-
Notifications
You must be signed in to change notification settings - Fork 98
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
image-rs: Support simple signing with X-R-S-S #372
image-rs: Support simple signing with X-R-S-S #372
Conversation
0625429
to
92c94fa
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks @mattarnoatibm for the contribution! Could you do some refactoring to the code for better maintainance in future?
#[cfg(feature = "signature-simple")] | ||
use base64::Engine; | ||
|
||
#[cfg(feature = "signature-simple-xrss")] | ||
use oci_distribution::Reference; | ||
#[cfg(feature = "signature-simple-xrss")] | ||
use reqwest::Client; | ||
|
||
#[cfg(feature = "signature-simple-xrss")] | ||
use crate::signature::image::digest::Digest; | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There are many #[cfg(feature = "signature-simple-xrss")]
sentences in this file. If these feature-specific sentences can be put into a separate file, it can be better for reading and maintaining. We only need to mark the mod xrss;
sentence with #[cfg(feature = "signature-simple-xrss")]
.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hi @Xynnn007 I moved most of the code in simple/mod.rs
that was behind the signature-simple-xrss
feature to a new file, xrss.rs
. I marked 2 sentences with #[cfg(feature = "signature-simple-xrss")]
in addition to the mod xrss;
sentence in mod.rs
:
If the XRSS feature is used then crate::resource::get_resource(&config.sigstore_config).await
can return an error, otherwise we cannot allow it to return an error, so I left if sig_store_config_file.is_err() { return Ok(()); }
marked with #[cfg(feature = "signature-simple-xrss")]
.
If XRSS is not used then we don't want to create an xrss::RegistryClient
and try to get signatures from the registry. So I created a code block where the xrss::RegistryClient
is created and used to try and get signatures from the registry, and I marked that code block with #[cfg(feature = "signature-simple-xrss")]
.
} | ||
} | ||
|
||
pub async fn get_signatures_from_registry( |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
maybe we can send the PR in parallel to https://github.com/krustlet/oci-distribution to extend the Client
API to support pull signatures from registry
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'll take at look at the OCI Distribution library.
55b8d5b
to
4ea27d6
Compare
a731302
to
c28adf0
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
One last step for the integration test from myside :-)
image-rs/tests/credential.rs
Outdated
@@ -19,7 +19,7 @@ pub mod common; | |||
#[tokio::test] | |||
#[serial] | |||
async fn test_use_credential(#[case] image_ref: &str, #[case] auth_file_uri: &str) { | |||
common::prepare_test().await; | |||
common::prepare_test("aa-offline_fs_kbc-resources.json").await; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think it would be better to declare this as a const
, or we add the parameter to #[case]
macro. How do you like?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done. I went with adding some constants to common/mod.rs
as the signature verification tests do not use the #[case]
macro.
image-rs/tests/image_decryption.rs
Outdated
@@ -30,7 +30,7 @@ const OCICRYPT_CONFIG: &str = "test_data/ocicrypt_keyprovider_ttrpc.conf"; | |||
#[tokio::test] | |||
#[serial] | |||
async fn test_decrypt_layers(#[case] image: &str) { | |||
common::prepare_test().await; | |||
common::prepare_test("aa-offline_fs_kbc-resources.json").await; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think it would be better to declare this as a const
, or we add the parameter to #[case]
macro. How do you like?
@@ -93,13 +118,53 @@ const SIGSTORE_CONFIG_URI: &str = "kbs:///default/sigstore-config/test"; | |||
#[tokio::test] | |||
#[serial] | |||
async fn signature_verification() { | |||
common::prepare_test().await; | |||
do_signature_verification_tests(&_TESTS, "aa-offline_fs_kbc-resources.json", &None).await; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think it would be better to declare this as a const
, or we add the parameter to #[case]
macro. How do you like?
let auth_info = &Some(auth.as_str()); | ||
do_signature_verification_tests( | ||
&_TESTS_XRSS, | ||
"aa-offline_fs_kbc-resources-for-icr.json", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think it would be better to declare this as a const
, or we add the parameter to #[case]
macro. How do you like?
Support getting simple signing signatures from registry that supports X-R-S-S extension. Refactor into separate tests for XRSS and others. Fixes: confidential-containers#12 Signed-off-by: Matthew Arnold <[email protected]>
1812db1
to
43227e4
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
lgtm. Thanks!
@arronwy - hey Arron, we are keen to try and get this feature into the 0.8 release before |
sure, I though we already code freeze for v0.8.0 and merge after the release, it's ok from my side to merge for v0.8.0 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks @mattarnoatibm
Support getting simple signing signatures from
registry that supports X-R-S-S extension.
Refactor into separate tests for XRSS and others.
Fixes: #12