From fc6dc1ea8b3124641ad7a867a7ac1e0bd7f327dd Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Florian=20Sch=C3=BCller?= Date: Wed, 24 Apr 2024 10:28:36 +0200 Subject: [PATCH] stages/org.osbuild.skopeo: support for "--remove-signatures" --- stages/org.osbuild.skopeo | 8 +++++++- stages/org.osbuild.skopeo.meta.json | 7 ++++++- stages/test/test_skopeo.py | 1 + 3 files changed, 14 insertions(+), 2 deletions(-) diff --git a/stages/org.osbuild.skopeo b/stages/org.osbuild.skopeo index 30bb1bb2..ec62c595 100755 --- a/stages/org.osbuild.skopeo +++ b/stages/org.osbuild.skopeo @@ -13,6 +13,7 @@ def main(inputs, output, options): destination = options["destination"] dest_type = destination["type"] + remove_signatures = destination.get("remove-signatures") for image in images.values(): with containers.container_source(image) as (image_name, image_source): @@ -27,7 +28,12 @@ def main(inputs, output, options): else: raise ValueError(f"Unknown destination type '{dest_type}'") - subprocess.run(["skopeo", "copy", image_source, dest], check=True) + cmd = ["skopeo", "copy"] + if remove_signatures: + cmd.append("--remove-signatures") + cmd.extend([image_source, dest]) + + subprocess.run(cmd, check=True) if dest_type == "containers-storage" and storage_driver == "overlay": # Each time the overlay backend runs on an xfs fs it creates this file: diff --git a/stages/org.osbuild.skopeo.meta.json b/stages/org.osbuild.skopeo.meta.json index 2b6c0b1a..95812a90 100644 --- a/stages/org.osbuild.skopeo.meta.json +++ b/stages/org.osbuild.skopeo.meta.json @@ -64,7 +64,7 @@ "path": { "description": "Location of a tar archive compliant with 'Open Container Image Layout Specification'", "type": "string" - }, + } } }, "destination-dir": { 
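Review bot: `remove_signatures` is read from `destination` in the first hunk of stages/org.osbuild.skopeo, but the new test case in stages/test/test_skopeo.py passes `remove-signatures` as a top-level option next to `destination`, and the schema hunk in org.osbuild.skopeo.meta.json appears to declare it at that level too (the collapsed layout hides the exact nesting). If that reading is right, the lookup always returns `None` and `--remove-signatures` is never appended, so the line should be `remove_signatures = options.get("remove-signatures", False)`. The added test appears to check schema validation only, so a case asserting the argument list handed to `subprocess.run` would catch this kind of mismatch. The body of `main()` starts and ends outside the hunk.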
@@ -126,6 +126,11 @@ "$ref": "#/definitions/destination-dir" } ] + }, + "remove-signatures": { + "type": "boolean", + "default": false, + "description": "Do not copy signatures, if any, from source-image. Necessary when copying a signed image to a destination which does not support signatures." } } } diff --git a/stages/test/test_skopeo.py b/stages/test/test_skopeo.py index 47356a2e..8fac0ff4 100644 --- a/stages/test/test_skopeo.py +++ b/stages/test/test_skopeo.py @@ -25,6 +25,7 @@ STAGE_NAME = "org.osbuild.skopeo" ({"destination": {"type": "oci", "path": "/foo"}}, ""), ({"destination": {"type": "oci-archive", "path": "/foo"}}, ""), ({"destination": {"type": "dir", "path": "/foo"}}, ""), + ({"destination": {"type": "dir", "path": "/foo"}, "remove-signatures": True}, ""), # this one might not be expected but it's valid because we don't require any # *inputs* and it'll be a no-op in the stage
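Review bot: The `description` added for `remove-signatures` in org.osbuild.skopeo.meta.json explains when the option is needed but not what the copy loses. With the option set, the image written to the destination carries no signatures, which matters to anyone who enforces signature verification on the build output. I would append a sentence to the description such as `The resulting image is unsigned; consumers that enforce signature verification will not be able to verify it.` Keeping `"default": false` is the right choice, since signatures are then dropped only on explicit request.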