go.mod: update github.com/containers/image/v5
Version 5.22 introduced a new option to /etc/containers/policy.json called
keyPaths, see
https://github.com/containers/image/pull/1609
EL9 immediately took advantage of this new feature and started using it, see
04645c4a84
This quickly became an issue in our code: The go library (containers/image)
parses the configuration file very strictly and refuses to create a client
when policy.json with an unknown key is present on the filesystem. As we
used 5.21.1 that doesn't know the new key, our unit tests started to
failing when containers-common was present.
Reproducer:
podman run --pull=always --rm -it centos:stream9
dnf install -y dnf-plugins-core
dnf config-manager --set-enabled crb
dnf install -y gpgme-devel libassuan-devel krb5-devel golang git-core
git clone https://github.com/osbuild/osbuild-composer
cd osbuild-composer
# install the new containers-common and run the test
dnf install -y https://kojihub.stream.centos.org/kojifiles/packages/containers-common/1/44.el9/x86_64/containers-common-1-44.el9.x86_64.rpm
go test -count 1 ./...
# this returns:
--- FAIL: TestClientResolve (0.00s)
client_test.go:31:
Error Trace: client_test.go:31
Error: Received unexpected error:
Unknown key "keyPaths"
invalid policy in "/etc/containers/policy.json"
github.com/containers/image/v5/signature.NewPolicyFromFile
/osbuild-composer/vendor/github.com/containers/image/v5/signature/policy_config.go:88
github.com/osbuild/osbuild-composer/internal/container.NewClient
/osbuild-composer/internal/container/client.go:123
github.com/osbuild/osbuild-composer/internal/container_test.TestClientResolve
/osbuild-composer/internal/container/client_test.go:29
testing.tRunner
/usr/lib/golang/src/testing/testing.go:1439
runtime.goexit
/usr/lib/golang/src/runtime/asm_amd64.s:1571
Test: TestClientResolve
client_test.go:32:
Error Trace: client_test.go:32
Error: Expected value not to be nil.
Test: TestClientResolve
When run with an older containers-common, it succeeds:
dnf install -y https://kojihub.stream.centos.org/kojifiles/packages/containers-common/1/40.el9/x86_64/containers-common-1-40.el9.x86_64.rpm
go test -count 1 ./...
PASS
To sum it up, I had to upgrade github.com/containers/image/v5 to v5.22.0.
Unfortunately, this wasn't so simple, see
go get github.com/containers/image/v5@latest
go: github.com/containers/image/v5@v5.22.0 requires
github.com/letsencrypt/boulder@v0.0.0-20220331220046-b23ab962616e requires
github.com/honeycombio/beeline-go@v1.1.1 requires
github.com/gobuffalo/pop/v5@v5.3.1 requires
github.com/mattn/go-sqlite3@v2.0.3+incompatible: reading github.com/mattn/go-sqlite3/go.mod at revision v2.0.3: unknown revision v2.0.3
It turns out that github.com/mattn/go-sqlite3@v2.0.3+incompatible has been
recently retracted https://github.com/mattn/go-sqlite3/pull/998 and this
broke a ton of packages depending on it. I was able to fix it by adding
exclude github.com/mattn/go-sqlite3 v2.0.3+incompatible
to our go.mod, see
https://github.com/mattn/go-sqlite3/issues/975#issuecomment-955661657
After adding it,
go get github.com/containers/image/v5@latest
succeeded and tools/prepare-source.sh took care of the rest.
Signed-off-by: Ondřej Budai <ondrej@budai.cz>
This commit is contained in:
Ondřej Budai
Tomáš Hozza
parent
fa514c5326
commit
29f66a251f
694 changed files with 90636 additions and 50426 deletions
66
vendor/github.com/letsencrypt/boulder/goodkey/weak.go
generated
vendored
Normal file
66
vendor/github.com/letsencrypt/boulder/goodkey/weak.go
generated
vendored
Normal file
|
|
@ -0,0 +1,66 @@
|
|||
package goodkey
|
||||
|
||||
// This file defines a basic method for testing if a given RSA public key is on one of
|
||||
// the Debian weak key lists and is therefore considered compromised. Instead of
|
||||
// directly loading the hash suffixes from the individual lists we flatten them all
|
||||
// into a single JSON list using cmd/weak-key-flatten for ease of use.
|
||||
|
||||
import (
|
||||
"crypto/rsa"
|
||||
"crypto/sha1"
|
||||
"encoding/hex"
|
||||
"encoding/json"
|
||||
"fmt"
|
||||
"io/ioutil"
|
||||
)
|
||||
|
||||
type truncatedHash [10]byte
|
||||
|
||||
type WeakRSAKeys struct {
|
||||
suffixes map[truncatedHash]struct{}
|
||||
}
|
||||
|
||||
func LoadWeakRSASuffixes(path string) (*WeakRSAKeys, error) {
|
||||
f, err := ioutil.ReadFile(path)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
var suffixList []string
|
||||
err = json.Unmarshal(f, &suffixList)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
wk := &WeakRSAKeys{suffixes: make(map[truncatedHash]struct{})}
|
||||
for _, suffix := range suffixList {
|
||||
err := wk.addSuffix(suffix)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
}
|
||||
return wk, nil
|
||||
}
|
||||
|
||||
func (wk *WeakRSAKeys) addSuffix(str string) error {
|
||||
var suffix truncatedHash
|
||||
decoded, err := hex.DecodeString(str)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
if len(decoded) != 10 {
|
||||
return fmt.Errorf("unexpected suffix length of %d", len(decoded))
|
||||
}
|
||||
copy(suffix[:], decoded)
|
||||
wk.suffixes[suffix] = struct{}{}
|
||||
return nil
|
||||
}
|
||||
|
||||
func (wk *WeakRSAKeys) Known(key *rsa.PublicKey) bool {
|
||||
// Hash input is in the format "Modulus={upper-case hex of modulus}\n"
|
||||
hash := sha1.Sum([]byte(fmt.Sprintf("Modulus=%X\n", key.N.Bytes())))
|
||||
var suffix truncatedHash
|
||||
copy(suffix[:], hash[10:])
|
||||
_, present := wk.suffixes[suffix]
|
||||
return present
|
||||
}
|
||||
Loading…
Add table
Add a link
Reference in a new issue