eb07a7302d2a7b3f9c71ceaa46\",\"container_config\":{\"Hostname\":\"95722352e41d\",\"Domainname\":\"\",\"User\":\"\",\"AttachStdin\":false,\"AttachStdout\":false,\"AttachStderr\":false,\"Tty\":false,\"OpenStdin\":false,\"StdinOnce\":false,\"Env\":null,\"Cmd\":[\"/bin/sh\",\"-c\",\"#(nop) ARG ARCH\"],\"Image\":\"\",\"Volumes\":null,\"WorkingDir\":\"\",\"Entrypoint\":null,\"OnBuild\":null,\"Labels\":null},\"docker_version\":\"1.9.1\",\"config\":{\"Hostname\":\"95722352e41d\",\"Domainname\":\"\",\"User\":\"\",\"AttachStdin\":false,\"AttachStdout\":false,\"AttachStderr\":false,\"Tty\":false,\"OpenStdin\":false,\"StdinOnce\":false,\"Env\":null,\"Cmd\":null,\"Image\":\"\",\"Volumes\":null,\"WorkingDir\":\"\",\"Entrypoint\":null,\"OnBuild\":null,\"Labels\":null},\"architecture\":\"amd64\",\"os\":\"linux\"}"
}
],"signatures":[{"header":{"alg":"ES256","jwk":{"crv":"P-256","kid":"ORN4:M47W:3KP3:TZRZ:C3UF:5MFQ:INZV:TCMY:LHNV:EYQU:IRGJ:IJLJ","kty":"EC","x":"yJ0ZQ19NBZUQn8LV60sFEabhlgky9svozfK0VGVou7Y","y":"gOJScOkkLVY1f8aAx-6XXpVM5rJaDYLkCNJ1dvcQGMs"}},"protected":"eyJmb3JtYXRMZW5ndGgiOjQxMzMsImZvcm1hdFRhaWwiOiJDbjAiLCJ0aW1lIjoiMjAxNi0wNS0wNFQwNjoyODo1MVoifQ","signature":"77_7DVx1IZ3PiKNnO7QnvoF7Sgik4GI4bnlVJdtQW461dSyYzd-nSdBmky8Jew3InEW8Cuv_t5w4GmOSwXvL7g"}]
}

View file

@ -64,6 +64,10 @@ type genericManifest interface {
// ConfigBlob returns the blob described by ConfigInfo, iff ConfigInfo().Digest != ""; nil otherwise. // ConfigBlob returns the blob described by ConfigInfo, iff ConfigInfo().Digest != ""; nil otherwise.
// The result is cached; it is OK to call this however often you need. // The result is cached; it is OK to call this however often you need.
ConfigBlob() ([]byte, error) ConfigBlob() ([]byte, error)
// OCIConfig returns the image configuration as per OCI v1 image-spec. Information about
// layers in the resulting configuration isn't guaranteed to be returned to due how
// old image manifests work (docker v2s1 especially).
OCIConfig() (*imgspecv1.Image, error)
// LayerInfos returns a list of BlobInfos of layers referenced by this image, in order (the root layer first, and then successive layered layers). // LayerInfos returns a list of BlobInfos of layers referenced by this image, in order (the root layer first, and then successive layered layers).
// The Digest field is guaranteed to be provided; Size may be -1. // The Digest field is guaranteed to be provided; Size may be -1.
// WARNING: The list may contain duplicates, and they are semantically relevant. // WARNING: The list may contain duplicates, and they are semantically relevant.

View file

@ -81,6 +81,21 @@ func (m *manifestOCI1) ConfigBlob() ([]byte, error) {
return m.configBlob, nil return m.configBlob, nil
} }
// OCIConfig returns the image configuration as per OCI v1 image-spec. Information about
// layers in the resulting configuration isn't guaranteed to be returned to due how
// old image manifests work (docker v2s1 especially).
func (m *manifestOCI1) OCIConfig() (*imgspecv1.Image, error) {
cb, err := m.ConfigBlob()
if err != nil {
return nil, err
}
configOCI := &imgspecv1.Image{}
if err := json.Unmarshal(cb, configOCI); err != nil {
return nil, err
}
return configOCI, nil
}
// LayerInfos returns a list of BlobInfos of layers referenced by this image, in order (the root layer first, and then successive layered layers). // LayerInfos returns a list of BlobInfos of layers referenced by this image, in order (the root layer first, and then successive layered layers).
// The Digest field is guaranteed to be provided; Size may be -1. // The Digest field is guaranteed to be provided; Size may be -1.
// WARNING: The list may contain duplicates, and they are semantically relevant. // WARNING: The list may contain duplicates, and they are semantically relevant.

View file

@ -112,6 +112,10 @@ func (d *ociImageDestination) PutBlob(stream io.Reader, inputInfo types.BlobInfo
return types.BlobInfo{Digest: computedDigest, Size: size}, nil return types.BlobInfo{Digest: computedDigest, Size: size}, nil
} }
// HasBlob returns true iff the image destination already contains a blob with the matching digest which can be reapplied using ReapplyBlob.
// Unlike PutBlob, the digest can not be empty. If HasBlob returns true, the size of the blob must also be returned.
// If the destination does not contain the blob, or it is unknown, HasBlob ordinarily returns (false, -1, nil);
// it returns a non-nil error only on an unexpected failure.
func (d *ociImageDestination) HasBlob(info types.BlobInfo) (bool, int64, error) { func (d *ociImageDestination) HasBlob(info types.BlobInfo) (bool, int64, error) {
if info.Digest == "" { if info.Digest == "" {
return false, -1, errors.Errorf(`"Can not check for a blob with unknown digest`) return false, -1, errors.Errorf(`"Can not check for a blob with unknown digest`)
@ -122,7 +126,7 @@ func (d *ociImageDestination) HasBlob(info types.BlobInfo) (bool, int64, error)
} }
finfo, err := os.Stat(blobPath) finfo, err := os.Stat(blobPath)
if err != nil && os.IsNotExist(err) { if err != nil && os.IsNotExist(err) {
return false, -1, types.ErrBlobNotFound return false, -1, nil
} }
if err != nil { if err != nil {
return false, -1, err return false, -1, err

View file

@ -371,6 +371,10 @@ func (d *openshiftImageDestination) PutBlob(stream io.Reader, inputInfo types.Bl
return d.docker.PutBlob(stream, inputInfo) return d.docker.PutBlob(stream, inputInfo)
} }
// HasBlob returns true iff the image destination already contains a blob with the matching digest which can be reapplied using ReapplyBlob.
// Unlike PutBlob, the digest can not be empty. If HasBlob returns true, the size of the blob must also be returned.
// If the destination does not contain the blob, or it is unknown, HasBlob ordinarily returns (false, -1, nil);
// it returns a non-nil error only on an unexpected failure.
func (d *openshiftImageDestination) HasBlob(info types.BlobInfo) (bool, int64, error) { func (d *openshiftImageDestination) HasBlob(info types.BlobInfo) (bool, int64, error) {
return d.docker.HasBlob(info) return d.docker.HasBlob(info)
} }

View file

@ -11,6 +11,12 @@ import (
func TestSignDockerManifest(t *testing.T) { func TestSignDockerManifest(t *testing.T) {
mech, err := newGPGSigningMechanismInDirectory(testGPGHomeDirectory) mech, err := newGPGSigningMechanismInDirectory(testGPGHomeDirectory)
require.NoError(t, err) require.NoError(t, err)
defer mech.Close()
if err := mech.SupportsSigning(); err != nil {
t.Skipf("Signing not supported: %v", err)
}
manifest, err := ioutil.ReadFile("fixtures/image.manifest.json") manifest, err := ioutil.ReadFile("fixtures/image.manifest.json")
require.NoError(t, err) require.NoError(t, err)
@ -41,6 +47,7 @@ func TestSignDockerManifest(t *testing.T) {
func TestVerifyDockerManifestSignature(t *testing.T) { func TestVerifyDockerManifestSignature(t *testing.T) {
mech, err := newGPGSigningMechanismInDirectory(testGPGHomeDirectory) mech, err := newGPGSigningMechanismInDirectory(testGPGHomeDirectory)
require.NoError(t, err) require.NoError(t, err)
defer mech.Close()
manifest, err := ioutil.ReadFile("fixtures/image.manifest.json") manifest, err := ioutil.ReadFile("fixtures/image.manifest.json")
require.NoError(t, err) require.NoError(t, err)
signature, err := ioutil.ReadFile("fixtures/image.signature") signature, err := ioutil.ReadFile("fixtures/image.signature")

View file

@ -14,64 +14,6 @@ func (err jsonFormatError) Error() string {
return string(err) return string(err)
} }
// validateExactMapKeys returns an error if the keys of m are not exactly expectedKeys, which must be pairwise distinct
func validateExactMapKeys(m map[string]interface{}, expectedKeys ...string) error {
if len(m) != len(expectedKeys) {
return jsonFormatError("Unexpected keys in a JSON object")
}
for _, k := range expectedKeys {
if _, ok := m[k]; !ok {
return jsonFormatError(fmt.Sprintf("Key %s missing in a JSON object", k))
}
}
// Assuming expectedKeys are pairwise distinct, we know m contains len(expectedKeys) different values in expectedKeys.
return nil
}
// int64Field returns a member fieldName of m, if it is an int64, or an error.
func int64Field(m map[string]interface{}, fieldName string) (int64, error) {
untyped, ok := m[fieldName]
if !ok {
return -1, jsonFormatError(fmt.Sprintf("Field %s missing", fieldName))
}
f, ok := untyped.(float64)
if !ok {
return -1, jsonFormatError(fmt.Sprintf("Field %s is not a number", fieldName))
}
v := int64(f)
if float64(v) != f {
return -1, jsonFormatError(fmt.Sprintf("Field %s is not an integer", fieldName))
}
return v, nil
}
// mapField returns a member fieldName of m, if it is a JSON map, or an error.
func mapField(m map[string]interface{}, fieldName string) (map[string]interface{}, error) {
untyped, ok := m[fieldName]
if !ok {
return nil, jsonFormatError(fmt.Sprintf("Field %s missing", fieldName))
}
v, ok := untyped.(map[string]interface{})
if !ok {
return nil, jsonFormatError(fmt.Sprintf("Field %s is not a JSON object", fieldName))
}
return v, nil
}
// stringField returns a member fieldName of m, if it is a string, or an error.
func stringField(m map[string]interface{}, fieldName string) (string, error) {
untyped, ok := m[fieldName]
if !ok {
return "", jsonFormatError(fmt.Sprintf("Field %s missing", fieldName))
}
v, ok := untyped.(string)
if !ok {
return "", jsonFormatError(fmt.Sprintf("Field %s is not a string", fieldName))
}
return v, nil
}
// paranoidUnmarshalJSONObject unmarshals data as a JSON object, but failing on the slightest unexpected aspect // paranoidUnmarshalJSONObject unmarshals data as a JSON object, but failing on the slightest unexpected aspect
// (including duplicated keys, unrecognized keys, and non-matching types). Uses fieldResolver to // (including duplicated keys, unrecognized keys, and non-matching types). Uses fieldResolver to
// determine the destination for a field value, which should return a pointer to the destination if valid, or nil if the key is rejected. // determine the destination for a field value, which should return a pointer to the destination if valid, or nil if the key is rejected.
@ -122,3 +64,25 @@ func paranoidUnmarshalJSONObject(data []byte, fieldResolver func(string) interfa
} }
return nil return nil
} }
// paranoidUnmarshalJSONObject unmarshals data as a JSON object, but failing on the slightest unexpected aspect
// (including duplicated keys, unrecognized keys, and non-matching types). Each of the fields in exactFields
// must be present exactly once, and none other fields are accepted.
func paranoidUnmarshalJSONObjectExactFields(data []byte, exactFields map[string]interface{}) error {
seenKeys := map[string]struct{}{}
if err := paranoidUnmarshalJSONObject(data, func(key string) interface{} {
if valuePtr, ok := exactFields[key]; ok {
seenKeys[key] = struct{}{}
return valuePtr
}
return nil
}); err != nil {
return err
}
for key := range exactFields {
if _, ok := seenKeys[key]; !ok {
return jsonFormatError(fmt.Sprintf(`Key "%s" missing in a JSON object`, key))
}
}
return nil
}

View file

@ -2,8 +2,6 @@ package signature
import ( import (
"encoding/json" "encoding/json"
"fmt"
"math"
"testing" "testing"
"github.com/stretchr/testify/assert" "github.com/stretchr/testify/assert"
@ -24,91 +22,6 @@ func x(m mSI, fields ...string) mSI {
return m return m
} }
func TestValidateExactMapKeys(t *testing.T) {
// Empty map and keys
err := validateExactMapKeys(mSI{})
assert.NoError(t, err)
// Success
err = validateExactMapKeys(mSI{"a": nil, "b": 1}, "b", "a")
assert.NoError(t, err)
// Extra map keys
err = validateExactMapKeys(mSI{"a": nil, "b": 1}, "a")
assert.Error(t, err)
// Extra expected keys
err = validateExactMapKeys(mSI{"a": 1}, "b", "a")
assert.Error(t, err)
// Unexpected key values
err = validateExactMapKeys(mSI{"a": 1}, "b")
assert.Error(t, err)
}
func TestInt64Field(t *testing.T) {
// Field not found
_, err := int64Field(mSI{"a": "x"}, "b")
assert.Error(t, err)
// Field has a wrong type
_, err = int64Field(mSI{"a": "string"}, "a")
assert.Error(t, err)
for _, value := range []float64{
0.5, // Fractional input
math.Inf(1), // Infinity
math.NaN(), // NaN
} {
_, err = int64Field(mSI{"a": value}, "a")
assert.Error(t, err, fmt.Sprintf("%f", value))
}
// Success
// The float64 type has 53 bits of effective precision, so ±1FFFFFFFFFFFFF is the
// range of integer values which can all be represented exactly (beyond that,
// some are representable if they are divisible by a high enough power of 2,
// but most are not).
for _, value := range []int64{0, 1, -1, 0x1FFFFFFFFFFFFF, -0x1FFFFFFFFFFFFF} {
testName := fmt.Sprintf("%d", value)
v, err := int64Field(mSI{"a": float64(value), "b": nil}, "a")
require.NoError(t, err, testName)
assert.Equal(t, value, v, testName)
}
}
func TestMapField(t *testing.T) {
// Field not found
_, err := mapField(mSI{"a": mSI{}}, "b")
assert.Error(t, err)
// Field has a wrong type
_, err = mapField(mSI{"a": 1}, "a")
assert.Error(t, err)
// Success
// FIXME? We can't use mSI as the type of child, that type apparently can't be converted to the raw map type.
child := map[string]interface{}{"b": mSI{}}
m, err := mapField(mSI{"a": child, "b": nil}, "a")
require.NoError(t, err)
assert.Equal(t, child, m)
}
func TestStringField(t *testing.T) {
// Field not found
_, err := stringField(mSI{"a": "x"}, "b")
assert.Error(t, err)
// Field has a wrong type
_, err = stringField(mSI{"a": 1}, "a")
assert.Error(t, err)
// Success
s, err := stringField(mSI{"a": "x", "b": nil}, "a")
require.NoError(t, err)
assert.Equal(t, "x", s)
}
// implementsUnmarshalJSON is a minimalistic type used to detect that // implementsUnmarshalJSON is a minimalistic type used to detect that
// paranoidUnmarshalJSONObject uses the json.Unmarshaler interface of resolved // paranoidUnmarshalJSONObject uses the json.Unmarshaler interface of resolved
// pointers. // pointers.
@ -180,3 +93,45 @@ func TestParanoidUnmarshalJSONObject(t *testing.T) {
assert.Error(t, err, input) assert.Error(t, err, input)
} }
} }
func TestParanoidUnmarshalJSONObjectExactFields(t *testing.T) {
var stringValue string
var float64Value float64
var rawValue json.RawMessage
var unmarshallCalled implementsUnmarshalJSON
exactFields := map[string]interface{}{
"string": &stringValue,
"float64": &float64Value,
"raw": &rawValue,
"unmarshaller": &unmarshallCalled,
}
// Empty object
err := paranoidUnmarshalJSONObjectExactFields([]byte(`{}`), map[string]interface{}{})
require.NoError(t, err)
// Success
err = paranoidUnmarshalJSONObjectExactFields([]byte(`{"string": "a", "float64": 3.5, "raw": {"a":"b"}, "unmarshaller": true}`), exactFields)
require.NoError(t, err)
assert.Equal(t, "a", stringValue)
assert.Equal(t, 3.5, float64Value)
assert.Equal(t, json.RawMessage(`{"a":"b"}`), rawValue)
assert.Equal(t, implementsUnmarshalJSON(true), unmarshallCalled)
// Various kinds of invalid input
for _, input := range []string{
``, // Empty input
`&`, // Entirely invalid JSON
`1`, // Not an object
`{&}`, // Invalid key JSON
`{1:1}`, // Key not a string
`{"string": "a", "string": "a", "float64": 3.5, "raw": {"a":"b"}, "unmarshaller": true}`, // Duplicate key
`{"string": "a", "float64": 3.5, "raw": {"a":"b"}, "unmarshaller": true, "thisisunknown", 1}`, // Unknown key
`{"string": &, "float64": 3.5, "raw": {"a":"b"}, "unmarshaller": true}`, // Invalid value JSON
`{"string": 1, "float64": 3.5, "raw": {"a":"b"}, "unmarshaller": true}`, // Type mismatch
`{"string": "a", "float64": 3.5, "raw": {"a":"b"}, "unmarshaller": true}{}`, // Extra data after object
} {
err := paranoidUnmarshalJSONObjectExactFields([]byte(input), exactFields)
assert.Error(t, err, input)
}
}

View file

@ -9,19 +9,20 @@ import (
"io/ioutil" "io/ioutil"
"strings" "strings"
"github.com/mtrmac/gpgme"
"golang.org/x/crypto/openpgp" "golang.org/x/crypto/openpgp"
) )
// SigningMechanism abstracts a way to sign binary blobs and verify their signatures. // SigningMechanism abstracts a way to sign binary blobs and verify their signatures.
// Each mechanism should eventually be closed by calling Close().
// FIXME: Eventually expand on keyIdentity (namespace them between mechanisms to // FIXME: Eventually expand on keyIdentity (namespace them between mechanisms to
// eliminate ambiguities, support CA signatures and perhaps other key properties) // eliminate ambiguities, support CA signatures and perhaps other key properties)
type SigningMechanism interface { type SigningMechanism interface {
// ImportKeysFromBytes imports public keys from the supplied blob and returns their identities. // Close removes resources associated with the mechanism, if any.
// The blob is assumed to have an appropriate format (the caller is expected to know which one). Close() error
// NOTE: This may modify long-term state (e.g. key storage in a directory underlying the mechanism). // SupportsSigning returns nil if the mechanism supports signing, or a SigningNotSupportedError.
ImportKeysFromBytes(blob []byte) ([]string, error) SupportsSigning() error
// Sign creates a (non-detached) signature of input using keyidentity // Sign creates a (non-detached) signature of input using keyIdentity.
// Fails with a SigningNotSupportedError if the mechanism does not support signing.
Sign(input []byte, keyIdentity string) ([]byte, error) Sign(input []byte, keyIdentity string) ([]byte, error)
// Verify parses unverifiedSignature and returns the content and the signer's identity // Verify parses unverifiedSignature and returns the content and the signer's identity
Verify(unverifiedSignature []byte) (contents []byte, keyIdentity string, err error) Verify(unverifiedSignature []byte) (contents []byte, keyIdentity string, err error)
@ -33,109 +34,34 @@ type SigningMechanism interface {
UntrustedSignatureContents(untrustedSignature []byte) (untrustedContents []byte, shortKeyIdentifier string, err error) UntrustedSignatureContents(untrustedSignature []byte) (untrustedContents []byte, shortKeyIdentifier string, err error)
} }
// A GPG/OpenPGP signing mechanism. // SigningNotSupportedError is returned when trying to sign using a mechanism which does not support that.
type gpgSigningMechanism struct { type SigningNotSupportedError string
ctx *gpgme.Context
func (err SigningNotSupportedError) Error() string {
return string(err)
} }
// NewGPGSigningMechanism returns a new GPG/OpenPGP signing mechanism. // NewGPGSigningMechanism returns a new GPG/OpenPGP signing mechanism for the users default
// GPG configuration ($GNUPGHOME / ~/.gnupg)
// The caller must call .Close() on the returned SigningMechanism.
func NewGPGSigningMechanism() (SigningMechanism, error) { func NewGPGSigningMechanism() (SigningMechanism, error) {
return newGPGSigningMechanismInDirectory("") return newGPGSigningMechanismInDirectory("")
} }
// newGPGSigningMechanismInDirectory returns a new GPG/OpenPGP signing mechanism, using optionalDir if not empty. // NewEphemeralGPGSigningMechanism returns a new GPG/OpenPGP signing mechanism which
func newGPGSigningMechanismInDirectory(optionalDir string) (SigningMechanism, error) { // recognizes _only_ public keys from the supplied blob, and returns the identities
ctx, err := gpgme.New() // of these keys.
if err != nil { // The caller must call .Close() on the returned SigningMechanism.
return nil, err func NewEphemeralGPGSigningMechanism(blob []byte) (SigningMechanism, []string, error) {
} return newEphemeralGPGSigningMechanism(blob)
if err = ctx.SetProtocol(gpgme.ProtocolOpenPGP); err != nil {
return nil, err
}
if optionalDir != "" {
err := ctx.SetEngineInfo(gpgme.ProtocolOpenPGP, "", optionalDir)
if err != nil {
return nil, err
}
}
ctx.SetArmor(false)
ctx.SetTextMode(false)
return gpgSigningMechanism{ctx: ctx}, nil
} }
// ImportKeysFromBytes implements SigningMechanism.ImportKeysFromBytes // gpgUntrustedSignatureContents returns UNTRUSTED contents of the signature WITHOUT ANY VERIFICATION,
func (m gpgSigningMechanism) ImportKeysFromBytes(blob []byte) ([]string, error) {
inputData, err := gpgme.NewDataBytes(blob)
if err != nil {
return nil, err
}
res, err := m.ctx.Import(inputData)
if err != nil {
return nil, err
}
keyIdentities := []string{}
for _, i := range res.Imports {
if i.Result == nil {
keyIdentities = append(keyIdentities, i.Fingerprint)
}
}
return keyIdentities, nil
}
// Sign implements SigningMechanism.Sign
func (m gpgSigningMechanism) Sign(input []byte, keyIdentity string) ([]byte, error) {
key, err := m.ctx.GetKey(keyIdentity, true)
if err != nil {
return nil, err
}
inputData, err := gpgme.NewDataBytes(input)
if err != nil {
return nil, err
}
var sigBuffer bytes.Buffer
sigData, err := gpgme.NewDataWriter(&sigBuffer)
if err != nil {
return nil, err
}
if err = m.ctx.Sign([]*gpgme.Key{key}, inputData, sigData, gpgme.SigModeNormal); err != nil {
return nil, err
}
return sigBuffer.Bytes(), nil
}
// Verify implements SigningMechanism.Verify
func (m gpgSigningMechanism) Verify(unverifiedSignature []byte) (contents []byte, keyIdentity string, err error) {
signedBuffer := bytes.Buffer{}
signedData, err := gpgme.NewDataWriter(&signedBuffer)
if err != nil {
return nil, "", err
}
unverifiedSignatureData, err := gpgme.NewDataBytes(unverifiedSignature)
if err != nil {
return nil, "", err
}
_, sigs, err := m.ctx.Verify(unverifiedSignatureData, nil, signedData)
if err != nil {
return nil, "", err
}
if len(sigs) != 1 {
return nil, "", InvalidSignatureError{msg: fmt.Sprintf("Unexpected GPG signature count %d", len(sigs))}
}
sig := sigs[0]
// This is sig.Summary == gpgme.SigSumValid except for key trust, which we handle ourselves
if sig.Status != nil || sig.Validity == gpgme.ValidityNever || sig.ValidityReason != nil || sig.WrongKeyUsage {
// FIXME: Better error reporting eventually
return nil, "", InvalidSignatureError{msg: fmt.Sprintf("Invalid GPG signature: %#v", sig)}
}
return signedBuffer.Bytes(), sig.Fingerprint, nil
}
// UntrustedSignatureContents returns UNTRUSTED contents of the signature WITHOUT ANY VERIFICATION,
// along with a short identifier of the key used for signing. // along with a short identifier of the key used for signing.
// WARNING: The short key identifier (which correponds to "Key ID" for OpenPGP keys) // WARNING: The short key identifier (which correponds to "Key ID" for OpenPGP keys)
// is NOT the same as a "key identity" used in other calls ot this interface, and // is NOT the same as a "key identity" used in other calls ot this interface, and
// the values may have no recognizable relationship if the public key is not available. // the values may have no recognizable relationship if the public key is not available.
func (m gpgSigningMechanism) UntrustedSignatureContents(untrustedSignature []byte) (untrustedContents []byte, shortKeyIdentifier string, err error) { func gpgUntrustedSignatureContents(untrustedSignature []byte) (untrustedContents []byte, shortKeyIdentifier string, err error) {
// This uses the Golang-native OpenPGP implementation instead of gpgme because we are not doing any cryptography. // This uses the Golang-native OpenPGP implementation instead of gpgme because we are not doing any cryptography.
md, err := openpgp.ReadMessage(bytes.NewReader(untrustedSignature), openpgp.EntityList{}, nil, nil) md, err := openpgp.ReadMessage(bytes.NewReader(untrustedSignature), openpgp.EntityList{}, nil, nil)
if err != nil { if err != nil {

View file

@ -0,0 +1,175 @@
// +build !containers_image_openpgp
package signature
import (
"bytes"
"fmt"
"io/ioutil"
"os"
"github.com/mtrmac/gpgme"
)
// A GPG/OpenPGP signing mechanism, implemented using gpgme.
type gpgmeSigningMechanism struct {
ctx *gpgme.Context
ephemeralDir string // If not "", a directory to be removed on Close()
}
// newGPGSigningMechanismInDirectory returns a new GPG/OpenPGP signing mechanism, using optionalDir if not empty.
// The caller must call .Close() on the returned SigningMechanism.
func newGPGSigningMechanismInDirectory(optionalDir string) (SigningMechanism, error) {
ctx, err := newGPGMEContext(optionalDir)
if err != nil {
return nil, err
}
return &gpgmeSigningMechanism{
ctx: ctx,
ephemeralDir: "",
}, nil
}
// newEphemeralGPGSigningMechanism returns a new GPG/OpenPGP signing mechanism which
// recognizes _only_ public keys from the supplied blob, and returns the identities
// of these keys.
// The caller must call .Close() on the returned SigningMechanism.
func newEphemeralGPGSigningMechanism(blob []byte) (SigningMechanism, []string, error) {
dir, err := ioutil.TempDir("", "containers-ephemeral-gpg-")
if err != nil {
return nil, nil, err
}
removeDir := true
defer func() {
if removeDir {
os.RemoveAll(dir)
}
}()
ctx, err := newGPGMEContext(dir)
if err != nil {
return nil, nil, err
}
mech := &gpgmeSigningMechanism{
ctx: ctx,
ephemeralDir: dir,
}
keyIdentities, err := mech.importKeysFromBytes(blob)
if err != nil {
return nil, nil, err
}
removeDir = false
return mech, keyIdentities, nil
}
// newGPGMEContext returns a new *gpgme.Context, using optionalDir if not empty.
func newGPGMEContext(optionalDir string) (*gpgme.Context, error) {
ctx, err := gpgme.New()
if err != nil {
return nil, err
}
if err = ctx.SetProtocol(gpgme.ProtocolOpenPGP); err != nil {
return nil, err
}
if optionalDir != "" {
err := ctx.SetEngineInfo(gpgme.ProtocolOpenPGP, "", optionalDir)
if err != nil {
return nil, err
}
}
ctx.SetArmor(false)
ctx.SetTextMode(false)
return ctx, nil
}
func (m *gpgmeSigningMechanism) Close() error {
if m.ephemeralDir != "" {
os.RemoveAll(m.ephemeralDir) // Ignore an error, if any
}
return nil
}
// importKeysFromBytes imports public keys from the supplied blob and returns their identities.
// The blob is assumed to have an appropriate format (the caller is expected to know which one).
// NOTE: This may modify long-term state (e.g. key storage in a directory underlying the mechanism);
// but we do not make this public, it can only be used through newEphemeralGPGSigningMechanism.
func (m *gpgmeSigningMechanism) importKeysFromBytes(blob []byte) ([]string, error) {
inputData, err := gpgme.NewDataBytes(blob)
if err != nil {
return nil, err
}
res, err := m.ctx.Import(inputData)
if err != nil {
return nil, err
}
keyIdentities := []string{}
for _, i := range res.Imports {
if i.Result == nil {
keyIdentities = append(keyIdentities, i.Fingerprint)
}
}
return keyIdentities, nil
}
// SupportsSigning returns nil if the mechanism supports signing, or a SigningNotSupportedError.
func (m *gpgmeSigningMechanism) SupportsSigning() error {
return nil
}
// Sign creates a (non-detached) signature of input using keyIdentity.
// Fails with a SigningNotSupportedError if the mechanism does not support signing.
func (m *gpgmeSigningMechanism) Sign(input []byte, keyIdentity string) ([]byte, error) {
key, err := m.ctx.GetKey(keyIdentity, true)
if err != nil {
return nil, err
}
inputData, err := gpgme.NewDataBytes(input)
if err != nil {
return nil, err
}
var sigBuffer bytes.Buffer
sigData, err := gpgme.NewDataWriter(&sigBuffer)
if err != nil {
return nil, err
}
if err = m.ctx.Sign([]*gpgme.Key{key}, inputData, sigData, gpgme.SigModeNormal); err != nil {
return nil, err
}
return sigBuffer.Bytes(), nil
}
// Verify parses unverifiedSignature and returns the content and the signer's identity
func (m gpgmeSigningMechanism) Verify(unverifiedSignature []byte) (contents []byte, keyIdentity string, err error) {
signedBuffer := bytes.Buffer{}
signedData, err := gpgme.NewDataWriter(&signedBuffer)
if err != nil {
return nil, "", err
}
unverifiedSignatureData, err := gpgme.NewDataBytes(unverifiedSignature)
if err != nil {
return nil, "", err
}
_, sigs, err := m.ctx.Verify(unverifiedSignatureData, nil, signedData)
if err != nil {
return nil, "", err
}
if len(sigs) != 1 {
return nil, "", InvalidSignatureError{msg: fmt.Sprintf("Unexpected GPG signature count %d", len(sigs))}
}
sig := sigs[0]
// This is sig.Summary == gpgme.SigSumValid except for key trust, which we handle ourselves
if sig.Status != nil || sig.Validity == gpgme.ValidityNever || sig.ValidityReason != nil || sig.WrongKeyUsage {
// FIXME: Better error reporting eventually
return nil, "", InvalidSignatureError{msg: fmt.Sprintf("Invalid GPG signature: %#v", sig)}
}
return signedBuffer.Bytes(), sig.Fingerprint, nil
}
// UntrustedSignatureContents returns UNTRUSTED contents of the signature WITHOUT ANY VERIFICATION,
// along with a short identifier of the key used for signing.
// WARNING: The short key identifier (which correponds to "Key ID" for OpenPGP keys)
// is NOT the same as a "key identity" used in other calls ot this interface, and
// the values may have no recognizable relationship if the public key is not available.
func (m gpgmeSigningMechanism) UntrustedSignatureContents(untrustedSignature []byte) (untrustedContents []byte, shortKeyIdentifier string, err error) {
return gpgUntrustedSignatureContents(untrustedSignature)
}

View file

@ -0,0 +1,37 @@
// +build !containers_image_openpgp
package signature
import (
"os"
"testing"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
)
func TestGPGMESigningMechanismClose(t *testing.T) {
// Closing an ephemeral mechanism removes the directory.
// (The non-ephemeral case is tested in the common TestGPGSigningMechanismClose)
mech, _, err := NewEphemeralGPGSigningMechanism([]byte{})
require.NoError(t, err)
gpgMech, ok := mech.(*gpgmeSigningMechanism)
require.True(t, ok)
dir := gpgMech.ephemeralDir
assert.NotEmpty(t, dir)
_, err = os.Lstat(dir)
require.NoError(t, err)
err = mech.Close()
assert.NoError(t, err)
_, err = os.Lstat(dir)
require.Error(t, err)
assert.True(t, os.IsNotExist(err))
}
func TestGPGMESigningMechanismSupportsSigning(t *testing.T) {
mech, _, err := NewEphemeralGPGSigningMechanism([]byte{})
require.NoError(t, err)
defer mech.Close()
err = mech.SupportsSigning()
assert.NoError(t, err)
}

View file

@ -0,0 +1,153 @@
// +build containers_image_openpgp
package signature
import (
"bytes"
"errors"
"fmt"
"io/ioutil"
"os"
"path"
"strings"
"time"
"github.com/containers/storage/pkg/homedir"
"golang.org/x/crypto/openpgp"
)
// A GPG/OpenPGP signing mechanism, implemented using x/crypto/openpgp.
type openpgpSigningMechanism struct {
keyring openpgp.EntityList
}
// newGPGSigningMechanismInDirectory returns a new GPG/OpenPGP signing mechanism, using optionalDir if not empty.
// The caller must call .Close() on the returned SigningMechanism.
func newGPGSigningMechanismInDirectory(optionalDir string) (SigningMechanism, error) {
m := &openpgpSigningMechanism{
keyring: openpgp.EntityList{},
}
gpgHome := optionalDir
if gpgHome == "" {
gpgHome = os.Getenv("GNUPGHOME")
if gpgHome == "" {
gpgHome = path.Join(homedir.Get(), ".gnupg")
}
}
pubring, err := ioutil.ReadFile(path.Join(gpgHome, "pubring.gpg"))
if err != nil {
if !os.IsNotExist(err) {
return nil, err
}
} else {
_, err := m.importKeysFromBytes(pubring)
if err != nil {
return nil, err
}
}
return m, nil
}
// newEphemeralGPGSigningMechanism returns a new GPG/OpenPGP signing mechanism which
// recognizes _only_ public keys from the supplied blob, and returns the identities
// of these keys.
// The caller must call .Close() on the returned SigningMechanism.
func newEphemeralGPGSigningMechanism(blob []byte) (SigningMechanism, []string, error) {
m := &openpgpSigningMechanism{
keyring: openpgp.EntityList{},
}
keyIdentities, err := m.importKeysFromBytes(blob)
if err != nil {
return nil, nil, err
}
return m, keyIdentities, nil
}
func (m *openpgpSigningMechanism) Close() error {
return nil
}
// importKeysFromBytes imports public keys from the supplied blob and returns their identities.
// The blob is assumed to have an appropriate format (the caller is expected to know which one).
func (m *openpgpSigningMechanism) importKeysFromBytes(blob []byte) ([]string, error) {
keyring, err := openpgp.ReadKeyRing(bytes.NewReader(blob))
if err != nil {
k, e2 := openpgp.ReadArmoredKeyRing(bytes.NewReader(blob))
if e2 != nil {
return nil, err // The original error -- FIXME: is this better?
}
keyring = k
}
keyIdentities := []string{}
for _, entity := range keyring {
if entity.PrimaryKey == nil {
// Coverage: This should never happen, openpgp.ReadEntity fails with a
// openpgp.errors.StructuralError instead of returning an entity with this
// field set to nil.
continue
}
// Uppercase the fingerprint to be compatible with gpgme
keyIdentities = append(keyIdentities, strings.ToUpper(fmt.Sprintf("%x", entity.PrimaryKey.Fingerprint)))
m.keyring = append(m.keyring, entity)
}
return keyIdentities, nil
}
// SupportsSigning returns nil if the mechanism supports signing, or a SigningNotSupportedError.
func (m *openpgpSigningMechanism) SupportsSigning() error {
return SigningNotSupportedError("signing is not supported in github.com/containers/image built with the containers_image_openpgp build tag")
}
// Sign creates a (non-detached) signature of input using keyIdentity.
// Fails with a SigningNotSupportedError if the mechanism does not support signing.
func (m *openpgpSigningMechanism) Sign(input []byte, keyIdentity string) ([]byte, error) {
return nil, SigningNotSupportedError("signing is not supported in github.com/containers/image built with the containers_image_openpgp build tag")
}
// Verify parses unverifiedSignature and returns the content and the signer's identity
func (m *openpgpSigningMechanism) Verify(unverifiedSignature []byte) (contents []byte, keyIdentity string, err error) {
md, err := openpgp.ReadMessage(bytes.NewReader(unverifiedSignature), m.keyring, nil, nil)
if err != nil {
return nil, "", err
}
if !md.IsSigned {
return nil, "", errors.New("not signed")
}
content, err := ioutil.ReadAll(md.UnverifiedBody)
if err != nil {
// Coverage: md.UnverifiedBody.Read only fails if the body is encrypted
// (and possibly also signed, but it _must_ be encrypted) and the signing
// “modification detection code” detects a mismatch. But in that case,
// we would expect the signature verification to fail as well, and that is checked
// first. Besides, we are not supplying any decryption keys, so we really
// can never reach this “encrypted data MDC mismatch” path.
return nil, "", err
}
if md.SignatureError != nil {
return nil, "", fmt.Errorf("signature error: %v", md.SignatureError)
}
if md.SignedBy == nil {
return nil, "", InvalidSignatureError{msg: fmt.Sprintf("Invalid GPG signature: %#v", md.Signature)}
}
if md.Signature.SigLifetimeSecs != nil {
expiry := md.Signature.CreationTime.Add(time.Duration(*md.Signature.SigLifetimeSecs) * time.Second)
if time.Now().After(expiry) {
return nil, "", InvalidSignatureError{msg: fmt.Sprintf("Signature expired on %s", expiry)}
}
}
// Uppercase the fingerprint to be compatible with gpgme
return content, strings.ToUpper(fmt.Sprintf("%x", md.SignedBy.PublicKey.Fingerprint)), nil
}
// UntrustedSignatureContents returns UNTRUSTED contents of the signature WITHOUT ANY VERIFICATION,
// along with a short identifier of the key used for signing.
// WARNING: The short key identifier (which correponds to "Key ID" for OpenPGP keys)
// is NOT the same as a "key identity" used in other calls ot this interface, and
// the values may have no recognizable relationship if the public key is not available.
func (m openpgpSigningMechanism) UntrustedSignatureContents(untrustedSignature []byte) (untrustedContents []byte, shortKeyIdentifier string, err error) {
return gpgUntrustedSignatureContents(untrustedSignature)
}

View file

@ -0,0 +1,28 @@
// +build containers_image_openpgp
package signature
import (
"testing"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
)
func TestOpenpgpSigningMechanismSupportsSigning(t *testing.T) {
mech, _, err := NewEphemeralGPGSigningMechanism([]byte{})
require.NoError(t, err)
defer mech.Close()
err = mech.SupportsSigning()
assert.Error(t, err)
assert.IsType(t, SigningNotSupportedError(""), err)
}
func TestOpenpgpSigningMechanismSign(t *testing.T) {
mech, _, err := NewEphemeralGPGSigningMechanism([]byte{})
require.NoError(t, err)
defer mech.Close()
_, err = mech.Sign([]byte{}, TestKeyFingerprint)
assert.Error(t, err)
assert.IsType(t, SigningNotSupportedError(""), err)
}

View file

@ -1,9 +1,12 @@
package signature package signature
// These tests are expected to pass unmodified for _both_ mechanism_gpgme.go and mechanism_openpgp.go.
import ( import (
"bytes" "bytes"
"io/ioutil" "io/ioutil"
"os" "os"
"path/filepath"
"testing" "testing"
"github.com/stretchr/testify/assert" "github.com/stretchr/testify/assert"
@ -14,27 +17,88 @@ const (
testGPGHomeDirectory = "./fixtures" testGPGHomeDirectory = "./fixtures"
) )
func TestSigningNotSupportedError(t *testing.T) {
// A stupid test just to keep code coverage
s := "test"
err := SigningNotSupportedError(s)
assert.Equal(t, s, err.Error())
}
func TestNewGPGSigningMechanism(t *testing.T) { func TestNewGPGSigningMechanism(t *testing.T) {
// A dumb test just for code coverage. We test more with newGPGSigningMechanismInDirectory(). // A dumb test just for code coverage. We test more with newGPGSigningMechanismInDirectory().
_, err := NewGPGSigningMechanism() mech, err := NewGPGSigningMechanism()
assert.NoError(t, err) assert.NoError(t, err)
mech.Close()
} }
func TestNewGPGSigningMechanismInDirectory(t *testing.T) { func TestNewGPGSigningMechanismInDirectory(t *testing.T) {
// A dumb test just for code coverage. // A dumb test just for code coverage.
_, err := newGPGSigningMechanismInDirectory(testGPGHomeDirectory) mech, err := newGPGSigningMechanismInDirectory(testGPGHomeDirectory)
assert.NoError(t, err) assert.NoError(t, err)
mech.Close()
// The various GPG failure cases are not obviously easy to reach. // The various GPG failure cases are not obviously easy to reach.
// Test that using the default directory (presumably in users home)
// cannot use TestKeyFingerprint.
signature, err := ioutil.ReadFile("./fixtures/invalid-blob.signature")
require.NoError(t, err)
mech, err = newGPGSigningMechanismInDirectory("")
require.NoError(t, err)
defer mech.Close()
_, _, err = mech.Verify(signature)
assert.Error(t, err)
// Similarly, using a newly created empty directory makes TestKeyFingerprint
// unavailable
emptyDir, err := ioutil.TempDir("", "signing-empty-directory")
require.NoError(t, err)
defer os.RemoveAll(emptyDir)
mech, err = newGPGSigningMechanismInDirectory(emptyDir)
require.NoError(t, err)
defer mech.Close()
_, _, err = mech.Verify(signature)
assert.Error(t, err)
// If pubring.gpg is unreadable in the directory, either initializing
// the mechanism fails (with openpgp), or it succeeds (sadly, gpgme) and
// later verification fails.
unreadableDir, err := ioutil.TempDir("", "signing-unreadable-directory")
require.NoError(t, err)
defer os.RemoveAll(unreadableDir)
f, err := os.OpenFile(filepath.Join(unreadableDir, "pubring.gpg"), os.O_RDONLY|os.O_CREATE, 0000)
require.NoError(t, err)
f.Close()
mech, err = newGPGSigningMechanismInDirectory(unreadableDir)
if err == nil {
defer mech.Close()
_, _, err = mech.Verify(signature)
}
assert.Error(t, err)
// Setting the directory parameter to testGPGHomeDirectory makes the key available.
mech, err = newGPGSigningMechanismInDirectory(testGPGHomeDirectory)
require.NoError(t, err)
defer mech.Close()
_, _, err = mech.Verify(signature)
assert.NoError(t, err)
// If we use the default directory mechanism, GNUPGHOME is respected.
origGNUPGHOME := os.Getenv("GNUPGHOME")
defer os.Setenv("GNUPGHOME", origGNUPGHOME)
os.Setenv("GNUPGHOME", testGPGHomeDirectory)
mech, err = newGPGSigningMechanismInDirectory("")
require.NoError(t, err)
defer mech.Close()
_, _, err = mech.Verify(signature)
assert.NoError(t, err)
} }
func TestGPGSigningMechanismImportKeysFromBytes(t *testing.T) { func TestNewEphemeralGPGSigningMechanism(t *testing.T) {
testDir, err := ioutil.TempDir("", "gpg-import-keys") // Empty input: This is accepted anyway by GPG, just returns no keys.
mech, keyIdentities, err := NewEphemeralGPGSigningMechanism([]byte{})
require.NoError(t, err) require.NoError(t, err)
defer os.RemoveAll(testDir) defer mech.Close()
assert.Empty(t, keyIdentities)
mech, err := newGPGSigningMechanismInDirectory(testDir)
require.NoError(t, err)
// Try validating a signature when the key is unknown. // Try validating a signature when the key is unknown.
signature, err := ioutil.ReadFile("./fixtures/invalid-blob.signature") signature, err := ioutil.ReadFile("./fixtures/invalid-blob.signature")
require.NoError(t, err) require.NoError(t, err)
@ -44,31 +108,57 @@ func TestGPGSigningMechanismImportKeysFromBytes(t *testing.T) {
// Successful import // Successful import
keyBlob, err := ioutil.ReadFile("./fixtures/public-key.gpg") keyBlob, err := ioutil.ReadFile("./fixtures/public-key.gpg")
require.NoError(t, err) require.NoError(t, err)
keyIdentities, err := mech.ImportKeysFromBytes(keyBlob) mech, keyIdentities, err = NewEphemeralGPGSigningMechanism(keyBlob)
require.NoError(t, err) require.NoError(t, err)
defer mech.Close()
assert.Equal(t, []string{TestKeyFingerprint}, keyIdentities) assert.Equal(t, []string{TestKeyFingerprint}, keyIdentities)
// After import, the signature should validate. // After import, the signature should validate.
content, signingFingerprint, err = mech.Verify(signature) content, signingFingerprint, err = mech.Verify(signature)
require.NoError(t, err) require.NoError(t, err)
assert.Equal(t, []byte("This is not JSON\n"), content) assert.Equal(t, []byte("This is not JSON\n"), content)
assert.Equal(t, TestKeyFingerprint, signingFingerprint) assert.Equal(t, TestKeyFingerprint, signingFingerprint)
// Two keys: just concatenate the valid input twice. // Two keys: Read the binary-format pubring.gpg, and concatenate it twice.
keyIdentities, err = mech.ImportKeysFromBytes(bytes.Join([][]byte{keyBlob, keyBlob}, nil)) // (Using two copies of public-key.gpg, in the ASCII-armored format, works with
// gpgmeSigningMechanism but not openpgpSigningMechanism.)
keyBlob, err = ioutil.ReadFile("./fixtures/pubring.gpg")
require.NoError(t, err) require.NoError(t, err)
mech, keyIdentities, err = NewEphemeralGPGSigningMechanism(bytes.Join([][]byte{keyBlob, keyBlob}, nil))
require.NoError(t, err)
defer mech.Close()
assert.Equal(t, []string{TestKeyFingerprint, TestKeyFingerprint}, keyIdentities) assert.Equal(t, []string{TestKeyFingerprint, TestKeyFingerprint}, keyIdentities)
// Invalid input: This is accepted anyway by GPG, just returns no keys. // Invalid input: This is, sadly, accepted anyway by GPG, just returns no keys.
keyIdentities, err = mech.ImportKeysFromBytes([]byte("This is invalid")) // For openpgpSigningMechanism we can detect this and fail.
require.NoError(t, err) mech, keyIdentities, err = NewEphemeralGPGSigningMechanism([]byte("This is invalid"))
assert.Equal(t, []string{}, keyIdentities) assert.True(t, err != nil || len(keyIdentities) == 0)
if err == nil {
mech.Close()
}
assert.Empty(t, keyIdentities)
// The various GPG/GPGME failures cases are not obviously easy to reach. // The various GPG/GPGME failures cases are not obviously easy to reach.
} }
func TestGPGSigningMechanismClose(t *testing.T) {
// Closing a non-ephemeral mechanism does not remove anything in the directory.
mech, err := newGPGSigningMechanismInDirectory(testGPGHomeDirectory)
require.NoError(t, err)
err = mech.Close()
assert.NoError(t, err)
_, err = os.Lstat(testGPGHomeDirectory)
assert.NoError(t, err)
_, err = os.Lstat(filepath.Join(testGPGHomeDirectory, "pubring.gpg"))
assert.NoError(t, err)
}
func TestGPGSigningMechanismSign(t *testing.T) { func TestGPGSigningMechanismSign(t *testing.T) {
mech, err := newGPGSigningMechanismInDirectory(testGPGHomeDirectory) mech, err := newGPGSigningMechanismInDirectory(testGPGHomeDirectory)
require.NoError(t, err) require.NoError(t, err)
defer mech.Close()
if err := mech.SupportsSigning(); err != nil {
t.Skipf("Signing not supported: %v", err)
}
// Successful signing // Successful signing
content := []byte("content") content := []byte("content")
@ -95,6 +185,7 @@ func assertSigningError(t *testing.T, content []byte, fingerprint string, err er
func TestGPGSigningMechanismVerify(t *testing.T) { func TestGPGSigningMechanismVerify(t *testing.T) {
mech, err := newGPGSigningMechanismInDirectory(testGPGHomeDirectory) mech, err := newGPGSigningMechanismInDirectory(testGPGHomeDirectory)
require.NoError(t, err) require.NoError(t, err)
defer mech.Close()
// Successful verification // Successful verification
signature, err := ioutil.ReadFile("./fixtures/invalid-blob.signature") signature, err := ioutil.ReadFile("./fixtures/invalid-blob.signature")
@ -149,8 +240,9 @@ func TestGPGSigningMechanismVerify(t *testing.T) {
} }
func TestGPGSigningMechanismUntrustedSignatureContents(t *testing.T) { func TestGPGSigningMechanismUntrustedSignatureContents(t *testing.T) {
mech, err := newGPGSigningMechanismInDirectory(testGPGHomeDirectory) mech, _, err := NewEphemeralGPGSigningMechanism([]byte{})
require.NoError(t, err) require.NoError(t, err)
defer mech.Close()
// A valid signature // A valid signature
signature, err := ioutil.ReadFile("./fixtures/invalid-blob.signature") signature, err := ioutil.ReadFile("./fixtures/invalid-blob.signature")

View file

@ -255,13 +255,8 @@ var _ json.Unmarshaler = (*prInsecureAcceptAnything)(nil)
func (pr *prInsecureAcceptAnything) UnmarshalJSON(data []byte) error { func (pr *prInsecureAcceptAnything) UnmarshalJSON(data []byte) error {
*pr = prInsecureAcceptAnything{} *pr = prInsecureAcceptAnything{}
var tmp prInsecureAcceptAnything var tmp prInsecureAcceptAnything
if err := paranoidUnmarshalJSONObject(data, func(key string) interface{} { if err := paranoidUnmarshalJSONObjectExactFields(data, map[string]interface{}{
switch key { "type": &tmp.Type,
case "type":
return &tmp.Type
default:
return nil
}
}); err != nil { }); err != nil {
return err return err
} }
@ -290,13 +285,8 @@ var _ json.Unmarshaler = (*prReject)(nil)
func (pr *prReject) UnmarshalJSON(data []byte) error { func (pr *prReject) UnmarshalJSON(data []byte) error {
*pr = prReject{} *pr = prReject{}
var tmp prReject var tmp prReject
if err := paranoidUnmarshalJSONObject(data, func(key string) interface{} { if err := paranoidUnmarshalJSONObjectExactFields(data, map[string]interface{}{
switch key { "type": &tmp.Type,
case "type":
return &tmp.Type
default:
return nil
}
}); err != nil { }); err != nil {
return err return err
} }
@ -465,15 +455,9 @@ func (pr *prSignedBaseLayer) UnmarshalJSON(data []byte) error {
*pr = prSignedBaseLayer{} *pr = prSignedBaseLayer{}
var tmp prSignedBaseLayer var tmp prSignedBaseLayer
var baseLayerIdentity json.RawMessage var baseLayerIdentity json.RawMessage
if err := paranoidUnmarshalJSONObject(data, func(key string) interface{} { if err := paranoidUnmarshalJSONObjectExactFields(data, map[string]interface{}{
switch key { "type": &tmp.Type,
case "type": "baseLayerIdentity": &baseLayerIdentity,
return &tmp.Type
case "baseLayerIdentity":
return &baseLayerIdentity
default:
return nil
}
}); err != nil { }); err != nil {
return err return err
} }
@ -481,9 +465,6 @@ func (pr *prSignedBaseLayer) UnmarshalJSON(data []byte) error {
if tmp.Type != prTypeSignedBaseLayer { if tmp.Type != prTypeSignedBaseLayer {
return InvalidPolicyFormatError(fmt.Sprintf("Unexpected policy requirement type \"%s\"", tmp.Type)) return InvalidPolicyFormatError(fmt.Sprintf("Unexpected policy requirement type \"%s\"", tmp.Type))
} }
if baseLayerIdentity == nil {
return InvalidPolicyFormatError(fmt.Sprintf("baseLayerIdentity not specified"))
}
bli, err := newPolicyReferenceMatchFromJSON(baseLayerIdentity) bli, err := newPolicyReferenceMatchFromJSON(baseLayerIdentity)
if err != nil { if err != nil {
return err return err
@ -541,13 +522,8 @@ var _ json.Unmarshaler = (*prmMatchExact)(nil)
func (prm *prmMatchExact) UnmarshalJSON(data []byte) error { func (prm *prmMatchExact) UnmarshalJSON(data []byte) error {
*prm = prmMatchExact{} *prm = prmMatchExact{}
var tmp prmMatchExact var tmp prmMatchExact
if err := paranoidUnmarshalJSONObject(data, func(key string) interface{} { if err := paranoidUnmarshalJSONObjectExactFields(data, map[string]interface{}{
switch key { "type": &tmp.Type,
case "type":
return &tmp.Type
default:
return nil
}
}); err != nil { }); err != nil {
return err return err
} }
@ -576,13 +552,8 @@ var _ json.Unmarshaler = (*prmMatchRepoDigestOrExact)(nil)
func (prm *prmMatchRepoDigestOrExact) UnmarshalJSON(data []byte) error { func (prm *prmMatchRepoDigestOrExact) UnmarshalJSON(data []byte) error {
*prm = prmMatchRepoDigestOrExact{} *prm = prmMatchRepoDigestOrExact{}
var tmp prmMatchRepoDigestOrExact var tmp prmMatchRepoDigestOrExact
if err := paranoidUnmarshalJSONObject(data, func(key string) interface{} { if err := paranoidUnmarshalJSONObjectExactFields(data, map[string]interface{}{
switch key { "type": &tmp.Type,
case "type":
return &tmp.Type
default:
return nil
}
}); err != nil { }); err != nil {
return err return err
} }
@ -611,13 +582,8 @@ var _ json.Unmarshaler = (*prmMatchRepository)(nil)
func (prm *prmMatchRepository) UnmarshalJSON(data []byte) error { func (prm *prmMatchRepository) UnmarshalJSON(data []byte) error {
*prm = prmMatchRepository{} *prm = prmMatchRepository{}
var tmp prmMatchRepository var tmp prmMatchRepository
if err := paranoidUnmarshalJSONObject(data, func(key string) interface{} { if err := paranoidUnmarshalJSONObjectExactFields(data, map[string]interface{}{
switch key { "type": &tmp.Type,
case "type":
return &tmp.Type
default:
return nil
}
}); err != nil { }); err != nil {
return err return err
} }
@ -656,15 +622,9 @@ var _ json.Unmarshaler = (*prmExactReference)(nil)
func (prm *prmExactReference) UnmarshalJSON(data []byte) error { func (prm *prmExactReference) UnmarshalJSON(data []byte) error {
*prm = prmExactReference{} *prm = prmExactReference{}
var tmp prmExactReference var tmp prmExactReference
if err := paranoidUnmarshalJSONObject(data, func(key string) interface{} { if err := paranoidUnmarshalJSONObjectExactFields(data, map[string]interface{}{
switch key { "type": &tmp.Type,
case "type": "dockerReference": &tmp.DockerReference,
return &tmp.Type
case "dockerReference":
return &tmp.DockerReference
default:
return nil
}
}); err != nil { }); err != nil {
return err return err
} }
@ -704,15 +664,9 @@ var _ json.Unmarshaler = (*prmExactRepository)(nil)
func (prm *prmExactRepository) UnmarshalJSON(data []byte) error { func (prm *prmExactRepository) UnmarshalJSON(data []byte) error {
*prm = prmExactRepository{} *prm = prmExactRepository{}
var tmp prmExactRepository var tmp prmExactRepository
if err := paranoidUnmarshalJSONObject(data, func(key string) interface{} { if err := paranoidUnmarshalJSONObjectExactFields(data, map[string]interface{}{
switch key { "type": &tmp.Type,
case "type": "dockerRepository": &tmp.DockerRepository,
return &tmp.Type
case "dockerRepository":
return &tmp.DockerRepository
default:
return nil
}
}); err != nil { }); err != nil {
return err return err
} }

View file

@ -297,8 +297,8 @@ func TestPolicyUnmarshalJSON(t *testing.T) {
// Various allowed modifications to the policy // Various allowed modifications to the policy
allowedModificationFns := []func(mSI){ allowedModificationFns := []func(mSI){
// Delete the map of specific policies // Delete the map of transport-specific scopes
func(v mSI) { delete(v, "specific") }, func(v mSI) { delete(v, "transports") },
// Use an empty map of transport-specific scopes // Use an empty map of transport-specific scopes
func(v mSI) { v["transports"] = map[string]PolicyTransportScopes{} }, func(v mSI) { v["transports"] = map[string]PolicyTransportScopes{} },
} }

View file

@ -5,7 +5,6 @@ package signature
import ( import (
"fmt" "fmt"
"io/ioutil" "io/ioutil"
"os"
"strings" "strings"
"github.com/pkg/errors" "github.com/pkg/errors"
@ -42,20 +41,11 @@ func (pr *prSignedBy) isSignatureAuthorAccepted(image types.UnparsedImage, sig [
} }
// FIXME: move this to per-context initialization // FIXME: move this to per-context initialization
dir, err := ioutil.TempDir("", "skopeo-signedBy-") mech, trustedIdentities, err := NewEphemeralGPGSigningMechanism(data)
if err != nil {
return sarRejected, nil, err
}
defer os.RemoveAll(dir)
mech, err := newGPGSigningMechanismInDirectory(dir)
if err != nil {
return sarRejected, nil, err
}
trustedIdentities, err := mech.ImportKeysFromBytes(data)
if err != nil { if err != nil {
return sarRejected, nil, err return sarRejected, nil, err
} }
defer mech.Close()
if len(trustedIdentities) == 0 { if len(trustedIdentities) == 0 {
return sarRejected, nil, PolicyRequirementError("No public keys imported") return sarRejected, nil, PolicyRequirementError("No public keys imported")
} }

View file

@ -120,78 +120,69 @@ func (s *untrustedSignature) UnmarshalJSON(data []byte) error {
// strictUnmarshalJSON is UnmarshalJSON, except that it may return the internal jsonFormatError error type. // strictUnmarshalJSON is UnmarshalJSON, except that it may return the internal jsonFormatError error type.
// Splitting it into a separate function allows us to do the jsonFormatError → InvalidSignatureError in a single place, the caller. // Splitting it into a separate function allows us to do the jsonFormatError → InvalidSignatureError in a single place, the caller.
func (s *untrustedSignature) strictUnmarshalJSON(data []byte) error { func (s *untrustedSignature) strictUnmarshalJSON(data []byte) error {
var untyped interface{} var critical, optional json.RawMessage
if err := json.Unmarshal(data, &untyped); err != nil { if err := paranoidUnmarshalJSONObjectExactFields(data, map[string]interface{}{
return err "critical": &critical,
} "optional": &optional,
o, ok := untyped.(map[string]interface{}) }); err != nil {
if !ok {
return InvalidSignatureError{msg: "Invalid signature format"}
}
if err := validateExactMapKeys(o, "critical", "optional"); err != nil {
return err return err
} }
c, err := mapField(o, "critical") var creatorID string
if err != nil { var timestamp float64
return err var gotCreatorID, gotTimestamp = false, false
} if err := paranoidUnmarshalJSONObject(optional, func(key string) interface{} {
if err := validateExactMapKeys(c, "type", "image", "identity"); err != nil { switch key {
return err case "creator":
} gotCreatorID = true
return &creatorID
optional, err := mapField(o, "optional") case "timestamp":
if err != nil { gotTimestamp = true
return err return &timestamp
} default:
if _, ok := optional["creator"]; ok { var ignore interface{}
creatorID, err := stringField(optional, "creator") return &ignore
if err != nil { }
}); err != nil {
return err return err
} }
if gotCreatorID {
s.UntrustedCreatorID = &creatorID s.UntrustedCreatorID = &creatorID
} }
if _, ok := optional["timestamp"]; ok { if gotTimestamp {
timestamp, err := int64Field(optional, "timestamp") intTimestamp := int64(timestamp)
if err != nil { if float64(intTimestamp) != timestamp {
return err return InvalidSignatureError{msg: "Field optional.timestamp is not is not an integer"}
} }
s.UntrustedTimestamp = &timestamp s.UntrustedTimestamp = &intTimestamp
} }
t, err := stringField(c, "type") var t string
if err != nil { var image, identity json.RawMessage
if err := paranoidUnmarshalJSONObjectExactFields(critical, map[string]interface{}{
"type": &t,
"image": &image,
"identity": &identity,
}); err != nil {
return err return err
} }
if t != signatureType { if t != signatureType {
return InvalidSignatureError{msg: fmt.Sprintf("Unrecognized signature type %s", t)} return InvalidSignatureError{msg: fmt.Sprintf("Unrecognized signature type %s", t)}
} }
image, err := mapField(c, "image") var digestString string
if err != nil { if err := paranoidUnmarshalJSONObjectExactFields(image, map[string]interface{}{
return err "docker-manifest-digest": &digestString,
} }); err != nil {
if err := validateExactMapKeys(image, "docker-manifest-digest"); err != nil {
return err
}
digestString, err := stringField(image, "docker-manifest-digest")
if err != nil {
return err return err
} }
s.UntrustedDockerManifestDigest = digest.Digest(digestString) s.UntrustedDockerManifestDigest = digest.Digest(digestString)
identity, err := mapField(c, "identity") if err := paranoidUnmarshalJSONObjectExactFields(identity, map[string]interface{}{
if err != nil { "docker-reference": &s.UntrustedDockerReference,
}); err != nil {
return err return err
} }
if err := validateExactMapKeys(identity, "docker-reference"); err != nil {
return err
}
reference, err := stringField(identity, "docker-reference")
if err != nil {
return err
}
s.UntrustedDockerReference = reference
return nil return nil
} }
@ -261,10 +252,11 @@ func verifyAndExtractSignature(mech SigningMechanism, unverifiedSignature []byte
// (including things like “✅ Verified by $authority”) // (including things like “✅ Verified by $authority”)
func GetUntrustedSignatureInformationWithoutVerifying(untrustedSignatureBytes []byte) (*UntrustedSignatureInformation, error) { func GetUntrustedSignatureInformationWithoutVerifying(untrustedSignatureBytes []byte) (*UntrustedSignatureInformation, error) {
// NOTE: This should eventualy do format autodetection. // NOTE: This should eventualy do format autodetection.
mech, err := NewGPGSigningMechanism() mech, _, err := NewEphemeralGPGSigningMechanism([]byte{})
if err != nil { if err != nil {
return nil, err return nil, err
} }
defer mech.Close()
untrustedContents, shortKeyIdentifier, err := mech.UntrustedSignatureContents(untrustedSignatureBytes) untrustedContents, shortKeyIdentifier, err := mech.UntrustedSignatureContents(untrustedSignatureBytes)
if err != nil { if err != nil {

View file

@ -153,6 +153,7 @@ func TestUnmarshalJSON(t *testing.T) {
func(v mSI) { x(v, "optional")["creator"] = 1 }, func(v mSI) { x(v, "optional")["creator"] = 1 },
// Invalid "timestamp" // Invalid "timestamp"
func(v mSI) { x(v, "optional")["timestamp"] = "unexpected" }, func(v mSI) { x(v, "optional")["timestamp"] = "unexpected" },
func(v mSI) { x(v, "optional")["timestamp"] = 0.5 }, // Fractional input
} }
for _, fn := range breakFns { for _, fn := range breakFns {
err = tryUnmarshalModifiedSignature(t, &s, validJSON, fn) err = tryUnmarshalModifiedSignature(t, &s, validJSON, fn)
@ -188,6 +189,11 @@ func TestUnmarshalJSON(t *testing.T) {
func TestSign(t *testing.T) { func TestSign(t *testing.T) {
mech, err := newGPGSigningMechanismInDirectory(testGPGHomeDirectory) mech, err := newGPGSigningMechanismInDirectory(testGPGHomeDirectory)
require.NoError(t, err) require.NoError(t, err)
defer mech.Close()
if err := mech.SupportsSigning(); err != nil {
t.Skipf("Signing not supported: %v", err)
}
sig := newUntrustedSignature("digest!@#", "reference#@!") sig := newUntrustedSignature("digest!@#", "reference#@!")
@ -232,6 +238,7 @@ func TestSign(t *testing.T) {
func TestVerifyAndExtractSignature(t *testing.T) { func TestVerifyAndExtractSignature(t *testing.T) {
mech, err := newGPGSigningMechanismInDirectory(testGPGHomeDirectory) mech, err := newGPGSigningMechanismInDirectory(testGPGHomeDirectory)
require.NoError(t, err) require.NoError(t, err)
defer mech.Close()
type triple struct { type triple struct {
keyIdentity string keyIdentity string

View file

@ -290,6 +290,10 @@ func (s *storageImageDestination) PutBlob(stream io.Reader, blobinfo types.BlobI
return s.putBlob(stream, blobinfo, true) return s.putBlob(stream, blobinfo, true)
} }
// HasBlob returns true iff the image destination already contains a blob with the matching digest which can be reapplied using ReapplyBlob.
// Unlike PutBlob, the digest can not be empty. If HasBlob returns true, the size of the blob must also be returned.
// If the destination does not contain the blob, or it is unknown, HasBlob ordinarily returns (false, -1, nil);
// it returns a non-nil error only on an unexpected failure.
func (s *storageImageDestination) HasBlob(blobinfo types.BlobInfo) (bool, int64, error) { func (s *storageImageDestination) HasBlob(blobinfo types.BlobInfo) (bool, int64, error) {
if blobinfo.Digest == "" { if blobinfo.Digest == "" {
return false, -1, errors.Errorf(`"Can not check for a blob with unknown digest`) return false, -1, errors.Errorf(`"Can not check for a blob with unknown digest`)
@ -299,7 +303,7 @@ func (s *storageImageDestination) HasBlob(blobinfo types.BlobInfo) (bool, int64,
return true, blob.Size, nil return true, blob.Size, nil
} }
} }
return false, -1, types.ErrBlobNotFound return false, -1, nil
} }
func (s *storageImageDestination) ReapplyBlob(blobinfo types.BlobInfo) (types.BlobInfo, error) { func (s *storageImageDestination) ReapplyBlob(blobinfo types.BlobInfo) (types.BlobInfo, error) {

View file

@ -6,7 +6,7 @@ import (
"github.com/containers/image/docker/reference" "github.com/containers/image/docker/reference"
"github.com/opencontainers/go-digest" "github.com/opencontainers/go-digest"
"github.com/pkg/errors" "github.com/opencontainers/image-spec/specs-go/v1"
) )
// ImageTransport is a top-level namespace for ways to to store/load an image. // ImageTransport is a top-level namespace for ways to to store/load an image.
@ -160,7 +160,10 @@ type ImageDestination interface {
// to any other readers for download using the supplied digest. // to any other readers for download using the supplied digest.
// If stream.Read() at any time, ESPECIALLY at end of input, returns an error, PutBlob MUST 1) fail, and 2) delete any data stored so far. // If stream.Read() at any time, ESPECIALLY at end of input, returns an error, PutBlob MUST 1) fail, and 2) delete any data stored so far.
PutBlob(stream io.Reader, inputInfo BlobInfo) (BlobInfo, error) PutBlob(stream io.Reader, inputInfo BlobInfo) (BlobInfo, error)
// HasBlob returns true iff the image destination already contains a blob with the matching digest which can be reapplied using ReapplyBlob. Unlike PutBlob, the digest can not be empty. If HasBlob returns true, the size of the blob must also be returned. A false result will often be accompanied by an ErrBlobNotFound error. // HasBlob returns true iff the image destination already contains a blob with the matching digest which can be reapplied using ReapplyBlob.
// Unlike PutBlob, the digest can not be empty. If HasBlob returns true, the size of the blob must also be returned.
// If the destination does not contain the blob, or it is unknown, HasBlob ordinarily returns (false, -1, nil);
// it returns a non-nil error only on an unexpected failure.
HasBlob(info BlobInfo) (bool, int64, error) HasBlob(info BlobInfo) (bool, int64, error)
// ReapplyBlob informs the image destination that a blob for which HasBlob previously returned true would have been passed to PutBlob if it had returned false. Like HasBlob and unlike PutBlob, the digest can not be empty. If the blob is a filesystem layer, this signifies that the changes it describes need to be applied again when composing a filesystem tree. // ReapplyBlob informs the image destination that a blob for which HasBlob previously returned true would have been passed to PutBlob if it had returned false. Like HasBlob and unlike PutBlob, the digest can not be empty. If the blob is a filesystem layer, this signifies that the changes it describes need to be applied again when composing a filesystem tree.
ReapplyBlob(info BlobInfo) (BlobInfo, error) ReapplyBlob(info BlobInfo) (BlobInfo, error)
@ -202,6 +205,10 @@ type Image interface {
// ConfigBlob returns the blob described by ConfigInfo, iff ConfigInfo().Digest != ""; nil otherwise. // ConfigBlob returns the blob described by ConfigInfo, iff ConfigInfo().Digest != ""; nil otherwise.
// The result is cached; it is OK to call this however often you need. // The result is cached; it is OK to call this however often you need.
ConfigBlob() ([]byte, error) ConfigBlob() ([]byte, error)
// OCIConfig returns the image configuration as per OCI v1 image-spec. Information about
// layers in the resulting configuration isn't guaranteed to be returned to due how
// old image manifests work (docker v2s1 especially).
OCIConfig() (*v1.Image, error)
// LayerInfos returns a list of BlobInfos of layers referenced by this image, in order (the root layer first, and then successive layered layers). // LayerInfos returns a list of BlobInfos of layers referenced by this image, in order (the root layer first, and then successive layered layers).
// The Digest field is guaranteed to be provided; Size may be -1. // The Digest field is guaranteed to be provided; Size may be -1.
// WARNING: The list may contain duplicates, and they are semantically relevant. // WARNING: The list may contain duplicates, and they are semantically relevant.
@ -300,8 +307,3 @@ type ProgressProperties struct {
Artifact BlobInfo Artifact BlobInfo
Offset uint64 Offset uint64
} }
var (
// ErrBlobNotFound can be returned by an ImageDestination's HasBlob() method
ErrBlobNotFound = errors.New("no such blob present")
)