https://sylabs.io/guides/3.7/user-guide/signNverify.html?highlight=descriptor

Advanced Signing - SIF IDs and Groups (viewing)

As well as the default behaviour, which signs all objects, fine-grained control of signing is possible.
If you run singularity sif list on a SIF file you will see that it is composed of a number of objects. Each object has an ID and belongs to a GROUP.

  $ singularity sif list my_container.sif
  Container id: e455d2ae-7f0b-4c79-b3ef-315a4913d76a
  Created on: 2019-11-15 10:11:58 -0600 CST
  Modified on: 2019-11-15 10:11:58 -0600 CST
  ----------------------------------------------------
  Descriptor list:
  ID |GROUP |LINK |SIF POSITION (start-end) |TYPE
  ------------------------------------------------------------------------------
  1 |1 |NONE |32768-32800 |Def.FILE
  2 |1 |NONE |36864-36961 |JSON.Generic
  3 |1 |NONE |40960-25890816 |FS (Squashfs/*System/amd64)

I can choose to sign and verify a specific object by passing the --sif-id option to the sign and verify commands.

  $ singularity sign --sif-id 1 my_container.sif
  Signing image: my_container.sif
  Enter key passphrase :
  Signature created and applied to my_container.sif
  $ singularity verify --sif-id 1 my_container.sif
  Verifying image: my_container.sif
  [LOCAL] Signing entity: David Trudgian (Demo keys) <david.trudgian@sylabs.io>
  [LOCAL] Fingerprint: 65833F473098C6215E750B3BDFD69E5CEE85D448
  Objects verified:
  ID |GROUP |LINK |TYPE
  ------------------------------------------------
  1 |1 |NONE |Def.FILE
  Container verified: my_container.sif

Note that running the verify command without specifying the sif-id gives a fatal error. The container is not considered verified as a whole because other objects could have been changed without my knowledge.

  $ singularity verify my_container.sif
  Verifying image: my_container.sif
  [LOCAL] Signing entity: David Trudgian (Demo keys) <david.trudgian@sylabs.io>
  [LOCAL] Fingerprint: 65833F473098C6215E750B3BDFD69E5CEE85D448
  Error encountered during signature verification: object 2: object not signed
  FATAL: Failed to verify container: integrity: object 2: object not signed
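
A successful verify --sif-id run only vouches for the objects it lists, so it helps to see which descriptors were left out. The script below is an added example, not part of the Singularity documentation: it compares the sif list table with the "Objects verified" table and prints the IDs the signature did not cover. The function names are hypothetical, the sample text is copied from the outputs above, and the Signature row and its TYPE label are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the Singularity docs). Sample text is taken from the
# outputs on this page; the "Signature" row is constructed for illustration.
SIF_LIST='Descriptor list:
ID |GROUP |LINK |SIF POSITION (start-end) |TYPE
------------------------------------------------------------------------------
1 |1 |NONE |32768-32800 |Def.FILE
2 |1 |NONE |36864-36961 |JSON.Generic
3 |1 |NONE |40960-25890816 |FS (Squashfs/*System/amd64)
4 |NONE |1 |25890816-25892000 |Signature'
VERIFY_OUT='Objects verified:
ID |GROUP |LINK |TYPE
------------------------------------------------
1 |1 |NONE |Def.FILE
Container verified: my_container.sif'

# Print the ID column of each table row that follows the line matching $1.
# Assumption: signature descriptors have a TYPE starting with "Signature";
# they are skipped because they are never listed as verified objects.
table_ids() {
    awk -F'|' -v start="$1" '
        $0 ~ start { in_table = 1; next }
        in_table && NF > 1 {
            id = $1; typ = $NF
            gsub(/[ \t]/, "", id); sub(/^[ \t]+/, "", typ)
            if (id ~ /^[0-9]+$/ && typ !~ /^Signature/) print id
        }'
}

# unsigned_ids LIST_OUTPUT VERIFY_OUTPUT
# Prints (space-separated) the descriptor IDs that the verify run did not cover.
unsigned_ids() {
    all=$(printf '%s\n' "$1" | table_ids '^Descriptor list:')
    ok=$(printf '%s\n' "$2" | table_ids '^Objects verified:' | tr '\n' ' ')
    out=""
    for id in $all; do
        case " $ok" in
            *" $id "*) ;;              # covered by the signature
            *) out="$out $id" ;;       # present in the SIF, not verified
        esac
    done
    echo $out
}

unsigned_ids "$SIF_LIST" "$VERIFY_OUT"
```

With the sample above, objects 2 and 3 (the JSON metadata and the squashfs root filesystem) are reported as not covered by the signature on object 1.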

SIF Image Files (definition)

https://sylabs.io/guides/3.7/user-guide/bind_paths_and_mounts.html?highlight=descriptor
Advanced users may wish to create a standalone SIF image, which contains an ext3 or squashfs data partition holding files, by using the singularity sif commands similarly to the persistent overlays instructions:

  # Create a new empty SIF file
  $ singularity sif new inputs.sif
  # Add the squashfs data image from above to the SIF
  $ singularity sif add --datatype 4 --partarch 2 --partfs 1 --parttype 3 inputs.sif inputs.squashfs
  # Run Singularity, binding data from the SIF file
  $ singularity run -B inputs.sif:/input-data:image-src=/ mycontainer.sif
  Singularity> ls /input-data
  1 2 3 4 5 6 7 8 9

If your bind source is a SIF then Singularity will bind from the first data partition in the SIF, or you may specify an alternative descriptor by ID with the additional bind option :id=n, where n is the descriptor ID.