Add buildtags to avoid fulcio and rekor dependencies #2180
Conversation
|
cc: @rhatdan -- as discussed at kubecon |
| func WithFulcioAndInteractiveOIDC(fulcioURL *url.URL, oidcIssuerURL *url.URL, oidcClientID, oidcClientSecret string, | ||
| interactiveInput io.Reader, interactiveOutput io.Writer) internal.Option { | ||
| return func(s *internal.SigstoreSigner) error { | ||
| return fmt.Errorf("Fulcio disabled at compile time") |
There was a problem hiding this comment.
These are all project names.
signature/sigstore/rekor/no_rekor.go
Outdated
|
|
||
| func WithRekor(rekorURL *url.URL) signerInternal.Option { | ||
| return func(s *signerInternal.SigstoreSigner) error { | ||
| return fmt.Errorf("Rekor disabled at build time") |
| func WithFulcioAndDeviceAuthorizationGrantOIDC(fulcioURL *url.URL, oidcIssuerURL *url.URL, oidcClientID, oidcClientSecret string, | ||
| interactiveOutput io.Writer) internal.Option { | ||
| return func(s *internal.SigstoreSigner) error { | ||
| return fmt.Errorf("Fulcio disabled at compile time") |
|
|
||
| func WithFulcioAndPreexistingOIDCIDToken(fulcioURL *url.URL, oidcIDToken string) internal.Option { | ||
| return func(s *internal.SigstoreSigner) error { | ||
| return fmt.Errorf("Fulcio disabled at compile time") |
|
LGTM other then nits. |
There was a problem hiding this comment.
I’m fine with conditionalizing this, but note that this does not actually remove those dependencies as documented: Both Fulcio and Rekor are required by the signature verification paths.
So, is this actually useful for your goals? If it is, fine, it’s just that the build tag documentation needs to be clear that this only disables the signing path, not verification.
(Removing/conditionalizing that code from the verification paths would require a pretty good unit test coverage, so that would be rather more work.)
siretart
force-pushed
the
fulcio_rekor_stub
branch
from
199c207
to
e55832d
Compare
|
@mtrmac thanks for pointing our my oversight. The issue at core is that I don't have neither I've updated the PR to disable the verificaion paths as well. Can you please elaborate on:
What's wrong with just removing those unit tests? |
For situations where Fulcio and Rekor operations are not required, this commit provides buildtags to avoid those dependencies. Signed-off-by: Reinhard Tartler <siretart@gmail.com>
Signed-off-by: Reinhard Tartler <siretart@gmail.com>
siretart
force-pushed
the
fulcio_rekor_stub
branch
from
e55832d
to
9ca4b73
Compare
|
The policy enforcement / signature verification code is a critical security mechanism; so I think it should be tested. It’s fine not to support features, and to fail closed; but then we should have tests that the code does fail closed. I appreciate that the added implementation is trivial, but still… quite a bit of It‘s also somewhat a matter of not relaxing expectations: “the policy enforcement package code must have good test coverage”, and keeping that true will help reinforce that for other future features. |
|
@siretart Any update |
|
@rhatdan I've uploaded a very similar patch to this PR to debian, and it seems to work great. I think I understand why @mtrmac is asking to not disable the test fully, but I don't (currently) have enough time available to actually do the requested changes; right now, I'm focusing on packaging the newly required depedencies for podman 4.8. I personally think we can get away without having the full testsuite run with and without that buildflag, given that it is purely about disabling functionality (and not altering behavior). But then, I can only make this call for the debian package, not upstream. |
…1114) This PR contains the following updates: Package Change Age Adoption Passing Confidence github.com/containers/image/v5 v5.29.2 -> v5.30.0 WarningSome dependencies could not be looked up. Check the warning logs for more information. Release Notes containers/image (github.com/containers/image/v5) v5.30.0 Compare Source What's Changed A fair number of improvements when working with zstd and zstd:chunked-compressed images. Note that make install now installs policy.json and registries.d/default.yaml. Refuse compression to zstd when using schema1 by @mtrmac in containers/image#2196 Don't expose local account details in oci-archive tar files by @mtrmac in containers/image#2202 Trigger a conversion to OCI when compressing to Zstd by @mtrmac in containers/image#2204 Add buildtags to avoid fulcio and rekor dependencies by @siretart in containers/image#2180 copy: do not fail if digest mismatches by @giuseppe in containers/image#1980 Moving policy.json and default.yaml from containers/skopeo by @rahilarious in containers/image#2215 Embrace codespell: config, workflow (to alert when new typos added) and get typos fixed by @yarikoptic in containers/image#2214 Fix raspberry pi zero cpu variant recognition by @lstolcman in containers/image#2086 storage: validate images converted to zstd:chunked by @giuseppe in containers/image#2243 Make blob reuse choices manifest-format-sensitive, and allow conversions when writing to format-agnostic transports by @mtrmac in containers/image#2213 Edit the manifest when pushing uncompressed data from c/storage by @mtrmac in containers/image#2273 Random storage-related cleanups by @mtrmac in containers/image#2287 Improve storage transport documentation, primarily about locking by @mtrmac in containers/image#2291 Fix c/storage destination with partial pulls by @mtrmac in containers/image#2288 Fix manifest updates when we match a layer by TOC digest by @mtrmac in containers/image#2294 Cleanly fail when trying to obtain a DiffID of a non-OCI image by @mtrmac in containers/image#2295 Beautify TOC-related parts of storageImageSource by @mtrmac in containers/image#2296 storage: use the new ApplyStagedLayer interface by @giuseppe in containers/image#2301 Also annotate image instances using zstd:chunked as using zstd by @mtrmac in containers/image#2302 Support editing ArtifactType, preserve it in lists by @nalind in containers/image#2304 Provide data to correctly report throughput on partial pulls by @mtrmac in containers/image#2308 Add validation error to digesting reader by @saschagrunert in containers/image#2312 Fix handling of errors when fetching layers by URLs by @mtrmac in containers/image#2310 Improve handling of zstd vs. zstd:chunked matching by @mtrmac in containers/image#2317 New Contributors @rahilarious made their first contribution in containers/image#2215 @yarikoptic made their first contribution in containers/image#2214 @lstolcman made their first contribution in containers/image#2086 @bainsy88 made their first contribution in containers/image#2260 Full Changelog: containers/image@v5.29.2...v5.30.0 Configuration 📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied. ♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 Ignore: Close this PR and you won't be reminded about this update again. If you want to rebase/retry this PR, check this box This PR has been generated by Mend Renovate. View repository job log here.
For situations where Fulcio and Rekor operations are not required,
this commit provides buildtags to avoid those dependencies.
Signed-off-by: Reinhard Tartler siretart@gmail.com