New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add a way to customize the gpg program used for signing #2072
base: main
Are you sure you want to change the base?
Conversation
Add a constructor to make a SigningMechanism with a custom program. This can be used to sign images with a gpg wrapper (e.g. qubes-gpg-client-wrapper) or an alternative implementation (e.g. sequoia-chameleon-gnupg). Signed-off-by: Grégoire Détrez <gregoire@mullvad.net>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks!
- This seems not to be the right API, assuming this targets
podman push
/skopeo copy
and the like. Those things are now configurable in a somewhat-extensible way viac/image/copy.Options.Signers
, with the caller callingc/image/signature/simplesigning.NewSigner
. So, I think the user-facing API needs to be something likesimplesigning.WithGPGProgram
.- We don’t, strictly speaking, need to expose a
NewGPGSigningMechanism
— and without the newsimplesigning
option it would, AFAICS, not directly help, unless you have a completely different use case in mind. - The public
SigningMechanism
API is already not ideally fit for purpose, see the privatesigningMechanismWithPassphrase
extension we need. So I don’t think adding aSigningMechanism
-focused public API is very valuable any more. - … and if we did add an API, it should probably be extensible using something like the functional option mechanism, so that we don’t motivate a combinatoric explosion of functions.
- Overall, my guess at a clean approach (which I haven’t prototyped to make sure that works) is:
- Move most of the
SigningMechanism
code (the two implementations + the shared facade) intosignature/internal
(or is thatsignature/internal/mechanism
?) Then we don’t need to design a long-term public API. E.g. we can have a singlenewGPGSigningMechanism
without the existing per-option functions in that private API. - Keep the existing public API in
signature
, just forward to the new location. - Port
signature/simplesigning
to the private API - Add the new option to the internal implementation, and expose it in
signature/simplesigning
.
- Move most of the
- We don’t, strictly speaking, need to expose a
- This does not compile with the
containers_image_openpgp
build tag. The two build alternatives need to expose the same API — though it’s fine to report an “unsupported” error message; e.g. theopenpgp
backend refuses to sign things. - Within the
signature
subpackage, we want as high unit test code coverage as reasonably possible. In this case, at least a basic test that points at a shell script and verifies that the shell script has been executed seems appropriate.
@mtrmac thanks for the review. I was indeed a bit unsure about the different APIs, and decided that a good starting point was to make this work with |
@gregoire-mullvad I’m afraid I don’t much think about Right now, To make that work, |
Add a constructor to make a SigningMechanism with a custom program. This
can be used to sign images with a gpg wrapper (e.g. qubes-gpg-client-wrapper)
or an alternative implementation (e.g. sequoia-chameleon-gnupg).
Related to containers/podman#15838