stages/org.osbuild.skopeo: support for "--remove-signatures"

2024-04-24 10:28:36 +02:00 · 2024-04-24 10:28:36 +02:00 · fc6dc1ea8b
commit fc6dc1ea8b
parent 7de7838534
3 changed files with 14 additions and 2 deletions
--- a/stages/org.osbuild.skopeo
+++ b/stages/org.osbuild.skopeo
@ -13,6 +13,7 @@ def main(inputs, output, options):

    destination = options["destination"]
    dest_type = destination["type"]
+    remove_signatures = destination.get("remove-signatures")

    for image in images.values():
        with containers.container_source(image) as (image_name, image_source):
@ -27,7 +28,12 @@ def main(inputs, output, options):
            else:
                raise ValueError(f"Unknown destination type '{dest_type}'")

-            subprocess.run(["skopeo", "copy", image_source, dest], check=True)
+            cmd = ["skopeo", "copy"]
+            if remove_signatures:
+                cmd.append("--remove-signatures")
+            cmd.extend([image_source, dest])
+
+            subprocess.run(cmd, check=True)

    if dest_type == "containers-storage" and storage_driver == "overlay":
        # Each time the overlay backend runs on an xfs fs it creates this file:
--- a/stages/org.osbuild.skopeo.meta.json
+++ b/stages/org.osbuild.skopeo.meta.json
@ -64,7 +64,7 @@
          "path": {
            "description": "Location of a tar archive compliant with 'Open Container Image Layout Specification'",
            "type": "string"
-          },
+          }
        }
      },
      "destination-dir": {
@ -126,6 +126,11 @@
              "$ref": "#/definitions/destination-dir"
            }
          ]
+        },
+        "remove-signatures": {
+          "type": "boolean",
+          "default": false,
+          "description": "Do not copy signatures, if any, from source-image. Necessary when copying a signed image to a destination which does not support signatures."
        }
      }
    }
--- a/stages/test/test_skopeo.py
+++ b/stages/test/test_skopeo.py
@ -25,6 +25,7 @@ STAGE_NAME = "org.osbuild.skopeo"
    ({"destination": {"type": "oci", "path": "/foo"}}, ""),
    ({"destination": {"type": "oci-archive", "path": "/foo"}}, ""),
    ({"destination": {"type": "dir", "path": "/foo"}}, ""),
+    ({"destination": {"type": "dir", "path": "/foo"}, "remove-signatures": True}, ""),

    # this one might not be expected but it's valid because we don't require any
    # *inputs* and it'll be a no-op in the stage