Show signature details on container registry page
What does this MR do and why?
On the Project -> Settings -> Deploy -> Container Registry page, we show a list of Docker image tags:
Each tag can be signed with a signature. The signature data is already available through GraphQL. This MR adds a Signed badge next to the image name if it's signed, and also adds the signature details (there can be multiple) to the toggle-able details menu:
How to set up and validate locally
It's extremely involved to set up a local environment that creates the signatures and returns them in the GraphQL data. You can see what the production data looks like by running this query (source project):
GraphQL query
query {
  containerRepository(id: "gid://gitlab/ContainerRepository/6340028") {
    manifest(reference: "sha256:ce9645c76a4695781d93febc2c259fe70b29c7d3bc9ad3750337e783ba1029da")
    tags(first: 100, referrers: true) {
      nodes {
        digest
        name
        referrers {
          artifactType
          digest
        }
      }
    }
  }
}
But to verify locally, we will mock the GraphQL response rather than go through the lengthy setup process.
Enable the container registry and generate tags
- On your local machine, you must set up Docker and a local GitLab runner using the docker executor.
- Stop your local GDK.
- Edit your config/gitlab.yml file. Find the top-level registry: key and change enabled: false to enabled: true:
    registry:
      enabled: true
- Start your local GDK. Verify that the last line of output says "A container registry is available at 127.0.0.1:5000."
- Clone this project locally: https://gitlab.com/dftian/container-signing
- Check if the Settings -> Deploy -> Container Registry nav item is shown. If not, try restarting your GDK. This happens because the image is still starting up and is not ready by the time GDK has started. The registry stays running between GDK restarts.
- Run a pipeline against the master branch.
- Go to Settings -> Deploy -> Container Registry. There should be one registry shown. Click on it. There should be 3 tags shown.
Set up mock response
Please watch this video walkthrough (with audio commentary) on how to mock the responses using the Tweak browser extension:
Referrers data to paste:
[
{ "artifactType": "application/vnd.dev.cosign.artifact.sig.v1+json", "digest": "sha256sum:1b81b789e3ed3adda80cd471bc1a0b6552c1f84c5321f61a5982f2994d53e521" },
{ "artifactType": "application/vnd.dev.cosign.artifact.sig.v1+json", "digest": "sha256sum:003a048c50d901e4060012598baa45eaf2d6ec8cd791df16c7b46a0a136cc120" }
]
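As an added example that is not part of this MR, the following JavaScript shows how the Signed badge state and the per-tag signature list described above can be derived from the referrers shape used in the mock data; the function names and the non-signature artifactType in the constructed sample are assumptions.

```javascript
// Added example, not code from the MR. Names are assumptions. Derives the "Signed"
// badge state and the signature list for each tag from `tags.nodes[].referrers`.
const COSIGN_SIGNATURE_ARTIFACT_TYPE = 'application/vnd.dev.cosign.artifact.sig.v1+json';

// Keep only referrers that are cosign signatures. `referrers` is absent when the
// query does not ask for `referrers: true`, so a missing value means "none found".
function signaturesForTag(tag) {
  const referrers = Array.isArray(tag.referrers) ? tag.referrers : [];
  return referrers
    .filter((r) => r && r.artifactType === COSIGN_SIGNATURE_ARTIFACT_TYPE && typeof r.digest === 'string')
    .map((r) => ({ artifactType: r.artifactType, digest: r.digest }));
}

// The badge is shown when at least one cosign signature referrer exists.
function isSigned(tag) {
  return signaturesForTag(tag).length > 0;
}

// Shape a GraphQL response into rows for the tag list: name, digest, badge state
// and the signatures to render in the details menu.
function summarizeTags(response) {
  const nodes = response?.data?.containerRepository?.tags?.nodes ?? [];
  return nodes.map((tag) => ({
    name: tag.name,
    digest: tag.digest,
    signed: isSigned(tag),
    signatures: signaturesForTag(tag),
  }));
}

// Constructed sample response (placeholder digests): one tag with two signatures,
// one with a non-signature referrer, one with no referrers at all.
const sig = (n) => ({ artifactType: COSIGN_SIGNATURE_ARTIFACT_TYPE, digest: `sha256:CONSTRUCTED-sig-${n}` });
const SAMPLE_RESPONSE = {
  data: {
    containerRepository: {
      tags: {
        nodes: [
          { name: 'v1.0', digest: 'sha256:CONSTRUCTED-tag-1', referrers: [sig(1), sig(2)] },
          { name: 'v1.1', digest: 'sha256:CONSTRUCTED-tag-2',
            referrers: [{ artifactType: 'application/vnd.example.other+json', digest: 'sha256:CONSTRUCTED-other' }] },
          { name: 'latest', digest: 'sha256:CONSTRUCTED-tag-3', referrers: [] },
        ],
      },
    },
  },
};
```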
Things to verify
- Verify that the Signed badge is shown.
- Verify that when the triple dot menu is clicked to show the tag details, the signatures are shown with their digests.
Related to #442848