image-rs: Support simple signing with X-R-S-S #372
Conversation
mattarnoatibm
requested review from
sameo,
jiangliu,
arronwy,
lumjjb,
jialez0 and
Xynnn007
as code owners
mattarnoatibm
force-pushed
the
simple-signing-xrss
branch
3 times, most recently
from
0625429
to
92c94fa
Compare
There was a problem hiding this comment.
Thanks @mattarnoatibm for the contribution! Could you do some refactoring to the code for better maintainance in future?
| #[cfg(feature = "signature-simple")] | ||
| use base64::Engine; | ||
|
|
||
| #[cfg(feature = "signature-simple-xrss")] | ||
| use oci_distribution::Reference; | ||
| #[cfg(feature = "signature-simple-xrss")] | ||
| use reqwest::Client; | ||
|
|
||
| #[cfg(feature = "signature-simple-xrss")] | ||
| use crate::signature::image::digest::Digest; | ||
|
|
There was a problem hiding this comment.
There are many #[cfg(feature = "signature-simple-xrss")] sentences in this file. If these feature-specific sentences can be put into a separate file, it can be better for reading and maintaining. We only need to mark the mod xrss; sentence with #[cfg(feature = "signature-simple-xrss")].
There was a problem hiding this comment.
Hi @Xynnn007 I moved most of the code in simple/mod.rs that was behind the signature-simple-xrss feature to a new file, xrss.rs. I marked 2 sentences with #[cfg(feature = "signature-simple-xrss")] in addition to the mod xrss; sentence in mod.rs:
If the XRSS feature is used then crate::resource::get_resource(&config.sigstore_config).await can return an error, otherwise we cannot allow it to return an error, so I left if sig_store_config_file.is_err() { return Ok(()); } marked with #[cfg(feature = "signature-simple-xrss")].
If XRSS is not used then we don't want to create an xrss::RegistryClient and try to get signatures from the registry. So I created a code block where the xrss::RegistryClient is created and used to try and get signatures from the registry, and I marked that code block with #[cfg(feature = "signature-simple-xrss")].
| } | ||
| } | ||
|
|
||
| pub async fn get_signatures_from_registry( |
There was a problem hiding this comment.
maybe we can send the PR in parallel to https://github.com/krustlet/oci-distribution to extend the Client API to support pull signatures from registry
There was a problem hiding this comment.
I'll take at look at the OCI Distribution library.
mattarnoatibm
force-pushed
the
simple-signing-xrss
branch
from
55b8d5b
to
4ea27d6
Compare
mattarnoatibm
force-pushed
the
simple-signing-xrss
branch
2 times, most recently
from
a731302
to
c28adf0
Compare
image-rs/tests/credential.rs
Outdated
| @@ -19,7 +19,7 @@ pub mod common; | |||
| #[tokio::test] | |||
| #[serial] | |||
| async fn test_use_credential(#[case] image_ref: &str, #[case] auth_file_uri: &str) { | |||
| common::prepare_test().await; | |||
| common::prepare_test("aa-offline_fs_kbc-resources.json").await; | |||
There was a problem hiding this comment.
I think it would be better to declare this as a const, or we add the parameter to #[case] macro. How do you like?
There was a problem hiding this comment.
Done. I went with adding some constants to common/mod.rs as the signature verification tests do not use the #[case] macro.
image-rs/tests/image_decryption.rs
Outdated
| @@ -30,7 +30,7 @@ const OCICRYPT_CONFIG: &str = "test_data/ocicrypt_keyprovider_ttrpc.conf"; | |||
| #[tokio::test] | |||
| #[serial] | |||
| async fn test_decrypt_layers(#[case] image: &str) { | |||
| common::prepare_test().await; | |||
| common::prepare_test("aa-offline_fs_kbc-resources.json").await; | |||
There was a problem hiding this comment.
I think it would be better to declare this as a const, or we add the parameter to #[case] macro. How do you like?
| @@ -93,13 +118,53 @@ const SIGSTORE_CONFIG_URI: &str = "kbs:///default/sigstore-config/test"; | |||
| #[tokio::test] | |||
| #[serial] | |||
| async fn signature_verification() { | |||
| common::prepare_test().await; | |||
| do_signature_verification_tests(&_TESTS, "aa-offline_fs_kbc-resources.json", &None).await; | |||
There was a problem hiding this comment.
I think it would be better to declare this as a const, or we add the parameter to #[case] macro. How do you like?
| let auth_info = &Some(auth.as_str()); | ||
| do_signature_verification_tests( | ||
| &_TESTS_XRSS, | ||
| "aa-offline_fs_kbc-resources-for-icr.json", |
There was a problem hiding this comment.
I think it would be better to declare this as a const, or we add the parameter to #[case] macro. How do you like?
Support getting simple signing signatures from registry that supports X-R-S-S extension. Refactor into separate tests for XRSS and others. Fixes: confidential-containers#12 Signed-off-by: Matthew Arnold <mattarno@uk.ibm.com>
mattarnoatibm
force-pushed
the
simple-signing-xrss
branch
from
1812db1
to
43227e4
Compare
|
@arronwy - hey Arron, we are keen to try and get this feature into the 0.8 release before |
sure, I though we already code freeze for v0.8.0 and merge after the release, it's ok from my side to merge for v0.8.0 |
Support getting simple signing signatures from
registry that supports X-R-S-S extension.
Refactor into separate tests for XRSS and others.
Fixes: #12