Add support for OCI Image signing (spec v1.0)

[Xynnn007]

Summary

This PR helps to implement OCI Image Signing due to #125.

But please notice that this PR only uses the OCI Spec v1.0 (instead of v1.1, which brings referrer mechinism)

Release Note

• Added push related functions for ClientCapabilities and related impls
• Fixed a bug when converting sigstore::ClientConfig into oci_distribution::ClientConfig
• Fixed a bug when parsing a private key file RSA was not considered.
• Added some Debug, ToString, Eq, PartialEq macros and functions to enums and structs of crypto mod.
• Refactored SimpleSigning as a sub module for payloads
• Added OCI Image signing support together with some unit tests and examples.
• Changed signature field of SignatureLayer into an Option, which helps when we meet a SignatureLayer that is to be signed.
• Added a switch of http/https when access a registry for examples/cosign/verify

Documentation

Please see the examples/cosign/sign/README.md for the guide of OCI Image Signing.

[Xynnn007]

The Clippy CI error is not caused by this PR. It can be fixed in another PR.

[lukehinds]

awesome, will take a look early next week @Xynnn007 !

What's the reasoning behind 1.0 support over 1.1?

[Xynnn007]

What's the reasoning behind 1.0 support over 1.1?

The reason may be three I think:

• It is still in rc stage.
• I did not find related spec in sigstore/cosign to apply cosign signing to v1.1 registry
• upstream oci-distribution is not ready for referrers api of v1.1 spec

For first: #125 (comment).
I've read some of the specs in opencontainers/images and opencontainers/distribution-spec. I think that v1.1 spec is still in rc stage, as https://github.com/opencontainers/image-spec/releases shows.

For second, I checked code and spec in sigstore/cosign roughly, and did not find the guide that defines how we store signatures in an oci registry v1.1. If any please tell me the link please. If not, I think we should make a new spec to apply the in-coming registry if v1.1 spec with referrer API. And I'd like to join the discussion of the spec :-)

For third, https://github.com/krustlet/oci-distribution still needs to be developed.

Besides, current implementation may have extensibility to support v2 spec, s.t. might not need much refactor.

[lukehinds]

makes sense.

@imjasonh is a good source for OCI specs

[Xynnn007]

makes sense.

@imjasonh is a good source for OCI specs

Thanks for introducing!

For second, I checked code and spec in sigstore/cosign roughly, and did not find the guide that defines how we store signatures in an oci registry v1.1. If any please tell me the link please. If not, I think we should make a new spec to apply the in-coming registry if v1.1 spec with referrer API. And I'd like to join the discussion of the spec :-)

Got it here sigstore/cosign#1397. But as @imjasonh mentioned, the work for golang version is going on upsteam google/go-containerregistry#1455. Maybe the work on the rust side should also start. Let me propose an issue first ;-).

FYI oras-project/rust-oci-client#51

[flavio]

Fantastic job! 👏

Overall LGTM, I left some minor comments

[flavio]

reminder: because of this and other refactors the public API changed, hence we will have to do a minor release

[Xynnn007]

BTW, this pr includes a new feature "test-registry", which is not triggered by CI now. Do we need to need to add a switch for this feature, or directly enable it in GitHub CI?

[flavio]

Thanks for the changes you've made!

[flavio]

BTW, this pr includes a new feature "test-registry", which is not triggered by CI now. Do we need to need to add a switch for this feature, or directly enable it in GitHub CI?

I would be fine making the test-trigger a default feature, like we're doing with oci-distribution

This would ensure these tests are run also inside of GitHub's CI

[Xynnn007]

BTW, this pr includes a new feature "test-registry", which is not triggered by CI now. Do we need to need to add a switch for this feature, or directly enable it in GitHub CI?

I would be fine making the test-trigger a default feature, like we're doing with oci-distribution

This would ensure these tests are run also inside of GitHub's CI

Agreed, and have fixed it

[Xynnn007]

Another significant problem I meet:
Given that upstream oci_distribution has not support OCI Image Configuration, I use an empty json here to fill the Configuration. https://github.com/sigstore/sigstore-rs/pull/158/files#diff-3974fb3df6df5c9e9da01fb27e58de8f8681f4c14898cf0d4dfe2e08e638f9d0R34

I have tried with test registry, but no error had occurred. I wonder whether it is ok now?

And we surely need to fix it then, though.

cc @imjasonh

[flavio]

Thanks a lot for having incorporated all the feedback.

LGTM

[lukehinds]

This looks good to me, but I am not able to test this as registries typically need auth

Do we need to code in auth mechanisms in this or a follow up patch?

docker login
Authenticating with existing credentials...
Login Succeeded

cargo run --example sign -- \
    --key cosign.key \
    --image lukehinds/cosign-test:latest \
    --signing-scheme ECDSA_P256_SHA256_ASN1 \
    --password p6ssw0rd \
    --http \
    --annotations a=1

Image signing failed: Cannot fetch manifest of docker.io/lukehinds/cosign-test:latest: Not authorized: url http://registry-1.docker.io/v2/lukehinds/cosign-test/manifests/latest

[Xynnn007]

Do we need to code in auth mechanisms in this or a follow up patch?

I can add something to support BasicAuth in this pr.

For upstream oci_distribution does not support identity token now, we cannot automatically use identity token in ~/.docker/config.json. We can promote it in the future, when the upstream supports identity token.

[Xynnn007]

Hi @lukehinds I've added some code to retrieve credential to access a registry, which will help the command that you'd tried. Still, is it proper to include in this PR? If not, I can split it into another.

[flavio]

LGTM. I would like to merge it

[flavio]

Please file a PR against the upstream project.