Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Release 5.32.2 #2531

Merged
merged 8 commits into from
Aug 20, 2024
Merged

Release 5.32.2 #2531

merged 8 commits into from
Aug 20, 2024

Conversation

mtrmac
Copy link
Collaborator

@mtrmac mtrmac commented Aug 20, 2024

This backports #2524 and #2526 :

This adds the ability to accept sigstore signatures signed by any key from a set of several (huge thanks to @dcermak and @danishprakash for doing almost all the work), and Rekor log presence proofs signed by any key from a set of several keys.

Cc: @TomSweeneyRedHat

mtrmac and others added 8 commits August 20, 2024 17:46
@mtrmac
Use InvalidPolicyFormatError for invalid sigstore options
c0c8d34 
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
@mtrmac
Turn loadBytesFromDataOrPath into loadBytesFromConfigSources
03550b4 
Use a struct as an input, so that the parameters are named and
we minimize risk of inconsistencies, and make it easier to add more sources.

Should not change behavior.

Signed-off-by: Miloslav Trmač <mitr@redhat.com>
@mtrmac
Use loadBytesFromConfigSources in prSignedBy.isSignatureAuthorAccepted
a5ea016 
Extend loadBytesFromConfigSources to return multiple values, and to support
reading the from files; then share the code.

Signed-off-by: Miloslav Trmač <mitr@redhat.com>
@mtrmac
Split verifySigstorePayloadBlobSignature from VerifySigstorePayload
d42de59 
because we will want to support multiple public keys, and that's
easier to do in a separate function.

Should not change behavior except for order of error checks.

Signed-off-by: Miloslav Trmač <mitr@redhat.com>
@dcermak @danishprakash @mtrmac
Add field KeyPaths and KeyDatas to prSigstoreSigned
95c0635 
The new fields `KeyPaths` and `KeyDatas` is taken directly from
`/etc/containers/policy.json` and allows users to provide multiple signature
keys to be used to verify images. Only one of the keys has to verify, thereby
this mechanism allows us to have support seamless key rotation on a registry.

This fixes containers#2319

Signed-off-by: Dan Čermák <dcermak@suse.com>
Co-authored-by: Danish Prakash <danish.prakash@suse.com>
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
@mtrmac
Support accepting multiple Rekor public keys
2a87b21 
Add rekorPublicKeyPaths and rekorPublicKeyDatas , similar to the primary
root of trust public keys.

Signed-off-by: Miloslav Trmač <mitr@redhat.com>
@mtrmac
Release 5.32.2
0b425a4 
This adds the ability to accept sigstore signatures signed by
any key from a set of several (huge thanks to @dcermak and
@danishprakash for doing almost all the work), and Rekor log
presence proofs signed by any key from a set of several keys.

Signed-off-by: Miloslav Trmač <mitr@redhat.com>
@mtrmac
Bump to 5.32.3-dev
46bde10 
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
@TomSweeneyRedHat
Copy link
Member

LGTM

1 similar comment
@mheon
Copy link
Member

mheon commented Aug 20, 2024

LGTM

@TomSweeneyRedHat TomSweeneyRedHat merged commit 51d37e8 into containers:release-5.32 Aug 20, 2024
9 checks passed
@mtrmac mtrmac deleted the 5.32-backport branch August 20, 2024 18:09
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@mtrmac @TomSweeneyRedHat @mheon @dcermak