Commit Graph

58 Commits

Author SHA1 Message Date
Miloslav Trmač f2c0a16b78 Use short-form assignments in various places
golangci-lint linter: gocritic

Signed-off-by: Miloslav Trmač <mitr@redhat.com>
2023-02-06 21:23:14 +01:00
Miloslav Trmač df1b3a7d24 Refer to sigstore instead of cosign in most places
Note that this involves an incompatible signature binary format change.

Signed-off-by: Miloslav Trmač <mitr@redhat.com>
2022-07-12 13:11:29 +02:00
Miloslav Trmač 64756915ba Add Cosign verification support
type: cosignSigned, with the usual keyData/keyPath.
Fulcio/Rekor is not currently implemented.

NOTE: This only allows a single public key, not a keyring,
unlike simple signing. That seems problematic, there are
known users of that. But we can fix that later by adding
keyDirectory and the like.

NOTE: Cosign interoperability requires use of
signedIdentity: matchRepository. The fairly useful
signedIdentity: remapIdentity has no repository-match
functionality.

NOTE: Multi-arch images need to be signed by cosign
with --recursive to be accepted; c/image enforces
signatures per platform.

Signed-off-by: Miloslav Trmač <mitr@redhat.com>
2022-07-08 18:38:45 +02:00
Miloslav Trmač bdb2613fe6 Add private.UnparsedImage, use it for signature handling
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
2022-07-07 18:38:27 +02:00
Miloslav Trmač 4b4a5be041 Generalize copy.Image to be able to copy signatures with any format
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
2022-07-07 13:44:22 +02:00
Miloslav Trmač 6bc578535a Introduce mocks.ForbiddenUnparsedImage, use it to simplify tests
Should not change (test) behavior.

Signed-off-by: Miloslav Trmač <mitr@redhat.com>
2022-06-13 23:53:56 +02:00
Miloslav Trmač 5bac9979d1 Remove irrelevant methods from forbiddenImageMock
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
2022-06-13 23:53:17 +02:00
Miloslav Trmač 94a2667e94 Introduce mocks.ForbiddenImageReference, use it to simplify tests
Should not change (test) behavior.

Signed-off-by: Miloslav Trmač <mitr@redhat.com>
2022-06-13 23:53:14 +02:00
Miloslav Trmač 9dd2c4d959 Add a signedIdentity choice "type": "remapIdentity"
This allows accepting signatures for a complete or partial
mirror of some other repository namespace in a single step,
similar in signing effect to setting up mirrors in registries.conf,
but letting image consumers refer to the mirrors directly.

For tag/digest matching, this currently only implements the
default matchRepoDigestOrExact-like semantics; it's the right
choice for almost all users, and we can add other alternatives
later if it turned out to be necessary.

Signed-off-by: Miloslav Trmač <mitr@redhat.com>
2020-12-04 17:57:34 +01:00
Miloslav Trmač c72cda77d3 Split matchRepoDigestOrExactReferenceValues from prmMatchRepoDigestOrExact
We will use it in prmRemapIdentity.

Should not change behavior.

Signed-off-by: Miloslav Trmač <mitr@redhat.com>
2020-12-04 17:57:34 +01:00
Miloslav Trmač 0ddba56734 Split a table from TestPRMMatchRepoDigestOrExactMatchesDockerReference
We are going to reuse it for two other tests.

Signed-off-by: Miloslav Trmač <mitr@redhat.com>
2020-12-04 17:57:34 +01:00
Miloslav Trmač 430c9fc677 Improve testing of PolicyReferenceMatch
Differentiate testPossiblyInvalidImageAndSig and testImageAndSig,
so that we don't silently skip cases where we don't expect the
imageRef to be invalid.

Should not change behavior.

Signed-off-by: Miloslav Trmač <mitr@redhat.com>
2020-12-04 17:57:34 +01:00
Daniel J Walsh 33bcba75bb Fix problems found by codespell
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2020-09-15 10:17:41 -04:00
Ivan Voronchihin 21320ca776 Fix golangci-lint advises
Signed-off-by: Ivan Voronchihin <bege13mot@gmail.com>
2019-11-26 18:31:04 +04:00
Miloslav Trmač 7d9cde7252 Update to major version v5
> gomove github.com/containers/image/v4 github.com/containers/image/v5
+ a manual edit of go.mod

Signed-off-by: Miloslav Trmač <mitr@redhat.com>
2019-10-25 22:27:45 +02:00
Miloslav Trmač e568c94ef3 Correctly use a c/image/v4 module namespace
... so that major-version-aware Go module import
(as opposed to vX.Y.Z+incompatible, which does not allow different
packages to use different versions) works right.

Also requires adding some more GO111MODULE=on options to Makefile.

Signed-off-by: Miloslav Trmač <mitr@redhat.com>
2019-10-03 22:54:27 +02:00
Valentin Rothberg 515f739161 policy_reference_match_test: use lower character for digests
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
2018-12-19 13:19:30 +01:00
Miloslav Trmač cb7c92c041 Move signature.nameImageTransportMock into new internal/testing/mocks
This will be useful in the next commit. (If mocks are useful at all), let's start
reusing them more widely.

Signed-off-by: Miloslav Trmač <mitr@redhat.com>
2018-12-06 18:59:24 +01:00
Mike Lundy 369c44212b Put context.Context arguments on almost everything
- Network IO paths should react to cancels now.
- File IO paths generally still won't.
- `SystemContext` objects have been renamed to `sys` to leave `ctx`
  available for the stdlib context objects.

Signed-off-by: Mike Lundy <mike@fluffypenguin.org>
2018-04-07 04:34:51 -07:00
Giuseppe Scrivano 3b84e21f38 types: change LayerInfosForCopy to return an error
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2018-02-21 13:03:40 +01:00
Nalin Dahyabhai a60b1e19ff Add LayerInfosForCopy() to unparsed/source images
Add a LayerInfosForCopy() method to source images which gives them a
chance to provide updated values for the blobsums contained in the
image's manifest, if they want to.  Returning `nil` implies that they
have no changes to suggest compared to what's in the manifest.

When copying an image, if we can update the manifest with those new
values during copying, do so.  If we have new values, but we can't
update the manifest, copying fails.

Update storageImageSource to return its manifest and reference in
unmodified form, and supply updated blob digests via LayerInfosForCopy()
so that copying images from storage works.

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
2017-12-11 16:01:06 -05:00
Miloslav Trmač 32374d9fa9 Do not Close the ImageSource in UnparsedImage/Image
Remove the .Close() methods from UnparsedImage/Image, which closed the
underlying ImageSource.  Instead, just require the caller to ensure
that the ImageSource is not closed as long as the UnparsedImage/Image
are used.

This allows using several independent UnparsedImage/Image instances
for a shared ImageSource; notably independent Image objects for the
individual image instances in a manifest list.  (copy.Image is already
simpler although it is only using a single instance.)

To keep ImageReference.NewImage simple and not to break all the external
callers of this, also add a simple ImageCloser wrapper which retains
the ImageSource closing functionality, and return it from image.FromSource
and ImageReference.NewImage implementations.

(It's very likely many of the NewImage callers would be surprised by how this
handles manifest lists, and it is very tempting to break this API, at least
by renaming, to force the callers to consider this; however, this would be
better done after eliminating the need of ImageReference.NewImage entirely,
by replacing the specialized types.Image extensions with something else, first.)

Signed-off-by: Miloslav Trmač <mitr@redhat.com>
2017-11-15 20:06:05 +01:00
Owen W. Taylor 56b61acbe8 ImageReference.NewImageSource: remove requestedManifestMIMETypes parameter
The requestedManifestMIMETypes parameter was added because a destination
might not support all manifest MIME types that the source supports,
but the original use case now passes all manifest types and lets
containers/image convert internally. In general, internal conversion
may be more comprehensive, is more predictable, and avoids bypassing
internal checks.

Fixes: #331
Signed-off-by: Owen W. Taylor <otaylor@fishsoup.net>
2017-09-05 07:56:42 -04:00
Michal Fojtik 1ef1350679 pass context.Context to signature retrieval http calls
Signed-off-by: Michal Fojtik <mfojtik@redhat.com>
2017-08-02 21:16:23 +02:00
Erik Hollensbe cdb838d9ac Close with error in all interfaces
This allows us to provide in the image interfaces a method of providing
an error at close time. This is only currently used in a few situations.

Signed-off-by: Erik Hollensbe <github@hollensbe.org>
2017-02-25 04:02:11 -08:00
Miloslav Trmač ecdd233c84 Copy github.com/docker/distribution/reference to docker/reference
This replaces the copy of github.com/docker/docker/reference in the same
place, which we have just gotten rid of, and allows using this package
even in consumers which insist on an incompatible version of
docker/distribution.

The copy has been edited to drop a reference to
github.com/docker/distribution/digestset .

Signed-off-by: Miloslav Trmač <mitr@redhat.com>
2017-02-07 15:25:27 +01:00
Miloslav Trmač a81649c9c7 API transition: Drop reference.XParseNamed
Instead call distreference.ParseNormalizedNamed directly.

(This looks bigger than it really is because so many files now don't
need c/i/docker/reference, so they are dropping the “distreference”
qualifier for docker/distribution/reference.)

Signed-off-by: Miloslav Trmač <mitr@redhat.com>
2017-02-07 15:25:27 +01:00
Miloslav Trmač 184b810c05 BEHAVIOR CHANGE: Do not re-construct the reference in XParseNamed
Instead of rebuilding it as name/name+digest/name+tag, just use the
return value from distreference.ParseNormalizedName without
modification.

THIS CHANGES BEHAVIOR: before, name@tag:digest inputs were silently
treated as name:digest, dropping the tag; now the semantics is correctly
preserved.

We already anticipate such strings as references in docker: and
docker-daemon: (where they are now rejected) and in signature
verification (where, unless we check repository names only, they must
match exactly).

Signed-off-by: Miloslav Trmač <mitr@redhat.com>
2017-02-07 15:25:27 +01:00
Miloslav Trmač 32d33ac0f4 API transition: Drop reference.XWithName
Instead use distreference.ParseNormalizedNamedDirectly (and update
obsolete comments).

Signed-off-by: Miloslav Trmač <mitr@redhat.com>
2017-02-07 15:25:27 +01:00
Miloslav Trmač dfe2fafaa2 API transition: Drop reference.XNamed
Instead use the distreference.Named interface directly.

Signed-off-by: Miloslav Trmač <mitr@redhat.com>
2017-02-07 15:25:26 +01:00
Miloslav Trmač 7abfa9812f API transition: Drop XNamed.XString
Instead call distreference.FamiliarString() for SOME uses, generally for
error messages and StringWithinTransport().

In signature/policy_reference_match.go and signature/docker.go, where we
care about equality but not exactly about the kind of normalization, call
XNamed.String() instead, with the same rationale as the earlier
Name/FamiliarName choice.

In copy.Image, when creating a signature, use .String() (i.e. the fully
explicit form), for that extra bit of safety.

In tests, generally use the simpler .String() and modify expected
results, instead of calling FamiliarString().

XNamed is now equivalent to distreference.Named, all the extra methods
have gone away.

Signed-off-by: Miloslav Trmač <mitr@redhat.com>
2017-02-07 15:25:26 +01:00
Miloslav Trmač dda360d9ec API separation: Add an 'X' to all public names from c/i/docker/daemon/reference
This is an intermediate step which will eventually go away.

The goal of this PR is to get rid of c/i/docker/daemon/reference and to
replace uses of it by direct calls to docker/distribution/reference.

We can't do that safely and easily, because the two have different
semantics for reference.Named.Name() and reference.Named.String(): we
return a minimized version, e.g. "busybox", upstream returns an expanded
version, e.g. "docker.io/library/busybox".

BEFORE this commit the difference is hidden by using
docker/distribution/reference.WithName, which allows using the minimized
version, and works with it correctly; but because we want to use the
upstream canonicalization code, which will change semantics, we can't
just mix and match.

To make the distinction explicit, this commit adds an X to ALL public
names from c/i/docker/daemon/reference.  E.g. a reference.XNamed type,
which has methods XName and XString.

This is pretty large, but does not change behavior at all.  By
inspection it is clear to see that reference.XNamed and subtypes do
not expose any of the non-X, conflicting, method names.

Using e.g.
> git diff --word-diff-regex=.|grep -F '{+'|grep -v '^\([^{]\|{+X+}\)*{\?$'
it is possible to see that most lines in this diff only add a single X
letter, and manually inspect the few lines which don't match the regexp.

The only REALLY new code is an explicit definition of namedRef.XName()
and namedRef.XString(), and two newly added casts to namedRef in cases
where we need to use the underlying distreference.Reference within
a reference.XNamed value.  Strictly speaking these changes change
behavior, in that third-party implementations of reference.XNamed are no
longer accepted; but we broke them by renaming at all.

Signed-off-by: Miloslav Trmač <mitr@redhat.com>
2017-02-07 15:24:14 +01:00
Miloslav Trmač 322058e563 Add signedIdentity type:matchRepoDigestOrExact, make it the default
This is the new default: tag references require a signature with a
matching repo:tag, digest references require a signature with a matching
repo (and any tag [or digest]), with the digest itself still being
validated in image.UnparsedImage, independently of signature processing.

Users can still opt into strict checking by specifying matchExact
in signedIdentity.

Also update most tests to use matchExactOrSignedDigest, to match
the default.

Signed-off-by: Miloslav Trmač <mitr@redhat.com>
2016-11-08 15:04:53 +01:00
Miloslav Trmač 99d99415ba Make the existing policy_reference_match_test cases symmetric
We expect symmetric behavior; this makes it clearer and allows us to
remove a few cases from the pretty lengthy tables.

Signed-off-by: Miloslav Trmač <mitr@redhat.com>
2016-11-08 15:04:53 +01:00
Antonio Murdaca 6021224098 docker: fork docker/dockerreference pkg
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2016-10-11 16:53:40 +02:00
Miloslav Trmač b8751d89dc Add types.UnparsedImage
Currently we use a types.Image, which supports lots of parsing, for
verification processing in signature.PolicyContext.

In the future, we will want that types.Image to do significantly more
processing at initialization time (e.g. determine manifest type and
fully parse it), which is undesirable for signature verification
— there we would _really_ prefer to first find a signature which
cryptographically verifies, before even _downloading_ the manifest,
let alone processing it in any way.

So, split the minimum functionality desired for processing unsigned
images (manifest and signature caching) into a separate UnparsedImage
type.

Right now, this does not affect any Image or UnparsedImage
implementation (apart from dropping a few panic()ing mock functions).

(Note that for some more advanced processing, signature/* may create a
types.Image out of the given types.UnparsedImage in the future — but
that would be an intentional action after the signature code determines
that there is enough presumed trust to even start parsing anything.)

Signed-off-by: Miloslav Trmač <mitr@redhat.com>
2016-10-11 13:00:27 +02:00
Antonio Murdaca 98107908fc manifest: enable DockerV2List
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2016-10-06 16:28:04 +02:00
Miloslav Trmač c9594f2c94 Add types.Image.UpdatedManifest
This does nothing right now; it will serve as a general interface to
modify the manifest as copy.go and other users need.

Signed-off-by: Miloslav Trmač <mitr@redhat.com>
2016-09-19 20:01:57 +02:00
Miloslav Trmač 4bcef6f994 Replace ConfigDigest and LayerDigests with ConfigInfo and LayerInfos
This adds the size member; unused for now, but we will need to fill it
in schema2 manifests when editing them.

Signed-off-by: Miloslav Trmač <mitr@redhat.com>
2016-09-16 21:49:07 +02:00
Miloslav Trmač c2fe792f26 Replace Image.BlobDigests with Image.ConfigDigest and Image.LayerDigests
This gives more information about the layer structure, and it will make
it easier to replace layer blobs with compressed versions.

NOTE: This changes behavior of types.Image.Inspect() for schema 1,
reversing the order of digests in InspectInfo.Layers.

Signed-off-by: Miloslav Trmač <mitr@redhat.com>
2016-09-16 21:49:07 +02:00
Miloslav Trmač 45037ddc47 Add ImageSource.Close and Image.Close
These methods are necessary to clean up the temporary tar file copy in
daemonImageSource.

Signed-off-by: Miloslav Trmač <mitr@redhat.com>
2016-09-05 22:46:45 +02:00
Miloslav Trmač be7e92f900 Move deleting images from ImageSource to ImageReference
For lookaside signature store, and separating the read and write URLs,
we need to set up read-only and read-write states differently; having
read-write “delete” in dockerImageSource is inconvenient.

In the future, ImageSource.Delete will be a really poor fit for
docker-daemon:, where initializing the ImageSource causes the tarball
to be copied from the daemon.  We could instead implement the
docker-daemon source so that it only copies the tarball on demand, but
not sharing the object is much simpler.

This leaves the Docker implementation in docker_image_src.go to make
reviewing easier.

Signed-off-by: Miloslav Trmač <mitr@redhat.com>
2016-08-31 21:13:31 +02:00
Miloslav Trmač dff447c638 Move manifest MIME type selection from GetManifest to ImageSource creation
This allows the selection to be consistent across GetManifest and
GetSignatures (which will be needed by Docker lookaside).

The API change causes lots of churn, but ultimately it just moves the
real origin of the value from image.FromSource() to transport.NewImageSource(),
both of which are static for the life of the ImageSource.

Does not change behavior.

Signed-off-by: Miloslav Trmač <mitr@redhat.com>
2016-08-31 21:13:31 +02:00
Miloslav Trmač 8ad0cad4ea Use types.SystemContext in NewImage*
... instead of Docker-specific certPath and tlsVerify.

Also invert the sense of tlsVerify to make the default secure.

Signed-off-by: Miloslav Trmač <mitr@redhat.com>
2016-08-31 21:13:31 +02:00
Miloslav Trmač 55bcc37672 Add policy configuration scope validation
This e.g. rejects relative paths for directories.

Notably docker: transport is the only one which does not do any real
validation; we could copy&paste the character ranges and lengths
directly from docker/distribution/reference, which feels fairly ugly.

Signed-off-by: Miloslav Trmač <mitr@redhat.com>
2016-07-18 21:07:28 +02:00
Miloslav Trmač be1e012a0f Add types.ImageReference.PolicyConfiguration{Identity,Namespaces}
This makes the core policy lookup logic Docker-independent,
with the underlying Docker-specific implementation moved to
docker/policyconfiguration/naming.go.

Does not change behavior, only docker: and atomic: transports
currently implement the policy configuration naming, in a compatible
way, and the policy configuration is still not transport-aware.  That
happens next.

Signed-off-by: Miloslav Trmač <mitr@redhat.com>
2016-07-18 20:50:11 +02:00
Miloslav Trmač 365c318161 Use transports.ImageName in error messages
This requires some new and expanded mocks instead of cheating and
passing nil objects.

Signed-off-by: Miloslav Trmač <mitr@redhat.com>
2016-07-16 05:09:39 +02:00
Miloslav Trmač 9ccdcf8c40 Separate DockerReference-only mocks from policy mocks
This allows the DockerReference-only refImageReferenceMock to be a bit
tighter about rejecting unexpected calls, and it will be useful
soon when policy is handled separately from DockerReference.

At the moment this does not change much, separately committed primarily
to ease reviewing.

Signed-off-by: Miloslav Trmač <mitr@redhat.com>
2016-07-16 05:08:38 +02:00
Miloslav Trmač b462e18ca7 Replace IntendedDockerReference by Reference().DockerReference
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
2016-07-16 05:08:38 +02:00
Miloslav Trmač ca400b95a2 Return a reference.Named instead of a string for Docker references
This is somewhat better typed, and avoids unnecessary roundtrips using
strings when both the producer and consumer want a reference.Named value
(like in PolicyContext.requirementsForImage).

This also forces us to explicitly handle IntendedDockerReference()
returning nil, when before we could rely on it returning "", which would
then be rejected by reference.ParseNamed as invalid input; anyway,
handling that case specially just allows for better error messages.

This adds two FIXMEs about error messages which do not tell the user
which image is being rejected; that will be fixed in the future
generalized reference work.

Signed-off-by: Miloslav Trmač <mitr@redhat.com>
2016-07-11 21:25:07 +02:00