signing: clarify build error when cgo is not available

[paralin]

The build fails if CGO_ENABLED=0:

# github.com/containers/image/v5/signature
signature/mechanism_gpgme.go:156:41: undefined: gpgme.PinEntryLoopback
signature/mechanism_gpgme.go:161:31: undefined: gpgme.Key
signature/mechanism_gpgme.go:161:31: too many errors

Make it clear that cgo is required by adding a comment & undefined variable:

# github.com/containers/image/v5/signature
./mechanism_other.go:10:21: undefined: ContainersImageSignatureRequiresCgo

Anyone who encounters this error (like me) will immediately understand the issue and can
read the comment on that line to understand that the alternative build tag is
not actively maintained and considered not secure.

// CgoIsDisabled indicates as a compiler error that this package requires cgo.
//
// You may enable the containers_image_openpgp build tag but beware that this
// implementation is not actively maintained and is considered insecure.
var CgoIsDisabled = ContainersImageSignatureRequiresCgo

Fixes #1634

[paralin]

The second commit in this PR adds a new build tag to disable signing:

Possible use cases:

• default: use cgo and enable libgpgme
• CGO_ENABLED=0 -> build fails
• CGO_ENABLED=0 and containers_image_openpgp -> build succeeds
• CGO_ENABLED=0 and containers_image_disable_signing -> build succeeds but returns errors at runtime

The default is to compile in the endorsed cgo implementation and fail the build otherwise.

[rhatdan]

@vrothberg @mtrmac WDYT?

[mtrmac]

I’m fine with doing this, overall, though it does seem quite a bit of effort for what I think is a fairly small gain. Only users familiar enough with Go to use build tags are going to benefit, and those might find their way to the README either way.

I’m especially uncertain about the disable_signing part. If that tag is added:

• It should be documented in README.md, so that it has some chance of being useful to anyone else
• … and then I guess we need it to keep working, i. e. the tests must work (easily quadrupling the size of this PR), and the tests should be run in CI — and maybe we don’t want to pay for a complete separate CI step, so just run unit tests of ./signature/... with that tag?

[mtrmac]

If the goal is to make tests pass with containers_image_disable_signing (and I do think those tests should pass, because parts of c/image/signature are completely independent of the simple signing implementation), this doesn’t do that, and from a quick check it would be a rather larger effort — because individual expected results would have to be made conditional, correctly.

[paralin]

The goal was to make go test pass by excluding the signing tests unless a signing mechanism is compiled in.

I've fixed the build tags so that all three of these succeed:

go test -v
CGO_ENABLED=0 go test -v
CGO_ENABLED=0 go test -v -tags containers_image_disable_signing
CGO_ENABLED=0 go test -v -tags containers_image_openpgp

[mtrmac]

Something like

Suggested change

	// +build containers_image_disable_signing
	// +build containers_image_disable_simple_signing

(updated everywhere) because this does not prevent use of sigstore. (Cc: @rhatdan )

[paralin]

@mtrmac I suppose what I meant by disable_signing is "the signing mechanism is disabled so you won't be able to create new signatures" - am I correct that disabling mechanism*.go does this?

[mtrmac]

c/image/signature does not only do cryptography; it includes policies like “always allow” and “always reject”.

Of the cryptographic mechanisms, it now actually implements two: “simple signing”, which requires GPG, and “sigstore”, which doesn’t. All of the discussion so far was about disabling / choosing a mechanism underlying the “simple signing” part; “sigstore” is unaffected.

So, the tag name should refer (in some way) to simple signing in particular, and not to the concept of signing in general.

[paralin]

though it does seem quite a bit of effort for what I think is a fairly small gain

The PR in its current form fixes a number of issues for us downstream in package managers like Buildroot.org.

Running the entire test suite for Signatures even when it's not compiled in may be a lot of extra effort for a very small gain.

The way to avoid extra effort here is this: say (in README) that building containers/image with anything other than go build using the default build tags and with Cgo enabled "may work but is not supported" - in other words: let's fix the issues that are preventing compiling the packages in these cases, while the project does not formally support those use cases w/ test suites.

[paralin]

@mtrmac I've fixed the PR according to your comments - let me know if you need me to update the name of the tag.

[mtrmac]

Both of these should refer to “simple signing signatures” or something like that. (I’m afraid I forgot to update that when adding sigstore.

Note to self: Make sure that is fixed either way.)

[mtrmac]

This might be a bit too strong — we do test the OpenPGP variant.

[mtrmac]

This is the other signing implementation (“sigstore”) and needs to work, so it needs to be tested, even if “simple signing” is disabled.

[mtrmac]

This contains things like “reject all images from this repo” and needs to work, so it needs to be tested, even if “simple signing” is disabled.

[mtrmac]

This needs to work in all cases.

[mtrmac]

c/image/signature does not only do cryptography; it includes policies like “always allow” and “always reject”.

Of the cryptographic mechanisms, it now actually implements two: “simple signing”, which requires GPG, and “sigstore”, which doesn’t. All of the discussion so far was about disabling / choosing a mechanism underlying the “simple signing” part; “sigstore” is unaffected.

So, the tag name should refer (in some way) to simple signing in particular, and not to the concept of signing in general.

[mtrmac]

On second thought (which should have come with the first review already, and I apologize for not thinking this through), do we want the disable_signing tag at all?

If I understand it correctly, you don’t intend to use it.
I don’t know of anyone who wants to use it either.

And making that work without compromising the testing of the rest of the policy.json evaluation would probably be more work than just disabling test files; and some ongoing maintenance cost (if nothing else, the cost of computers running tests). If no-one benefits, is that work worthwhile?

So maybe let’s just add the CGoIsDisabled error reporting mechanism that you truly want, and not the other part.

---

WRT the tag name, (see #1638 (comment) for background), assuming the tag remains, I think …disable_simple_signing would be an accurate name but I’d prefer a second opinion to confirm.

[rhatdan]

@paralin Still working on this?

[paralin]

@rhatdan I'll revisit this shortly