Add task and script to upload signature to Pyxis sigstore (#229)

wcheang · web-flow · commit 169f6853f25d · 2022-01-27T10:08:56.000-05:00
Add task and script to upload signature to Pyxis sigstore
diff --git a/ansible/roles/operator-pipeline/templates/openshift/tasks/upload-signature.yml b/ansible/roles/operator-pipeline/templates/openshift/tasks/upload-signature.yml
@@ -0,0 +1,79 @@
+---
+apiVersion: tekton.dev/v1beta1
+kind: Task
+metadata:
+  name: upload-signature
+spec:
+  params:
+    - name: docker_reference
+      description: Docker reference for the signed content, e.g. registry.redhat.io/redhat/community-operator-index:v4.9
+    - name: manifest_digest
+      description: Manifest digest for the signed content, usually in the format sha256:xxx
+    - name: repository
+      description: Name of the repository that hosts the signed content, e.g. redhat/community-operator-index
+    - name: sig_key_id
+      description: The signing key id that the content was signed with.
+    - name: signature_data
+      description: The signature to upload to Pyxis signature.
+    - name: pipeline_image
+      description: A docker image of operator-pipeline-images for the steps to run in.
+    - name: sig_key_pub_key
+      description: Env var that points to the location of the signing key's public key,
+        to be imported to gpg for verification.
+      default: ISVSIGN_PUB_KEY
+    - name: pyxis_ssl_secret_name
+      description: Kubernetes secret name that contains the Pyxis SSL files.
+    - name: pyxis_ssl_cert_secret_key
+      description: The key within the Kubernetes secret that contains the Pyxis SSL cert.
+    - name: pyxis_ssl_key_secret_key
+      description: The key within the Kubernetes secret that contains the Pyxis SSL key.
+    - name: pyxis_url
+      description: Pyxis instance to upload the signature to.
+      default: https://pyxis.engineering.redhat.com
+    - name: verify_signature
+      description: Whether to verify that the signature data is signed with the right key.
+      default: "true"
+  volumes:
+    - name: pyxis-ssl-volume
+      secret:
+        secretName: "$(params.pyxis_ssl_secret_name)"
+        optional: false
+  steps:
+    - name: verify-signature
+      image: "$(params.pipeline_image)"
+      script: |
+        #! /usr/bin/env bash
+        set -xe
+
+        if [[ "$(params.verify_signature)" == "true" ]]; then
+          echo "Verifying signature before upload"
+          echo $(params.signature_data) | base64 --decode > decoded_signed_claim
+
+          gpg --import $(printenv $(params.sig_key_pub_key))
+          gpg --verify decoded_signed_claim
+        fi
+
+    - name: upload-signature
+      image: "$(params.pipeline_image)"
+      env:
+        - name: PYXIS_CERT_PATH
+          value: /etc/pyxis-ssl-volume/$(params.pyxis_ssl_cert_secret_key)
+        - name: PYXIS_KEY_PATH
+          value: /etc/pyxis-ssl-volume/$(params.pyxis_ssl_key_secret_key)
+      volumeMounts:
+        - name: pyxis-ssl-volume
+          readOnly: true
+          mountPath: "/etc/pyxis-ssl-volume"
+      script: |
+        #! /usr/bin/env bash
+        set -xe
+
+        echo "Signature verified. Uploading to Pyxis sigstore"
+        upload-signature \
+          --pyxis-url "$(params.pyxis_url)" \
+          --manifest-digest "$(params.manifest_digest)" \
+          --reference "$(params.docker_reference)" \
+          --repository "$(params.repository)" \
+          --sig-key-id "$(params.sig_key_id)" \
+          --signature-data "$(params.signature_data)" \
+          --verbose
diff --git a/operator-pipeline-images/Dockerfile b/operator-pipeline-images/Dockerfile
@@ -41,6 +41,11 @@ RUN curl -LO https://github.com/operator-framework/operator-registry/releases/do
     chmod +x linux-amd64-opm && \
     mv linux-amd64-opm /usr/local/bin/opm
 
+# Download ISV Container Signing Pub Key for signature verification
+RUN curl https://www.redhat.com/security/data/55A34A82.txt -o /etc/containerisvsign.txt  && \
+    chmod go=r /etc/containerisvsign.txt
+ENV ISVSIGN_PUB_KEY=/etc/containerisvsign.txt
+
 RUN useradd -ms /bin/bash -u "${USER_UID}" user
 
 WORKDIR /home/user
diff --git a/operator-pipeline-images/operatorcert/entrypoints/upload_signature.py b/operator-pipeline-images/operatorcert/entrypoints/upload_signature.py
@@ -0,0 +1,99 @@
+import argparse
+import logging
+from typing import Any
+from urllib.parse import urljoin
+from requests.exceptions import HTTPError
+
+from operatorcert import pyxis
+from operatorcert.logger import setup_logger
+
+LOGGER = logging.getLogger("operator-cert")
+
+
+def setup_argparser() -> Any:  # pragma: no cover
+    """
+    Setup argument parser
+
+    Returns:
+        Any: Initialized argument parser
+    """
+    parser = argparse.ArgumentParser(
+        description="Cli tool to upload signature to Pyxis"
+    )
+
+    parser.add_argument(
+        "--pyxis-url",
+        default="https://pyxis.engineering.redhat.com",
+        help="Base URL for Pyxis container metadata API",
+    )
+    parser.add_argument(
+        "--manifest-digest",
+        help="Manifest digest for the signed content, usually in the format sha256:xxx",
+        required=True,
+    )
+    parser.add_argument(
+        "--reference",
+        help="Docker reference for the signed content, e.g. registry.redhat.io/redhat/community-operator-index:v4.9",
+        required=True,
+    )
+    parser.add_argument(
+        "--repository",
+        help="Name of the repository that hosts the signed content, e.g. redhat/community-operator-index",
+        required=True,
+    )
+    parser.add_argument(
+        "--sig-key-id",
+        help="The signing key id that the content was signed with",
+        required=True,
+    )
+    parser.add_argument("--signature-data", help="The signed content", required=True)
+    parser.add_argument("--verbose", action="store_true", help="Verbose output")
+    return parser
+
+
+def upload_signature(args: Any) -> None:
+    """
+    Upload signature to Pyxis
+
+    Args:
+        args (Any): CLI arguments
+
+    Returns:
+        Dict[str, Any]]: Pyxis respones
+    """
+    payload = {
+        "manifest_digest": args.manifest_digest,
+        "reference": args.reference,
+        "repository": args.repository,
+        "sig_key_id": args.sig_key_id,
+        "signature_data": args.signature_data,
+    }
+
+    try:
+        rsp_json = pyxis.post(urljoin(args.pyxis_url, "v1/signatures"), payload)
+        LOGGER.info("Signature successfully created on Pyxis: %s", rsp_json)
+    except HTTPError as err:
+        if err.response.status_code == 409:
+            LOGGER.warning(
+                "Pyxis POST request resulted in 409 Conflict Error. Signature may have "
+                "already been uploaded previously."
+            )
+        else:
+            raise
+
+
+def main():  # pragma: no cover
+    """
+    Main func
+    """
+
+    parser = setup_argparser()
+    args = parser.parse_args()
+    log_level = "DEBUG" if args.verbose else "INFO"
+    setup_logger(log_level)
+
+    upload_signature(args)
+
+
+if __name__ == "__main__":  # pragma: no cover
+    main()
diff --git a/operator-pipeline-images/setup.py b/operator-pipeline-images/setup.py
@@ -42,6 +42,7 @@
             "create-container-image=operatorcert.entrypoints.create_container_image:main",
             "marketplace-replication=operatorcert.entrypoints.marketplace_replication:main",
             "pipelinerun-summary=operatorcert.entrypoints.pipelinerun_summary:main",
+            "upload-signature=operatorcert.entrypoints.upload_signature:main",
         ],
     },
 )
diff --git a/operator-pipeline-images/tests/entrypoints/test_upload_signature.py b/operator-pipeline-images/tests/entrypoints/test_upload_signature.py
@@ -0,0 +1,62 @@
+import pytest
+from requests.exceptions import HTTPError
+from requests.models import Response
+from unittest.mock import MagicMock, patch
+
+from operatorcert.entrypoints import upload_signature
+
+
+@patch("operatorcert.entrypoints.upload_signature.setup_argparser")
+@patch("operatorcert.entrypoints.upload_signature.upload_signature")
+def test_main(
+    mock_upload_signature: MagicMock,
+    mock_arg_parser: MagicMock,
+) -> None:
+    upload_signature.main()
+    mock_upload_signature.assert_called_once()
+
+
+@patch("operatorcert.entrypoints.upload_signature.pyxis.post")
+def test_upload_signature(mock_post: MagicMock) -> None:
+    args = MagicMock()
+    args.pyxis_url = "https://test-pyxis.fake.url"
+    args.manifest_digest = "sha256:123456"
+    args.reference = "registry.redhat.io/redhat/community-operator-index:v4.9"
+    args.repository = "redhat/community-operator-index"
+    args.sig_key_id = "testkeyid"
+    args.signature_data = "dGVzdHNpZ25hdHVyZWRhdGEK"
+
+    upload_signature.upload_signature(args)
+    mock_post.assert_called_once_with(
+        "https://test-pyxis.fake.url/v1/signatures",
+        {
+            "manifest_digest": args.manifest_digest,
+            "reference": args.reference,
+            "repository": args.repository,
+            "sig_key_id": args.sig_key_id,
+            "signature_data": args.signature_data,
+        },
+    )
+
+
+@patch("operatorcert.entrypoints.upload_signature.pyxis.post")
+def test_upload_signature_http_errors(mock_post: MagicMock) -> None:
+    args = MagicMock()
+    args.pyxis_url = "https://test-pyxis.fake.url"
+    args.manifest_digest = "sha256:123456"
+    args.reference = "registry.redhat.io/redhat/community-operator-index:v4.9"
+    args.repository = "redhat/community-operator-index"
+    args.sig_key_id = "testkeyid"
+    args.signature_data = "dGVzdHNpZ25hdHVyZWRhdGEK"
+
+    fake_rsp = Response()
+    fake_rsp.status_code = 409
+    fake_err = HTTPError(response=fake_rsp)
+    mock_post.side_effect = fake_err
+    upload_signature.upload_signature(args)
+
+    fake_rsp.status_code = 404
+    fake_err = HTTPError(response=fake_rsp)
+    mock_post.side_effect = fake_err
+    with pytest.raises(HTTPError):
+        upload_signature.upload_signature(args)

Original file line number	Diff line number	Diff line change
`@@ -42,6 +42,7 @@`
`42`	`42`	`"create-container-image=operatorcert.entrypoints.create_container_image:main",`
`43`	`43`	`"marketplace-replication=operatorcert.entrypoints.marketplace_replication:main",`
`44`	`44`	`"pipelinerun-summary=operatorcert.entrypoints.pipelinerun_summary:main",`
	`45`	`+ "upload-signature=operatorcert.entrypoints.upload_signature:main",`
`45`	`46`	`],`
`46`	`47`	`},`
`47`	`48`	`)`