From 7b491ee6cbf4aa6d8f55be02993fba7147472a98 Mon Sep 17 00:00:00 2001
From: Eduard Iliadis <e.iliadis@live.com>
Date: Sun, 24 Aug 2025 18:53:51 +0300
Subject: [PATCH] Add --base-domain-overwrite option to container image signing
 functions

Dear OCI Team,

When attempting to sign images using OCI CLI, the request times out as the URL returned by OCI CLI is incorrect. The correct URL is https://<redacted>-crypto.kms.me-riyadh-1.oci.oraclecloud.com but the one the OCI CLI attempts to use is https://<redacted>-crypto.kms.me-riyadh-1.oraclecloud.com without ".oci." - as a result the image signing fails.

The command that is used to sign images with full administrative permissions is as follows:
```
oci artifacts container image-signature sign-upload --compartment-id ocid1.compartment.oc1...<redacted> --image-id ocid1.containerimage.oc1.me-riyadh-1.0.<redacted> --kms-key-id ocid1.key.oc1.me-riyadh-1.<redacted> --kms-key-version-id ocid1.keyversion.oc1.me-riyadh-1.<redacted> --signing-algorithm SHA_<redacted>_RSA_PKCS_PSS --debug
```

The error that is returned is as follows:
File "<redacted>/site-packages/oci/base_client.py", line 694, in request raise exceptions.RequestException(e) oci.exceptions.RequestException: (MaxRetryError("OCIConnectionPool(host='<redacted>-crypto.kms.me-riyadh-1.oraclecloud.com', port=443): Max retries exceeded with url: /<redacted>/sign (Caused by NewConnectionError('< oci.base_client.OCIConnection object at 0x1123f34d0>: Failed to establish a new connection: [Errno 8] nodename nor servname provided, or not known'))"), 'Request Endpoint: POST https://<redacted>-crypto.kms.me-riyadh-1.oraclecloud.com/<redacted>/sign See https://docs.oracle.com/en-us/iaas/Content/API/Concepts/sdk_troubleshooting.htm for help troubleshooting this error, or contact support and provide this full error message.')

After further investigation and chat with kind OCI Support team, it became apparent that this issue is related to a change of endpoint format and may affect multiple regions including me-riyadh-1. The following is from comments in this repository:

Please, accept this PR which will allow flexibility for overwriting the Cryptographic Endpoint to 'oraclecloud.com' or 'oci.oraclecloud.com' or 'oracleiaas.com' etc. as below:

```
oci artifacts container image-signature sign-upload .... --base-domain-overwrite oci.oraclecloud.com
```
---
 .../artifacts_cli_extended.py                 | 19 ++++++++++++-------
 1 file changed, 12 insertions(+), 7 deletions(-)

diff --git a/services/artifacts/src/oci_cli_artifacts/artifacts_cli_extended.py b/services/artifacts/src/oci_cli_artifacts/artifacts_cli_extended.py
index 72f3c21d6..caf21ceb8 100644
--- a/services/artifacts/src/oci_cli_artifacts/artifacts_cli_extended.py
+++ b/services/artifacts/src/oci_cli_artifacts/artifacts_cli_extended.py
@@ -559,6 +559,7 @@ def list_container_images_extended(ctx, from_json, all_pages, page_size, compart
 @cli_util.option('--image-id', required=True, help=u"""The [OCID] of the container image.""")
 @cli_util.option('--description', help="""The optional text of your choice to describe the image. The description is included as part of the signature, and is shown in the Console. For example, --description "Image for UAT testing" """)
 @cli_util.option('--metadata', help="""The optional information of your choice about the image, in a valid JSON format (alphanumeric characters only, with no whitespace or escape characters). For example, --metadata "{\"buildNumber\":\"123\"}" """)
+@cli_util.option('--base-domain-overwrite', help="Overwrite the base domain for the Cryptographic Endpoint, e.g. to overwrite 'oraclecloud.com' with 'oci.oraclecloud.com'. Usage: --base-domain-overwrite 'oci.oraclecloud.com'")
 @json_skeleton_utils.get_cli_json_input_option({})
 @cli_util.help_option
 @click.pass_context
@@ -567,7 +568,7 @@ def list_container_images_extended(ctx, from_json, all_pages, page_size, compart
 def sign_and_upload_container_image_signature_metadata(ctx, from_json, kms_key_id, kms_key_version_id,
                                                        signing_algorithm,
                                                        compartment_id, image_id,
-                                                       description, metadata):
+                                                       description, metadata, base_domain_overwrite):
     """
     SignAndUploadContainerImageSignatureMetadata calls KMS to sign the message then calls OCIR to upload the returned signature
 
@@ -583,6 +584,7 @@ def sign_and_upload_container_image_signature_metadata(ctx, from_json, kms_key_i
     :param image_id: The OCID of the container image. eg) ocid1.containerimage.oc1..exampleuniqueID. Max length: 255, Min length:1
     :param description: An user inputted message.
     :param metadata:  An user defined information about the container image in JSON format eg) {"buildNumber":"123"}
+    :param base_domain_overwrite: Overwrite the base domain for the Cryptographic Endpoint. e.g. if the base domain is 'oraclecloud.com' instead of 'oci.oraclecloud.com' which happens in me-riyadh-1 and potentially other regions
     restriction:
     - should only contains alphanumeric key strings.
     - should be alphabetically sorted.
@@ -607,7 +609,7 @@ def sign_and_upload_container_image_signature_metadata(ctx, from_json, kms_key_i
     region_name = get_region_from_config(ctx)
 
     # Create KMS client
-    kms_crypto_client = build_vault_crypto_client(ctx, kms_key_id, region_name)
+    kms_crypto_client = build_vault_crypto_client(ctx, kms_key_id, region_name, base_domain_overwrite)
 
     # Get container image metadata
     click.echo("Obtaining container image metadata by the image ID")
@@ -741,13 +743,16 @@ def upload_signature_metadata(ctx, artifacts_client, compartment_id, image_id, k
 
 
 # Build the KmsCryptoClient based on the vault extension OCID in the keyId
-def build_vault_crypto_client(ctx, key_id, region):
+def build_vault_crypto_client(ctx, key_id, region, base_domain_overwrite):
     split_list = re.split("ocid1\\.key\\.([\\w-]+)\\.([\\w-]+)\\.([\\w-]+)\\.([\\w]){60}", key_id)
     if len(split_list) < 4:
         raise click.ClickException("Failed to split key ocid. Please check the kms_key_id is correct.")
     vault_ext = split_list[3]
-    realm = oci.regions.REGION_REALMS.get(region)
-    second_level_domain = oci.regions.REALMS[realm]
+    if base_domain_overwrite is not None:
+        second_level_domain = base_domain_overwrite
+    else:
+        realm = oci.regions.REGION_REALMS.get(region)
+        second_level_domain = oci.regions.REALMS[realm]
     # region example: us-phoenix-1
     crypto_endpoint = "https://" + vault_ext + "-crypto.kms." + region + "." + second_level_domain
     ctx.obj['endpoint'] = crypto_endpoint
@@ -788,10 +793,10 @@ def filter_item_by_trusted_keys(items, trusted_keys):
     return ret
 
 
-def verify_signatures(ctx, container_image_signature_summary, region_name):
+def verify_signatures(ctx, container_image_signature_summary, region_name, base_domain_overwrite):
     verified = None
     for signature_summary in container_image_signature_summary:
-        vault_crypto_client = build_vault_crypto_client(ctx, signature_summary.kms_key_id, region_name)
+        vault_crypto_client = build_vault_crypto_client(ctx, signature_summary.kms_key_id, region_name, base_domain_overwrite)
         algo = signature_summary.signing_algorithm
         signing_algo_list = [
             "SHA_224_RSA_PKCS_PSS", "SHA_256_RSA_PKCS_PSS", "SHA_384_RSA_PKCS_PSS", "SHA_512_RSA_PKCS_PSS"