Merge pull request #2876 from mtrmac/signature-sequoia

Add containers_image_sequoia build tag to do simple signing verification using Sequoia-PGP, and add a signature/simplesequoia implementation

Author: lsm5

.cirrus.yml

@@ -30,8 +30,14 @@ env:
     SKOPEO_PR:
 
     # Google-cloud VM Images
-    IMAGE_SUFFIX: "c20250721t181111z-f42f41d13"
+    # If you are updating IMAGE_SUFFIX: We are currently using rawhide for
+    # the containers_image_sequoia tests because the rust-podman-sequoia
+    # package is not available in earlier releases; once we update to a future
+    # Fedora release (or if the package is backported), switch back from Rawhide
+    # to the latest Fedora release.
+    IMAGE_SUFFIX: "c20250812t173301z-f42f41d13"
     FEDORA_CACHE_IMAGE_NAME: "fedora-${IMAGE_SUFFIX}"
+    RAWHIDE_CACHE_IMAGE_NAME: "rawhide-${IMAGE_SUFFIX}"
 
     # Container FQIN's (include bleeding-edge development-level container deps.)
     FEDORA_CONTAINER_FQIN: "quay.io/libpod/fedora_podman:${IMAGE_SUFFIX}"
@@ -55,9 +61,12 @@ validate_task:
         # Required to be 200gig, do not modify - has i/o performance impact
         # according to gcloud CLI tool warning messages.
         disk: 200
-        image_name: ${FEDORA_CACHE_IMAGE_NAME}
+        # Eventually, hard-code FEDORA_CACHE_IMAGE_NAME here again and remove the
+        # VM_IMAGE_NAME parameter.
+        image_name: ${VM_IMAGE_NAME}
     env:
         HOME: "/root"  # default unset, needed by golangci-lint.
+        VM_IMAGE_NAME: ${FEDORA_CACHE_IMAGE_NAME}
     script: |
         git remote update
         make tools
@@ -68,6 +77,8 @@ validate_task:
 cross_task:
     only_if: &not_docs $CIRRUS_CHANGE_TITLE !=~ '.*CI:DOCS.*'
     gce_instance: *fedora_vm
+    env:
+        VM_IMAGE_NAME: ${FEDORA_CACHE_IMAGE_NAME}
     script: make cross
 
 
@@ -81,9 +92,15 @@ test_task:
         - name: "Test"
           env:
               BUILDTAGS: ''
+              VM_IMAGE_NAME: ${FEDORA_CACHE_IMAGE_NAME}
         - name: "Test w/ opengpg"
           env:
               BUILDTAGS: &withopengpg 'containers_image_openpgp'
+              VM_IMAGE_NAME: ${FEDORA_CACHE_IMAGE_NAME}
+        - name: "Test w/ Sequoia (currently Rawhide)"
+          env:
+              BUILDTAGS: &withsequoia 'containers_image_sequoia'
+              VM_IMAGE_NAME: ${RAWHIDE_CACHE_IMAGE_NAME}
     script: ${GOSRC}/${SCRIPT_BASE}/runner.sh image_tests
 
 
@@ -102,9 +119,15 @@ test_skopeo_task:
         - name: "Skopeo Test"
           env:
               BUILDTAGS: ''
+              VM_IMAGE_NAME: ${FEDORA_CACHE_IMAGE_NAME}
         - name: "Skopeo Test w/ opengpg"
           env:
               BUILDTAGS: *withopengpg
+              VM_IMAGE_NAME: ${FEDORA_CACHE_IMAGE_NAME}
+        - name: "Skopeo Test w/ Sequoia (currently Rawhide)"
+          env:
+              BUILDTAGS: *withsequoia
+              VM_IMAGE_NAME: ${RAWHIDE_CACHE_IMAGE_NAME}
     setup_script: >-
         "${GOSRC}/${SCRIPT_BASE}/runner.sh" setup
     vendor_script: >-
@@ -133,6 +156,7 @@ meta_task:
         # Space-separated list of images used by this repository state
         IMGNAMES: |
             ${FEDORA_CACHE_IMAGE_NAME}
+            ${RAWHIDE_CACHE_IMAGE_NAME}
         BUILDID: "${CIRRUS_BUILD_ID}"
         REPOREF: "${CIRRUS_REPO_NAME}"
         GCPJSON: ENCRYPTED[04306103eee1933f87deb8a5af6514a7e3164aa589d6079abc0451eb2360879430ed020d6e025ca64ef667138ce9d786]

Makefile

@@ -9,9 +9,10 @@ endif
 # when cross compiling _for_ a Darwin or windows host, then we must use openpgp
 BUILD_TAGS_WINDOWS_CROSS = containers_image_openpgp
 BUILD_TAGS_DARWIN_CROSS = containers_image_openpgp
+SEQUOIA_SONAME_DIR =
 
 BUILDTAGS =
-BUILDFLAGS := -tags "$(BUILDTAGS)"
+BUILDFLAGS := -tags "$(BUILDTAGS)" -ldflags '-X github.com/containers/image/v5/signature/internal/sequoia.sequoiaLibraryDir='"$(SEQUOIA_SONAME_DIR)"
 
 # Extra flags passed to go test
 TESTFLAGS :=

README.md

@@ -60,6 +60,7 @@ or use the build tags described below to avoid the dependencies (e.g. using `go
 - `containers_image_docker_daemon_stub`: Don’t import the `docker-daemon:` transport in `github.com/containers/image/transports/alltransports`, to decrease the amount of required dependencies.  Use a stub which reports that the transport is not supported instead.
 - `containers_image_openpgp`: Use a Golang-only OpenPGP implementation for signature verification instead of the default cgo/gpgme-based implementation;
 the primary downside is that creating new signatures with the Golang-only implementation is not supported.
+- `containers_image_sequoia`: Use Sequoia-PGP for signature verification instead of the default cgo/gpgme-based or the Golang-only OpenPGP implementations, and enable the `signature/simplesequoia` subpackage. This requires a support shared library installed on the system. Install https://github.com/ueno/podman-sequoia , and potentially update build configuration to point at it (compare `SEQUOIA_SONAME_DIR` in `Makefile`).
 - `containers_image_storage_stub`: Don’t import the `containers-storage:` transport in `github.com/containers/image/transports/alltransports`, to decrease the amount of required dependencies.  Use a stub which reports that the transport is not supported instead.
 
 ## [Contributing](CONTRIBUTING.md)

signature/internal/sequoia/gosequoia.c

@@ -0,0 +1,200 @@
+/*
+ * Copying and distribution of this file, with or without modification,
+ * are permitted in any medium without royalty provided the copyright
+ * notice and this notice are preserved.  This file is offered as-is,
+ * without any warranty.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include "config.h"
+#endif
+
+#include "gosequoia.h"
+
+#if defined(GO_SEQUOIA_ENABLE_DLOPEN) && GO_SEQUOIA_ENABLE_DLOPEN
+
+#include <assert.h>
+#include <dlfcn.h>
+#include <errno.h>
+#include <stdlib.h>
+
+/* If SEQUOIA_SONAME is defined, dlopen handle can be automatically
+ * set; otherwise, the caller needs to call
+ * go_sequoia_ensure_library with soname determined at run time.
+ */
+#ifdef SEQUOIA_SONAME
+
+static void
+ensure_library (void)
+{
+  if (go_sequoia_ensure_library (SEQUOIA_SONAME, RTLD_LAZY | RTLD_LOCAL) < 0)
+    abort ();
+}
+
+#if defined(GO_SEQUOIA_ENABLE_PTHREAD) && GO_SEQUOIA_ENABLE_PTHREAD
+#include <pthread.h>
+
+static pthread_once_t dlopen_once = PTHREAD_ONCE_INIT;
+
+#define ENSURE_LIBRARY pthread_once(&dlopen_once, ensure_library)
+
+#else /* GO_SEQUOIA_ENABLE_PTHREAD */
+
+#define ENSURE_LIBRARY do {	    \
+    if (!go_sequoia_dlhandle) \
+      ensure_library();		    \
+  } while (0)
+
+#endif /* !GO_SEQUOIA_ENABLE_PTHREAD */
+
+#else /* SEQUOIA_SONAME */
+
+#define ENSURE_LIBRARY do {} while (0)
+
+#endif /* !SEQUOIA_SONAME */
+
+static void *go_sequoia_dlhandle;
+
+/* Define redirection symbols */
+#pragma GCC diagnostic push
+#pragma GCC diagnostic ignored "-Wunused-macros"
+
+#if (2 <= __GNUC__ || (4 <= __clang_major__))
+#define FUNC(ret, name, args, cargs)			\
+  static __typeof__(name)(*go_sequoia_sym_##name);
+#else
+#define FUNC(ret, name, args, cargs)		\
+  static ret(*go_sequoia_sym_##name)args;
+#endif
+#define VOID_FUNC FUNC
+#include "gosequoiafuncs.h"
+#undef VOID_FUNC
+#undef FUNC
+
+#pragma GCC diagnostic pop
+
+/* Define redirection wrapper functions */
+#pragma GCC diagnostic push
+#pragma GCC diagnostic ignored "-Wunused-macros"
+
+#define FUNC(ret, name, args, cargs)        \
+ret go_##name args           \
+{					    \
+  ENSURE_LIBRARY;			    \
+  assert (go_sequoia_sym_##name);	    \
+  return go_sequoia_sym_##name cargs;	    \
+}
+#define VOID_FUNC(ret, name, args, cargs)   \
+ret go_##name args           \
+{					    \
+  ENSURE_LIBRARY;			    \
+  assert (go_sequoia_sym_##name);	    \
+  go_sequoia_sym_##name cargs;		    \
+}
+#include "gosequoiafuncs.h"
+#undef VOID_FUNC
+#undef FUNC
+
+#pragma GCC diagnostic pop
+
+static int
+ensure_symbol (const char *name, void **symp)
+{
+  if (!*symp)
+    {
+      void *sym = dlsym (go_sequoia_dlhandle, name);
+      if (!sym)
+	return -EINVAL;
+      *symp = sym;
+    }
+  return 0;
+}
+
+int
+go_sequoia_ensure_library (const char *soname, int flags)
+{
+  int err;
+
+  if (!go_sequoia_dlhandle)
+    {
+      go_sequoia_dlhandle = dlopen (soname, flags);
+      if (!go_sequoia_dlhandle)
+	return -EINVAL;
+    }
+
+#define ENSURE_SYMBOL(name)					\
+  ensure_symbol(#name, (void **)&go_sequoia_sym_##name)
+
+#pragma GCC diagnostic push
+#pragma GCC diagnostic ignored "-Wunused-macros"
+
+#define FUNC(ret, name, args, cargs)		\
+  err = ENSURE_SYMBOL(name);			\
+  if (err < 0)					\
+    {						\
+      dlclose (go_sequoia_dlhandle);	\
+      go_sequoia_dlhandle = NULL;		\
+      return err;				\
+    }
+#define VOID_FUNC FUNC
+#include "gosequoiafuncs.h"
+#undef VOID_FUNC
+#undef FUNC
+
+#pragma GCC diagnostic pop
+
+#undef ENSURE_SYMBOL
+  return 0;
+}
+
+void
+go_sequoia_unload_library (void)
+{
+  if (go_sequoia_dlhandle)
+    {
+      dlclose (go_sequoia_dlhandle);
+      go_sequoia_dlhandle = NULL;
+    }
+
+#pragma GCC diagnostic push
+#pragma GCC diagnostic ignored "-Wunused-macros"
+
+#define FUNC(ret, name, args, cargs)		\
+  go_sequoia_sym_##name = NULL;
+#define VOID_FUNC FUNC
+#include "gosequoiafuncs.h"
+#undef VOID_FUNC
+#undef FUNC
+
+#pragma GCC diagnostic pop
+}
+
+unsigned
+go_sequoia_is_usable (void)
+{
+  return go_sequoia_dlhandle != NULL;
+}
+
+#else /* GO_SEQUOIA_ENABLE_DLOPEN */
+
+int
+go_sequoia_ensure_library (const char *soname, int flags)
+{
+  (void) soname;
+  (void) flags;
+  return 0;
+}
+
+void
+go_sequoia_unload_library (void)
+{
+}
+
+unsigned
+go_sequoia_is_usable (void)
+{
+  /* The library is linked at build time, thus always usable */
+  return 1;
+}
+
+#endif /* !GO_SEQUOIA_ENABLE_DLOPEN */

signature/internal/sequoia/gosequoia.h

@@ -0,0 +1,54 @@
+/*
+ * Copying and distribution of this file, with or without modification,
+ * are permitted in any medium without royalty provided the copyright
+ * notice and this notice are preserved.  This file is offered as-is,
+ * without any warranty.
+ */
+
+#ifndef GO_SEQUOIA_H_
+#define GO_SEQUOIA_H_
+
+#include <sequoia.h>
+
+#if defined(GO_SEQUOIA_ENABLE_DLOPEN) && GO_SEQUOIA_ENABLE_DLOPEN
+
+#define FUNC(ret, name, args, cargs)		\
+  ret go_##name args;
+#define VOID_FUNC FUNC
+#include "gosequoiafuncs.h"
+#undef VOID_FUNC
+#undef FUNC
+
+#define GO_SEQUOIA_FUNC(name) go_##name
+
+#else
+
+#define GO_SEQUOIA_FUNC(name) name
+
+#endif /* GO_SEQUOIA_ENABLE_DLOPEN */
+
+/* Ensure SONAME to be loaded with dlopen FLAGS, and all the necessary
+ * symbols are resolved.
+ *
+ * Returns 0 on success; negative error code otherwise.
+ *
+ * Note that this function is NOT thread-safe; when calling it from
+ * multi-threaded programs, protect it with a locking mechanism.
+ */
+int go_sequoia_ensure_library (const char *soname, int flags);
+
+/* Unload library and reset symbols.
+ *
+ * Note that this function is NOT thread-safe; when calling it from
+ * multi-threaded programs, protect it with a locking mechanism.
+ */
+void go_sequoia_unload_library (void);
+
+/* Return 1 if the library is loaded and usable.
+ *
+ * Note that this function is NOT thread-safe; when calling it from
+ * multi-threaded programs, protect it with a locking mechanism.
+ */
+unsigned go_sequoia_is_usable (void);
+
+#endif /* GO_SEQUOIA_H_ */

signature/internal/sequoia/gosequoiafuncs.h

@@ -0,0 +1,21 @@
+/*
+ * This file was automatically generated from sequoia.h,
+ * which is covered by the following license:
+ * SPDX-License-Identifier: Apache-2.0
+ */
+VOID_FUNC(void, sequoia_error_free, (struct SequoiaError *err_ptr), (err_ptr))
+FUNC(struct SequoiaMechanism *, sequoia_mechanism_new_from_directory, (const char *dir_ptr, struct SequoiaError **err_ptr), (dir_ptr, err_ptr))
+FUNC(struct SequoiaMechanism *, sequoia_mechanism_new_ephemeral, (struct SequoiaError **err_ptr), (err_ptr))
+VOID_FUNC(void, sequoia_mechanism_free, (struct SequoiaMechanism *mechanism_ptr), (mechanism_ptr))
+VOID_FUNC(void, sequoia_signature_free, (struct SequoiaSignature *signature_ptr), (signature_ptr))
+FUNC(const uint8_t *, sequoia_signature_get_data, (const struct SequoiaSignature *signature_ptr, size_t *data_len), (signature_ptr, data_len))
+VOID_FUNC(void, sequoia_verification_result_free, (struct SequoiaVerificationResult *result_ptr), (result_ptr))
+FUNC(const uint8_t *, sequoia_verification_result_get_content, (const struct SequoiaVerificationResult *result_ptr, size_t *data_len), (result_ptr, data_len))
+FUNC(const char *, sequoia_verification_result_get_signer, (const struct SequoiaVerificationResult *result_ptr), (result_ptr))
+FUNC(struct SequoiaSignature *, sequoia_sign, (struct SequoiaMechanism *mechanism_ptr, const char *key_handle_ptr, const char *password_ptr, const uint8_t *data_ptr, size_t data_len, struct SequoiaError **err_ptr), (mechanism_ptr, key_handle_ptr, password_ptr, data_ptr, data_len, err_ptr))
+FUNC(struct SequoiaVerificationResult *, sequoia_verify, (struct SequoiaMechanism *mechanism_ptr, const uint8_t *signature_ptr, size_t signature_len, struct SequoiaError **err_ptr), (mechanism_ptr, signature_ptr, signature_len, err_ptr))
+VOID_FUNC(void, sequoia_import_result_free, (struct SequoiaImportResult *result_ptr), (result_ptr))
+FUNC(size_t, sequoia_import_result_get_count, (const struct SequoiaImportResult *result_ptr), (result_ptr))
+FUNC(const char *, sequoia_import_result_get_content, (const struct SequoiaImportResult *result_ptr, size_t index, struct SequoiaError **err_ptr), (result_ptr, index, err_ptr))
+FUNC(struct SequoiaImportResult *, sequoia_import_keys, (struct SequoiaMechanism *mechanism_ptr, const uint8_t *blob_ptr, size_t blob_len, struct SequoiaError **err_ptr), (mechanism_ptr, blob_ptr, blob_len, err_ptr))
+FUNC(int, sequoia_set_logger_consumer, (void (*consumer)(enum SequoiaLogLevel, const char *), struct SequoiaError **err_ptr), (consumer, err_ptr))