Add --sign-by-sq-fingerprint and an integration test

Signed-off-by: Miloslav Trmač <[email protected]>

Author: mtrmac

cmd/skopeo/utils.go

@@ -20,6 +20,7 @@ import (
 	"github.com/containers/image/v5/pkg/cli/sigstore"
 	"github.com/containers/image/v5/pkg/compression"
 	"github.com/containers/image/v5/signature/signer"
+	"github.com/containers/image/v5/signature/simplesequoia"
 	"github.com/containers/image/v5/storage"
 	"github.com/containers/image/v5/transports/alltransports"
 	"github.com/containers/image/v5/types"
@@ -327,6 +328,7 @@ func (opts *imageDestOptions) warnAboutIneffectiveOptions(destTransport types.Im
 type sharedCopyOptions struct {
 	removeSignatures         bool                      // Do not copy signatures from the source image
 	signByFingerprint        string                    // Sign the image using a GPG key with the specified fingerprint
+	signBySequoiaFingerprint string                    // Sign the image using a Sequoia-PGP key with the specified fingerprint
 	signBySigstoreParamFile  string                    // Sign the image using a sigstore signature per configuration in a param file
 	signBySigstorePrivateKey string                    // Sign the image using a sigstore private key
 	signPassphraseFile       string                    // Path pointing to a passphrase file when signing
@@ -340,6 +342,7 @@ func sharedCopyFlags() (pflag.FlagSet, *sharedCopyOptions) {
 	fs := pflag.FlagSet{}
 	fs.BoolVar(&opts.removeSignatures, "remove-signatures", false, "Do not copy signatures from source")
 	fs.StringVar(&opts.signByFingerprint, "sign-by", "", "Sign the image using a GPG key with the specified `FINGERPRINT`")
+	fs.StringVar(&opts.signBySequoiaFingerprint, "sign-by-sq-fingerprint", "", "Sign the image using a Sequoia-PGP key with the specified `FINGERPRINT`")
 	fs.StringVar(&opts.signBySigstoreParamFile, "sign-by-sigstore", "", "Sign the image using a sigstore parameter file at `PATH`")
 	fs.StringVar(&opts.signBySigstorePrivateKey, "sign-by-sigstore-private-key", "", "Sign the image using a sigstore private key at `PATH`")
 	fs.StringVar(&opts.signPassphraseFile, "sign-passphrase-file", "", "Read a passphrase for signing an image from `PATH`")
@@ -363,8 +366,20 @@ func (opts *sharedCopyOptions) copyOptions(stdout io.Writer) (*copy.Options, fun
 	// c/image/copy.Image does allow creating both simple signing and sigstore signatures simultaneously,
 	// with independent passphrases, but that would make the CLI probably too confusing.
 	// For now, use the passphrase with either, but only one of them.
-	if opts.signPassphraseFile != "" && opts.signByFingerprint != "" && opts.signBySigstorePrivateKey != "" {
-		return nil, nil, fmt.Errorf("Only one of --sign-by and sign-by-sigstore-private-key can be used with sign-passphrase-file")
+	if opts.signPassphraseFile != "" {
+		count := 0
+		if opts.signByFingerprint != "" {
+			count++
+		}
+		if opts.signBySequoiaFingerprint != "" {
+			count++
+		}
+		if opts.signBySigstorePrivateKey != "" {
+			count++
+		}
+		if count > 1 {
+			return nil, nil, fmt.Errorf("Only one of --sign-by, --sign-by-sq-fingerprint and --sign-by-sigstore-private-key can be used with --sign-passphrase-file")
+		}
 	}
 	var passphrase string
 	if opts.signPassphraseFile != "" {
@@ -380,6 +395,7 @@ func (opts *sharedCopyOptions) copyOptions(stdout io.Writer) (*copy.Options, fun
 		}
 		passphrase = p
 	} // opts.signByFingerprint triggers a GPG-agent passphrase prompt, possibly using a more secure channel, so we usually shouldn’t prompt ourselves if no passphrase was explicitly provided.
+	// With opts.signBySequoiaFingerprint, we don’t prompt for a passphrase (for now??): We don’t know whether the key requires a passphrase.
 	var passphraseBytes []byte
 	if passphrase != "" {
 		passphraseBytes = []byte(passphrase)
@@ -410,6 +426,19 @@ func (opts *sharedCopyOptions) copyOptions(stdout io.Writer) (*copy.Options, fun
 		}
 		signers = append(signers, signer)
 	}
+	if opts.signBySequoiaFingerprint != "" {
+		opts := []simplesequoia.Option{
+			simplesequoia.WithKeyFingerprint(opts.signBySequoiaFingerprint),
+		}
+		if passphrase != "" {
+			opts = append(opts, simplesequoia.WithPassphrase(passphrase))
+		}
+		signer, err := simplesequoia.NewSigner(opts...)
+		if err != nil {
+			return nil, nil, fmt.Errorf("Error using --sign-by-sq-fingerprint: %w", err)
+		}
+		signers = append(signers, signer)
+	}
 
 	succeeded = true
 	return &copy.Options{

cmd/skopeo/utils_nosequoia_test.go

@@ -0,0 +1,5 @@
+//go:build !containers_image_sequoia
+
+package main
+
+const buildWithSequoia = false

cmd/skopeo/utils_sequoia_test.go

@@ -0,0 +1,5 @@
+//go:build containers_image_sequoia
+
+package main
+
+const buildWithSequoia = true

cmd/skopeo/utils_test.go

@@ -378,6 +378,7 @@ func TestSharedCopyOptionsCopyOptions(t *testing.T) {
 	// Set most flags to non-default values
 	// This should also test --sign-by-sigstore and --sign-by-sigstore-private-key; we would have
 	// to create test keys for that.
+	// This does not test --sign-by-sq-fingerprint, because that needs to be conditional based on buildWithSequoia.
 	opts = fakeSharedCopyOptions(t, []string{
 		"--remove-signatures",
 		"--sign-by", "gpgFingerprint",
@@ -395,12 +396,13 @@ func TestSharedCopyOptionsCopyOptions(t *testing.T) {
 		ForceManifestMIMEType: imgspecv1.MediaTypeImageManifest,
 	}, res)
 
-	// --sign-passphrase-file + --sign-by work
+	// --sign-passphrase-file:
 	passphraseFile, err := os.CreateTemp("", "passphrase") // Eventually we could refer to a passphrase fixture instead
 	require.NoError(t, err)
 	defer os.Remove(passphraseFile.Name())
 	_, err = passphraseFile.WriteString("test-passphrase")
 	require.NoError(t, err)
+	// --sign-passphrase-file + --sign-by work
 	opts = fakeSharedCopyOptions(t, []string{
 		"--sign-by", "gpgFingerprint",
 		"--sign-passphrase-file", passphraseFile.Name(),
@@ -414,14 +416,39 @@ func TestSharedCopyOptionsCopyOptions(t *testing.T) {
 		SignSigstorePrivateKeyPassphrase: []byte("test-passphrase"),
 		ReportWriter:                     &someStdout,
 	}, res)
-	// --sign-passphrase-file + --sign-by-sigstore-private-key should be tested here.
+	// If Sequoia is supported, --sign-passphrase-file + --sign-by-sq-fingerprint work
+	if buildWithSequoia {
+		// --sign-passphrase-file + --sign-by-sq-fingerprint work
+		opts = fakeSharedCopyOptions(t, []string{
+			"--sign-by-sq-fingerprint", "sqFingerprint",
+			"--sign-passphrase-file", passphraseFile.Name(),
+		})
+		res, cleanup, err = opts.copyOptions(&someStdout)
+		require.NoError(t, err)
+		defer cleanup()
+		assert.NotNil(t, res.Signers) // Contains a Sequoia signer
+		res.Signers = nil             // To allow the comparison below
+		assert.Equal(t, &copy.Options{
+			SignPassphrase:                   "test-passphrase",
+			SignSigstorePrivateKeyPassphrase: []byte("test-passphrase"),
+			ReportWriter:                     &someStdout,
+		}, res)
+	}
 
 	// Invalid --format
 	opts = fakeSharedCopyOptions(t, []string{"--format", "invalid"})
 	_, _, err = opts.copyOptions(&someStdout)
 	assert.Error(t, err)
 
 	// More --sign-passphrase-file, --sign-by-sigstore-private-key, --sign-by-sigstore failure cases should be tested here.
+	// --sign-passphrase-file + several key options (other combinations should be tested here)
+	opts = fakeSharedCopyOptions(t, []string{
+		"--sign-by", "gpgFingerprint",
+		"--sign-by-sq-fingerprint", "sqFingerprint",
+		"--sign-passphrase-file", passphraseFile.Name(),
+	})
+	_, _, err = opts.copyOptions(&someStdout)
+	assert.Error(t, err)
 
 	// --sign-passphrase-file not found
 	opts = fakeSharedCopyOptions(t, []string{

docs/skopeo-copy.1.md

@@ -107,6 +107,10 @@ See containers-sigstore-signing-params.yaml(5) for details about the file format
 
 Add a sigstore signature using a private key at _path_ for an image name corresponding to _destination-image_
 
+**--sign-by-sq-fingerprint** _path_
+
+Add a “simple signing” signature using a Sequoia-PGP key with the specified _fingerprint_.
+
 **--sign-passphrase-file** _path_
 
 The passphare to use when signing with `--sign-by` or `--sign-by-sigstore-private-key`. Only the first line will be read. A passphrase stored in a file is of questionable security if other users can read this file. Do not use this option if at all avoidable.

docs/skopeo-sync.1.md

@@ -103,6 +103,10 @@ See containers-sigstore-signing-params.yaml(5) for details about the file format
 
 Add a sigstore signature using a private key at _path_ for an image name corresponding to _destination-image_
 
+**--sign-by-sq-fingerprint** _path_
+
+Add a “simple signing” signature using a Sequoia-PGP key with the specified _fingerprint_.
+
 **--sign-passphrase-file** _path_
 
 The passphare to use when signing with `--sign-by` or `--sign-by-sigstore-private-key`. Only the first line will be read. A passphrase stored in a file is of questionable security if other users can read this file. Do not use this option if at all avoidable.

integration/copy_test.go

@@ -18,6 +18,7 @@ import (
 
 	"github.com/containers/image/v5/manifest"
 	"github.com/containers/image/v5/signature"
+	"github.com/containers/image/v5/signature/simplesequoia"
 	"github.com/containers/image/v5/types"
 	digest "github.com/opencontainers/go-digest"
 	imgspecv1 "github.com/opencontainers/image-spec/specs-go/v1"
@@ -106,7 +107,9 @@ func (s *copySuite) TearDownSuite() {
 // and returns a path to a policy, which will be automatically removed when the test completes.
 func (s *copySuite) policyFixture(extraSubstitutions map[string]string) string {
 	t := s.T()
-	edits := map[string]string{"@keydir@": s.gpgHome}
+	fixtureDir, err := filepath.Abs("fixtures")
+	require.NoError(t, err)
+	edits := map[string]string{"@keydir@": s.gpgHome, "@fixturedir@": fixtureDir}
 	maps.Copy(edits, extraSubstitutions)
 	policyPath := fileFromFixture(t, "fixtures/policy.json", edits)
 	return policyPath
@@ -846,6 +849,39 @@ func (s *copySuite) TestCopyDirSignatures() {
 		"--policy", policy, "copy", topDirDest+"/restricted/badidentity", topDirDest+"/dest")
 }
 
+func (s *copySuite) TestCopySequoiaSignatures() {
+	t := s.T()
+	signer, err := simplesequoia.NewSigner(simplesequoia.WithSequoiaHome(testSequoiaHome), simplesequoia.WithKeyFingerprint(testSequoiaKeyFingerprint))
+	if err != nil {
+		t.Skipf("Sequoia not supported: %v", err)
+	}
+	signer.Close()
+
+	const ourRegistry = "docker://" + v2DockerRegistryURL + "/"
+
+	dirDest := "dir:" + t.TempDir()
+
+	policy := s.policyFixture(nil)
+	registriesDir := t.TempDir()
+	registriesFile := fileFromFixture(t, "fixtures/registries.yaml",
+		map[string]string{"@lookaside@": t.TempDir(), "@split-staging@": "/var/empty", "@split-read@": "file://var/empty"})
+	err = os.Symlink(registriesFile, filepath.Join(registriesDir, "registries.yaml"))
+	require.NoError(t, err)
+
+	// Sign the images
+	absSequoiaHome, err := filepath.Abs(testSequoiaHome)
+	require.NoError(t, err)
+	t.Setenv("SEQUOIA_HOME", absSequoiaHome)
+	assertSkopeoSucceeds(t, "", "copy", "--retry-times", "3", "--dest-tls-verify=false", "--sign-by-sq-fingerprint", testSequoiaKeyFingerprint,
+		testFQIN+":1.26", ourRegistry+"sequoia-no-passphrase")
+	assertSkopeoSucceeds(t, "", "copy", "--retry-times", "3", "--dest-tls-verify=false", "--sign-by-sq-fingerprint", testSequoiaKeyFingerprintWithPassphrase,
+		"--sign-passphrase-file", filepath.Join(absSequoiaHome, "with-passphrase.passphrase"),
+		testFQIN+":1.26.1", ourRegistry+"sequoia-with-passphrase")
+	// Verify that we can pull them
+	assertSkopeoSucceeds(t, "", "--policy", policy, "copy", "--src-tls-verify=false", ourRegistry+"sequoia-no-passphrase", dirDest)
+	assertSkopeoSucceeds(t, "", "--policy", policy, "copy", "--src-tls-verify=false", ourRegistry+"sequoia-with-passphrase", dirDest)
+}
+
 // Compression during copy
 func (s *copySuite) TestCopyCompression() {
 	t := s.T()

integration/fixtures/.gitignore

@@ -0,0 +1 @@
+/data/pgp.cert.d/_sequoia*