
Show signature details on container registry page

What does this MR do and why?

On the Project -> Settings -> Deploy -> Container Registry page, we show a list of Docker image tags:

[Screenshot: ksnip_20240507-123109]

Each tag can carry one or more signatures, and the signature data is already exposed through GraphQL. This MR adds a Signed badge next to the image name when the tag is signed, and lists the signature details (there can be multiple) in the toggle-able details menu:

[Screenshot: ksnip_20240507-123409]

How to set up and validate locally

Setting up a local environment that creates the signatures and returns them in the GraphQL data is extremely involved. You can see what the production data looks like by running this query (source project):

GraphQL query:

query {
  containerRepository(id:"gid://gitlab/ContainerRepository/6340028") {
    manifest(reference: "sha256:ce9645c76a4695781d93febc2c259fe70b29c7d3bc9ad3750337e783ba1029da")
    tags(first: 100, referrers: true) {
      nodes {
        digest
        name
        referrers {
          artifactType
          digest
        }
      }
    }
  }
}

But to verify locally, we will mock the GraphQL response rather than go through the lengthy setup process.

Enable the container registry and generate tags

  1. On your local machine, set up Docker and a local GitLab runner using the docker executor.
  2. Stop your local GDK.
  3. Edit your config/gitlab.yml file. Find the top-level registry: key and change enabled: false to enabled: true:

     registry:
       enabled: true

  4. Start your local GDK. Verify that the last line of output says A container registry is available at 127.0.0.1:5000.
  5. Clone this project locally: https://gitlab.com/dftian/container-signing
  6. Check whether the Settings -> Deploy -> Container Registry nav item is shown. If it is not, restart your GDK: the registry image may still be starting up and not ready by the time GDK has finished starting. The registry stays running between GDK restarts.
  7. Run a pipeline against the master branch.
  8. Go to Settings -> Deploy -> Container Registry. There should be one registry shown. Click on it. There should be 3 tags shown.

Set up mock response

Please watch this video walkthrough (with audio commentary) on how to mock the responses using the Tweak browser extension:

[Video walkthrough: 2024-05-08_16-51-49]

Referrers data to paste:

[
  { "artifactType": "application/vnd.dev.cosign.artifact.sig.v1+json", "digest": "sha256sum:1b81b789e3ed3adda80cd471bc1a0b6552c1f84c5321f61a5982f2994d53e521" },
  { "artifactType": "application/vnd.dev.cosign.artifact.sig.v1+json", "digest": "sha256sum:003a048c50d901e4060012598baa45eaf2d6ec8cd791df16c7b46a0a136cc120" }
]

Things to verify

  1. Verify that the Signed badge is shown.
  2. Verify that when the triple dot menu is clicked to show the tag details, the signatures are shown with their digests.

Related to #442848

Edited by Daniel Tian
