Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: cosign-compatible signatures for OCI-SIF #3510

Merged
merged 1 commit into from
Feb 10, 2025
Merged

feat: cosign-compatible signatures for OCI-SIF #3510

merged 1 commit into from
Feb 10, 2025

Conversation

dtrudg
Copy link
Member

@dtrudg dtrudg commented Feb 4, 2025
edited
Loading

Description of the Pull Request (PR):

Add a new --cosign mode to singularity sign, which will apply a cosign-compatible signature to a container image in an OCI-SIF, and store the signature image in the OCI-SIF, using the name.ref association defined by sylabs/oci-tools.

Unlike the upstream sylabs/oci-tools code, Singularity currently only creates / considers OCI-SIF images that contain a single OCI image. Consequently there is no signature handling for image indices in Singularity at this point.

From this commit onwards, Singularity ignores cosign images in the OCI-SIF when looking for an OCI image to execute, push etc. Older versions of Singularity will error when attempting to execute a signed image, as they expect only one image in an OCI-SIF, with no filtering of non-executable cosign related images.

This fixes or addresses the following GitHub issues:

Before submitting a PR, make sure you have done the following:

@dtrudg dtrudg self-assigned this Feb 4, 2025
@dtrudg dtrudg force-pushed the cosign-sign branch 2 times, most recently from 7602140 to 1252eea Compare February 4, 2025 15:30
@dtrudg
feat: cosign-compatible signatures for OCI-SIF
8b2e5b9 
Add a new `--cosign` mode to `singularity sign`, which will apply a
cosign-compatible signature to a container image in an OCI-SIF, and
store the signature image in the OCI-SIF, using the name.ref
association defined by sylabs/oci-tools.

Unlike the upstream sylabs/oci-tools code, Singularity currently only
creates / considers OCI-SIF images that contain a single OCI image.
Consequently there is no signature handling for image indices in
Singularity at this point.

From this commit onwards, Singularity ignores cosign images in the
OCI-SIF when looking for an OCI image to execute, push etc. Older
versions of Singularity will error when attempting to execute a signed
image, as they expect only one image in an OCI-SIF, with no filtering
of non-executable cosign related images.

Fixes sylabs#3492
@dtrudg dtrudg marked this pull request as ready for review February 4, 2025 15:53
@dtrudg dtrudg added this to the SingularityCE 4.3.0 milestone Feb 4, 2025
tri-adam
tri-adam approved these changes Feb 8, 2025
View reviewed changes
Copy link
Member

@tri-adam tri-adam left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, tested here and seems to be working as expected.

@dtrudg dtrudg merged commit 3d2f393 into sylabs:main Feb 10, 2025
1 check passed
@dtrudg dtrudg deleted the cosign-sign branch February 10, 2025 08:07
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@tri-adam tri-adam tri-adam approved these changes

Assignees

@dtrudg dtrudg

Labels
None yet
Projects
None yet
Milestone
SingularityCE 4.3.0
Development

Successfully merging this pull request may close these issues.

Sign OCI-SIF (cosign/sigstore)
2 participants
@dtrudg @tri-adam