Typically, use %q instead of %s (or instead of "%s"), to expose
various control characters and the like without interpreting them.
This is not really comprehensive; the codebase makes no _general_
guarantee that any returned string values are free of control
characters or other malicious/misleading metadata. Not even
in returned "error" values (which can legitimately contain newlines,
if nothing else).
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
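
The effect described in the commit message above, shown as an added example (not code from the containers/image repository): the same untrusted value formatted with %s and with %q. The input string and the helper names are constructed for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed input: an externally supplied image name that carries a newline,
// a forged log record and an ANSI "erase line" escape sequence.
const untrustedName = "busybox\nlevel=info msg=\"signature verified\"\x1b[2K"

// describeRaw uses %s: control characters are copied into the message as-is
// and are interpreted by whatever terminal or log pipeline reads it.
func describeRaw(name string) string {
	return fmt.Sprintf("invalid reference %s", name)
}

// describeQuoted uses %q: the value is emitted as a Go string literal, so
// newlines and escape bytes show up as visible \n and \x1b sequences.
func describeQuoted(name string) string {
	return fmt.Sprintf("invalid reference %q", name)
}

// recordCount is the number of records a line-oriented log consumer sees.
func recordCount(msg string) int {
	return strings.Count(msg, "\n") + 1
}

// hasControl reports whether any C0 control character or DEL survives in msg.
func hasControl(msg string) bool {
	return strings.IndexFunc(msg, func(r rune) bool { return r < 0x20 || r == 0x7f }) >= 0
}

func main() {
	for _, msg := range []string{describeRaw(untrustedName), describeQuoted(untrustedName)} {
		fmt.Printf("records=%d control=%v message=%q\n", recordCount(msg), hasControl(msg), msg)
	}
}
```
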
... so that future code in signature/internal can use it.
This also requires a package-public (but internal)
constructor.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
To support signing images via gpgme without user prompt, allow for
providing a passphrase via the copy options. Add a new *WithOptions API
to the `signature` package and extend its interface.
To prevent breaking the API, extend the signature API with an internal
type as has already been done for other types and interfaces.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
... so that major-version-aware Go module import
(as opposed to vX.Y.Z+incompatible, which does not allow different
packages to use different versions) works right.
Also requires adding some more GO111MODULE=on options to Makefile.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
This replaces the copy of github.com/docker/docker/reference in the same
place, which we have just gotten rid of, and allows using this package
even in consumers which insist on an incompatible version of
docker/distribution.
The copy has been edited to drop a reference to
github.com/docker/distribution/digestset .
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
Instead call distreference.ParseNormalizedNamed directly.
(This looks bigger than it really is because so many files now don't
need c/i/docker/reference, so they are dropping the “distreference”
qualifier for docker/distribution/reference.)
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
Instead call distreference.FamiliarString() for SOME uses, generally for
error messages and StringWithinTransport().
In signature/policy_reference_match.go and signature/docker.go, where we
care about equality but not exactly about the kind of normalization, call
XNamed.String() instead, with the same rationale as the earlier
Name/FamiliarName choice.
In copy.Image, when creating a signature, use .String() (i.e. the fully
explicit form), for that extra bit of safety.
In tests, generally use the simpler .String() and modify expected
results, instead of calling FamiliarString().
XNamed is now equivalent to distreference.Named, all the extra methods
have gone away.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
This is an intermediate step which will eventually go away.
The goal of this PR is to get rid of c/i/docker/daemon/reference and to
replace uses of it by direct calls to docker/distribution/reference.
We can't do that safely and easily, because the two have different
semantics for reference.Named.Name() and reference.Named.String(): we
return a minimized version, e.g. "busybox", upstream returns an expanded
version, e.g. "docker.io/library/busybox".
BEFORE this commit the difference is hidden by using
docker/distribution/reference.WithName, which allows using the minimized
version, and works with it correctly; but because we want to use the
upstream canonicalization code, which will change semantics, we can't
just mix and match.
To make the distinction explicit, this commit adds an X to ALL public
names from c/i/docker/daemon/reference. E.g. a reference.XNamed type,
which has methods XName and XString.
This is pretty large, but does not change behavior at all. By
inspection it is clear to see that reference.XNamed and subtypes do
not expose any of the non-X, conflicting, method names.
Using e.g.
> git diff --word-diff-regex=.|grep -F '{+'|grep -v '^\([^{]\|{+X+}\)*{\?$'
it is possible to see that most lines in this diff only add a single X
letter, and manually inspect the few lines which don't match the regexp.
The only REALLY new code is an explicit definition of namedRef.XName()
and namedRef.XString(), and two newly added casts to namedRef in cases
where we need to use the underlying distreference.Reference within
a reference.XNamed value. Strictly speaking these changes change
behavior, in that third-party implementations of reference.XNamed are no
longer accepted; but we broke them by renaming at all.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
After https://github.com/containers/image/pull/220, and especially
future https://github.com/containers/image/pull/221, signing
docker/distribution/reference.Named.String() would use the new
fully-expanded normalization (as opposed to
containers/image/docker/reference.Named.String(), which is minimized).
For interoperability between various versions and signers, parse and normalize
the expected and signed references before comparing them.
This should be equivalent to prmMatchExact.matchesDockerReference().
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
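
Why the comparison in the commit message above has to normalize both sides, as an added example (not code from containers/image or docker/distribution): `expand` is a simplified stand-in written here for the library's normalization and does no syntax validation; the identities and the `registry.example.com` host are constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// expand is a hypothetical, simplified stand-in for reference normalization:
// it adds the default registry and the "library/" namespace to a minimized
// name. A first path component counts as a registry host only if it contains
// '.' or ':' or is "localhost".
func expand(ref string) string {
	domain, rest := "docker.io", ref
	if i := strings.IndexByte(ref, '/'); i != -1 {
		if first := ref[:i]; strings.ContainsAny(first, ".:") || first == "localhost" {
			domain, rest = first, ref[i+1:]
		}
	}
	if domain == "docker.io" && !strings.Contains(rest, "/") {
		rest = "library/" + rest
	}
	return domain + "/" + rest
}

// matchRaw compares the expected and signed identity strings byte for byte.
func matchRaw(expected, signed string) bool { return expected == signed }

// matchNormalized expands both sides first, so a minimized identity from an
// older signer and an expanded one from a newer signer compare equal, while a
// different registry, repository or tag still does not.
func matchNormalized(expected, signed string) bool {
	return expand(expected) == expand(signed)
}

func main() {
	expected := "docker.io/library/busybox:latest" // constructed policy identity
	for _, signed := range []string{
		"busybox:latest",                      // minimized form, same image
		"docker.io/library/busybox:latest",    // expanded form, same image
		"registry.example.com/busybox:latest", // different registry
		"busybox:1.0",                         // different tag
	} {
		fmt.Printf("%-40q raw=%-5v normalized=%v\n",
			signed, matchRaw(expected, signed), matchNormalized(expected, signed))
	}
}
```
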
Instead of silently embedding values in untrustedSignature.MarshalJSON
(and having to add a marshalJSONWithvariables to work around this),
make the creator ID and timestamp explicit fields of untrustedSignature,
and MarshalJSON a simple marshaller of existing data.
The values are now filled by calling newUntrustedSignature.
Now that the fields are explicit, we can also record them by
untrustedSignature.UnmarshalJSON.
This also explicitly defines the timestamp to be an integer, instead of
allowing floating-point values, because the JSON float64 is not precise
enough for nanosecond timestamps. For now, we reject fractional values,
which will allow us to record the nanosecond part separately in the
future if it becomes necessary.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
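
The precision problem named in the commit message above, as an added example (not code from containers/image): a nanosecond timestamp decoded through float64 changes value, while an integer-only decode either preserves it or rejects the input. The `timestamp` field name, the sample values and the function names are assumptions made for this illustration.

```go
package main

import (
	"bytes"
	"encoding/json"
	"errors"
	"fmt"
	"math"
)

// sampleNanos is a constructed nanosecond-resolution Unix timestamp.
const sampleNanos int64 = 1700000000123456789

// viaFloat64 decodes {"timestamp": ns} the default way, where every JSON
// number becomes a float64, and returns the value that survives.
func viaFloat64(ns int64) int64 {
	var v map[string]interface{}
	doc := fmt.Sprintf(`{"timestamp": %d}`, ns)
	if err := json.Unmarshal([]byte(doc), &v); err != nil {
		panic(err)
	}
	return int64(v["timestamp"].(float64))
}

// float64Gap is the spacing between adjacent float64 values near ns.
func float64Gap(ns int64) float64 {
	f := float64(ns)
	return math.Nextafter(f, math.Inf(1)) - f
}

// strictTimestamp accepts only an integer literal that fits in int64;
// fractional and exponent forms are rejected rather than rounded.
func strictTimestamp(raw []byte) (int64, error) {
	dec := json.NewDecoder(bytes.NewReader(raw))
	dec.UseNumber() // keep the literal text instead of converting to float64
	var v map[string]interface{}
	if err := dec.Decode(&v); err != nil {
		return 0, err
	}
	n, ok := v["timestamp"].(json.Number)
	if !ok {
		return 0, errors.New("timestamp missing or not a number")
	}
	return n.Int64()
}

func main() {
	fmt.Println(sampleNanos, "->", viaFloat64(sampleNanos), "gap", float64Gap(sampleNanos))
	fmt.Println(strictTimestamp([]byte(`{"timestamp": 1700000000.5}`)))
}
```
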
Instead of a privateSignature containing a Signature, and using the
privateSignature type to attach private implementations of
json.Marshaler and json.Unmarshaler and other private methods,
use a completely separate private untrustedSignature type.
This allows us to use scarier Untrusted… names for the members, but the
only real code change is that verifyAndExtractSignature now needs to do
a member-by-member copy instead of copying the full Signature struct.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
To support verification of signatures when more than one key, or more
than one identity, are accepted, have verifyAndExtractSignature accept
callbacks (in a struct so that they are explicitly named).
verifyAndExtractSignature now also validates the manifest digest. It is
intended to become THE SINGLE PLACE where untrusted signature blobs
have signatures verified, are validated against other expectations, and
parsed, and converted into internal data structures available to other
code.
Also:
- Modifies VerifyDockerManifestSignature to use utils.ManifestMatchesDigest.
- Adds a test for Docker reference mismatch in VerifyDockerManifestSignature.
also remove fixtures pkg as it would clutter godoc (there's no need
to have .go files with fixtures)
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
Move the manifest computation (with v2s1 signature stripping) out of
skopeo/signature into a separate package; it is necessary in the
OpenShift client as well, unrelated to signatures.
Other Docker-specific utilities, like getting a list of layer blobsums
from a manifest, may be also moved here in the future.