From 6dc3ae06bbf2597d6da68b4a7545f6b1da28e7b8 Mon Sep 17 00:00:00 2001
From: "Lance R. Vick"
Date: Fri, 22 Dec 2023 23:28:14 -0800
Subject: [PATCH] initial containers-policy.json compatible signer script
---
 src/sign.sh | 27 +++++++++++++++++++++++++++
 1 file changed, 27 insertions(+)
 create mode 100644 src/sign.sh
diff --git a/src/sign.sh b/src/sign.sh
new file mode 100644
index 0000000..3151a7d
--- /dev/null
+++ b/src/sign.sh
@@ -0,0 +1,27 @@
+#!/bin/bash
+set -eux
+
+# Generate container image signatures in PGP sigstore format
+
+REGISTRY=${1?}
+NAME=${2?}
+
+ID=$(docker image ls --format '{{.ID}}' --no-trunc "${REGISTRY}/${NAME}")
+DIR=sig/${REGISTRY}/${NAME}@sha256=${ID}
+SIGNUM=1
+
+mkdir -p ${DIR}
+
+[ -f ${DIR}/signature-1 ] \
+ && LASTSIGNUM=$( \
+ find ${DIR} -type f -printf "%f\n" \
+ | sort \
+ | tail -n1 \
+ | sed 's/signature-//' \
+ ) \
+ && let "SIGNUM=LASTSIGNUM+1"
+
+printf \
+ '[{"critical":{"identity":{"docker-reference":"%s/%s"},"image":{"docker-manifest-digest":"%s"},"type":"pgp container image signature"},"optional":null}]' \
+ "$REGISTRY" "$NAME" "$ID" \
+ | gpg --sign > ${DIR}/signature-${SIGNUM}
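Review bot: `ID=$(docker image ls --format '{{.ID}}' --no-trunc …)` resolves to the local image ID (`sha256:<config-hex>`), which is not the registry manifest digest that the signature's `docker-manifest-digest` field and the sigstore path `…@sha256=<hex>` are meant to bind, so a containers-policy verifier would as far as I can tell never match this signature to the pushed image; the directory name also comes out as `…@sha256=sha256:<hex>` because the `sha256:` prefix is never stripped, and an unknown image leaves `ID` empty without tripping `set -e`. A safer source is the repo digest of the image as pushed or pulled (`docker image inspect --format '{{index .RepoDigests 0}}'`), with the hex validated before it is used in a path or signed. Separately, `sort | tail -n1` in the LASTSIGNUM block sorts lexically, so once `signature-10` exists the next run reads `signature-9`, computes SIGNUM=10 and overwrites an existing signature; `sort -t- -k2,2n` fixes that. `${DIR}` is built from unvalidated argv and used unquoted in `mkdir`, `[ -f ]`, `find` and the final redirection, so a `REGISTRY`/`NAME` containing whitespace, glob characters or `..` lands somewhere other than `sig/`; quoting every use and rejecting `..`/absolute components would close that.
```shell
# … unchanged: shebang, set -eux, REGISTRY/NAME …
case "${REGISTRY}/${NAME}" in
  /*|*/../*|*/..|../*) echo "refusing path-like image reference" >&2; exit 1 ;;
esac
ID=$(docker image inspect --format '{{index .RepoDigests 0}}' "${REGISTRY}/${NAME}")
ID=${ID#*@sha256:}
[[ "$ID" =~ ^[0-9a-f]{64}$ ]] || { echo "no repo digest for ${REGISTRY}/${NAME}" >&2; exit 1; }
DIR="sig/${REGISTRY}/${NAME}@sha256=${ID}"
SIGNUM=1
mkdir -p "${DIR}"
[ -f "${DIR}/signature-1" ] \
 && LASTSIGNUM=$( \
 find "${DIR}" -type f -printf "%f\n" \
 | sort -t- -k2,2n \
 | tail -n1 \
 | sed 's/signature-//' \
 ) \
 && let "SIGNUM=LASTSIGNUM+1"
# … unchanged: printf of the signature JSON …
 | gpg --sign > "${DIR}/signature-${SIGNUM}"
```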