add support for X509 #147

Merged: 1 commit, Oct 3, 2022

Conversation

fnikolai (Contributor) commented Sep 23, 2022

Singularity/Apptainer supports the capability to use PGP keys for signing and verifying containers, thus improving the level of trust for users that need to share containers.

PGP is based on the "Web of Trust" principle, where communicating parties must have at least one trusted party in common, who will sign both keys. PGP relies on asymmetric cryptography (i.e., the creation and usage of public-private key pairs).

X.509 is an alternative security approach, also relying on asymmetric cryptography, but is usually deployed in environments where certification authorities (CAs) vouch for each certificate, meaning the overall system architecture needs a CA. Anyone who wants to participate in the system must have their keys signed by that CA. Certificate creation and validation rely on a chain of trust established among CAs.

However, sharing containers among Supercomputing Center (SC) customers assumes a trusting relationship with the code providers and the SC itself. We advocate that a Supercomputing Center can provide Public Key Infrastructure (PKI) services to its customers, assuming the CA's role in the trusted sharing of pre-validated codes that are packaged as container images. We consider use cases where containers include specialized software packages and libraries, including their configuration parameter settings, for HPC codes expected to operate on sensitive datasets in a wide range of scientific domains.

This PR implements the proposed extensions to the codebase of Singularity/Apptainer so that X.509 certificates, signed by the SC's CA, can be embedded in SIF-formatted container binary image files and then be checked online for validity (incl. checks for revocation).

Important Note: the X.509 certificates are supported without removing the existing support for PGP certificates.

Signed-off-by: Fotis Nikolaidis [email protected]

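As an added example, not code from this PR or from Apptainer, the checks the description calls for written against Go's standard library: a signer certificate taken out of a SIF must chain to the SC's CA and must not appear on a fresh CRL signed by that CA. The CA, leaf and CRL are constructed in-process as sample data, the function names buildPKI and verifySigner are mine, and the online revocation check is assumed to be CRL-based and is replaced here by the locally built list.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// buildPKI is constructed sample data, not a real SC PKI: a throwaway CA in the SC's role, a leaf
// (serial 2) it issued, and a CA-signed CRL listing revokedSerial. Fixture only, so errors are ignored.
func buildPKI(revokedSerial int64) (ca, leaf *x509.Certificate, crl *x509.RevocationList) {
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	leafPub, _, _ := ed25519.GenerateKey(rand.Reader)
	now, day := time.Now(), 24*time.Hour
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example SC CA"},
		NotBefore: now, NotAfter: now.Add(day), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	caDER, _ := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, caPub, caKey)
	ca, _ = x509.ParseCertificate(caDER)
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "image-signer"},
		NotBefore: now, NotAfter: now.Add(day), KeyUsage: x509.KeyUsageDigitalSignature}
	leafDER, _ := x509.CreateCertificate(rand.Reader, leafTmpl, ca, leafPub, caKey)
	leaf, _ = x509.ParseCertificate(leafDER)
	crlTmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(day),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: big.NewInt(revokedSerial), RevocationTime: now}}}
	crlDER, _ := x509.CreateRevocationList(rand.Reader, crlTmpl, ca, caKey)
	crl, _ = x509.ParseRevocationList(crlDER) // what an online fetch of the CA's CRL would yield
	return ca, leaf, crl
}
// verifySigner applies the checks the PR description asks for to a signer certificate taken from a SIF:
// it must chain to the SC CA, and a fresh CRL signed by that CA must not list its serial number.
func verifySigner(leaf, ca *x509.Certificate, crl *x509.RevocationList) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots}); err != nil {
		return err
	}
	if err := crl.CheckSignatureFrom(ca); err != nil || time.Now().After(crl.NextUpdate) {
		return errors.New("CRL rejected: not signed by the CA, or past its NextUpdate")
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return errors.New("signer certificate revoked")
		}
	}
	return nil
}
```

A CRL that the CA did not sign, or one past its NextUpdate, is rejected outright rather than treated as "nothing revoked", which is the failure mode an attacker-supplied or stale list would otherwise exploit.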
fnikolai (Contributor, Author) commented Oct 2, 2022

@DrDaveD any reviewing progress/comments on this PR?

DrDaveD (Contributor) left a comment

Yes, I'm sorry this fell off my radar. It looks good to me.

I will include it in a 2.8.0 tag which was needed anyway after an update from Sylabs.

DrDaveD (Contributor) commented Dec 9, 2022

@fnikolai Now that we are planning to use the alternative implementation from Sylabs, I think we should revert this PR that was merged into the main branch. Do you agree? If so, could you please create the Revert PR? I see a "Revert" button above on the commit merge, that's what it would take I think, unless there are some conflicts. If I don't hear from you by early next week, I'll try to do the Revert myself.
