/kind feature
Description
I would like to be able to do unattended image signing with podman - getting the signature passphrase from file/fd.
With gpg I can do something like this:
$ gpg --pinentry-mode loopback --passphrase-file /secrets/SIGNATURE_ID_PASSWORD -s -u SIGNATURE_ID ...
to sign something (unattended) using secrets from the filesystem.
It would be nice with something similar for podman (or buildah/skopeo).
jskovjyskebankdk
All 11 comments
Maybe people just make signatures without password?
That seems to allow unattended signing.
jskovjyskebankdk
on 21 Sep 2020
@QiWang19 @mtrmac PTAL
rhatdan
on 21 Sep 2020
Thanks for your report. This was historically not easily possible because RHEL 7’s GPGme does not expose the loopback option (and IIRC neither does the underlying GPG); and the Go build system makes it rather difficult for libraries to opt in/out of features based on the build environment — essentially the top-level software has to deal with all the complexity.
If we can drop drop support for RHEL 7, adding the loopback option + a way to supply a passphrase seems reasonable, based on reading the documentation (not having a prototype).
One way that would work right now is to use a GPG agent, and to unlock the private key by using gpg --sign to sign something inconsequential. That’s horribly ugly, of course, and having those “inconsequential” signatures around introduces extra risk.
mtrmac
on 2 Oct 2020
I have no problem ignoring RHEL7 going forward. We should pay attention to RHEL8 and above at this point. If someone backports this functionality to RHEL7 and it blows up we can just close it as not supported.
rhatdan
on 5 Oct 2020
It’s not so much a backport concern, or a feature blowing up if used — just _building_ any version of Podman / … that adds the loopback option will be simply impossible on RHEL 7 and earlier; anyone trying would have to actively patch out the loopback uses.
(I’m fine with that consequence, I just want to make it very explicit.)
mtrmac
on 6 Oct 2020
Sure, we are already beginning to do this. With certain features (cgroupsV2). But I don't want a 8 year old OS holding us back,especially when we have no intention os shipping a new supported version of a container engine on it. podman 1.6 was the end of the line for supported RHEL 7.
rhatdan
on 10 Oct 2020
A friendly reminder that this issue had no activity for 30 days.
![github-actions[bot] picture](https://avatars2.githubusercontent.com/in/15368?v=4&s=40)
github-actions[bot]
on 4 Dec 2020
@mtrmac WDYT with us dumping RHEL7, should we pursue this?
rhatdan
on 4 Dec 2020
It does make sense to do. I don’t have a strong opinion on priority/timing.
mtrmac
on 7 Dec 2020
@QiWang19 PTAL
rhatdan
on 23 Dec 2020
duplicate of BZ: https://bugzilla.redhat.com/show_bug.cgi?id=1892722, @umohnani8 are you working on this?
QiWang19
on 23 Dec 2020
Related issues
NooneXe
·
3Comments
juansuerogit
·
5Comments
undecaf
·
3Comments
jtligon
·
4Comments
SergeyBear
·
4Comments