From 68fba810927144d88e2aa2c0be57a51ebb4eae88 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Miloslav=20Trma=C4=8D?= Date: Mon, 7 Jul 2025 23:47:10 +0200 Subject: [PATCH] DO NOT MERGE: Also build+test with Sequoia MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Relies on UNMERGED https://github.com/containers/automation_images/pull/411 . Signed-off-by: Miloslav Trmač --- .cirrus.yml | 18 ++++++++++++++++-- Makefile | 6 ++++-- contrib/cirrus/runner.sh | 6 ++++-- integration/copy_test.go | 8 ++++---- systemtest/050-signing.bats | 2 +- 5 files changed, 29 insertions(+), 11 deletions(-) diff --git a/.cirrus.yml b/.cirrus.yml index aa99e87d..5e07446a 100644 --- a/.cirrus.yml +++ b/.cirrus.yml @@ -21,8 +21,14 @@ env: SCRIPT_BASE: "./contrib/cirrus" # Google-cloud VM Images - IMAGE_SUFFIX: "c20250721t181111z-f42f41d13" + # If you are updating IMAGE_SUFFIX: We are currently using rawhide for + # the containers_image_sequoia tests because the rust-podman-sequoia + # package is not available in earlier releases; once we update to a future + # Fedora release (or if the package is backported), switch back from Rawhide + # to the latest Fedora release. + IMAGE_SUFFIX: "c20250730t185529z-f42f41d13" FEDORA_CACHE_IMAGE_NAME: "fedora-${IMAGE_SUFFIX}" + RAWHIDE_CACHE_IMAGE_NAME: "rawhide-${IMAGE_SUFFIX}" # Container FQIN's FEDORA_CONTAINER_FQIN: "quay.io/libpod/fedora_podman:${IMAGE_SUFFIX}" 
@@ -190,14 +196,21 @@ test_skopeo_task: # Required to be 200gig, do not modify - has i/o performance impact # according to gcloud CLI tool warning messages. disk: 200 - image_name: ${FEDORA_CACHE_IMAGE_NAME} + image_name: ${VM_IMAGE_NAME} matrix: - name: "Skopeo Test" # N/B: Name ref. by hack/get_fqin.sh env: BUILDTAGS: '' + VM_IMAGE_NAME: ${FEDORA_CACHE_IMAGE_NAME} - name: "Skopeo Test w/ opengpg" env: BUILDTAGS: *withopengpg + VM_IMAGE_NAME: ${FEDORA_CACHE_IMAGE_NAME} + - name: "Skopeo test w/ Sequoia (currently Rawhide)" + env: + BUILDTAGS: 'containers_image_sequoia' + # If you are removing the use of rawhide, also remove the VM_IMAGE_NAME condition from runner.sh . + VM_IMAGE_NAME: ${RAWHIDE_CACHE_IMAGE_NAME} setup_script: >- "${GOSRC}/${SCRIPT_BASE}/runner.sh" setup vendor_script: >- @@ -226,6 +239,7 @@ meta_task: # Space-separated list of images used by this repository state IMGNAMES: | ${FEDORA_CACHE_IMAGE_NAME} + ${RAWHIDE_CACHE_IMAGE_NAME} build-push-${IMAGE_SUFFIX} BUILDID: "${CIRRUS_BUILD_ID}" REPOREF: "${CIRRUS_REPO_NAME}" diff --git a/Makefile b/Makefile index 4d106589..4076a8cd 100644 --- a/Makefile +++ b/Makefile @@ -24,6 +24,8 @@ GOBIN := $(shell $(GO) env GOBIN) GOOS ?= $(shell go env GOOS) GOARCH ?= $(shell go env GOARCH) +SEQUOIA_SONAME_DIR = + # N/B: This value is managed by Renovate, manual changes are # possible, as long as they don't disturb the formatting # (i.e. DO NOT ADD A 'v' prefix!) @@ -84,7 +86,7 @@ CONTAINER_RUN ?= $(CONTAINER_CMD) --security-opt label=disable -v $(CURDIR):$(CO GIT_COMMIT := $(shell GIT_CEILING_DIRECTORIES=$$(cd ..; pwd) git rev-parse HEAD 2> /dev/null || true) EXTRA_LDFLAGS ?= -SKOPEO_LDFLAGS := -ldflags '-X main.gitCommit=${GIT_COMMIT} $(EXTRA_LDFLAGS)' +SKOPEO_LDFLAGS := -ldflags '-X main.gitCommit=${GIT_COMMIT} -X github.com/containers/image/v5/signature/internal/sequoia.sequoiaLibraryDir=$(SEQUOIA_SONAME_DIR) $(EXTRA_LDFLAGS)' MANPAGES_MD = $(wildcard docs/*.md) MANPAGES ?= $(MANPAGES_MD:%.md=%) 
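Review bot: `SEQUOIA_SONAME_DIR` is added to the Makefile with no comment and is spliced unquoted into the single-quoted `-ldflags` string of `SKOPEO_LDFLAGS`, so a value containing a space or a quote breaks the link line and nothing tells a packager what the value controls. Judging only by the `sequoiaLibraryDir` symbol it is linked into, it appears to fix the directory the Sequoia signing library is loaded from, which makes it security-relevant: a relative or user-writable directory would let someone else supply the library that verifies signatures. A comment above the assignment should state this, for example `# Directory the Sequoia shared library is loaded from; must be an absolute path not writable by unprivileged users.`, and should also say what the empty default means. The same flag now reaches `test-unit-local` through `$(SKOPEO_LDFLAGS)` in the later Makefile hunk.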
@@ -251,7 +253,7 @@ validate-docs: bin/skopeo hack/xref-helpmsgs-manpages test-unit-local: - $(GO) test -tags "$(BUILDTAGS)" $$($(GO) list -tags "$(BUILDTAGS)" -e ./... | grep -v '^github\.com/containers/skopeo/\(integration\|vendor/.*\)$$') + $(GO) test $(SKOPEO_LDFLAGS) -tags "$(BUILDTAGS)" $$($(GO) list -tags "$(BUILDTAGS)" -e ./... | grep -v '^github\.com/containers/skopeo/\(integration\|vendor/.*\)$$') vendor: $(GO) mod tidy diff --git a/contrib/cirrus/runner.sh b/contrib/cirrus/runner.sh index 64117eba..3ec9f49c 100755 --- a/contrib/cirrus/runner.sh +++ b/contrib/cirrus/runner.sh @@ -71,8 +71,10 @@ _run_setup() { # automation, but the sources are in different directories. It's # possible for a mismatch to happen, but should (hopefully) be unlikely. # Double-check to make sure. + # Temporarily, allow running on Rawhide VMs and consuming older binaries: + # that should be compatible enough. Eventually, we’ll stop using Rawhide again. if ! grep -Fqx "ID=$OS_RELEASE_ID" $mnt/etc/os-release || \ - ! grep -Fqx "VERSION_ID=$OS_RELEASE_VER" $mnt/etc/os-release; then + { ! [[ "$VM_IMAGE_NAME" =~ "rawhide" ]] && ! grep -Fqx "VERSION_ID=$OS_RELEASE_VER" $mnt/etc/os-release; } then die "Somehow $SKOPEO_CIDEV_CONTAINER_FQIN is not based on $OS_REL_VER." fi msg "Copying test binaries from $SKOPEO_CIDEV_CONTAINER_FQIN /usr/local/bin/" @@ -97,7 +99,7 @@ _run_vendor() { _run_build() { make bin/skopeo BUILDTAGS="$BUILDTAGS" - make install PREFIX=/usr/local + make install PREFIX=/usr/local BUILDTAGS="$BUILDTAGS" } _run_cross() { diff --git a/integration/copy_test.go b/integration/copy_test.go index 75da3d78..d4c1909a 100644 --- a/integration/copy_test.go +++ b/integration/copy_test.go 
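Review bot: The new `[[ "$VM_IMAGE_NAME" =~ "rawhide" ]]` branch in `_run_setup` silently turns off the `VERSION_ID` comparison for any VM whose image name contains that substring, so test binaries are then copied from a container whose release was never compared with the VM. Log when the check is skipped so a mismatch stays visible in the CI output, for example `msg "Rawhide VM: skipping VERSION_ID check against $SKOPEO_CIDEV_CONTAINER_FQIN"`. Writing the test as `[[ "${VM_IMAGE_NAME:-}" == *rawhide* ]]` reads as the substring match it is and does not depend on every task that calls `setup` defining the variable (whether the script runs under `set -u` is not visible here). `$mnt/etc/os-release` is also unquoted on both `grep` lines. `_run_setup` starts and ends outside the hunk.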
@@ -776,9 +776,9 @@ func (s *copySuite) TestCopySignatures() { // Verify that mis-signed images are rejected assertSkopeoSucceeds(t, "", "--tls-verify=false", "copy", "atomic:localhost:5006/myns/personal:personal", "atomic:localhost:5006/myns/official:attack") assertSkopeoSucceeds(t, "", "--tls-verify=false", "copy", "atomic:localhost:5006/myns/official:official", "atomic:localhost:5006/myns/personal:attack") - assertSkopeoFails(t, ".*Source image rejected: Invalid GPG signature.*", + assertSkopeoFails(t, ".*Source image rejected: (Invalid GPG signature|.* was not found).*", "--tls-verify=false", "--policy", policy, "copy", "atomic:localhost:5006/myns/personal:attack", dirDest) - assertSkopeoFails(t, ".*Source image rejected: Invalid GPG signature.*", + assertSkopeoFails(t, ".*Source image rejected: (Invalid GPG signature|.* was not found).*", "--tls-verify=false", "--policy", policy, "copy", "atomic:localhost:5006/myns/official:attack", dirDest) // Verify that signed identity is verified. @@ -791,7 +791,7 @@ func (s *copySuite) TestCopySignatures() { // Verify that cosigning requirements are enforced assertSkopeoSucceeds(t, "", "--tls-verify=false", "copy", "atomic:localhost:5006/myns/official:official", "atomic:localhost:5006/myns/cosigned:cosigned") - assertSkopeoFails(t, ".*Source image rejected: Invalid GPG signature.*", + assertSkopeoFails(t, ".*Source image rejected: (Invalid GPG signature|.* was not found).*", "--tls-verify=false", "--policy", policy, "copy", "atomic:localhost:5006/myns/cosigned:cosigned", dirDest) assertSkopeoSucceeds(t, "", "--tls-verify=false", "copy", "--sign-by", "personal@example.com", "atomic:localhost:5006/myns/official:official", "atomic:localhost:5006/myns/cosigned:cosigned") 
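Review bot: The alternative `.* was not found` added to the expected-error pattern in `TestCopySignatures` is loose enough to match any rejection whose text contains "was not found", so these assertions no longer show that the image was refused because its signature came from the wrong key. A missing keyring or a missing signature file could presumably produce a matching message and let the mis-signed-image cases pass for the wrong reason. Pin the second alternative to the exact text the Sequoia backend emits for a signature by an untrusted key, or select the expected pattern per build (GPG vs. `containers_image_sequoia`) so each run checks exactly one message. The same pattern appears in both hunks of `TestCopySignatures` and in the `TestCopyDirSignatures` hunk; both functions extend beyond the hunks shown.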
@@ -836,7 +836,7 @@ func (s *copySuite) TestCopyDirSignatures() { // Verify that correct images are accepted assertSkopeoSucceeds(t, "", "--policy", policy, "copy", topDirDest+"/restricted/official", topDirDest+"/dest") // ... and that mis-signed images are rejected. - assertSkopeoFails(t, ".*Source image rejected: Invalid GPG signature.*", + assertSkopeoFails(t, ".*Source image rejected: (Invalid GPG signature|.* was not found).*", "--policy", policy, "copy", topDirDest+"/restricted/personal", topDirDest+"/dest") // Verify that the signed identity is verified. diff --git a/systemtest/050-signing.bats b/systemtest/050-signing.bats index 5d51b552..2f12cb9b 100644 --- a/systemtest/050-signing.bats +++ b/systemtest/050-signing.bats @@ -154,7 +154,7 @@ END_PUSH fi done <