go.mod: update github.com/containers/image/v5

Version 5.22 introduced a new option to /etc/containers/policy.json called keyPaths, see https://github.com/containers/image/pull/1609 EL9 immediately took advantage of this new feature and started using it, see 04645c4a84 This quickly became an issue in our code: The go library (containers/image) parses the configuration file very strictly and refuses to create a client when policy.json with an unknown key is present on the filesystem. As we used 5.21.1 that doesn't know the new key, our unit tests started to failing when containers-common was present. Reproducer: podman run --pull=always --rm -it centos:stream9 dnf install -y dnf-plugins-core dnf config-manager --set-enabled crb dnf install -y gpgme-devel libassuan-devel krb5-devel golang git-core git clone https://github.com/osbuild/osbuild-composer cd osbuild-composer # install the new containers-common and run the test dnf install -y https://kojihub.stream.centos.org/kojifiles/packages/containers-common/1/44.el9/x86_64/containers-common-1-44.el9.x86_64.rpm go test -count 1 ./... # this returns: --- FAIL: TestClientResolve (0.00s) client_test.go:31: Error Trace: client_test.go:31 Error: Received unexpected error: Unknown key "keyPaths" invalid policy in "/etc/containers/policy.json" github.com/containers/image/v5/signature.NewPolicyFromFile /osbuild-composer/vendor/github.com/containers/image/v5/signature/policy_config.go:88 github.com/osbuild/osbuild-composer/internal/container.NewClient /osbuild-composer/internal/container/client.go:123 github.com/osbuild/osbuild-composer/internal/container_test.TestClientResolve /osbuild-composer/internal/container/client_test.go:29 testing.tRunner /usr/lib/golang/src/testing/testing.go:1439 runtime.goexit /usr/lib/golang/src/runtime/asm_amd64.s:1571 Test: TestClientResolve client_test.go:32: Error Trace: client_test.go:32 Error: Expected value not to be nil. Test: TestClientResolve When run with an older containers-common, it succeeds: dnf install -y https://kojihub.stream.centos.org/kojifiles/packages/containers-common/1/40.el9/x86_64/containers-common-1-40.el9.x86_64.rpm go test -count 1 ./... PASS To sum it up, I had to upgrade github.com/containers/image/v5 to v5.22.0. Unfortunately, this wasn't so simple, see go get github.com/containers/image/v5@latest go: github.com/containers/image/v5@v5.22.0 requires github.com/letsencrypt/boulder@v0.0.0-20220331220046-b23ab962616e requires github.com/honeycombio/beeline-go@v1.1.1 requires github.com/gobuffalo/pop/v5@v5.3.1 requires github.com/mattn/go-sqlite3@v2.0.3+incompatible: reading github.com/mattn/go-sqlite3/go.mod at revision v2.0.3: unknown revision v2.0.3 It turns out that github.com/mattn/go-sqlite3@v2.0.3+incompatible has been recently retracted https://github.com/mattn/go-sqlite3/pull/998 and this broke a ton of packages depending on it. I was able to fix it by adding exclude github.com/mattn/go-sqlite3 v2.0.3+incompatible to our go.mod, see https://github.com/mattn/go-sqlite3/issues/975#issuecomment-955661657 After adding it, go get github.com/containers/image/v5@latest succeeded and tools/prepare-source.sh took care of the rest. Signed-off-by: Ondřej Budai <ondrej@budai.cz>
2022-08-28 20:29:14 +02:00 · 2022-08-28 20:29:14 +02:00 · 29f66a251f
commit 29f66a251f
parent fa514c5326
694 changed files with 90636 additions and 50426 deletions
--- a/vendor/github.com/googleapis/enterprise-certificate-proxy/client/client.go
+++ b/vendor/github.com/googleapis/enterprise-certificate-proxy/client/client.go
@ -0,0 +1,151 @@
+// Copyright 2022 Google LLC.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+//
+// Client is a cross-platform client for the signer binary (a.k.a."EnterpriseCertSigner").
+// The signer binary is OS-specific, but exposes a standard set of APIs for the client to use.
+package client
+
+import (
+	"crypto"
+	"crypto/rsa"
+	"crypto/x509"
+	"encoding/gob"
+	"fmt"
+	"io"
+	"net/rpc"
+	"os"
+	"os/exec"
+
+	"github.com/googleapis/enterprise-certificate-proxy/client/util"
+)
+
+const signAPI = "EnterpriseCertSigner.Sign"
+const certificateChainAPI = "EnterpriseCertSigner.CertificateChain"
+const publicKeyAPI = "EnterpriseCertSigner.Public"
+
+// A Connection wraps a pair of unidirectional streams as an io.ReadWriteCloser.
+type Connection struct {
+	io.ReadCloser
+	io.WriteCloser
+}
+
+// Close closes c's underlying ReadCloser and WriteCloser.
+func (c *Connection) Close() error {
+	rerr := c.ReadCloser.Close()
+	werr := c.WriteCloser.Close()
+	if rerr != nil {
+		return rerr
+	}
+	return werr
+}
+
+func init() {
+	gob.Register(crypto.SHA256)
+	gob.Register(&rsa.PSSOptions{})
+}
+
+// SignArgs contains arguments to a crypto Signer.Sign method.
+type SignArgs struct {
+	Digest []byte            // The content to sign.
+	Opts   crypto.SignerOpts // Options for signing, such as Hash identifier.
+}
+
+// Key implements credential.Credential by holding the executed signer subprocess.
+type Key struct {
+	cmd       *exec.Cmd        // Pointer to the signer subprocess.
+	client    *rpc.Client      // Pointer to the rpc client that communicates with the signer subprocess.
+	publicKey crypto.PublicKey // Public key of loaded certificate.
+	chain     [][]byte         // Certificate chain of loaded certificate.
+}
+
+// CertificateChain returns the credential as a raw X509 cert chain. This contains the public key.
+func (k *Key) CertificateChain() [][]byte {
+	return k.chain
+}
+
+// Close closes the RPC connection and kills the signer subprocess.
+// Call this to free up resources when the Key object is no longer needed.
+func (k *Key) Close() error {
+	if err := k.client.Close(); err != nil {
+		return fmt.Errorf("failed to close RPC connection: %w", err)
+	}
+	if err := k.cmd.Process.Kill(); err != nil {
+		return fmt.Errorf("failed to kill signer process: %w", err)
+	}
+	if err := k.cmd.Wait(); err.Error() != "signal: killed" {
+		return fmt.Errorf("signer process was not killed: %w", err)
+	}
+	return nil
+}
+
+// Public returns the public key for this Key.
+func (k *Key) Public() crypto.PublicKey {
+	return k.publicKey
+}
+
+// Sign signs a message by encrypting a message digest, using the specified signer options.
+func (k *Key) Sign(_ io.Reader, digest []byte, opts crypto.SignerOpts) (signed []byte, err error) {
+	err = k.client.Call(signAPI, SignArgs{Digest: digest, Opts: opts}, &signed)
+	return
+}
+
+// Cred spawns a signer subprocess that listens on stdin/stdout to perform certificate
+// related operations, including signing messages with the private key.
+//
+// The signer binary path is read from the specified configFilePath, if provided.
+// Otherwise, use the default config file path.
+//
+// The config file also specifies which certificate the signer should use.
+func Cred(configFilePath string) (*Key, error) {
+	if configFilePath == "" {
+		configFilePath = util.GetDefaultConfigFilePath()
+	}
+	enterpriseCertSignerPath, err := util.LoadSignerBinaryPath(configFilePath)
+	if err != nil {
+		return nil, err
+	}
+	k := &Key{
+		cmd: exec.Command(enterpriseCertSignerPath, configFilePath),
+	}
+
+	// Redirect errors from subprocess to parent process.
+	k.cmd.Stderr = os.Stderr
+
+	// RPC client will communicate with subprocess over stdin/stdout.
+	kin, err := k.cmd.StdinPipe()
+	if err != nil {
+		return nil, err
+	}
+	kout, err := k.cmd.StdoutPipe()
+	if err != nil {
+		return nil, err
+	}
+	k.client = rpc.NewClient(&Connection{kout, kin})
+
+	if err := k.cmd.Start(); err != nil {
+		return nil, fmt.Errorf("starting enterprise cert signer subprocess: %w", err)
+	}
+
+	if err := k.client.Call(certificateChainAPI, struct{}{}, &k.chain); err != nil {
+		return nil, fmt.Errorf("failed to retrieve certificate chain: %w", err)
+	}
+
+	var publicKeyBytes []byte
+	if err := k.client.Call(publicKeyAPI, struct{}{}, &publicKeyBytes); err != nil {
+		return nil, fmt.Errorf("failed to retrieve public key: %w", err)
+	}
+
+	publicKey, err := x509.ParsePKIXPublicKey(publicKeyBytes)
+	if err != nil {
+		return nil, fmt.Errorf("failed to parse public key: %w", err)
+	}
+
+	var ok bool
+	k.publicKey, ok = publicKey.(crypto.PublicKey)
+	if !ok {
+		return nil, fmt.Errorf("invalid public key type: %T", publicKey)
+	}
+
+	return k, nil
+}
--- a/vendor/github.com/googleapis/enterprise-certificate-proxy/client/util/util.go
+++ b/vendor/github.com/googleapis/enterprise-certificate-proxy/client/util/util.go
@ -0,0 +1,72 @@
+// Package util provides helper functions for the client.
+package util
+
+import (
+	"encoding/json"
+	"errors"
+	"io/ioutil"
+	"os"
+	"os/user"
+	"path/filepath"
+	"runtime"
+)
+
+const configFileName = "enterprise_certificate_config.json"
+
+// EnterpriseCertificateConfig contains parameters for initializing signer.
+type EnterpriseCertificateConfig struct {
+	Libs Libs `json:"libs"`
+}
+
+// Libs specifies the locations of helper libraries.
+type Libs struct {
+	SignerBinary string `json:"signer_binary"`
+}
+
+// LoadSignerBinaryPath retrieves the path of the signer binary from the config file.
+func LoadSignerBinaryPath(configFilePath string) (path string, err error) {
+	jsonFile, err := os.Open(configFilePath)
+	if err != nil {
+		return "", err
+	}
+
+	byteValue, err := ioutil.ReadAll(jsonFile)
+	if err != nil {
+		return "", err
+	}
+	var config EnterpriseCertificateConfig
+	err = json.Unmarshal(byteValue, &config)
+	if err != nil {
+		return "", err
+	}
+	signerBinaryPath := config.Libs.SignerBinary
+	if signerBinaryPath == "" {
+		return "", errors.New("Signer binary path is missing.")
+	}
+	return signerBinaryPath, nil
+}
+
+func guessHomeDir() string {
+	// Prefer $HOME over user.Current due to glibc bug: golang.org/issue/13470
+	if v := os.Getenv("HOME"); v != "" {
+		return v
+	}
+	// Else, fall back to user.Current:
+	if u, err := user.Current(); err == nil {
+		return u.HomeDir
+	}
+	return ""
+}
+
+func getDefaultConfigFileDirectory() (directory string) {
+	if runtime.GOOS == "windows" {
+		return filepath.Join(os.Getenv("APPDATA"), "gcloud")
+	} else {
+		return filepath.Join(guessHomeDir(), ".config/gcloud")
+	}
+}
+
+// GetDefaultConfigFilePath returns the default path of the enterprise certificate config file created by gCloud.
+func GetDefaultConfigFilePath() (path string) {
+	return filepath.Join(getDefaultConfigFileDirectory(), configFileName)
+}