diff --git a/go.mod b/go.mod index efc43aeb..4462cb34 100644 --- a/go.mod +++ b/go.mod @@ -3,7 +3,7 @@ module github.com/sylabs/sif/v2 go 1.22.8 require ( - github.com/ProtonMail/go-crypto v1.0.0 + github.com/ProtonMail/go-crypto v1.1.2 github.com/google/go-containerregistry v0.20.2 github.com/google/uuid v1.6.0 github.com/sebdah/goldie/v2 v2.5.5 diff --git a/go.sum b/go.sum index c29635cb..13740b74 100644 --- a/go.sum +++ b/go.sum @@ -1,11 +1,9 @@ -github.com/ProtonMail/go-crypto v1.0.0 h1:LRuvITjQWX+WIfr930YHG2HNfjR1uOfyf5vE0kC2U78= -github.com/ProtonMail/go-crypto v1.0.0/go.mod h1:EjAoLdwvbIOoOQr3ihjnSoLZRtE8azugULFRteWMNc0= +github.com/ProtonMail/go-crypto v1.1.2 h1:A7JbD57ThNqh7XjmHE+PXpQ3Dqt3BrSAC0AL0Go3KS0= +github.com/ProtonMail/go-crypto v1.1.2/go.mod h1:rA3QumHc/FZ8pAHreoekgiAbzpNsfQAosU5td4SnOrE= github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM= github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw= -github.com/bwesterb/go-ristretto v1.2.3/go.mod h1:fUIoIZaG73pV5biE2Blr2xEzDoMj7NFEuV9ekS419A0= github.com/cespare/xxhash/v2 v2.2.0 h1:DC2CZ1Ep5Y4k3ZQ899DldepgrayRUGE6BBZ/cd9Cj44= github.com/cespare/xxhash/v2 v2.2.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= -github.com/cloudflare/circl v1.3.3/go.mod h1:5XYMA4rFBvNIrhs50XuiBJ15vF2pZn4nnUKZrLbUZFA= github.com/cloudflare/circl v1.3.7 h1:qlCDlTPz2n9fu58M0Nh1J/JzcFpfgkFHHX3O35r5vcU= github.com/cloudflare/circl v1.3.7/go.mod h1:sRTcRWXGLrKw6yIGJ+l7amYJFfAXbZG0kBSc8r4zxgA= github.com/codahale/rfc6979 v0.0.0-20141003034818-6a90f24967eb h1:EDmT6Q9Zs+SbUoc7Ik9EfrFqcylYqgPZ9ANSbTAntnE= @@ -74,53 +72,12 @@ github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsT github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY= github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 h1:e/5i7d4oYZ+C1wj2THlRK+oAhjeS/TRQwMfkIuet3w0= github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399/go.mod h1:LdwHTNJT99C5fTAzDz0ud328OgXz+gierycbcIx2fRs= -github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY= -golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= -golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= -golang.org/x/crypto v0.3.1-0.20221117191849-2c476679df9a/go.mod h1:hebNnKkNXi2UzZN1eVRvBB7co0a+JxK6XbPiWVs/3J4= -golang.org/x/crypto v0.7.0/go.mod h1:pYwdfH91IfpZVANVyUOhSIPZaFoJGxTFbZhFTx+dXZU= golang.org/x/crypto v0.28.0 h1:GBDwsMXVQi34v5CCYUm2jkJvu4cbtru2U4TN2PSyQnw= golang.org/x/crypto v0.28.0/go.mod h1:rmgy+3RHxRZMyY0jjAJShp2zgEdOqj2AO7U0pYmeQ7U= -golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4= -golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= -golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= -golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= -golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= -golang.org/x/net v0.2.0/go.mod h1:KqCZLdyyvdV855qA2rE3GC2aiw5xGR5TEjj8smXukLY= -golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs= -golang.org/x/net v0.8.0/go.mod h1:QVkue5JL9kW//ek3r6jTKnTFis1tRmNAW2P1shuFdJc= -golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= -golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.3.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.26.0 h1:KHjCJyddX0LoSTb3J+vWpupP9p0oznkqVk/IfjymZbo= golang.org/x/sys v0.26.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= -golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= -golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= -golang.org/x/term v0.2.0/go.mod h1:TVmDHMZPmdnySmBfhjOoOdhjzdE1h4u1VwSiw2l1Nuc= -golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k= -golang.org/x/term v0.6.0/go.mod h1:m6U89DPEgQRMq3DNkDClhWw02AUbt2daBVO4cn4Hv9U= golang.org/x/term v0.25.0 h1:WtHI/ltw4NvSUig5KARz9h521QvRC8RmF/cuYqifU24= golang.org/x/term v0.25.0/go.mod h1:RPyXicDX+6vLxogjjRxjgD2TKtmAO6NZBsBRfrOLu7M= -golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= -golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= -golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= -golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= -golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= -golang.org/x/text v0.8.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8= -golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= -golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= -golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc= -golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU= -golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= google.golang.org/genproto/googleapis/rpc v0.0.0-20240520151616-dc85e6b867a5 h1:Q2RxlXqh1cgzzUgV261vBO2jI5R/3DD1J2pM0nI4NhU= google.golang.org/genproto/googleapis/rpc v0.0.0-20240520151616-dc85e6b867a5/go.mod h1:EfXuqaE1J41VCDicxHzUDm+8rk+7ZdXzHV0IhO/I6s0= google.golang.org/grpc v1.64.0 h1:KH3VH9y/MgNQg1dE7b3XfVK0GsPSIzJwdF617gUSbvY= diff --git a/internal/app/siftool/testdata/TestApp_Info/DataSignature.golden b/internal/app/siftool/testdata/TestApp_Info/DataSignature.golden index cb2859f7..6aa68e5b 100644 --- a/internal/app/siftool/testdata/TestApp_Info/DataSignature.golden +++ b/internal/app/siftool/testdata/TestApp_Info/DataSignature.golden @@ -3,6 +3,6 @@ Group ID: NONE Linked ID: 1 (G) Offset: 303104 - Size: 1054 + Size: 1048 Hash Type: SHA-256 Entity: 12045C8C0B1004D058DE4BEDA20C27EE7FF7BA84 diff --git a/internal/app/siftool/testdata/TestApp_List/OneGroupSignedPGP.golden b/internal/app/siftool/testdata/TestApp_List/OneGroupSignedPGP.golden index 5b663d3e..b03df369 100644 --- a/internal/app/siftool/testdata/TestApp_List/OneGroupSignedPGP.golden +++ b/internal/app/siftool/testdata/TestApp_List/OneGroupSignedPGP.golden @@ -3,4 +3,4 @@ ID |GROUP |LINK |SIF POSITION (start-end) |TYPE ------------------------------------------------------------------------------ 1 |1 |NONE |32768-32772 |FS (Raw/System/386) 2 |1 |NONE |36864-40960 |FS (Squashfs/*System/386) -3 |NONE |1 (G) |40960-42014 |Signature (SHA-256) +3 |NONE |1 (G) |40960-42008 |Signature (SHA-256) diff --git a/internal/app/siftool/testdata/TestApp_List/TwoGroupsSignedPGP.golden b/internal/app/siftool/testdata/TestApp_List/TwoGroupsSignedPGP.golden index 17240ba5..31875e98 100644 --- a/internal/app/siftool/testdata/TestApp_List/TwoGroupsSignedPGP.golden +++ b/internal/app/siftool/testdata/TestApp_List/TwoGroupsSignedPGP.golden @@ -4,5 +4,5 @@ ID |GROUP |LINK |SIF POSITION (start-end) |TYPE 1 |1 |NONE |32768-32772 |FS (Raw/System/386) 2 |1 |NONE |36864-40960 |FS (Squashfs/*System/386) 3 |2 |NONE |40960-303104 |FS (Ext3/System/amd64) -4 |NONE |1 (G) |303104-304158 |Signature (SHA-256) -5 |NONE |2 (G) |304158-305013 |Signature (SHA-256) +4 |NONE |1 (G) |303104-304152 |Signature (SHA-256) +5 |NONE |2 (G) |304152-305001 |Signature (SHA-256) diff --git a/pkg/integrity/clearsign.go b/pkg/integrity/clearsign.go index 4c60c440..a8aa7aa8 100644 --- a/pkg/integrity/clearsign.go +++ b/pkg/integrity/clearsign.go @@ -1,4 +1,4 @@ -// Copyright (c) 2020-2023, Sylabs Inc. All rights reserved. +// Copyright (c) 2020-2024, Sylabs Inc. All rights reserved. // This software is licensed under a 3-clause BSD license. Please consult the LICENSE.md file // distributed with the sources of this project regarding your rights to use or distribute this // software. @@ -11,7 +11,6 @@ import ( "crypto" "errors" "io" - "time" "github.com/ProtonMail/go-crypto/openpgp" "github.com/ProtonMail/go-crypto/openpgp/clearsign" @@ -25,14 +24,12 @@ type clearsignEncoder struct { config *packet.Config } -// newClearsignEncoder returns an encoder that signs messages in clear-sign format using entity e. -// If timeFunc is not nil, it is used to generate signature timestamps. -func newClearsignEncoder(e *openpgp.Entity, timeFunc func() time.Time) *clearsignEncoder { +// newClearsignEncoder returns an encoder that signs messages in clear-sign format using entity e, +// according to config. +func newClearsignEncoder(e *openpgp.Entity, config *packet.Config) *clearsignEncoder { return &clearsignEncoder{ - e: e, - config: &packet.Config{ - Time: timeFunc, - }, + e: e, + config: config, } } diff --git a/pkg/integrity/clearsign_test.go b/pkg/integrity/clearsign_test.go index 0de5e321..e164f49a 100644 --- a/pkg/integrity/clearsign_test.go +++ b/pkg/integrity/clearsign_test.go @@ -39,12 +39,12 @@ func Test_clearsignEncoder_signMessage(t *testing.T) { }{ { name: "EncryptedKey", - en: newClearsignEncoder(encrypted, fixedTime), + en: newClearsignEncoder(encrypted, &packet.Config{Time: fixedTime}), wantErr: true, }, { name: "OK", - en: newClearsignEncoder(e, fixedTime), + en: newClearsignEncoder(e, &packet.Config{Time: fixedTime}), de: newClearsignDecoder(openpgp.EntityList{e}), wantHash: crypto.SHA256, }, diff --git a/pkg/integrity/sign.go b/pkg/integrity/sign.go index 002810a8..d6ed339f 100644 --- a/pkg/integrity/sign.go +++ b/pkg/integrity/sign.go @@ -17,6 +17,7 @@ import ( "time" "github.com/ProtonMail/go-crypto/openpgp" + "github.com/ProtonMail/go-crypto/openpgp/packet" "github.com/sigstore/sigstore/pkg/signature" "github.com/sylabs/sif/v2/pkg/sif" ) @@ -179,13 +180,14 @@ func (gs *groupSigner) sign(ctx context.Context) (sif.DescriptorInput, error) { } type signOpts struct { - ss []signature.Signer - e *openpgp.Entity - groupIDs []uint32 - objectIDs [][]uint32 - timeFunc func() time.Time - deterministic bool - ctx context.Context //nolint:containedctx + ss []signature.Signer + e *openpgp.Entity + groupIDs []uint32 + objectIDs [][]uint32 + timeFunc func() time.Time + deterministic bool + ctx context.Context //nolint:containedctx + withoutPGPSignatureSalt bool } // SignerOpt are used to configure so. @@ -257,6 +259,16 @@ func OptSignWithContext(ctx context.Context) SignerOpt { } } +// OptSignWithoutPGPSignatureSalt disables the addition of a salt notation for v4 and v5 PGP keys. +// While this increases determinism, it should be used with caution as the salt notation increases +// protection for certain kinds of attacks. +func OptSignWithoutPGPSignatureSalt() SignerOpt { + return func(so *signOpts) error { + so.withoutPGPSignatureSalt = true + return nil + } +} + // withGroupedObjects splits the objects represented by ids into object groups, and calls fn once // per object group. func withGroupedObjects(f *sif.FileImage, ids []uint32, fn func(uint32, []uint32) error) error { @@ -339,11 +351,10 @@ func NewSigner(f *sif.FileImage, opts ...SignerOpt) (*Signer, error) { case so.ss != nil: en = newDSSEEncoder(so.ss) case so.e != nil: - timeFunc := time.Now - if so.timeFunc != nil { - timeFunc = so.timeFunc - } - en = newClearsignEncoder(so.e, timeFunc) + en = newClearsignEncoder(so.e, &packet.Config{ + Time: so.timeFunc, + NonDeterministicSignaturesViaNotation: packet.BoolPointer(!so.withoutPGPSignatureSalt), + }) commonOpts = append(commonOpts, optSignGroupFingerprint(so.e.PrimaryKey.Fingerprint)) default: return nil, fmt.Errorf("integrity: %w", ErrNoKeyMaterial) diff --git a/pkg/integrity/sign_test.go b/pkg/integrity/sign_test.go index cb878aee..56f02098 100644 --- a/pkg/integrity/sign_test.go +++ b/pkg/integrity/sign_test.go @@ -16,6 +16,7 @@ import ( "testing" "github.com/ProtonMail/go-crypto/openpgp" + "github.com/ProtonMail/go-crypto/openpgp/packet" "github.com/sylabs/sif/v2/pkg/sif" ) @@ -195,7 +196,7 @@ func TestNewGroupSigner(t *testing.T) { for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { - en := newClearsignEncoder(getTestEntity(t), fixedTime) + en := newClearsignEncoder(getTestEntity(t), &packet.Config{Time: fixedTime}) s, err := newGroupSigner(en, tt.fi, tt.groupID, tt.opts...) if got, want := err, tt.wantErr; !errors.Is(got, want) { @@ -254,12 +255,12 @@ func TestGroupSigner_Sign(t *testing.T) { } e := getTestEntity(t) - clearsign := newClearsignEncoder(e, fixedTime) + clearsign := newClearsignEncoder(e, &packet.Config{Time: fixedTime}) encrypted := getTestEntity(t) encrypted.PrivateKey.Encrypted = true - clearsignEncrypted := newClearsignEncoder(encrypted, fixedTime) + clearsignEncrypted := newClearsignEncoder(encrypted, &packet.Config{Time: fixedTime}) tests := []struct { name string @@ -449,6 +450,11 @@ func TestNewSigner(t *testing.T) { }, wantErr: sif.ErrNoObjects, }, + { + name: "NoKeyMaterial", + fi: oneGroupImage, + wantErr: ErrNoKeyMaterial, + }, { name: "InvalidObjectID", fi: oneGroupImage, @@ -820,6 +826,18 @@ func TestSigner_Sign(t *testing.T) { OptVerifyWithKeyRing(openpgp.EntityList{e}), }, }, + { + name: "OptSignWithoutPGPSignatureSalt", + inputFile: "one-group.sif", + signOpts: []SignerOpt{ + OptSignWithEntity(e), + OptSignWithTime(fixedTime), + OptSignWithoutPGPSignatureSalt(), + }, + verifyOpts: []VerifierOpt{ + OptVerifyWithKeyRing(openpgp.EntityList{e}), + }, + }, } for _, tt := range tests { diff --git a/pkg/siftool/testdata/Test_command_getInfo/Three/out.golden b/pkg/siftool/testdata/Test_command_getInfo/Three/out.golden index bf5fddca..6be61ddc 100644 --- a/pkg/siftool/testdata/Test_command_getInfo/Three/out.golden +++ b/pkg/siftool/testdata/Test_command_getInfo/Three/out.golden @@ -3,6 +3,6 @@ Group ID: NONE Linked ID: 1 (G) Offset: 40960 - Size: 1054 + Size: 1048 Hash Type: SHA-256 Entity: 12045C8C0B1004D058DE4BEDA20C27EE7FF7BA84 diff --git a/pkg/siftool/testdata/Test_command_getList/OneGroupSignedPGP/out.golden b/pkg/siftool/testdata/Test_command_getList/OneGroupSignedPGP/out.golden index 5b663d3e..b03df369 100644 --- a/pkg/siftool/testdata/Test_command_getList/OneGroupSignedPGP/out.golden +++ b/pkg/siftool/testdata/Test_command_getList/OneGroupSignedPGP/out.golden @@ -3,4 +3,4 @@ ID |GROUP |LINK |SIF POSITION (start-end) |TYPE ------------------------------------------------------------------------------ 1 |1 |NONE |32768-32772 |FS (Raw/System/386) 2 |1 |NONE |36864-40960 |FS (Squashfs/*System/386) -3 |NONE |1 (G) |40960-42014 |Signature (SHA-256) +3 |NONE |1 (G) |40960-42008 |Signature (SHA-256) diff --git a/pkg/siftool/testdata/Test_command_getList/TwoGroupsSignedPGP/out.golden b/pkg/siftool/testdata/Test_command_getList/TwoGroupsSignedPGP/out.golden index 17240ba5..31875e98 100644 --- a/pkg/siftool/testdata/Test_command_getList/TwoGroupsSignedPGP/out.golden +++ b/pkg/siftool/testdata/Test_command_getList/TwoGroupsSignedPGP/out.golden @@ -4,5 +4,5 @@ ID |GROUP |LINK |SIF POSITION (start-end) |TYPE 1 |1 |NONE |32768-32772 |FS (Raw/System/386) 2 |1 |NONE |36864-40960 |FS (Squashfs/*System/386) 3 |2 |NONE |40960-303104 |FS (Ext3/System/amd64) -4 |NONE |1 (G) |303104-304158 |Signature (SHA-256) -5 |NONE |2 (G) |304158-305013 |Signature (SHA-256) +4 |NONE |1 (G) |303104-304152 |Signature (SHA-256) +5 |NONE |2 (G) |304152-305001 |Signature (SHA-256) diff --git a/test/images/gen_sifs.go b/test/images/gen_sifs.go index 61d24be8..701fc679 100755 --- a/test/images/gen_sifs.go +++ b/test/images/gen_sifs.go @@ -1,4 +1,4 @@ -// Copyright (c) 2020-2023, Sylabs Inc. All rights reserved. +// Copyright (c) 2020-2024, Sylabs Inc. All rights reserved. // This software is licensed under a 3-clause BSD license. Please consult the LICENSE.md file // distributed with the sources of this project regarding your rights to use or distribute this // software. @@ -294,6 +294,7 @@ func generateImages() error { opts = append(opts, integrity.OptSignWithTime(func() time.Time { return time.Date(2020, 6, 30, 0, 1, 56, 0, time.UTC) }), integrity.OptSignDeterministic(), + integrity.OptSignWithoutPGPSignatureSalt(), ) s, err := integrity.NewSigner(f, opts...) diff --git a/test/images/one-group-signed-pgp.sif b/test/images/one-group-signed-pgp.sif index b1095033..9c782582 100755 Binary files a/test/images/one-group-signed-pgp.sif and b/test/images/one-group-signed-pgp.sif differ diff --git a/test/images/two-groups-signed-pgp.sif b/test/images/two-groups-signed-pgp.sif index d2149718..35ba895f 100755 Binary files a/test/images/two-groups-signed-pgp.sif and b/test/images/two-groups-signed-pgp.sif differ