Merge branch 'main' into cras

Author: github-actions

CHANGELOG.md

@@ -2,13 +2,20 @@
 
 ## Changes Since Last Release
 
+### Behaviour Changes
+
+- Skip attempting to bind inaccessible mount points when handling the
+  `mount hostfs = yes` configuration option.
+
 ### Bug Fixes
 
 - Use correct username (not user's name) when computing `singularity oci` conmon
   / singularity state dir.
 - Write StdErr messages from starter to terminal StdErr when an instance fails
   to start. Previously incorrectly written to terminal StdOut.
 - Fix incorrect debug message in Cgroups checks.
+- Skip invalid environment variables when pulling pulling OCI images to
+  native SIF, so environment sourcing does not fail.
 
 ### New Features & Functionality
 
@@ -28,6 +35,15 @@
   payloads of all valid signatures are displayed.
 - `singularity push` now supports pushing cosign signatures in an OCI-SIF to
   an OCI registry, via the `--with-cosign` flag.
+- `singularity pull` now supports pulling cosign signatures from a registry
+  to an OCI-SIF, via the `--with-cosign` flag when `--oci` is also specified.
+  Signatures can only be pulled when the image in the registry is in SquashFS
+  format. Converting layer formats, or squashing to a single layer, modifies
+  the image manifest, and would invalidate any signatures.
+- The new `singularity key generate-cosign-key-pair` subcommand can be used
+  to generate a password-protected key-pair for signing OCI-SIF images with
+  cosign-compatible signatures.
+- Added `dnf` definition file bootstrap as an alias for `yum`.
 
 ## Requirements / Packaging
 
@@ -37,6 +53,8 @@
 - Ubuntu deb packages are built without libsubid support.
 - The RPM spec file no longer includes rules for SLES / openSUSE package builds,
   which have been untested / unsupported for some time.
+- Make binary builds more reproducible by deriving the GNU build ID
+  from the Go build ID instead of using a randomly generated one.
 
 ### Removed Features
 

cmd/internal/cli/key.go

@@ -1,5 +1,5 @@
 // Copyright (c) 2020, Control Command Inc. All rights reserved.
-// Copyright (c) 2017-2021, Sylabs Inc. All rights reserved.
+// Copyright (c) 2017-2025, Sylabs Inc. All rights reserved.
 // This software is licensed under a 3-clause BSD license. Please consult the
 // LICENSE.md file distributed with the sources of this project regarding your
 // rights to use or distribute this software.
@@ -94,6 +94,9 @@ func init() {
 			&keyGlobalPubKeyFlag,
 			KeyImportCmd, KeyExportCmd, KeyListCmd, KeyPullCmd, KeyPushCmd, KeyRemoveCmd,
 		)
+
+		cmdManager.RegisterSubCmd(KeyCmd, KeyGenerateCosignKeyPairCmd)
+		cmdManager.RegisterFlagForCmd(&keyOutputKeyPrefixFlag, KeyGenerateCosignKeyPairCmd)
 	})
 }
 

cmd/internal/cli/key_generatecosignkeypair.go

@@ -0,0 +1,77 @@
+// Copyright (c) 2025, Sylabs Inc. All rights reserved.
+// This software is licensed under a 3-clause BSD license. Please consult the
+// LICENSE.md file distributed with the sources of this project regarding your
+// rights to use or distribute this software.
+
+package cli
+
+import (
+	"os"
+
+	"github.com/sigstore/cosign/v2/pkg/cosign"
+	"github.com/sigstore/sigstore/pkg/cryptoutils"
+	"github.com/spf13/cobra"
+	"github.com/sylabs/singularity/v4/docs"
+	"github.com/sylabs/singularity/v4/internal/pkg/util/fs"
+	"github.com/sylabs/singularity/v4/pkg/cmdline"
+	"github.com/sylabs/singularity/v4/pkg/sylog"
+)
+
+var (
+	cosignKeyPairPrefix string
+
+	// --output-key-prefix
+	keyOutputKeyPrefixFlag = cmdline.Flag{
+		ID:           "keyOutputKeyPrefixFlag",
+		Value:        &cosignKeyPairPrefix,
+		DefaultValue: "singularity-cosign",
+		Name:         "output-key-prefix",
+		Usage:        "prefix for .key / .pub files",
+	}
+
+	// KeyNewPairCmd is 'singularity key newpair' and generate a new OpenPGP key pair
+	KeyGenerateCosignKeyPairCmd = &cobra.Command{
+		Args:                  cobra.ExactArgs(0),
+		DisableFlagsInUseLine: true,
+		Run:                   runGenerateCosignKeyPairCmd,
+		Use:                   docs.KeyGenerateCosignKeyPairUse,
+		Short:                 docs.KeyGenerateCosignKeyPairShort,
+		Long:                  docs.KeyGenerateCosignKeyPairLong,
+		Example:               docs.KeyGenerateCosignKeyPairExample,
+	}
+)
+
+func runGenerateCosignKeyPairCmd(_ *cobra.Command, _ []string) {
+	priKey := cosignKeyPairPrefix + ".key"
+	pubKey := cosignKeyPairPrefix + ".pub"
+
+	exists, err := fs.PathExists(priKey)
+	if err != nil {
+		sylog.Fatalf("%v", err)
+	}
+	if exists {
+		sylog.Fatalf("file exists, will not overwrite: %s", priKey)
+	}
+
+	exists, err = fs.PathExists(pubKey)
+	if err != nil {
+		sylog.Fatalf("%v", err)
+	}
+	if exists {
+		sylog.Fatalf("file exists, will not overwrite: %s", pubKey)
+	}
+
+	sylog.Infof("Creating cosign key-pair %s.key/.pub", cosignKeyPairPrefix)
+
+	kb, err := cosign.GenerateKeyPair(cryptoutils.GetPasswordFromStdIn)
+	if err != nil {
+		sylog.Fatalf("%v", err)
+	}
+
+	if err := os.WriteFile(priKey, kb.PrivateBytes, 0o600); err != nil {
+		sylog.Fatalf("%v", err)
+	}
+	if err := os.WriteFile(pubKey, kb.PublicBytes, 0o644); err != nil {
+		sylog.Fatalf("%v", err)
+	}
+}

cmd/internal/cli/pull.go

@@ -1,5 +1,5 @@
 // Copyright (c) 2020, Control Command Inc. All rights reserved.
-// Copyright (c) 2018-2023, Sylabs Inc. All rights reserved.
+// Copyright (c) 2018-2025, Sylabs Inc. All rights reserved.
 // This software is licensed under a 3-clause BSD license. Please consult the
 // LICENSE.md file distributed with the sources of this project regarding your
 // rights to use or distribute this software.
@@ -51,6 +51,8 @@ var (
 	unauthenticatedPull bool
 	// pullDir is the path that the containers will be pulled to, if set.
 	pullDir string
+	// pullWithCosign sets whether cosign signatures are pushed when pushing OCI images.
+	pullWithCosign bool
 )
 
 // --library
@@ -118,6 +120,16 @@ var pullAllowUnauthenticatedFlag = cmdline.Flag{
 	Hidden:       true,
 }
 
+// --with-cosign
+var pullWithCosignFlag = cmdline.Flag{
+	ID:           "pullWithCosignFlag",
+	Value:        &pullWithCosign,
+	DefaultValue: false,
+	Name:         "with-cosign",
+	Usage:        "pull associated cosign signatures into an OCI-SIF image",
+	EnvKeys:      []string{"WITH_COSIGN"},
+}
+
 func init() {
 	addCmdInit(func(cmdManager *cmdline.CommandManager) {
 		cmdManager.RegisterCmd(PullCmd)
@@ -147,6 +159,8 @@ func init() {
 		cmdManager.RegisterFlagForCmd(&commonPlatformFlag, PullCmd)
 
 		cmdManager.RegisterFlagForCmd(&commonAuthFileFlag, PullCmd)
+
+		cmdManager.RegisterFlagForCmd(&pullWithCosignFlag, PullCmd)
 	})
 }
 
@@ -244,6 +258,7 @@ func pullRun(cmd *cobra.Command, args []string) {
 			KeepLayers:    keepLayers,
 			TmpDir:        tmpDir,
 			Platform:      getOCIPlatform(),
+			WithCosign:    pullWithCosign,
 		}
 		_, err = library.PullToFile(ctx, imgCache, pullTo, ref, pullOpts)
 		if err != nil && err != library.ErrLibraryPullUnsigned {
@@ -309,6 +324,7 @@ func pullRun(cmd *cobra.Command, args []string) {
 			KeepLayers:  keepLayers,
 			Platform:    getOCIPlatform(),
 			ReqAuthFile: reqAuthFile,
+			WithCosign:  pullWithCosign,
 		}
 
 		_, err = oci.PullToFile(ctx, imgCache, pullTo, pullFrom, pullOpts)

cmd/internal/cli/push.go

@@ -1,5 +1,5 @@
 // Copyright (c) 2020, Control Command Inc. All rights reserved.
-// Copyright (c) 2018-2023, Sylabs Inc. All rights reserved.
+// Copyright (c) 2018-2025, Sylabs Inc. All rights reserved.
 // This software is licensed under a 3-clause BSD license. Please consult the
 // LICENSE.md file distributed with the sources of this project regarding your
 // rights to use or distribute this software.

docs/content.go

@@ -1,4 +1,4 @@
-// Copyright (c) 2017-2024, Sylabs Inc. All rights reserved.
+// Copyright (c) 2017-2025, Sylabs Inc. All rights reserved.
 // Copyright (c) Contributors to the Apptainer project, established as
 //   Apptainer a Series of LF Projects LLC.
 // This software is licensed under a 3-clause BSD license. Please consult the
@@ -261,7 +261,7 @@ Enterprise Performance Computing (EPC)`
 	// key newpair
 	// ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 	KeyNewPairUse   string = `newpair`
-	KeyNewPairShort string = `Create a new key pair`
+	KeyNewPairShort string = `Create a new PGP key-pair`
 	KeyNewPairLong  string = `
   The 'key newpair' command allows you to create a new key or public/private
   keys to be stored in the default user local keyring location (e.g., 
@@ -340,6 +340,18 @@ Enterprise Performance Computing (EPC)`
 	KeyRemoveExample string = `
   $ singularity key remove D87FE3AF5C1F063FCBCC9B02F812842B5EEE5934`
 
+	// ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+	// key new-cosign-pair
+	// ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+	KeyGenerateCosignKeyPairUse   string = `generate-cosign-key-pair`
+	KeyGenerateCosignKeyPairShort string = `Generate a new cosign key-pair`
+	KeyGenerateCosignKeyPairLong  string = `
+  The 'key generate-cosign-key-pair' command allows you to create a new public/private
+  key-pair that can be used to sign OCI-SIF images with a cosign compatible signature.`
+	KeyGenerateCosignKeyPairExample string = `
+  $ singularity key generate-cosign-keypair
+  $ singularity key generate-cosign-keypair --output-key-prefix=mykeypair`
+
 	// ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 	// delete
 	// ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

e2e/key/key.go

@@ -1,5 +1,5 @@
 // Copyright (c) 2020, Control Command Inc. All rights reserved.
-// Copyright (c) 2019, Sylabs Inc. All rights reserved.
+// Copyright (c) 2019-2025, Sylabs Inc. All rights reserved.
 // Copyright (c) Contributors to the Apptainer project, established as
 //   Apptainer a Series of LF Projects LLC.
 // This software is licensed under a 3-clause BSD license. Please consult the
@@ -174,7 +174,7 @@ func (c *ctx) singularityKeyNewpair(t *testing.T) {
 		{
 			name:   "newpair help",
 			args:   []string{"newpair", "--help"},
-			stdout: "^Create a new key pair",
+			stdout: "^Create a new PGP key-pair",
 		},
 		{
 			name: "newpair",
@@ -728,6 +728,70 @@ func (c ctx) singularityKeyCmd(t *testing.T) {
 	c.singularityKeyRemove(t)
 }
 
+func (c *ctx) generateCosignKeypair(t *testing.T) {
+	testDir := t.TempDir()
+
+	tests := []struct {
+		name          string
+		args          []string
+		consoleOps    []string
+		expectExit    int
+		expectPrivate string
+		expectPublic  string
+	}{
+		{
+			name: "OK",
+			args: []string{"generate-cosign-key-pair"},
+			consoleOps: []string{
+				"test123",
+				"test123",
+			},
+			expectExit:    0,
+			expectPrivate: filepath.Join(testDir, "singularity-cosign.key"),
+			expectPublic:  filepath.Join(testDir, "singularity-cosign.pub"),
+		},
+		{
+			name:       "FilesExist",
+			args:       []string{"generate-cosign-key-pair"},
+			expectExit: 255,
+		},
+		{
+			name: "Prefix",
+			args: []string{"generate-cosign-key-pair", "--output-key-prefix", "test"},
+			consoleOps: []string{
+				"test123",
+				"test123",
+			},
+			expectExit:    0,
+			expectPrivate: filepath.Join(testDir, "test.key"),
+			expectPublic:  filepath.Join(testDir, "test.pub"),
+		},
+	}
+
+	for _, tt := range tests {
+		c.env.RunSingularity(
+			t,
+			e2e.AsSubtest(tt.name),
+			e2e.WithProfile(e2e.UserProfile),
+			e2e.ConsoleRun(buildConsoleLines(tt.consoleOps...)...),
+			e2e.WithDir(testDir),
+			e2e.WithCommand("key"),
+			e2e.WithArgs(tt.args...),
+			e2e.ExpectExit(tt.expectExit),
+		)
+		if tt.expectPrivate != "" {
+			if !e2e.PathExists(t, tt.expectPrivate) {
+				t.Errorf("Private key %q not found", tt.expectPrivate)
+			}
+		}
+		if tt.expectPublic != "" {
+			if !e2e.PathExists(t, tt.expectPublic) {
+				t.Errorf("Public key %q not found", tt.expectPublic)
+			}
+		}
+	}
+}
+
 // E2ETests is the main func to trigger the test suite
 func E2ETests(env e2e.TestEnv) testhelper.Tests {
 	c := ctx{
@@ -746,5 +810,6 @@ func E2ETests(env e2e.TestEnv) testhelper.Tests {
 			t.Run("keyCmd", c.singularityKeyCmd)                       // Run all the tests in order
 			t.Run("keyNewpairWithLen", c.singularityKeyNewpairWithLen) // We run a separate test for `key newpair --bit-length` because it requires handling a keyring a specific way
 		},
+		"cosign": c.generateCosignKeypair,
 	}
 }