feat(cli): sign/verify support #895
Merged
jakobmoellerdev merged 31 commits intoOct 1, 2025
### What this does

- Updated multiple Go module dependencies in the `cli/go.mod` and `cli/go.sum` files, improving compatibility and functionality.
- Upgraded `go.yaml.in/yaml/v2` to v2.4.3 and `ocm.software/open-component-model/bindings` modules to their latest versions, including `credentials`, `repository`, and `descriptor`.
- Updates to `golang.org/x/net` and `github.com/dlclark/regexp2` etc., for bug fixes and stability enhancements.
- Introduced `compref/options.go` in `cli/internal/reference` to handle CTF access mode options:
  - Added `Options` struct and related functionality for applying and creating CTF configuration.
  - Included `WithCTFAccessMode` configuration helper.

### Why this change is needed

- Keeps Go dependencies up-to-date to leverage bug fixes, security patches, and feature enhancements.
- The new `compref/options.go` enables better configurability and modular handling of CTF-related options, improving maintainability and extendability.

Signed-off-by: Jakob Möller <jakob.moeller@sap.com>
#### What this does

- Added a new `SigningRegistry` to manage signing handler plugins.
- Integrated signing handler support into the plugin manager and registries.
- Updated dependencies in `go.mod` and `go.sum` to include the signing library.
- Adjusted test cases to align with the new signing plugin functionality.

#### Why this change is needed

- Expands the plugin framework capabilities to include signing handlers for enhanced security and verification processes.
- Improves extensibility by enabling seamless integration and management of signing plugins.
- Ensures alignment with the evolving requirements for cryptographic operations on component descriptors.

Signed-off-by: Jakob Möller <jakob.moeller@sap.com>
### What this does

- Upgraded `ocm.software/open-component-model/bindings/go/descriptor/runtime` from `v0.0.0-20250909064434-e1a06fe74668` to `v0.0.0-20250915165427-710b0c881b3c`.
- Updated `go.mod` and `go.sum` to reflect the newer version.

Signed-off-by: Jakob Möller <jakob.moeller@sap.com>
Signed-off-by: Jakob Möller <jakob.moeller@sap.com>
Signed-off-by: Jakob Möller <jakob.moeller@sap.com>
### What this does

- Introduced a new Go-based test signing handler plugin under `plugin/internal/testplugin-signinghandler`.
- Implements basic signing and verifying capabilities with dummy data for testing purposes:
  - `Sign` and `Verify` operations.
  - Retrieval of signer and verifier identities.
- Added plugin initialization logic with logging, configuration parsing, and capability registration.

### Why this change is needed

- Provides a foundation for testing signing plugin functionality within the Open Component Model ecosystem.
- Supports the development and verification of plugin-based cryptographic operations with minimal overhead.

Signed-off-by: Jakob Möller <jakob.moeller@sap.com>
…-signing-cli-rebase

# Conflicts:
# bindings/go/plugin/manager/registries/signinghandler/converter.go
# bindings/go/plugin/manager/registries/signinghandler/endpoints_function.go
# bindings/go/plugin/manager/registries/signinghandler/endpoints_function_test.go
# bindings/go/plugin/manager/registries/signinghandler/handlers_test.go
# bindings/go/plugin/manager/registries/signinghandler/implementations.go
# bindings/go/plugin/manager/registries/signinghandler/implementations_test.go
# bindings/go/plugin/manager/registries/signinghandler/registry_test.go
# cli/cmd/add/component-version/cmd.go
# cli/go.mod
# cli/go.sum
# cli/integration/go.mod
# cli/integration/go.sum
# cli/internal/repository/ocm/repository.go
Signed-off-by: Jakob Möller <jakob.moeller@sap.com>
…rebase

Signed-off-by: Jakob Möller <jakob.moeller@sap.com>

# Conflicts:
# cli/go.mod
# cli/go.sum
# cli/integration/go.mod
# cli/integration/go.sum

…rebase

Signed-off-by: Jakob Möller <jakob.moeller@sap.com>

2e44ad0 to 8372afb
Signed-off-by: Jakob Möller <jakob.moeller@sap.com>
Signed-off-by: Jakob Möller <jakob.moeller@sap.com>
Signed-off-by: Jakob Möller <jakob.moeller@sap.com>
Signed-off-by: Jakob Möller <jakob.moeller@sap.com>
46df4cf to 58bad55
matthiasbruns left a comment (Contributor)

CLI implementation looks solid

My two cents
- duplicated code in sign and verify
- I feel that CLI has a lot of responsibilities, maybe we should move stuff out of the command itself to make things more reusable
- Moved digest generation and verification logic to a new `signing` package for better modularity and maintainability.
- Updated commands to use the `signing` package for digest operations.
- Adjusted flag descriptions for `--signer-spec` and `--verifier-spec` to clarify default behavior.

This refactor centralizes digest-related operations, making it easier to test, extend, and maintain. Additionally, the changes improve user-facing documentation and flag usability.

Signed-off-by: Jakob Möller <jakob.moeller@sap.com>
Member
Author
I think that's a good point, but I'm wondering how you would like to split behavior. I'm happy to hear any suggestions
…t versions

- Refactored `VerifyComponentVersion` to `SignComponentVersion` to align with its primary functionality.
- Added support for output formats (`json`, `yaml`) using a new `--output` flag.
- Introduced the capability to load signer specifications via `runtime.Typed` from external files.
- Enhanced context checks for better error handling during repository and plugin manager initialization.
- Improved logging for actions like credential usage, signature overwriting, and successful operations.
- Simplified flag handling and validated consistency for signature-related operations.
- Abstracted signer specification loading and rendering as reusable utilities for clarity and maintainability.

These improvements streamline signing workflows, enhance user flexibility with output formats, and improve robustness through better error handling and logging.

Signed-off-by: Jakob Möller <jakob.moeller@sap.com>

e3f789e to 87dad40

fabianburth reviewed Sep 25, 2025

…ication

Signed-off-by: Jakob Möller <jakob.moeller@sap.com>
Signed-off-by: Jakob Möller <jakob.moeller@sap.com>
Signed-off-by: Jakob Möller <jakob.moeller@sap.com>
17e1cae to 05ca493

fabianburth reviewed Sep 26, 2025
Signed-off-by: Jakob Möller <jakob.moeller@sap.com>
Skarlso previously approved these changes Sep 29, 2025

…rebase

Signed-off-by: Jakob Möller <jakob.moeller@sap.com>

# Conflicts:
# cli/go.mod
# cli/go.sum
# cli/integration/go.mod

6bcd064 to de93ee2

fabianburth requested changes Sep 30, 2025
Signed-off-by: Jakob Möller <jakob.moeller@sap.com>
fabianburth previously approved these changes Sep 30, 2025

…rebase

# Conflicts:
# .github/config/wordlist.txt

Contributor

I think this is a general problem with the ci right now - we can discuss this outside of this pr

matthiasbruns approved these changes Oct 1, 2025

Skarlso approved these changes Oct 1, 2025
### What this does

adds `ocm sign cv`/`ocm verify cv` support to OCM CLI.

### Why this change is needed

This actually uses the handlers prepared before for OCM signing support in open-component-model/ocm-project#648

Needs #885

fix open-component-model/ocm-project#649