Closed STARRY-S closed 1 month ago
- `generate-sigstore-key` command to generate a sigstore key-pair.
- `sign`, `sign validate` commands to sign images & validate the signed images with the sigstore key-pair.
- `--sigstore-private-key`, `--sigstore-passphrase` options for the mirror & load commands to sign images when copying images.
- `--remove-signature` option for the mirror command to not copy the image signature if the source image has a sigstore signature.

Available to test on v1.8.0-rc3.
Docs: https://hangar.cnrancher.com/docs/v1.8/sign/
When harbor is used as the image repository, the container image fails to be signed.
```
ip-172-31-33-62:/hangar # hangar generate-sigstore-key --prefix="sigstore"
Enter the passphrase for key "sigstore.key":
Enter the passphrase again:
[03:15:40] [INFO] Write sigstore key-pair to "sigstore.pub", "sigstore.key"
ip-172-31-33-62:/hangar # hangar sign \
> --file="aaa.txt" \
> --sigstore-key="sigstore.key" \
> --arch amd64 \
> --os linux \
> --registry="harbor.wujing.fun" \
> --jobs=1
Enter the passphrase for key "sigstore.key":
[03:15:57] [INFO] Arch List: [amd64]
[03:15:57] [INFO] OS List: [linux]
[03:15:57] [INFO] Signing images in "aaa.txt" with sigstore priv-key "sigstore.key".
[03:15:58] [INFO] [IMG:1] Signing [harbor.wujing.fun/cnrancher/hangar:latest]
[03:15:58] [WARN] Failed, retrying in 100µs ... (1/3). Error: reading signatures: reading manifest sha256-984c80e10467af70f618cce216472f64147ac1258c1581b975ebafc3bcd5dec1.sig in harbor.wujing.fun/cnrancher/hangar: unknown: artifact cnrancher/hangar:sha256-984c80e10467af70f618cce216472f64147ac1258c1581b975ebafc3bcd5dec1.sig not found
[03:15:58] [WARN] Failed, retrying in 100µs ... (2/3). Error: reading signatures: reading manifest sha256-984c80e10467af70f618cce216472f64147ac1258c1581b975ebafc3bcd5dec1.sig in harbor.wujing.fun/cnrancher/hangar: unknown: artifact cnrancher/hangar:sha256-984c80e10467af70f618cce216472f64147ac1258c1581b975ebafc3bcd5dec1.sig not found
[03:15:58] [WARN] Failed, retrying in 100µs ... (3/3). Error: reading signatures: reading manifest sha256-984c80e10467af70f618cce216472f64147ac1258c1581b975ebafc3bcd5dec1.sig in harbor.wujing.fun/cnrancher/hangar: unknown: artifact cnrancher/hangar:sha256-984c80e10467af70f618cce216472f64147ac1258c1581b975ebafc3bcd5dec1.sig not found
[03:15:59] [ERRO] error occurred when sign [harbor.wujing.fun/cnrancher/hangar:latest]: failed to sign [docker://harbor.wujing.fun/cnrancher/hangar:latest]: error occurred when sign image [docker://harbor.wujing.fun/cnrancher/hangar:latest]: reading signatures: reading manifest sha256-984c80e10467af70f618cce216472f64147ac1258c1581b975ebafc3bcd5dec1.sig in harbor.wujing.fun/cnrancher/hangar: unknown: artifact cnrancher/hangar:sha256-984c80e10467af70f618cce216472f64147ac1258c1581b975ebafc3bcd5dec1.sig not found
[03:15:59] [ERRO] Sign failed image list:
cnrancher/hangar:latest
[03:15:59] [INFO] Failed image list exported to "sign-failed.txt"
[03:15:59] [FATA] some images failed to sign
ip-172-31-33-62:/hangar #
```
Version: v1.8.0-rc3
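The failure above happens while hangar looks up the signature tag that cosign-style signing stores beside the image, `sha256-<digest>.sig`. The following Python is an added illustration, not code from hangar or from this thread: it derives that tag from an image digest and triages hangar log lines by whether the registry answered the signature-tag lookup with a standard `manifest unknown` (which, as an assumption here, a containers/image based client treats as "no signature yet" and goes on to sign) or with a different code such as the `unknown: ... not found` seen in the Harbor report. The sample log is constructed from the lines above plus one made-up `registry:2`-style line; `registry.example.test` is a placeholder host.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample log. Lines 1-2 are taken from the Harbor failure report above;
# line 3 is a constructed line in the shape a distribution registry (registry:2)
# returns when the signature tag simply does not exist yet.
SAMPLE_LOG = """\
[03:15:58] [INFO] [IMG:1] Signing [harbor.wujing.fun/cnrancher/hangar:latest]
[03:15:58] [WARN] Failed, retrying in 100µs ... (1/3). Error: reading signatures: reading manifest sha256-984c80e10467af70f618cce216472f64147ac1258c1581b975ebafc3bcd5dec1.sig in harbor.wujing.fun/cnrancher/hangar: unknown: artifact cnrancher/hangar:sha256-984c80e10467af70f618cce216472f64147ac1258c1581b975ebafc3bcd5dec1.sig not found
[03:16:10] [WARN] Failed, retrying in 100µs ... (1/3). Error: reading signatures: reading manifest sha256-984c80e10467af70f618cce216472f64147ac1258c1581b975ebafc3bcd5dec1.sig in registry.example.test/cnrancher/hangar: manifest unknown: manifest unknown
"""

# Matches the "reading signatures" error fragment hangar prints on a failed lookup.
_LOOKUP_RE = re.compile(
    r"reading signatures: reading manifest (?P<tag>sha256-[0-9a-f]{64}\.sig) "
    r"in (?P<repo>\S+?): (?P<err>.*)$"
)


def sigstore_signature_tag(digest: str) -> str:
    """Tag under which cosign-style signatures live: sha256:<hex> -> sha256-<hex>.sig."""
    algo, _, hexdigest = digest.partition(":")
    if algo != "sha256" or not re.fullmatch(r"[0-9a-f]{64}", hexdigest):
        raise ValueError(f"not a sha256 digest: {digest!r}")
    return f"{algo}-{hexdigest}.sig"


def digest_from_signature_tag(tag: str) -> str:
    """Inverse of sigstore_signature_tag: sha256-<hex>.sig -> sha256:<hex>."""
    m = re.fullmatch(r"(sha256)-([0-9a-f]{64})\.sig", tag)
    if not m:
        raise ValueError(f"not a sigstore signature tag: {tag!r}")
    return f"{m.group(1)}:{m.group(2)}"


@dataclass(frozen=True)
class SignatureLookupError:
    repo: str      # repository the signature tag was looked up in
    digest: str    # digest of the image being signed
    code: str      # first component of the registry error ("unknown", "manifest unknown", ...)
    message: str   # full registry error text

    @property
    def treated_as_unsigned(self) -> bool:
        # Assumption: a client following the distribution spec treats MANIFEST_UNKNOWN
        # on the signature tag as "no signatures yet" and continues; any other error
        # code (Harbor's "unknown: artifact ... not found" here) aborts the signing step.
        return self.code == "manifest unknown"


def parse_signature_lookup_error(line: str) -> Optional[SignatureLookupError]:
    """Return the parsed lookup error for a hangar log line, or None for other lines."""
    m = _LOOKUP_RE.search(line)
    if not m:
        return None
    err = m.group("err")
    code, _, _ = err.partition(":")
    return SignatureLookupError(
        repo=m.group("repo"),
        digest=digest_from_signature_tag(m.group("tag")),
        code=code.strip(),
        message=err,
    )


def triage(log: str) -> List[Tuple[str, str, bool]]:
    """Unique (repo, digest, treated_as_unsigned) rows for every failed lookup in the log.

    Rows with treated_as_unsigned == False point at a registry whose answer the
    signing client does not recognise as "no signature yet".
    """
    rows: List[Tuple[str, str, bool]] = []
    for line in log.splitlines():
        e = parse_signature_lookup_error(line)
        if e is None:
            continue
        row = (e.repo, e.digest, e.treated_as_unsigned)
        if row not in rows:
            rows.append(row)
    return rows


if __name__ == "__main__":
    for repo, digest, ok in triage(SAMPLE_LOG):
        verdict = "treated as unsigned, signing proceeds" if ok else "hard error, signing aborts"
        print(f"{repo} @ {digest}: {verdict}")
```

Running the block on the constructed log prints one "hard error" row for the Harbor repository and one "treated as unsigned" row for the placeholder registry, which is the distinction between the failing Harbor run and the passing `registry:2` run reported below.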
This problem exists when the registry is harbor. The following test uses registry:2 for verification. After the problem is fixed, use harbor for testing.
Verification passed, the test content is as follows:
| Test Case | Command | Steps | Expected | Results |
|---|---|---|---|---|
| Generate sigstore key | `hangar generate-sigstore-key` | 1. Set up a registry server. 2. Run Hangar v1.8.0-rc3: `docker run -it -v $(pwd):/hangar --network=host cnrancher/hangar:v1.8.0-rc3` 3. Run the generate-sigstore-key command to generate the sigstore key-pair: `hangar generate-sigstore-key --prefix="sigstore"` | The generated sigstore key-pair is `sigstore.pub` and `sigstore.key` | PASS |
| Sign images with sigstore key-pair | `hangar sign` | 1. Use the mirror command to copy container images to the private registry. 2. Sign the container images with the sigstore private key. 3. Use the inspect command to view the signed sigstore signature. | Sigstore signature is correct | PASS |
| Validate the signed image signature | `hangar sign validate` | 4. Use the `hangar sign validate` command to validate the signed image's sigstore signature. | The verification is successful and the result is PASS. | PASS |
| Validate the mirrored image signature | `--exact-repository` | Verify according to the documentation instructions: validate the copied image signature with `--exact-repository`. | It can be verified and the returned result is PASS. | PASS |
| Use cosign to verify the signed image signature | `cosign verify` | Verify according to the documentation instructions: use `cosign verify` to verify the Hangar-signed image. | Can be verified successfully | PASS |
| Do not copy image signatures when mirroring images | `mirror --remove-signature` | 1. Use the `--remove-signatures` option of the mirror command to disable signature copying. 2. Use `hangar inspect` to confirm that the image is not signed. 3. Use the sign command to re-sign the container images with your own sigstore key. 4. Use `hangar inspect` to confirm that the image has been signed. | The `--remove-signatures` parameter takes effect | PASS |
Is your feature request related to a problem?
Original Issue: https://github.com/cnrancher/hangar/issues/15
Split the container image sign & verify functionality into this separate issue.
Describe the solution you'd like
Add container image signing functions (signing with the sigstore private key) and functions to validate the signed container image (with the sigstore public key).
The container image sign & verify functionality will be based on the containers/image library; no other third-party dependencies were introduced.