image-rs: Support simple signing with X-R-S-S

Support getting simple signing signatures from registry that supports X-R-S-S extension. Refactor into separate tests for XRSS and others. Fixes: confidential-containers#12 Signed-off-by: Matthew Arnold <mattarno@uk.ibm.com>
mattarnoatibm · Oct 3, 2023 · 08087e5 · 08087e5
1 parent f4f89da
commit 08087e5
Show file tree

Hide file tree

Showing 9 changed files with 345 additions and 24 deletions.
diff --git a/.github/workflows/image_rs_build.yml b/.github/workflows/image_rs_build.yml
@@ -74,6 +74,7 @@ jobs:
           cargo clippy -p image-rs --all-targets --features=kata-cc-native-tls --no-default-features -- -D warnings
           cargo clippy -p image-rs --all-targets --features=enclave-cc-eaakbc-native-tls --no-default-features -- -D warnings
           cargo clippy -p image-rs --all-targets --features=enclave-cc-cckbc-native-tls --no-default-features -- -D warnings
+          cargo clippy -p image-rs --all-targets --features=kata-cc-native-tls,signature-simple-xrss --no-default-features -- -D warnings
 
       - name: Run cargo build
         uses: actions-rs/cargo@v1
@@ -100,3 +101,9 @@ jobs:
       - name: Run cargo test - kata-cc (native-tls version) with keywrap-ttrpc (default) + keywrap-jwe
         run: |
           sudo -E PATH=$PATH -s cargo test -p image-rs --no-default-features --features=kata-cc-native-tls,keywrap-jwe
+
+      - name: Run cargo test - kata-cc (native-tls version) with keywrap-ttrpc (default) + keywrap-jwe and with signatures from XRSS registry extension
+        env:
+          AUTH: "iamapikey:${{ secrets.SH_ICR_API_KEY }}"
+        run: |
+          sudo -E PATH=$PATH -s cargo test -p image-rs --no-default-features --features=kata-cc-native-tls,keywrap-jwe,signature-simple-xrss
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/image-rs/Cargo.toml b/image-rs/Cargo.toml
@@ -32,6 +32,7 @@ oci-spec = "0.6.2"
 ocicrypt-rs = { path = "../ocicrypt-rs", default-features = false, features = ["async-io"], optional = true }
 prost = { workspace = true, optional = true }
 protobuf = { workspace = true, optional = true }
+reqwest = { workspace = true, features = ["json"], optional = true }
 sequoia-openpgp = { version = "1.7.0", default-features = false, features = ["compression", "crypto-rust", "allow-experimental-crypto", "allow-variable-time-crypto"], optional = true }
 serde = { workspace = true, features = ["serde_derive", "rc"] }
 serde_json.workspace = true
@@ -111,6 +112,7 @@ signature-cosign-native = ["signature-cosign", "sigstore/cosign-native-tls"]
 oci-distribution-rustls = ["oci-distribution/rustls-tls"]
 oci-distribution-native = ["oci-distribution/native-tls"]
 
+signature-simple-xrss = ["signature-simple", "dep:reqwest"]
 signature-simple = ["signature", "sequoia-openpgp", "serde_yaml"]
 
 snapshot-overlayfs = ["nix"]