feat(RELEASE-2031): use pubtools-sign to sign in blob-signing-pipeline

midnightercz · midnightercz · commit 8d04540fada8 · 2026-02-24T09:17:58.000+01:00
Added debug cert check

Signed-off-by: Jindrich Luza &lt;jluza@redhat.com&gt;
diff --git a/tasks/internal/request-blob-signature/README.md b/tasks/internal/request-blob-signature/README.md
@@ -8,7 +8,7 @@ Tekton task to request a simple signature.
 
 | Name                     | Description                                                           | Optional | Default value                                                                     |
 |--------------------------|-----------------------------------------------------------------------|----------|-----------------------------------------------------------------------------------|
-| pipeline_image           | A docker image of operator-pipeline-images for the steps to run in    | Yes      | quay.io/konflux-ci/release-service-utils:82012e03002128f2a226acb23dc5c6fc1c37f5b6 |
+| pipeline_image           | A docker image of operator-pipeline-images for the steps to run in    | Yes      | quay.io/konflux-ci/release-service-utils:13e379cb498293f8f7b8b9c84c57d9e8ab141be2 |
 | requester                | Name of the user that requested the signing, for auditing purposes    | No       | -                                                                                 |
 | blob                     | Blob content to be signed, base64 encoded                             | No       | -                                                                                 |
 | sig_key_names            | NL separated signing key names that the content is signed with        | Yes      | containerisvsign                                                                  |
diff --git a/tasks/internal/request-blob-signature/request-blob-signature.yaml b/tasks/internal/request-blob-signature/request-blob-signature.yaml
@@ -14,7 +14,7 @@ spec:
   params:
     - description: A docker image of operator-pipeline-images for the steps to run in
       name: pipeline_image
-      default: "quay.io/konflux-ci/release-service-utils:82012e03002128f2a226acb23dc5c6fc1c37f5b6"
+      default: "quay.io/konflux-ci/release-service-utils:13e379cb498293f8f7b8b9c84c57d9e8ab141be2"
       type: string
     - description: Name of the user that requested the signing, for auditing purposes
       name: requester
@@ -98,6 +98,7 @@ spec:
       computeResources:
         limits:
           memory: 128Mi
+          cpu: 100m
         requests:
           memory: 128Mi
           cpu: 100m
@@ -124,6 +125,7 @@ spec:
       computeResources:
         limits:
           memory: 128Mi
+          cpu: 100m
         requests:
           memory: 128Mi
           cpu: 100m
@@ -236,6 +238,7 @@ spec:
       computeResources:
         limits:
           memory: 128Mi
+          cpu: 100m
         requests:
           memory: 128Mi
           cpu: 100m
@@ -260,14 +263,67 @@ spec:
             echo $(context.taskRun.uid)
           fi
         }
+        PY_SCRIPT=$(cat <<'END_HEREDOC'
+        import os
+        import sys
+        from cryptography import x509
+        from cryptography.hazmat.primitives import serialization
+        from cryptography.hazmat.primitives.asymmetric import rsa
+
+        def validate_ssl_pair(cert_path, key_path):
+            try:
+                # 1. Load and Validate Certificate
+                with open(cert_path, "rb") as f:
+                    cert_data = f.read()
+                    cert = x509.load_pem_x509_certificate(cert_data)
+
+                # 2. Load and Validate Private Key
+                with open(key_path, "rb") as f:
+                    key_data = f.read()
+                    # If your key has a password, provide it in 'password='
+                    private_key = serialization.load_pem_private_key(key_data, password=None)
+
+                # 3. Check if they match
+                # We compare the public key derived from the cert vs the one from the private key
+                cert_pub_key = cert.public_key().public_bytes(
+                    encoding=serialization.Encoding.PEM,
+                    format=serialization.PublicFormat.SubjectPublicKeyInfo
+                )
+                key_pub_key = private_key.public_key().public_bytes(
+                    encoding=serialization.Encoding.PEM,
+                    format=serialization.PublicFormat.SubjectPublicKeyInfo
+                )
+
+                if cert_pub_key == key_pub_key:
+                    return True, "Valid pair: Private key matches certificate."
+                else:
+                    return False, "Mismatch: Private key does not belong to this certificate."
+
+            except Exception as e:
+                return False, f"Validation error: {str(e)}"
+
+        print(f'Cert exists: {os.path.exists(sys.argv[1])}');
+        print(f'Cert is readable: {os.access(sys.argv[1], os.R_OK)}');
+        is_valid, message = validate_ssl_pair(sys.argv[1], sys.argv[1])
+        print(message)
+        END_HEREDOC
+        )
+        echo "$PY_SCRIPT" > /tmp/validate_ssl.py
 
         umb_cert="$(cat "/mnt/umb_ssl_cert_secret/$(params.umb_ssl_cert_file_name)")"
         umb_key="$(cat "/mnt/umb_ssl_cert_secret/$(params.umb_ssl_key_file_name)")"
 
         echo "${umb_cert:?}" > /tmp/umb.pem.$(get-task-id)
         echo "${umb_key:?}" >> /tmp/umb.pem.$(get-task-id)
         set -xe
-        python3 -c "import proton;
+        cert="/tmp/umb.pem.$(get-task-id)"
+
+        python3 /tmp/validate_ssl.py "${cert}"
+        python3 -c "import proton; import os;
+        cert='/tmp/umb.pem.$(get-task-id)';
+        print(f'Cert exists: {os.path.exists(cert)}');
+        print(f'Cert is readable: {os.access(cert, os.R_OK)}');
+        print(f'Proton SSL ready: {proton.SSL.present()}');
         ssl_domain=proton.SSLDomain(proton.SSLDomain.MODE_CLIENT); 
         cert='/tmp/umb.pem.$(get-task-id)';
         ssl_domain.set_credentials(cert, cert, None)"
@@ -276,6 +332,7 @@ spec:
       computeResources:
         limits:
           memory: 128Mi
+          cpu: 100m
         requests:
           memory: 128Mi
           cpu: 100m
@@ -344,6 +401,7 @@ spec:
       computeResources:
         limits:
           memory: 128Mi
+          cpu: 100m
         requests:
           memory: 128Mi
           cpu: 100m
diff --git a/tasks/managed/sign-base64-blob/sign-base64-blob.yaml b/tasks/managed/sign-base64-blob/sign-base64-blob.yaml
@@ -163,7 +163,7 @@ spec:
             exit 1
         fi
 
-        default_pipeline_image="quay.io/konflux-ci/release-service-utils:9d57cd95e60f0c61a118fe9261f5941815d33469"
+        default_pipeline_image="quay.io/konflux-ci/release-service-utils:13e379cb498293f8f7b8b9c84c57d9e8ab141be2"
         pipeline_image=$(jq -r --arg default_pipeline_image ${default_pipeline_image} \
             '.sign.pipelineImage // $default_pipeline_image' "${DATA_FILE}")
         config_map_name=$(jq -r '.sign.configMapName // "signing-config-map"' "${DATA_FILE}")
diff --git a/tasks/managed/sign-base64-blob/tests/test-sign-base64-blob.yaml b/tasks/managed/sign-base64-blob/tests/test-sign-base64-blob.yaml
@@ -170,7 +170,7 @@ spec:
               fi
 
               if [ "$(jq -r '.pipeline_image' <<< "${params}")" != \
-                 "quay.io/konflux-ci/release-service-utils:9d57cd95e60f0c61a118fe9261f5941815d33469" ]
+                 "quay.io/konflux-ci/release-service-utils:13e379cb498293f8f7b8b9c84c57d9e8ab141be2" ]
               then
                 echo "pipeline_image does not match"
                 exit 1
