Merge pull request #868 from saschagrunert/sign-recursive

k8s-ci-robot · web-flow · commit ec74d149c522 · 2023-05-17T00:38:33.000-07:00
Use recursive signing for multi-arch images
diff --git a/internal/promoter/image/sign.go b/internal/promoter/image/sign.go
@@ -114,6 +114,9 @@ func (di *DefaultPromoterImplementation) SignImages(
 	}
 	signOpts.IdentityToken = token
 
+	// We want to sign all entities for multi-arch images
+	signOpts.Recursive = true
+
 	// Creating a new Signer after setting the identity token is MANDATORY
 	// because that's the only way to propagate the identity token to the
 	// internal Signer structs. Without that, the identity token wouldn't be
diff --git a/internal/promoter/image/signcheck.go b/internal/promoter/image/signcheck.go
@@ -337,6 +337,10 @@ func (di *DefaultPromoterImplementation) signReference(opts *options.Options, re
 		return fmt.Errorf("generating identity token: %w", err)
 	}
 	signOpts.IdentityToken = token
+
+	// We want to sign all entities for multi-arch images
+	signOpts.Recursive = true
+
 	di.signer = sign.New(signOpts)
 
 	// Add an annotation recording the kpromo version to ensure we
diff --git a/test-e2e/cip/e2e.go b/test-e2e/cip/e2e.go
@@ -121,14 +121,11 @@ func removeSignatureLayers(snapshot *[]registry.Image) {
 	var remove []image.Digest
 	for i := range *snapshot {
 		remove = []image.Digest{}
-		for dgst := range (*snapshot)[i].Dmap {
-			// Signature layers only have one tag
-			if len((*snapshot)[i].Dmap[dgst]) != 1 || !strings.HasSuffix(
-				string((*snapshot)[i].Dmap[dgst][0]), ".sig",
-			) {
-				continue
+		for dgst, tags := range (*snapshot)[i].Dmap {
+			if len(tags) == 0 || // Recursive signing may add additional layers without tags
+				(len(tags) == 1 && strings.HasSuffix(string(tags[0]), ".sig")) { // Signature layers only have one tag
+				remove = append(remove, dgst)
 			}
-			remove = append(remove, dgst)
 		}
 		for _, dgst := range remove {
 			delete((*snapshot)[i].Dmap, dgst)
@@ -152,6 +149,7 @@ func checkSnapshot(
 	// to compare them, we remove the signature layers from the current
 	// snapshot to ensure the original images were promoted.
 	removeSignatureLayers(&got)
+	removeSignatureLayers(&expected)
 
 	diff := cmp.Diff(got, expected)
 	if diff != "" {

Original file line number	Diff line number	Diff line change
`@@ -114,6 +114,9 @@ func (di *DefaultPromoterImplementation) SignImages(`
`114`	`114`	`}`
`115`	`115`	`signOpts.IdentityToken = token`
`116`	`116`
	`117`	`+ // We want to sign all entities for multi-arch images`
	`118`	`+ signOpts.Recursive = true`
	`119`	`+`
`117`	`120`	`// Creating a new Signer after setting the identity token is MANDATORY`
`118`	`121`	`// because that's the only way to propagate the identity token to the`
`119`	`122`	`// internal Signer structs. Without that, the identity token wouldn't be`