feat(RELEASE-2031): use pubtools-sign to sign in blob-signing-pipeline #1671
midnightercz wants to merge 1 commit into development
Branch force-pushed from 9973d88 to 926f176
✅ Snyk checks have passed. No issues have been found so far.
Branch force-pushed from 11d01b0 to 2f2a139
Hey, would you mind adding a description to the PR? :)
Branch force-pushed from 2f2a139 to 3569e8e
/retest
Branch force-pushed from 5b0af50 to bb687aa
/retest
Branch force-pushed from f28c414 to 35c81b5
/retest
Branch force-pushed from 35c81b5 to 55d8e8a
Branch force-pushed from 25ec278 to 86e9f75
/retest
Branch force-pushed from b26d8e6 to b733684
/retest
Branch force-pushed from b733684 to 2a6e3e4
/retest
Branch force-pushed from 2a6e3e4 to 3dff119
/retest
Branch force-pushed from b619ecf to c8da1fa
/retest
Branch force-pushed from f6656ce to c4666cb
/retest
Branch force-pushed from 8d04540 to c4b7ca8
/retest
Branch force-pushed from af75c2f to a26f8d2
Review thread on tasks/internal/request-blob-signature/tests/test-request-blob-signature-failed-messages.yaml (outdated, resolved):
- name: CA_BUNDLE
  value: /etc/pki/tls/certs/ca-bundle.crt
script: |
  #!/usr/bin/env /bin/bash
Why cat the cert and key into vars and then echo them back out to temp files? The files already exist at the path; you can pass them directly to openssl s_client. This is also better than storing secrets in variables, which infosec has some convo about. Also missing set -eo pipefail here, so if the connection check fails the step exits 0 and the pipeline continues silently.
It was meant to be rather a check for what could potentially have happened than a permanent stop. But I guess yeah, we can put set -e there as there are retries for internalrequests.
echo "$PY_SCRIPT" > /tmp/validate_ssl.py
umb_cert="$(cat "/mnt/umb_ssl_cert_secret/$(params.umb_ssl_cert_file_name)")"
umb_key="$(cat "/mnt/umb_ssl_cert_secret/$(params.umb_ssl_key_file_name)")"
Use the mount paths directly instead of writing to temp files
echo $(context.taskRun.uid)
fi
}
PY_SCRIPT=$(cat <<'END_HEREDOC'
Could we move the Python script into utils rather than defining it in the task? It would make it easier to maintain rather than inline.
I'm not against it. I guess it can be used in other places as well
We'll be moving the IR scripts to Python anyway 🙂 so this will help that.
Ok, I created konflux-ci/release-service-utils#671
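The pattern the two review threads above ask for, as an added bash example that is not the PR's task script: fail fast with set -eo pipefail, and hand the mounted cert and key files to openssl s_client by path instead of cat-ing the secrets into shell variables and echoing them back out to temp files. The mount paths, the UMB_ENDPOINT variable, the -verify_return_error choice and the function names are assumptions made here; the real task substitutes Tekton $(params.…) values.

```bash
#!/usr/bin/env bash
# Added example, not the PR's task script. Two points from the review:
#  1. set -eo pipefail: a failed check (or failed pipeline stage) stops
#     the step with a non-zero exit instead of silently exiting 0.
#  2. Secrets stay in their mounted files. Reading them into variables
#     exposes them to `set -x` traces, process environments and temp
#     files; openssl can read the key file itself.
set -eo pipefail

# Assumed mount layout (the task itself uses $(params.…) substitutions).
UMB_CERT_PATH="${UMB_CERT_PATH:-/mnt/umb_ssl_cert_secret/umb.crt}"
UMB_KEY_PATH="${UMB_KEY_PATH:-/mnt/umb_ssl_cert_secret/umb.key}"
CA_BUNDLE="${CA_BUNDLE:-/etc/pki/tls/certs/ca-bundle.crt}"

# require_readable_file PATH: return non-zero (with a message on stderr)
# when the file is missing or unreadable. Under set -e this stops the step
# before any network call is made with a broken secret mount.
require_readable_file() {
  [ -r "$1" ] || { echo "missing or unreadable: $1" >&2; return 1; }
}

# check_tls_endpoint HOST:PORT CERT KEY CA_BUNDLE: one mutual-TLS handshake
# against the broker. The cert and key are passed as paths; nothing secret
# enters a shell variable. -verify_return_error makes a failed chain
# verification a non-zero exit as well (assumed choice, not from the PR).
check_tls_endpoint() {
  require_readable_file "$2" || return 1
  require_readable_file "$3" || return 1
  require_readable_file "$4" || return 1
  openssl s_client -connect "$1" -cert "$2" -key "$3" -CAfile "$4" \
    -verify_return_error </dev/null >/dev/null 2>&1
}

# Run the real check only when an endpoint is configured, so the file can
# also be sourced for tests without touching the network.
if [ -n "${UMB_ENDPOINT:-}" ]; then
  check_tls_endpoint "$UMB_ENDPOINT" "$UMB_CERT_PATH" "$UMB_KEY_PATH" "$CA_BUNDLE"
  echo "TLS handshake with $UMB_ENDPOINT succeeded"
fi
```

With set -e in force, a failing check_tls_endpoint ends the step with openssl's exit status, which is what lets the InternalRequest retries the reply above mentions actually trigger instead of a step that "passed" without ever connecting.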
Three further review threads on tasks/internal/request-blob-signature/request-blob-signature.yaml (outdated, resolved).
Branch force-pushed from 4c6d29f to c826f72
Also removed sig_key_ids as they are not actively used by radas and unused pyxis attributes

Signed-off-by: Jindrich Luza <jluza@redhat.com>
Branch force-pushed from c826f72 to 5e82ebb
This is ready for re-review @midnightercz :)
Describe your changes
Currently we use the pubtools-sign tool to sign containers in rh-sign-image and the quay.io/redhat-isv/tkn-signing-bundle:7059415075 bundle to sign blobs. pubtools-sign now supports blob signing, so in order to make things easier it would be better to use the same tooling. pubtools-sign also supports batch signing, which significantly improves performance, and supports signing with two or more keys (used in PQC).