image sign using per user registries.d

[QiWang19]

Support per user ~/.config/containers/registries.d to allow rootless image sign configurations.

Signed-off-by: Qi Wang qiwan@redhat.com

[rhatdan]

@QiWang19 Rebase and you should be able to pass the tests.

[QiWang19]

@mtrmac @rhatdan PTAL

[rhatdan]

LGTM
@mtrmac PTAL

[rhatdan]

@mtrmac @vrothberg PTAL

[vrothberg]

I really want a head nod from @mtrmac. I may very well miss details/side effects I am may not be aware of.

[vrothberg]

Suggested change

	configuration files in /etc/containers/registries.d/ for root user, or $HOME/.config/containers/registries.d for non-root user. When you sign
	configuration files in /etc/containers/registries.d/ for root, or $HOME/.config/containers/registries.d for non-root users. When you sign

[vrothberg]

The comment doesn't seem to match the code. We don't seem to check for permissions but use the rootless paths if they exist even for root.

[mtrmac]

I’d prefer for this to be merged only after or together with containers/image#1035 to make sure the two are consistent.

Right now, the code LGTM, though the documentation does not match the code and needs updating.

---

The path lookup logic is complex enough that it probably makes sense to export c/image/docker.configuredSignatureStorageBase (with a better name) now, and use it here instead of maintaining a second copy of the code. (While overall we do want readers/writers to use the c/image API to access signatures instead of raw access, this has clearly not stopped podman sign, and modifying podman sign to use a c/image/docker ImageDestination would now incompatibly introduce a requirement to be able to connect to the registry.)

[mtrmac]

Should these two be a top-level commented variables like the others?

[mtrmac]

Dealing with URLs here seems to be an unnecessary complication; move the localPathFromURI call to the registryInfo != nil case, and this can just work with the sigStoreDir path.

[github-actions]

A friendly reminder that this PR had no activity for 30 days.

[rhatdan]

@QiWang19 This needs a rebase. Is this still being worked on?

[QiWang19]

@rhatdan still being worked on, waiting to get this commit from c/image containers/image@1a0dda7

[rhatdan]

@QiWang19 you should have the containers/image PR in podman now.

[QiWang19]

@mtrmac @vrothberg PTAL

[QiWang19]

@mtrmac PTAL

[QiWang19]

@containers/podman-maintainers PTAL

[TomSweeneyRedHat]

Suggested change

	derived from the registry configuration files in `$HOME/.config/containers/registries.d` if exists,
	derived from the registry configuration files in `$HOME/.config/containers/registries.d` if it exists,

[TomSweeneyRedHat]

looks like we don't list containers-registries-d(5) at the bottom of this man page and I think we should.

[mtrmac]

These code changes LGTM.

To be consistent, though, I think this PR should also update getPolicyShowOutput, the other user of trust.LoadAndMergeConfig+trust.HaveMatchRegistry (and then delete them), so that that function also correctly shows the new built-in default paths.

A downside to that is that that function will now always show a sigstore, even for X-R-S-S registries (and there isn’t a way to tell whether a registry supports X-R-S-S without connecting to it), but that’s probably better than not showing a default sigstore path that would get used.

[mtrmac]

Non-blocking: This can just be an else.

[QiWang19]

These code changes LGTM.

To be consistent, though, I think this PR should also update getPolicyShowOutput, the other user of trust.LoadAndMergeConfig+trust.HaveMatchRegistry (and then delete them), so that that function also correctly shows the new built-in default paths.

replace the above with docker.SignatureStorageBaseURL needs pass in an ImageReference, is there a good way to form an imageReference from the transports configurations in policy.json?

[mtrmac]

These code changes LGTM.
To be consistent, though, I think this PR should also update getPolicyShowOutput, the other user of trust.LoadAndMergeConfig+trust.HaveMatchRegistry (and then delete them), so that that function also correctly shows the new built-in default paths.

replace the above with docker.SignatureStorageBaseURL needs pass in an ImageReference, is there a good way to form an imageReference from the transports configurations in policy.json?

Ouch… no. There is one case that works ( a policy.json scope that includes a tag or digest); all the rest does not:

• For a host[:port]/…/repo scope, it would be possible to look up e.g. …/repo:latest, but that might not be correct if :latest has a different configuration section from the rest of the repo.
• For a host[:port], it is impossible to look up without inventing a repo+tag/digest, and that again could clash with a more specific configuration section.
• In the worst case, there will be new support for *.domain.com and the like in policy.json, so there could be multiple equally right answers if a.domain.com and b.domain.com are configured with different sigstores.

The last one is essentially unfixable given the current trust.Policy data structure and CLI output, so I suppose returning nothing if the existing code doesn’t find an exact match is as close as we can get.

[mtrmac]

LGTM.

[openshift-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: mtrmac, QiWang19, rhatdan

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [rhatdan]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[umohnani8]

Changes LGTM, @QiWang19 needs a rebase though

[QiWang19]

Needs lgtm label.

[umohnani8]

/lgtm
/hold

@mheon should we hold for the github-check failure?

[mheon]

We can't do anything about the RDO check, but it's not a blocking failure, we can merge without it.
/hold cancel