feat: remove signatures in container deployments by default
Make `skopeo copy` remove the signatures of signed containers
by default to avoid build failures until [1] is implemented.

Depends: osbuild/osbuild#1906
Resolves: osbuild/bootc-image-builder#681

[1] containers/image#2599

Co-authored-by: Michael Vogt <[email protected]>
2 people authored and achilleas-k committed Oct 30, 2024
1 parent 33a9496 commit 6b93e69
Showing 3 changed files with 17 additions and 2 deletions.
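--- a/pkg/manifest/build.go
+++ b/pkg/manifest/build.go
@@ -236,7 +236,9 @@ func (p *BuildrootFromContainer) serialize() osbuild.Pipeline {
 pipeline.Runner = p.runner.String()
 
 image := osbuild.NewContainersInputForSingleSource(p.containerSpecs[0])
-stage, err := osbuild.NewContainerDeployStage(image, &osbuild.ContainerDeployOptions{})
+// Make skopeo copy to remove the signatures of signed containers by default to workaround
+// build failures until https://github.com/containers/image/issues/2599 is implemented
+stage, err := osbuild.NewContainerDeployStage(image, &osbuild.ContainerDeployOptions{RemoveSignatures: true})
 if err != nil {
 panic(err)
 }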
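Review bot: The new `RemoveSignatures: true` in serialize() is hard-coded, so every buildroot container is deployed without its signatures and callers have no way to keep them. Because the copy produced by the deploy stage is then unsigned, any signature verification has to happen earlier, when the container is fetched as a source; that code is not on this page, so it is worth confirming before relying on it. I would also turn the comment into a tracked TODO, e.g. `// TODO: drop RemoveSignatures once containers/image#2599 is resolved; the deployed copy is unsigned, so verification must happen at fetch time.` The body of serialize() starts before this hunk and continues after it.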
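--- a/pkg/osbuild/container_deploy_stage.go
+++ b/pkg/osbuild/container_deploy_stage.go
@@ -9,7 +9,8 @@ type ContainerDeployInputs struct {
 func (ContainerDeployInputs) isStageInputs() {}
 
 type ContainerDeployOptions struct {
-Exclude []string `json:"exclude,omitempty"`
+Exclude []string `json:"exclude,omitempty"`
+RemoveSignatures bool `json:"remove-signatures,omitempty"`
 }
 
 func (ContainerDeployOptions) isStageOptions() {}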
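Review bot: The new exported field `RemoveSignatures` in ContainerDeployOptions has no doc comment, although it is the one option here that changes the trust properties of the deployed image. I would add `// RemoveSignatures makes the stage drop the container's signatures when copying it; false is omitted from the JSON.` above the field. Because of `omitempty`, an explicit `false` is never serialized, which is only safe while the stage's own default is to keep signatures; that default is not visible on this page.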
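--- a/pkg/osbuild/container_deploy_stage_test.go
+++ b/pkg/osbuild/container_deploy_stage_test.go
@@ -70,6 +70,18 @@ func TestContainersDeployStageOptionsJson(t *testing.T) {
 assert.Equal(t, string(json), expectedJson)
 }
 
+func TestContainersDeployStageOptionsJsonRemoveSignatures(t *testing.T) {
+expectedJson := `{
+"remove-signatures": true
+}`
+cdi := osbuild.ContainerDeployOptions{
+RemoveSignatures: true,
+}
+json, err := json.MarshalIndent(cdi, "", " ")
+require.Nil(t, err)
+assert.Equal(t, string(json), expectedJson)
+}
+
 func TestContainersDeployStageEmptyOptionsJson(t *testing.T) {
 expectedJson := `{}`
 cdi := osbuild.ContainerDeployOptions{}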
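Review bot: In TestContainersDeployStageOptionsJsonRemoveSignatures the local variable `json` shadows the `json` package, and `assert.Equal` receives the actual value before the expected one, so a failure report would label the two the wrong way round. I would write `out, err := json.MarshalIndent(cdi, "", " ")`, `require.NoError(t, err)` and `assert.Equal(t, expectedJson, string(out))`. The neighbouring tests use the same pattern, so this is a style point rather than a defect. Among the three files shown, nothing asserts that serialize() in pkg/manifest/build.go actually emits `remove-signatures`, which is the behaviour this commit changes.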
