Merge branch 'main' into cras

Author: github-actions

CHANGELOG.md

@@ -26,6 +26,8 @@
   public key with the `--key` flag. Verification passes if at least one
   signature that can be validated with the provided key is present. The JSON
   payloads of all valid signatures are displayed.
+- `singularity push` now supports pushing cosign signatures in an OCI-SIF to
+  an OCI registry, via the `--with-cosign` flag.
 
 ## Requirements / Packaging
 

cmd/internal/cli/push.go

@@ -36,6 +36,9 @@ var (
 
 	// pushLayerFormat sets the layer format to be used when pushing OCI images.
 	pushLayerFormat string
+
+	// pushWithCosign sets whether cosign signatures are pushed when pushing OCI images.
+	pushWithCosign bool
 )
 
 // --library
@@ -79,6 +82,16 @@ var pushLayerFormatFlag = cmdline.Flag{
 	EnvKeys:      []string{"LAYER_FORMAT"},
 }
 
+// --with-cosign
+var pushWithCosignFlag = cmdline.Flag{
+	ID:           "pushWithCosignFlag",
+	Value:        &pushWithCosign,
+	DefaultValue: false,
+	Name:         "with-cosign",
+	Usage:        "push cosign signatures from OCI-SIF images",
+	EnvKeys:      []string{"WITH_COSIGN"},
+}
+
 func init() {
 	addCmdInit(func(cmdManager *cmdline.CommandManager) {
 		cmdManager.RegisterCmd(PushCmd)
@@ -95,6 +108,7 @@ func init() {
 		cmdManager.RegisterFlagForCmd(&commonTmpDirFlag, PushCmd)
 
 		cmdManager.RegisterFlagForCmd(&pushLayerFormatFlag, PushCmd)
+		cmdManager.RegisterFlagForCmd(&pushWithCosignFlag, PushCmd)
 	})
 }
 
@@ -206,6 +220,7 @@ var PushCmd = &cobra.Command{
 				Auth:        ociAuth,
 				AuthFile:    reqAuthFile,
 				LayerFormat: pushLayerFormat,
+				WithCosign:  pushWithCosign,
 			}
 			if err := oci.Push(cmd.Context(), file, ref, opts); err != nil {
 				sylog.Fatalf("Unable to push image to oci registry: %v", err)

e2e/push/push.go

@@ -273,6 +273,79 @@ func (c ctx) testPushOCIOverlay(t *testing.T) {
 	}
 }
 
+func (c ctx) testPushOCICosign(t *testing.T) {
+	e2e.EnsureOCISIF(t, c.env)
+
+	imgRef := fmt.Sprintf("docker://%s/docker_oci-cosign:test", c.env.TestRegistry)
+
+	testSif := filepath.Join(t.TempDir(), "signed.sif")
+	if err := fs.CopyFile(c.env.OCISIFPath, testSif, 0o755); err != nil {
+		t.Fatal(err)
+	}
+	keyPath := filepath.Join("..", "test", "keys", "cosign.key")
+	c.env.RunSingularity(
+		t,
+		e2e.AsSubtest("sign"),
+		e2e.WithProfile(e2e.UserProfile),
+		e2e.WithCommand("sign"),
+		e2e.WithArgs("--cosign", "--key", keyPath, testSif),
+		e2e.ExpectExit(0),
+	)
+
+	tests := []struct {
+		name        string
+		withCosign  bool
+		layerFormat string
+		expectExit  int
+		resultOps   []e2e.SingularityCmdResultOp
+	}{
+		{
+			name:        "Default",
+			withCosign:  false,
+			layerFormat: "",
+			expectExit:  0,
+			resultOps: []e2e.SingularityCmdResultOp{
+				e2e.ExpectError(e2e.UnwantedContainMatch, "Writing cosign signatures"),
+			},
+		},
+		{
+			name:        "WithCosign",
+			withCosign:  true,
+			layerFormat: "",
+			expectExit:  0,
+			resultOps: []e2e.SingularityCmdResultOp{
+				e2e.ExpectError(e2e.ContainMatch, "Writing cosign signatures"),
+			},
+		},
+		{
+			name:        "WithCosignMutated",
+			withCosign:  true,
+			layerFormat: "tar",
+			expectExit:  255,
+		},
+	}
+
+	for _, tt := range tests {
+		args := []string{}
+		if tt.layerFormat != "" {
+			args = []string{"--layer-format", tt.layerFormat}
+		}
+		if tt.withCosign {
+			args = append(args, "--with-cosign")
+		}
+		args = append(args, testSif, imgRef)
+
+		c.env.RunSingularity(
+			t,
+			e2e.AsSubtest(tt.name),
+			e2e.WithProfile(e2e.UserProfile),
+			e2e.WithCommand("push"),
+			e2e.WithArgs(args...),
+			e2e.ExpectExit(tt.expectExit, tt.resultOps...),
+		)
+	}
+}
+
 // E2ETests is the main func to trigger the test suite
 func E2ETests(env e2e.TestEnv) testhelper.Tests {
 	c := ctx{
@@ -284,5 +357,6 @@ func E2ETests(env e2e.TestEnv) testhelper.Tests {
 		"oras":              c.testPushCmd,
 		"oci tar layers":    c.testPushOCITarLayers,
 		"oci overlay":       c.testPushOCIOverlay,
+		"oci cosign":        c.testPushOCICosign,
 	}
 }

internal/pkg/client/oci/push.go

@@ -28,6 +28,9 @@ type PushOptions struct {
 	// TmpDir is a temporary directory to be used for an temporary files created
 	// during the push.
 	TmpDir string
+	// WithCosign sets whether to push any associated cosign signatures when
+	// pushing an OCI-SIF to a registry.
+	WithCosign bool
 }
 
 // Push pushes an image into an OCI registry, as an OCI image (not an ORAS artifact).
@@ -46,6 +49,7 @@ func Push(ctx context.Context, sourceFile string, destRef string, opts PushOptio
 			AuthFile:    opts.AuthFile,
 			LayerFormat: opts.LayerFormat,
 			TmpDir:      opts.TmpDir,
+			WithCosign:  opts.WithCosign,
 		}
 		return ocisif.PushOCISIF(ctx, sourceFile, destRef, ocisifOpts)
 	case image.SIF:

internal/pkg/client/ocisif/ocisif.go

@@ -7,6 +7,7 @@ package ocisif
 
 import (
 	"context"
+	"errors"
 	"fmt"
 	"os"
 	"path/filepath"
@@ -18,7 +19,9 @@ import (
 	v1 "github.com/google/go-containerregistry/pkg/v1"
 	"github.com/google/go-containerregistry/pkg/v1/remote"
 	"github.com/google/go-containerregistry/pkg/v1/tarball"
+	cosignremote "github.com/sigstore/cosign/v2/pkg/oci/remote"
 	ocimutate "github.com/sylabs/oci-tools/pkg/mutate"
+	"github.com/sylabs/oci-tools/pkg/sourcesink"
 	"github.com/sylabs/sif/v2/pkg/sif"
 	"github.com/sylabs/singularity/v4/internal/pkg/cache"
 	"github.com/sylabs/singularity/v4/internal/pkg/client/progress"
@@ -45,6 +48,7 @@ type PullOptions struct {
 	Platform    ggcrv1.Platform
 	ReqAuthFile string
 	KeepLayers  bool
+	WithCosign  bool
 }
 
 // PullOCISIF will create an OCI-SIF image in the cache if directTo="", or a specific file if directTo is set.
@@ -172,6 +176,9 @@ type PushOptions struct {
 	// TmpDir is a temporary directory to be used for an temporary files created
 	// during the push.
 	TmpDir string
+	// WithCosign controls whether cosign signatures present in the SIF are also
+	// pushed to the destination repository in the registry.
+	WithCosign bool
 }
 
 // PushOCISIF pushes a single image from sourceFile to the OCI registry destRef.
@@ -187,18 +194,20 @@ func PushOCISIF(ctx context.Context, sourceFile, destRef string, opts PushOption
 		return err
 	}
 
-	fi, err := sif.LoadContainerFromPath(sourceFile, sif.OptLoadWithFlag(os.O_RDONLY))
+	ss, err := sourcesink.SIFFromPath(sourceFile)
 	if err != nil {
-		return err
+		return fmt.Errorf("failed to open OCI-SIF: %w", err)
 	}
-	defer fi.UnloadContainer()
-
-	image, err := ocisif.GetSingleImage(fi)
+	d, err := ss.Get(ctx)
+	if err != nil {
+		return fmt.Errorf("while fetching image from OCI-SIF: %v", err)
+	}
+	image, err := d.Image()
 	if err != nil {
-		return fmt.Errorf("while obtaining image: %w", err)
+		return fmt.Errorf("failed to retrieve image: %w", err)
 	}
 
-	image, err = transformLayers(image, opts.LayerFormat, opts.TmpDir)
+	image, err = transformLayers(image, opts)
 	if err != nil {
 		return err
 	}
@@ -237,10 +246,18 @@ func PushOCISIF(ctx context.Context, sourceFile, destRef string, opts PushOption
 		remoteOpts = append(remoteOpts, remote.WithProgress(progChan))
 	}
 
-	return remote.Write(ir, image, remoteOpts...)
+	if err := remote.Write(ir, image, remoteOpts...); err != nil {
+		return err
+	}
+
+	if opts.WithCosign {
+		return writeSignatures(ctx, ir, d, opts)
+	}
+
+	return nil
 }
 
-func transformLayers(base v1.Image, layerFormat, tmpDir string) (v1.Image, error) {
+func transformLayers(base v1.Image, opts PushOptions) (v1.Image, error) {
 	ls, err := base.Layers()
 	if err != nil {
 		return nil, err
@@ -254,15 +271,15 @@ func transformLayers(base v1.Image, layerFormat, tmpDir string) (v1.Image, error
 			return nil, err
 		}
 
-		switch layerFormat {
+		switch opts.LayerFormat {
 		case DefaultLayerFormat:
 			continue
 		case SquashfsLayerFormat:
 			if mt != ocisif.SquashfsLayerMediaType {
 				return nil, fmt.Errorf("unexpected layer mediaType: %v", mt)
 			}
 		case TarLayerFormat:
-			opener, err := ocimutate.TarFromSquashfsLayer(l, ocimutate.OptTarTempDir(tmpDir))
+			opener, err := ocimutate.TarFromSquashfsLayer(l, ocimutate.OptTarTempDir(opts.TmpDir))
 			if err != nil {
 				return nil, err
 			}
@@ -272,10 +289,14 @@ func transformLayers(base v1.Image, layerFormat, tmpDir string) (v1.Image, error
 			}
 			ms = append(ms, ocimutate.SetLayer(i, tarLayer))
 		default:
-			return nil, fmt.Errorf("unsupported layer format: %v", layerFormat)
+			return nil, fmt.Errorf("unsupported layer format: %v", opts.TmpDir)
 		}
 	}
 
+	if len(ms) > 0 && opts.WithCosign {
+		return nil, fmt.Errorf("cannot push signature - invalidated by transforming layer format to %s", opts.LayerFormat)
+	}
+
 	return ocimutate.Apply(base, ms...)
 }
 
@@ -295,7 +316,42 @@ func handleOverlay(sourceFile string, opts PushOptions) error {
 		return fmt.Errorf("cannot push overlay with layer format %q, use 'overlay seal' before pushing this image ", opts.LayerFormat)
 	}
 
+	if opts.WithCosign {
+		return errors.New("cannot push signature - would be invalidated by synchronizing overlay")
+	}
+
 	// Make sure true overlay digest have been synced to the OCI constructs.
 	sylog.Infof("Synchronizing overlay digest to OCI image.")
 	return ocisif.SyncOverlay(sourceFile)
 }
+
+func writeSignatures(ctx context.Context, ir name.Reference, d sourcesink.Descriptor, opts PushOptions) error {
+	sd, ok := d.(sourcesink.SignedDescriptor)
+	if !ok {
+		return fmt.Errorf("failed to upgrade Descriptor to SignedDescriptor")
+	}
+	si, err := sd.SignedImage(ctx)
+	if err != nil {
+		return fmt.Errorf("failed to retrieve SignedImage: %w", err)
+	}
+	id, err := si.Digest()
+	if err != nil {
+		return fmt.Errorf("failed to retrieve image digest: %w", err)
+	}
+	sigImg, err := si.Signatures()
+	if err != nil {
+		return fmt.Errorf("failed to retrieve signatures: %w", err)
+	}
+	csRef, err := sourcesink.CosignRef(id, ir, cosignremote.SignatureTagSuffix)
+	if err != nil {
+		return err
+	}
+
+	sylog.Infof("Writing cosign signatures: %s", csRef.Name())
+	remoteOpts := []remote.Option{
+		ociauth.AuthOptn(opts.Auth, opts.AuthFile),
+		remote.WithUserAgent(useragent.Value()),
+		remote.WithContext(ctx),
+	}
+	return remote.Write(csRef, sigImg, remoteOpts...)
+}