From 3d1b7b30199c034712f912cbcaa1300b1d797fff Mon Sep 17 00:00:00 2001
From: Dimitri John Ledkov
Date: Fri, 13 Dec 2024 22:57:43 +0000
Subject: [PATCH 1/5] sign: switch to SHA2-256 signature by default

Switch to SHA2-256 signature by default for the `melange sign` command. Use the same runtime opt-out back to SHA1 signatures as apko. With apko from: - https://github.com/chainguard-dev/apko/pull/1440 This will use RSA256 signature type for both .apk & APKINDEX.tar.gz signing.
---
 Makefile | 2 ++
 pkg/build/sign.go | 20 +++++++++++++++-----
 pkg/sign/apk_test.go | 16 ++++++++++++----
 3 files changed, 29 insertions(+), 9 deletions(-)

diff --git a/Makefile b/Makefile
index 1a01ea5b9..eebfcc349 100644
--- a/Makefile
+++ b/Makefile
@@ -148,10 +148,12 @@ lint: checkfmt setup-golangci-lint ## Run linters and checks like golangci-lint
 .PHONY: unit
 unit:
  go test ./... -race
+ SIGNING_DIGEST=SHA1 go test ./... -race
 
 .PHONY: integration
 integration:
  go test ./... -race -tags=integration
+ SIGNING_DIGEST=SHA1 go test ./... -race -tags=integration
 
 .PHONY: test
 test: integration
diff --git a/pkg/build/sign.go b/pkg/build/sign.go
index 9d648b142..685c1defa 100644
--- a/pkg/build/sign.go
+++ b/pkg/build/sign.go
@@ -22,6 +22,21 @@ type ApkSigner interface {
  SignatureName() string
 }
 
+var melangeApkDigest crypto.Hash
+
+func init() {
+ melangeApkDigest = crypto.SHA256
+ if digest, ok := os.LookupEnv("SIGNING_DIGEST"); ok {
+ switch digest {
+ case "SHA256":
+ case "SHA1":
+ melangeApkDigest = crypto.SHA1
+ default:
+ panic(fmt.Errorf("unsupported SIGNING_DIGEST"))
+ }
+ }
+}
+
 func EmitSignature(ctx context.Context, signer ApkSigner, controlData []byte, sde time.Time) ([]byte, error) {
  _, span := otel.Tracer("melange").Start(ctx, "EmitSignature")
  defer span.End()
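Review bot: The `init()` added here aborts every melange command, not just `melange sign`, when `SIGNING_DIGEST` holds an unrecognised value, because the variable is parsed at package load rather than when a signer is constructed, and the panic message omits the value that was rejected; `panic(fmt.Errorf("unsupported SIGNING_DIGEST %q (want SHA256 or SHA1)", digest))` at least tells the operator what to fix. Since this environment variable silently weakens every signature the process emits, the new package variable needs a doc comment naming the knob and its default, e.g. `// melangeApkDigest is the digest used for .apk and APKINDEX signatures: SHA-256 by default, SHA-1 when SIGNING_DIGEST=SHA1 is set in the environment (the same opt-out apko honours).` A log line in the `"SHA1"` branch would also make a downgraded build visible in CI output rather than only in the resulting signature name. The hunk does not show the import block, so `os` and `fmt` may need adding there.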
@@ -73,12 +88,7 @@ type KeyApkSigner struct {
  KeyPassphrase string
 }
 
-const melangeApkDigest = crypto.SHA1
-
-// const melangeApkDigest = crypto.SHA256
-
 func (s KeyApkSigner) Sign(control []byte) ([]byte, error) {
-
  controlDigest, err := sign.HashData(control, melangeApkDigest)
  if err != nil {
  return nil, err
diff --git a/pkg/sign/apk_test.go b/pkg/sign/apk_test.go
index 45fb0538f..e25964474 100644
--- a/pkg/sign/apk_test.go
+++ b/pkg/sign/apk_test.go
@@ -54,10 +54,18 @@ func TestAPK(t *testing.T) {
  if err != nil {
  t.Fatal(err)
  }
- melangeApkDigest := crypto.SHA1
- prefix := ".SIGN.RSA."
- // melangeApkDigest := crypto.SHA256
- // prefix := ".SIGN.RSA256."
+ melangeApkDigest := crypto.SHA256
+ prefix := ".SIGN.RSA256."
+ if digest, ok := os.LookupEnv("SIGNING_DIGEST"); ok {
+ switch digest {
+ case "SHA256":
+ case "SHA1":
+ melangeApkDigest = crypto.SHA1
+ prefix = ".SIGN.RSA."
+ default:
+ t.Fatalf("unsupported SIGNING_DIGEST")
+ }
+ }
  if sigName != prefix+testPubkey {
  t.Fatalf("unexpected signature name %s", sigName)
  }
From ba604671c0e709b5a649ad9f60c0423a165aca62 Mon Sep 17 00:00:00 2001
From: Dimitri John Ledkov
Date: Fri, 13 Dec 2024 23:08:21 +0000
Subject: [PATCH 2/5] upgrade to 3.13

---
 e2e-tests/numpy-test.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/e2e-tests/numpy-test.yaml b/e2e-tests/numpy-test.yaml
index 67fc4e4bb..89d19dea3 100644
--- a/e2e-tests/numpy-test.yaml
+++ b/e2e-tests/numpy-test.yaml
@@ -12,12 +12,12 @@ test:
  # TODO(pnasrat): fix to use multiple python
  contents:
  packages:
- - python-3.12
+ - python-3.13
  pipeline:
  # Test import with command (python -c "import numpy")
  - uses: python/test
  with:
- command: python3.12 -c "import numpy"
+ command: python3.13 -c "import numpy"
  # Test import directly (python -c "import numpy")
  - uses: python/import
  with:
From 8cd97dfe848af6f2e4a3e18e50a837d74b9d7f5c Mon Sep 17 00:00:00 2001
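Review bot: `Sign` now hashes with the process-wide `melangeApkDigest` selected in `init()`, but nothing in this hunk ties that digest to the signature file name, and `KeyApkSigner.SignatureName()` is outside the hunk; the test further down pairs `crypto.SHA256` with the `.SIGN.RSA256.` prefix, so if `SignatureName()` still returns `.SIGN.RSA.` unconditionally the package would carry a SHA-256 signature under a SHA-1 name and fail verification. Worth confirming that `SignatureName()` switches on the same variable and returns the `.SIGN.RSA256.` prefix exactly when `melangeApkDigest == crypto.SHA256`, so the two cannot drift apart. A one-line comment on the `HashData` call, `// digest must match SignatureName(): RSA256 for SHA-256, RSA for SHA-1`, records that coupling for the next change. The body of `Sign` continues past the end of the hunk.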
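Review bot: The test re-implements the `SIGNING_DIGEST` parsing instead of deriving the expected digest and prefix from the code under test, so the two parsers can drift (a spelling accepted by one and rejected by the other) and the run would stop with `unsupported SIGNING_DIGEST` rather than detect a signing mismatch; if `pkg/sign` exposes the digest it selected, assert against that. At minimum the failure should show what was rejected: `t.Fatalf("unsupported SIGNING_DIGEST %q", digest)`. A short comment above the block, `// Mirror the SIGNING_DIGEST opt-out so both digests are exercised by make unit.`, explains why a unit test reads the environment at all. The enclosing `TestAPK` starts before the hunk, and the import of `os` is not visible here.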
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Fri, 13 Dec 2024 23:31:08 +0000
Subject: [PATCH 3/5] build(deps): bump dagger.io/dagger in the gomod group

Bumps the gomod group with 1 update: [dagger.io/dagger](https://github.com/dagger/dagger-go-sdk). Updates `dagger.io/dagger` from 0.15.0 to 0.15.1 - [Changelog](https://github.com/dagger/dagger-go-sdk/blob/main/CHANGELOG.md) - [Commits](https://github.com/dagger/dagger-go-sdk/compare/v0.15.0...v0.15.1) --- updated-dependencies: - dependency-name: dagger.io/dagger dependency-type: direct:production update-type: version-update:semver-patch dependency-group: gomod ... Signed-off-by: dependabot[bot]
---
 go.mod | 2 +-
 go.sum | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/go.mod b/go.mod
index b8a96b35d..b8562a693 100644
--- a/go.mod
+++ b/go.mod
@@ -5,7 +5,7 @@ go 1.23.3
 require (
  chainguard.dev/apko v0.21.0
  cloud.google.com/go/storage v1.48.0
- dagger.io/dagger v0.15.0
+ dagger.io/dagger v0.15.1
  github.com/chainguard-dev/clog v1.5.1
  github.com/chainguard-dev/go-pkgconfig v0.0.0-20240404163941-6351b37b2a10
  github.com/chainguard-dev/yam v0.2.4
diff --git a/go.sum b/go.sum
index 19eb4a593..8e8e66ba6 100644
--- a/go.sum
+++ b/go.sum
@@ -27,8 +27,8 @@ cloud.google.com/go/storage v1.48.0 h1:FhBDHACbVtdPx7S/AbcKujPWiHvfO6F8OXGgCEbB2 cloud.google.com/go/storage v1.48.0/go.mod h1:aFoDYNMAjv67lp+xcuZqjUKv/ctmplzQ3wJgodA7b+M= cloud.google.com/go/trace v1.11.2 h1:4ZmaBdL8Ng/ajrgKqY5jfvzqMXbrDcBsUGXOT9aqTtI= cloud.google.com/go/trace v1.11.2/go.mod h1:bn7OwXd4pd5rFuAnTrzBuoZ4ax2XQeG3qNgYmfCy0Io= -dagger.io/dagger v0.15.0 h1:ZZQanzKuzM/dnArhjxkkU5NbA83Lsq10KNuEnavRllw= -dagger.io/dagger v0.15.0/go.mod h1:kI2cuUHVpSRyj6uAJ4DS8UzH+eu9Lpe9Ilr1U0xVTCg= +dagger.io/dagger v0.15.1 h1:2faeBRf/3gTPGcjcej44fu/V81SIDhu+UjYn3hUJuIE= +dagger.io/dagger v0.15.1/go.mod h1:orbqkxrktOSvhUr8+Iyl9sRfjENvkX/Vdo31b2ers5c= dario.cat/mergo v1.0.1 h1:Ra4+bf83h2ztPIQYNP99R6m+Y7KfnARDfID+a+vLl4s= dario.cat/mergo v1.0.1/go.mod h1:uNxQE+84aUszobStD9th8a29P2fMDhsBdgRYvZOxGmk= filippo.io/edwards25519 v1.1.0 h1:FNf4tywRC1HmFuKW5xopWpigGjJKiJSV0Cqo0cJWDaA= From d8b4c05a97166569cfef35c7525b72a499f0ebc6 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 13 Dec 2024 23:31:18 +0000 Subject: [PATCH 4/5] build(deps): bump go.opentelemetry.io/otel/exporters/stdout/stdouttrace Bumps [go.opentelemetry.io/otel/exporters/stdout/stdouttrace](https://github.com/open-telemetry/opentelemetry-go) from 1.32.0 to 1.33.0. - [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases) - [Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md) - [Commits](https://github.com/open-telemetry/opentelemetry-go/compare/v1.32.0...v1.33.0) --- updated-dependencies: - dependency-name: go.opentelemetry.io/otel/exporters/stdout/stdouttrace dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- go.mod | 11 ++++++----- go.sum | 22 ++++++++++++---------- 2 files changed, 18 insertions(+), 15 deletions(-) diff --git a/go.mod b/go.mod index b8a96b35d..04a7ec670 100644 --- a/go.mod +++ b/go.mod 
@@ -35,9 +35,9 @@ require (
  github.com/yookoala/realpath v1.0.0
  github.com/zealic/xignore v0.3.3
  gitlab.alpinelinux.org/alpine/go v0.10.1
- go.opentelemetry.io/otel v1.32.0
- go.opentelemetry.io/otel/exporters/stdout/stdouttrace v1.32.0
- go.opentelemetry.io/otel/sdk v1.32.0
+ go.opentelemetry.io/otel v1.33.0
+ go.opentelemetry.io/otel/exporters/stdout/stdouttrace v1.33.0
+ go.opentelemetry.io/otel/sdk v1.33.0
  golang.org/x/crypto v0.31.0
  golang.org/x/exp v0.0.0-20241210194714-1829a127f884
  golang.org/x/sync v0.10.0
@@ -193,6 +193,7 @@ require (
  go.lsp.dev/uri v0.3.0 // indirect
  go.mongodb.org/mongo-driver v1.17.1 // indirect
  go.opencensus.io v0.24.0 // indirect
+ go.opentelemetry.io/auto/sdk v1.1.0 // indirect
  go.opentelemetry.io/contrib/detectors/gcp v1.29.0 // indirect
  go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.57.0 // indirect
  go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.57.0 // indirect
@@ -204,10 +205,10 @@ require (
  go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.32.0 // indirect
  go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.28.0 // indirect
  go.opentelemetry.io/otel/log v0.3.0 // indirect
- go.opentelemetry.io/otel/metric v1.32.0 // indirect
+ go.opentelemetry.io/otel/metric v1.33.0 // indirect
  go.opentelemetry.io/otel/sdk/log v0.3.0 // indirect
  go.opentelemetry.io/otel/sdk/metric v1.29.0 // indirect
- go.opentelemetry.io/otel/trace v1.32.0 // indirect
+ go.opentelemetry.io/otel/trace v1.33.0 // indirect
  go.opentelemetry.io/proto/otlp v1.3.1 // indirect
  go.step.sm/crypto v0.55.0 // indirect
  go.uber.org/multierr v1.11.0 // indirect
diff --git a/go.sum b/go.sum
index 19eb4a593..2dd60faf5 100644
--- a/go.sum
+++ b/go.sum
@@ -501,14 +501,16 @@ go.mongodb.org/mongo-driver v1.17.1 h1:Wic5cJIwJgSpBhe3lx3+/RybR5PiYRMpVFgO7cOHy go.mongodb.org/mongo-driver v1.17.1/go.mod h1:wwWm/+BuOddhcq3n68LKRmgk2wXzmF6s0SFOa0GINL4= go.opencensus.io v0.24.0 h1:y73uSU6J157QMP2kn2r30vwW1A2W2WFwSCGnAVxeaD0= go.opencensus.io v0.24.0/go.mod h1:vNK8G9p7aAivkbmorf4v+7Hgx+Zs0yY+0fOtgBfjQKo= +go.opentelemetry.io/auto/sdk v1.1.0 h1:cH53jehLUN6UFLY71z+NDOiNJqDdPRaXzTel0sJySYA= +go.opentelemetry.io/auto/sdk v1.1.0/go.mod h1:3wSPjt5PWp2RhlCcmmOial7AvC4DQqZb7a7wCow3W8A= go.opentelemetry.io/contrib/detectors/gcp v1.29.0 h1:TiaiXB4DpGD3sdzNlYQxruQngn5Apwzi1X0DRhuGvDQ= go.opentelemetry.io/contrib/detectors/gcp v1.29.0/go.mod h1:GW2aWZNwR2ZxDLdv8OyC2G8zkRoQBuURgV7RPQgcPoU= go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.57.0 h1:qtFISDHKolvIxzSs0gIaiPUPR0Cucb0F2coHC7ZLdps= go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.57.0/go.mod h1:Y+Pop1Q6hCOnETWTW4NROK/q1hv50hM7yDaUTjG8lp8= go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.57.0 h1:DheMAlT6POBP+gh8RUH19EOTnQIor5QE0uSRPtzCpSw= go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.57.0/go.mod h1:wZcGmeVO9nzP67aYSLDqXNWK87EZWhi7JWj1v7ZXf94= -go.opentelemetry.io/otel v1.32.0 h1:WnBN+Xjcteh0zdk01SVqV55d/m62NJLJdIyb4y/WO5U= -go.opentelemetry.io/otel v1.32.0/go.mod h1:00DCVSB0RQcnzlwyTfqtxSm+DRr9hpYrHjNGiBHVQIg= +go.opentelemetry.io/otel v1.33.0 h1:/FerN9bax5LoK51X/sI0SVYrjSE0/yUL7DpxW4K3FWw= +go.opentelemetry.io/otel v1.33.0/go.mod h1:SUUkR6csvUQl+yjReHu5uM3EtVV7MBm5FHKRlNx4I8I= go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploggrpc v0.0.0-20240518090000-14441aefdf88 h1:oM0GTNKGlc5qHctWeIGTVyda4iFFalOzMZ3Ehj5rwB4= go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploggrpc v0.0.0-20240518090000-14441aefdf88/go.mod h1:JGG8ebaMO5nXOPnvKEl+DiA4MGwFjCbjsxT1WHIEBPY= go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp v0.3.0 h1:ccBrA8nCY5mM0y5uO7FT0ze4S0TuFcWdDB2FxGMTjkI= 
@@ -525,20 +527,20 @@ go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.28.0 h1:j9+03 go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.28.0/go.mod h1:Y5+XiUG4Emn1hTfciPzGPJaSI+RpDts6BnCIir0SLqk= go.opentelemetry.io/otel/exporters/stdout/stdoutmetric v1.29.0 h1:WDdP9acbMYjbKIyJUhTvtzj601sVJOqgWdUxSdR/Ysc= go.opentelemetry.io/otel/exporters/stdout/stdoutmetric v1.29.0/go.mod h1:BLbf7zbNIONBLPwvFnwNHGj4zge8uTCM/UPIVW1Mq2I= -go.opentelemetry.io/otel/exporters/stdout/stdouttrace v1.32.0 h1:cC2yDI3IQd0Udsux7Qmq8ToKAx1XCilTQECZ0KDZyTw= -go.opentelemetry.io/otel/exporters/stdout/stdouttrace v1.32.0/go.mod h1:2PD5Ex6z8CFzDbTdOlwyNIUywRr1DN0ospafJM1wJ+s= +go.opentelemetry.io/otel/exporters/stdout/stdouttrace v1.33.0 h1:W5AWUn/IVe8RFb5pZx1Uh9Laf/4+Qmm4kJL5zPuvR+0= +go.opentelemetry.io/otel/exporters/stdout/stdouttrace v1.33.0/go.mod h1:mzKxJywMNBdEX8TSJais3NnsVZUaJ+bAy6UxPTng2vk= go.opentelemetry.io/otel/log v0.3.0 h1:kJRFkpUFYtny37NQzL386WbznUByZx186DpEMKhEGZs= go.opentelemetry.io/otel/log v0.3.0/go.mod h1:ziCwqZr9soYDwGNbIL+6kAvQC+ANvjgG367HVcyR/ys= -go.opentelemetry.io/otel/metric v1.32.0 h1:xV2umtmNcThh2/a/aCP+h64Xx5wsj8qqnkYZktzNa0M= -go.opentelemetry.io/otel/metric v1.32.0/go.mod h1:jH7CIbbK6SH2V2wE16W05BHCtIDzauciCRLoc/SyMv8= -go.opentelemetry.io/otel/sdk v1.32.0 h1:RNxepc9vK59A8XsgZQouW8ue8Gkb4jpWtJm9ge5lEG4= -go.opentelemetry.io/otel/sdk v1.32.0/go.mod h1:LqgegDBjKMmb2GC6/PrTnteJG39I8/vJCAP9LlJXEjU= +go.opentelemetry.io/otel/metric v1.33.0 h1:r+JOocAyeRVXD8lZpjdQjzMadVZp2M4WmQ+5WtEnklQ= +go.opentelemetry.io/otel/metric v1.33.0/go.mod h1:L9+Fyctbp6HFTddIxClbQkjtubW6O9QS3Ann/M82u6M= +go.opentelemetry.io/otel/sdk v1.33.0 h1:iax7M131HuAm9QkZotNHEfstof92xM+N8sr3uHXc2IM= +go.opentelemetry.io/otel/sdk v1.33.0/go.mod h1:A1Q5oi7/9XaMlIWzPSxLRWOI8nG3FnzHJNbiENQuihM= go.opentelemetry.io/otel/sdk/log v0.3.0 h1:GEjJ8iftz2l+XO1GF2856r7yYVh74URiF9JMcAacr5U= go.opentelemetry.io/otel/sdk/log v0.3.0/go.mod 
h1:BwCxtmux6ACLuys1wlbc0+vGBd+xytjmjajwqqIul2g= go.opentelemetry.io/otel/sdk/metric v1.29.0 h1:K2CfmJohnRgvZ9UAj2/FhIf/okdWcNdBwe1m8xFXiSY= go.opentelemetry.io/otel/sdk/metric v1.29.0/go.mod h1:6zZLdCl2fkauYoZIOn/soQIDSWFmNSRcICarHfuhNJQ= -go.opentelemetry.io/otel/trace v1.32.0 h1:WIC9mYrXf8TmY/EXuULKc8hR17vE+Hjv2cssQDe03fM= -go.opentelemetry.io/otel/trace v1.32.0/go.mod h1:+i4rkvCraA+tG6AzwloGaCtkx53Fa+L+V8e9a7YvhT8= +go.opentelemetry.io/otel/trace v1.33.0 h1:cCJuF7LRjUFso9LPnEAHJDB2pqzp+hbO8eu1qqW2d/s= +go.opentelemetry.io/otel/trace v1.33.0/go.mod h1:uIcdVUZMpTAmz0tI1z04GoVSezK37CbGV4fr1f2nBck= go.opentelemetry.io/proto/otlp v1.3.1 h1:TrMUixzpM0yuc/znrFTP9MMRh8trP93mkCiDVeXrui0= go.opentelemetry.io/proto/otlp v1.3.1/go.mod h1:0X1WI4de4ZsLrrJNLAQbFeLCm3T7yBkR0XqQ7niQU+8= go.step.sm/crypto v0.55.0 h1:575Q7NahuM/ZRxUVN1GkO2e1aDYQJqIIg+nbfOajQJk= From c4294d8088b5f8f5a84e2a23f06a69d4f12805fe Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sat, 14 Dec 2024 00:01:48 +0000 Subject: [PATCH 5/5] build(deps): bump chainguard.dev/apko from 0.21.0 to 0.22.1 Bumps [chainguard.dev/apko](https://github.com/chainguard-dev/apko) from 0.21.0 to 0.22.1. - [Release notes](https://github.com/chainguard-dev/apko/releases) - [Changelog](https://github.com/chainguard-dev/apko/blob/main/NEWS.md) - [Commits](https://github.com/chainguard-dev/apko/compare/v0.21.0...v0.22.1) --- updated-dependencies: - dependency-name: chainguard.dev/apko dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index 443f04802..b5757216e 100644 --- a/go.mod +++ b/go.mod 
@@ -3,7 +3,7 @@ module chainguard.dev/melange go 1.23.3 require ( - chainguard.dev/apko v0.21.0 + chainguard.dev/apko v0.22.1 cloud.google.com/go/storage v1.48.0 dagger.io/dagger v0.15.1 github.com/chainguard-dev/clog v1.5.1 diff --git a/go.sum b/go.sum index 22cf480c8..f91033bc9 100644 --- a/go.sum +++ b/go.sum @@ -1,7 +1,7 @@ cel.dev/expr v0.16.1 h1:NR0+oFYzR1CqLFhTAqg3ql59G9VfN8fKq1TCHJ6gq1g= cel.dev/expr v0.16.1/go.mod h1:AsGA5zb3WruAEQeQng1RZdGEXmBj0jvMWh6l5SnNuC8= -chainguard.dev/apko v0.21.0 h1:McqW15qcBpV7vlAc3SBoD8Ruxjqi+rmO/4Ls1H1jLMw= -chainguard.dev/apko v0.21.0/go.mod h1:Dz/1cWdn6w53ZbMR2qA0tHcqhLhb2YptAWCk5r2pByw= +chainguard.dev/apko v0.22.1 h1:AIDhTQy68HdL9JNZ9uDfCbg8GeGya4qRMSbxDI9Kwbw= +chainguard.dev/apko v0.22.1/go.mod h1:lgMMzODIxGo0/NtcZ1sq26jbgniJgLkIFIa6L3xDGNs= chainguard.dev/go-grpc-kit v0.17.7 h1:TqHua7er5k8m6WM96y0Tm7IoLLkuZ5vh3+5SR1gruKg= chainguard.dev/go-grpc-kit v0.17.7/go.mod h1:JroMzTY9mdhKe/bvtyChgfECaNh80+bMZH3HS+TGXHw= chainguard.dev/sdk v0.1.29 h1:GNcCw5NoyvylhlUbVD8JMmrPaeYyrshaHHjEWnvcCGI=