From ff3068c58da76204af6baa8a431282222ca3ead3 Mon Sep 17 00:00:00 2001
From: MichalPysik
Date: Wed, 12 Jun 2024 13:15:07 +0200
Subject: [PATCH] Sign ignores .sig, .att, .sbom
The signing tasks no longer signs cosign signatures, attestations and sboms (images that end with .sigg, .att, or .sbom) and ignores them instead.
closes #1347
---
 CHANGES/1347.bugfix | 2 ++
 pulp_container/app/tasks/sign.py | 10 +++++++---
 2 files changed, 9 insertions(+), 3 deletions(-)
 create mode 100644 CHANGES/1347.bugfix
diff --git a/CHANGES/1347.bugfix b/CHANGES/1347.bugfix
new file mode 100644
index 000000000..5656e314b
--- /dev/null
+++ b/CHANGES/1347.bugfix
@@ -0,0 +1,2 @@
+The pulp signing task that produces atomic type signature no longer signs cosign signatures,
+attestations and sboms (images that end with .sig, .att, or .sbom), and ignores them instead.
diff --git a/pulp_container/app/tasks/sign.py b/pulp_container/app/tasks/sign.py
index e37dfb49b..958c80b8b 100644
--- a/pulp_container/app/tasks/sign.py
+++ b/pulp_container/app/tasks/sign.py
@@ -5,6 +5,7 @@ from aiofiles import tempfile
 from asgiref.sync import sync_to_async
 from django.conf import settings
+from django.db.models import Q
 from pulpcore.plugin.models import Repository
@@ -46,12 +47,15 @@ def sign(repository_pk, signing_service_pk, reference, tags_list=None):
 latest_version = repository.latest_version()
 if tags_list:
 latest_repo_content_tags = latest_version.content.filter(
- pulp_type=Tag.get_pulp_type(), pk__in=tags_list
+ pulp_type=Tag.get_pulp_type(),
+ pk__in=tags_list,
 )
 else:
 latest_repo_content_tags = latest_version.content.filter(pulp_type=Tag.get_pulp_type())
- latest_repo_tags = Tag.objects.filter(pk__in=latest_repo_content_tags).select_related(
- "tagged_manifest"
+ latest_repo_tags = (
+ Tag.objects.filter(pk__in=latest_repo_content_tags)
+ .select_related("tagged_manifest")
+ .exclude(Q(name__endswith=".sig") | Q(name__endswith=".att") | Q(name__endswith=".sbom"))
 )
 signing_service = ManifestSigningService.objects.get(pk=signing_service_pk)
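Review bot: The new `.exclude(...)` matches on the tag-name suffix alone, so an ordinary image whose tag merely ends in `.sig`, `.att` or `.sbom` (a constructed example: `nightly.sbom`) is now silently left unsigned, even when its pk was passed explicitly in `tags_list`. Cosign names its artifacts `sha256-<digest>.<suffix>`, so anchoring the match to that shape would limit the skip to cosign objects, e.g. `.exclude(name__regex=r"^sha256-[0-9a-f]{64}\.(sig|att|sbom)$")`. Consider also logging the names of the skipped tags, so an operator can see why an expected signature is missing. The diffstat shows only the changelog and this file, so a test covering both a cosign-style tag and a look-alike tag would be worth adding; the body of `sign` continues outside the hunk.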