Skip to content

Add --base-domain-overwrite option to container image signing functions #979

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 2 commits into
base: master
Choose a base branch
from
Open

Add --base-domain-overwrite option to container image signing functions #979

Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
7b491ee
Add --base-domain-overwrite option to container image signing functions
deplab Aug 24, 2025
1a45d01
Merge branch 'master' of https://github.com/oracle/oci-cli into patch-1
deplab Aug 27, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
19 changes: 12 additions & 7 deletions services/artifacts/src/oci_cli_artifacts/artifacts_cli_extended.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -559,6 +559,7 @@ def list_container_images_extended(ctx, from_json, all_pages, page_size, compart
@cli_util.option('--image-id', required=True, help=u"""The [OCID] of the container image.""")
@cli_util.option('--description', help="""The optional text of your choice to describe the image. The description is included as part of the signature, and is shown in the Console. For example, --description "Image for UAT testing" """)
@cli_util.option('--metadata', help="""The optional information of your choice about the image, in a valid JSON format (alphanumeric characters only, with no whitespace or escape characters). For example, --metadata "{\"buildNumber\":\"123\"}" """)
@cli_util.option('--base-domain-overwrite', help="Overwrite the base domain for the Cryptographic Endpoint, e.g. to overwrite 'oraclecloud.com' with 'oci.oraclecloud.com'. Usage: --base-domain-overwrite 'oci.oraclecloud.com'")
@json_skeleton_utils.get_cli_json_input_option({})
@cli_util.help_option
@click.pass_context
Expand All @@ -567,7 +568,7 @@ def list_container_images_extended(ctx, from_json, all_pages, page_size, compart
def sign_and_upload_container_image_signature_metadata(ctx, from_json, kms_key_id, kms_key_version_id,
signing_algorithm,
compartment_id, image_id,
description, metadata):
description, metadata, base_domain_overwrite):
"""
SignAndUploadContainerImageSignatureMetadata calls KMS to sign the message then calls OCIR to upload the returned signature

Expand All @@ -583,6 +584,7 @@ def sign_and_upload_container_image_signature_metadata(ctx, from_json, kms_key_i
:param image_id: The OCID of the container image. eg) ocid1.containerimage.oc1..exampleuniqueID. Max length: 255, Min length:1
:param description: An user inputted message.
:param metadata: An user defined information about the container image in JSON format eg) {"buildNumber":"123"}
:param base_domain_overwrite: Overwrite the base domain for the Cryptographic Endpoint. e.g. if the base domain is 'oraclecloud.com' instead of 'oci.oraclecloud.com' which happens in me-riyadh-1 and potentially other regions
restriction:
- should only contains alphanumeric key strings.
- should be alphabetically sorted.
Expand All @@ -607,7 +609,7 @@ def sign_and_upload_container_image_signature_metadata(ctx, from_json, kms_key_i
region_name = get_region_from_config(ctx)

# Create KMS client
kms_crypto_client = build_vault_crypto_client(ctx, kms_key_id, region_name)
kms_crypto_client = build_vault_crypto_client(ctx, kms_key_id, region_name, base_domain_overwrite)

# Get container image metadata
click.echo("Obtaining container image metadata by the image ID")
Expand Down Expand Up @@ -741,13 +743,16 @@ def upload_signature_metadata(ctx, artifacts_client, compartment_id, image_id, k


# Build the KmsCryptoClient based on the vault extension OCID in the keyId
def build_vault_crypto_client(ctx, key_id, region):
def build_vault_crypto_client(ctx, key_id, region, base_domain_overwrite):
split_list = re.split("ocid1\\.key\\.([\\w-]+)\\.([\\w-]+)\\.([\\w-]+)\\.([\\w]){60}", key_id)
if len(split_list) < 4:
raise click.ClickException("Failed to split key ocid. Please check the kms_key_id is correct.")
vault_ext = split_list[3]
realm = oci.regions.REGION_REALMS.get(region)
second_level_domain = oci.regions.REALMS[realm]
if base_domain_overwrite is not None:
second_level_domain = base_domain_overwrite
else:
realm = oci.regions.REGION_REALMS.get(region)
second_level_domain = oci.regions.REALMS[realm]
# region example: us-phoenix-1
crypto_endpoint = "https://" + vault_ext + "-crypto.kms." + region + "." + second_level_domain
ctx.obj['endpoint'] = crypto_endpoint
Expand Down Expand Up @@ -788,10 +793,10 @@ def filter_item_by_trusted_keys(items, trusted_keys):
return ret


def verify_signatures(ctx, container_image_signature_summary, region_name):
def verify_signatures(ctx, container_image_signature_summary, region_name, base_domain_overwrite):
verified = None
for signature_summary in container_image_signature_summary:
vault_crypto_client = build_vault_crypto_client(ctx, signature_summary.kms_key_id, region_name)
vault_crypto_client = build_vault_crypto_client(ctx, signature_summary.kms_key_id, region_name, base_domain_overwrite)
algo = signature_summary.signing_algorithm
signing_algo_list = [
"SHA_224_RSA_PKCS_PSS", "SHA_256_RSA_PKCS_PSS", "SHA_384_RSA_PKCS_PSS", "SHA_512_RSA_PKCS_PSS"
Expand Down