Singularity related background

[dtrudg]

Hi all - I was asked to write a bit from the Singularity point of view r.e. Notary v2 and ORAS. I figured it'd be good to just get something down quickly on an issue here, and let others from Sylabs and elsewhere comment, rather than delaying. Also, I don't want to clog up the main scenarios documents etc. with background that isn't very relevant.

Singularity Signing - Background

Singularity's main container format is a single .sif file. The SIF file can have multiple descriptors - with one of those pointing to a container rootfs, which is a squashfs.

We can singularity sign an image that we are happy with using a PGP keypair (I have a single one setup here, so no prompts/specification of which key)...

dave@piran~> singularity sign ubuntu_latest.sif
Signing image: ubuntu_latest.sif
Enter key passphrase :
Signature created and applied to ubuntu_latest.sif

Singularity is computing the signature over the objects in the SIF. Some runtime metadata is, for historical reasons (singularity used to use bare squashfs images), inside the rootfs. This is changing as we transition metadata into SIF descriptors fully.

The signature is appended as a new descriptor in the SIF file...

$ singularity sif list test.sif
ID:           bd970cf8-603d-46e3-9ee1-89a20898a311
Created At:   2021-09-10 19:11:40 +0000 UTC
Modified At:  2021-09-22 18:43:48 +0000 UTC
----------------------------------------------------
Descriptors:
ID   |GROUP   |LINK    |SIF POSITION (start-end)  |TYPE
------------------------------------------------------------------------------
1    |1       |NONE    |32768-32801               |Def.FILE
2    |1       |NONE    |36864-38782               |JSON.Generic
3    |1       |NONE    |40960-41055               |JSON.Generic
4    |1       |NONE    |45056-2777088             |FS (Squashfs/*System/amd64)
5    |NONE    |1   (G) |2777088-2778885           |Signature (SHA-256)

The SIF container image can be singularity verify-ed using the public key added into the local keyring used by Singularity, or with retrieval from a keyserver as part of our Cloud/Enterprise product....

$ singularity verify test.sif
Verifying image: test.sif
[LOCAL]   Signing entity: Test <[email protected]>
[LOCAL]   Fingerprint: 19BC24FDAE726C1F1AC629C305E77207542D3336
Objects verified:
ID  |GROUP   |LINK    |TYPE
------------------------------------------------
1   |1       |NONE    |Def.FILE
2   |1       |NONE    |JSON.Generic
3   |1       |NONE    |JSON.Generic
4   |1       |NONE    |FS
Container verified: test.sif

You can singularity sign an image multiple times, with multiple keys, e.g. as an image goes through a QA pipeline. The singularity runtime can be configured to require a valid signature associated with any of N keys, all of N keys, etc.

If I dump the signature portion of the file you'll see that there's a structure describing digests of the header and data objects in the SIF, and a PGP signature over that.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

{"version":1,"header":{"digest":"sha256:8e341d2fb09c007b3f761f635fb2929d40d3d4916ea5bcb9a2e5e1ffcd11df23"},"objects":[{"relativeId":0,"descriptorDigest":"sha256:93996251da371bdc225af93107f6d7a642082f7eaa497c30797d1d6c7c0b1285","objectDigest":"sha256:5789ff8cbc7a28be68c13b6d48be486b9f010b2fac1df2049c777ac10b4c019a"},{"relativeId":1,"descriptorDigest":"sha256:24401ee7dd7841dab56c56c1524c78be33660094e891101a64279631b1837938","objectDigest":"sha256:4c08f5083a42b36b341c27c7502674df7db6897c4c0452ff9482a554c163b52c"},{"relativeId":2,"descriptorDigest":"sha256:28465ede0ae05dce98014e881ead87dececc770df8f5597448233071e74d740e","objectDigest":"sha256:3c3df0d03a8277fd0992081b5cb7784895cacde9f6b4ec62397213e694758f4b"},{"relativeId":3,"descriptorDigest":"sha256:726e9ed1090cdb5bd286ba2acaa343268ace59353dbe7129c25199d95a4a5caa","objectDigest":"sha256:f1e86780bf2035d65c120d2305ce2070dfc33ca9cabddf7d7ef739e4602e8d97"}]}
-----BEGIN PGP SIGNATURE-----

wsFzBAEBCAAnBQJhS3lkCRAF53IHVC0zNhYhBBm8JP2ucmwfGsYpwwXncgdULTM2
AABVXhAAi7mC0hpCOMzkWfGS6K02ytfAbJeqJj/IiaizaZhwjx9fxAIoAaFbptJG
X8jsJ3IvPH5qKqkAhzIlfHxs1kmkK4LjhS9+Wl0k5Gs//iKBNsd16ftvU5Pfyz9m
QsJFBNIYf1s7TBbjBpol5MszHE7pXNIrop91DV+YjksUOmjQi0tA6/N0SejWrNxj
CttK5jOYSoZgp2v17q1cWIxnalMMytEO4CFfHf06VCb8WKpACnqvEfVOSCp3hO5U
rdfJivoyasmwv0YwSHSXMlnrWZzxeVid0uCHyK2iSqobdrFFbagsgzTJ3Y2JXHAQ
/XVepva4xntDzTcDefgQ17EXSLAtNSg35v+JS+pWPZt29Jr1UDrz8OIskuxc1l68
NqFspxAvbZGrRwtJ4Qohm1lnNFdrtgFFyKmyVxxOIFgsCCjNGbYb2HqlMgj+051V
x45AAD55mwqh+kuMZ5gXsxjne71EYpMf9IzB7QPT8D3peNcCEJxczL/yTpOdm/vK
cKrIbMfH/w6BqqO57EdyjAFI5J6jbWSrkqAK4+s1RAoPgceuHxp8DuYNZMdDGUD7
0MJeDfhUOtXQeCBfQzZ/foBAq61CyQON7NnVWbV62J3I6UHyh77C/Xbirj4/VqjT
F4F2ac9zTE2q7uhX13NYyLeyPJjMuybFawswMYrzGKGicHEy27Q=
=TjQ0
-----END PGP SIGNATURE-----

Singularity Interest in Notary v2

There are 2 areas of interest for us with Notary v2:

1. Handling Notary v2 OCI/docker images

Much use of Singularity is to run OCI/docker images on systems where Singularity is the preferred container runtime. When Notary v2 gets out into the wild and is adopted, we need to be able to deal with pulling/converting/running signed stuff in a nice manner.

We are using containers/image, openSUSE/umoci etc. to handle our docker:// and other docker/OCI related source URIs - so it's likely we benefit from other's implementations of verification. We do need to understand how things are going to work, though, to make sure we fit it all in nicely to the singularity CLI and workflow that people are familiar with.

2. Singularity Images Distributed via ORAS

We have functionality for distributing Singularity .sif file images via registries that support ORAS.

We need to understand how signing will be implemented for arbitrary artifacts. We'd like to develop thoughts around how a Notary v2 ORAS signing model can be implemented in the Singularity CLI such that it doesn't feel like a completely separate 'add-on' to the native signing/verification of our SIF images.

We need to think about what the relationship is between a signature embedded in a SIF image, and a Notary v2 signature associated with an SIF image artifact. A signature over the artifact 'wraps' the entire content of the SIF file, including its embedded signatures.

Scenarios

We'll try to have a think about some specific scenarios that involve Singularity - but generally it's the same kind of stuff as in the existing scenarios PR, but with Singularity as software used to build/execute/both a container. We might be building/pushing/running SIFs, or we might be pulling and running signed OCI/docker stuff.

[SteveLasker]

Moving to a discussion to capture the info, with closure on inactive issues.

[dtrudg]

Updated the command output / dump of the SIF signature as these now look a bit different from when I first wrote this. Noting that @tri-adam is the main contact r.e. SIF and signing / verification at Sylabs.

[SteveLasker]

Thanks @dtrudg