This fixes CVE-2024-3727.
Digest values used throughout this library were not always validated.
That allowed attackers to trigger, when pulling untrusted images,
unexpected authenticated registry accesses on behalf of a victim user.
In less common uses of this library (using other transports or not using
the containers/image/v5/copy.Image API), an attacker could also trigger
local path traversals or crashes.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
As we have a release-5.29 branch now that we will be updating,
bump the main branch up to v5.30-dev to stop confusion.
Signed-off-by: tomsweeneyredhat <tsweeney@redhat.com>
Bump to v5.27.0-dev. I intend to make a release branch for v5.26,
thus bumping to 27 dev here.
[NO NEW TESTS NEEDED]
Signed-off-by: Tom Sweeney <tsweeney@redhat.com>
Registry accesses now benefit from HTTP keep-alives, instead of making a separate
connection for each request.
If an image provides a Zstd variant, it is now read preferentially.
Image copies preserve OCI layer descriptor annotations in more (but not all) cases.
Now requires Go 1.18.
- Convert openshift from ghodss/yaml to gopkg.in/yaml.v3
- Convert docker from ghodss/yaml to yaml.v3
- Add a more specific error message on invalid docker-config-in-OCI-image images
- Cirrus: Use human-readable CI VM Images
- Update to github.com/vbauerster/mpb/v8
- Update to docker/docker v23.0.0
- Manually add dependencies of github.com/docker/docker
- go mod tidy -go=1.18
- Use bytes.Cut instead of bytes.Index
- Use strings.Cut instead of strings.SplitN
- Use golang.org/x/exp to avoid open-coded loops.
- Add internal/set, use it
- s/interface{}/any/g
- Use struct{} instead of interface{} for close-only channels
- Make policyJSONUmarshallerTests generic over the used type/interface
- Use net/netip.Addr instead of net.IP
- Update to golangci-lint 1.51.0
- Close http.Response.Body
- Remove duplicate words in comments
- Correctly propagate wrapped errors
- Don't use an unofficial println function
- Reformat import sections
- Use short-form assignments in various places
- Start a local variable name with lower case
- Fix some comments
- Add comment punctuation
- Remove an unnecessary else
- Update a doc string
- Don't use an underscore in variable name
- Fix a typo in an error message
- Pre-allocate arrays of known size
- Avoid an unused parameter warning
- Remove an unused error return value
- Remove unexpected blank lines
- Split dockerClient.resolveRequestURL from makeRequest
- Reconnecting blob reader
- manifest: introduce internal/manifest.ListInternal and freeze manifest.List
- Disable dependabot
- Run codespell on codebase
- Use DialContext instead of the deprecated Dial.
- Remove a direct use of golang.org/x/net/http2
- Merge pullSource tests as table driven format
- Reorder bodyReader fields to separate constants and state
- Turn millisecondsSince into millisecondsSinceOptional
- Only get current time once in errorIfNotReconnecting
- Rename some variables
- Also record, and output, the time of last retry, if any
- Relax retry heuristics
- Differentiate between no retry and immediate retry also in the printed offset
- Add unit tests for the retry heuristics
- Simplify bodyReader.errorIfNotReconnecting
- Fix various unused parameters
- Avoid importing the same subpackage twice
- Make it clear that cleartext signatures are not accepted in simple signing
- Make SigstoreFromBlobChunk package-private
- Make fields of untrustedSignature private
- Make fields of UntrustedSigstorePayload private
- distribution: remove use of deprecated dial.DualStack
- Fix builds of the ostree transport
- manifest,zstd: give priority to zstd compressed images
- copy: Image use ChooseInstanceByCompression
- oci_index: optimize lookup when platform is nil
- client: enable HTTP(S) keep-alive
- Move copyOneImage, imageCopier, and exclusive callees, to copy/single.go
- Reorder copy/single.go a bit
- Move copyMultipleImages to copy/multiple.go
- Reorder copy/copy.go a bit
- Move compression-specific variables to copy/compression.go
- Rename copyOneImage to copySingleImage
- Remove some inaccurate comments
- copy: move c.compression* to imageCopier
- Don't claim auth.json contains encrypted information
- refactor(docs): Disambiguate sigstoreSigned documentation
- Cirrus: Replace Ubuntu container w/ Debian VM
- Fix golangci-lint cache location error
- Fix a potential recursion when committing unknown blobs
- Don't use manifest.LayerInfo in storageImageDestination.indexToPulledLayerInfo
- Rename the blob parameter of commitLayer to info
- Pass individual parameter instead of types.BlobInfo to tryReusingBlobAsPending
- Use only the necessary fields in addedLayerInfo
- Rename addedLayerInfo.Digest to digest
- Don't track layer size in addedLayerInfo
- Return private.ReusedBlob from TryReusingBlobWithOptions
- Return private.UploadedBlob from PutBlobWithOptions
- Return UploadedBlob also from PutBlobPartial
- Rename sigstorePrivateKeyPemType to cosignPrivateKeyPemType
- Allow using cosign-generated private keys with a "SIGSTORE" type
- Introduce oidIssuerV1Ext
- Split fulcioIssuerInCertificate from fulcioTrustRoot.verifyFulcioCertificateAtTime
- Rename oidcIssuer and gotOIDCIssuer to oidcIssuer1 and gotOIDCIssuer1
- Update to github.com/sigstore/fulcio v1.2.0
- Add support for the Fulcio OIDIssuerV2 extension
- Add ability to verify a signature with a set of fingerprints
- Fix a repeated typo
- Add FIXMEs about handling of zstd:chunked blob annotations on blob changes
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
Now supports both creating and verifying sigstore signatures that use
Fulcio and Rekor.
A new API for signing images during copy.
docker-archive: now can read non-seekable streams.
Improved error messages for registry errors.
- Introduce oci/{archive,layout}.ImageNotFoundError
- Don't use any default path fallbacks if the user specified a path
- Introduce signature/sigstore.NewSigner
- Introduce signature/simplesigning.NewSigner
- Add pkg/cli/sigstore
- Add functional-option NewPRSigstoreSigned
- Add signature/sigstore.GenerateKeyPair
- Avoid confusion about 404 on lookaside
- Heuristically warn about lookaside servers serving HTML
- Add a limit for the total number of signatures in lookaside
- Update the public.ecr.aws error with current data
- Add a test for isManifestUnknownError
- Consolidate handleErrorResponse calls to registryHTTPResponseToError
- Discard any but the first element of errcode.Errors
- Add more detailed error tests
- Make invalid HTTP bodies unwrappable as unexpectedHTTPResponseError
- Use registryHTTPResponseToError on /tags/list failure
- Simplify error messages using the default error text
- Use registryHttpResponseToError in many more places
- set directory transport destination as thread-safe
- Recognize invalid error responses of registry.redhat.io
- Make the pseudo-config used in sigstore attachments a bit more valid
- Convert TestSignatureStorageBaseURL to table-based
- Don't call net/url.URL.Parse when we mean net/url.Parse
- Rename all "url" variables to something else
- Fix documentation comment of the stubs package
- Simplify ociReference.getManifestDescriptor
- Simplify ociReference.getManifestDescriptor a bit
- Fix typos
- Remove unnecessary conversions
- Actually test the caller-requested function
- Remove ineffective assignments
- Fix an always-true condition
- Fix unordered list formatting in containers-policy.json(5)
- docker/reference: reduce regex compilations
- docker/reference/regexp.go: constify strings
- docker/reference.literal: return QuoteMeta directly
- docker/reference.expression: use strings.Join()
- Run (gofmt -s)
- Don't incorrectly report success on failure paths
- Clarify the semantics of the optional.creator field in simple signature payload
- Call x509.SystemCertPool directly instead of tlsconfig.SystemCertPool
- Remove sockets.DialerFromEnvironment
- Use io.SeekStart instead of a hard-coded 0
- Add support for non-seekable files in docker-archive: sources
- Add comments to BlobInfo to warn against adding more edit fields
- Split test data from TestV1RegistriesConfNonempty and TestV2RegistriesConfNonempty
- Reject files mixing v1 and v2 registries.conf, even with empty fields
- Fix a typo
- Move the "human-readable description" of a helper into setAuthToCredHelper
- Correctly report a credHelpers location in SetCredentials
- Add missing documentation of build tags
- Fix comments about exponential backoff with Retry-After
- storage source: Don't store small blobs on disk in GetBlob()
- config: use `authPath` struct consistently
- config: Make parsing function a method on authFile
- storage: Immediately unlink tmpfile
- Don't duplicate the getPathToAuth rules for user-specified paths in getAuthPaths
- Move killGPGAgent into a helper package
- Terminate the GPG agent spawned by c/image/signature tests
- Speed up pkg/blobcache tests
- Turn copy.TestCreateSignature into a table-based test
- Reorder the tests in copy.TestCreateSignature
- Add a test case for signing dir: with an explicit identity
- Fix a documentation typo
- Return a generic signature.Signature from SignDockerManifestWithPrivateKeyFileUnstable
- Introduce Signer = internal/signer.Signer, and internal/signer.SignerImplementation
- Introduce signature/sigstore/internal.SigstoreSigner
- Make SigstoreSigner implement signer.SignerImplementation
- Rename signature/sigstore/sign.go to signer.go
- Consolidate the two signing implementations to copier.createSignatureWithSigner
- Refactor copy.Image to sign using []*signer.Signer
- Add copy.Options.Signers
- Don't use GPG in copy.TestCreateSignatures
- Make sure value types also implement json.Marshaler
- Add signature/internal.UntrustedRekor{SET,Payload}
- Refactor SigstoreSigner.SignImageManifest a bit
- Rekor upload
- Move the docker client User-Agent value to a shared subpackage
- Add Fulcio with OIDC authentication
- Add Fulcio with user-provided OIDC token
- Drop dead code that causes a regex compilation on init
- Do not preallocate regex in init program
- Replace copy&pasted code by a shared modifiedJSON function
- Add VerifyRekorSET
- manifest: pull Variant from an OCI config
- Remove left-over logging from test development
- Cirrus: Use F37 CI VM Image
- Add Fulcio certificate acceptance logic
- Split loadBytesFromDataOrPath and prepareTrustRoot in prSigstoreSigned
- Make a part of TestPRSigstoreSignedIsSignatureAccepted table-driven
- Split sigstore configuration parsing and API into separate files
- Add tests to reject neither of keyPath / keyData being set
- Add support for Fulcio and Rekor to sigstoreSigned
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
Image.Inspect now provides more information.
Improved support for registries that require authentication, notably for
the search operation.
- Cirrus: Use the latest imgts container
- Cirrus: Update CI VM images
- Replace use of deprecated io/ioutil
- Reformat with Go 1.19's gofmt
- Use c/image's reference package
- Rename archiveImageDestination.writer to file
- Introduce archiveImageDestination.closeWriter
- Use an *archive.Writer in dockerArchiveReference and dockerArchiveDestination
- Inline openArchiveForWriting into archive.Writer
- Automatically delete a docker-archive if we didn't write a complete image
- Update a test dependency to avoid override problems
- docker_client: Handle "invalid_scope" errors
- Document limitations of transports for remote podman client
- Remove github.com/docker/distribution/registry/client package
- Log invalid and empty credential helper entries
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
copy.Image can now copy non-image OCI artifacts.
Added support for sigstore signatures: they (and related cosign
attachments) can be copied along with images after opt-in in registries.d.
Signatures can be created by copy.Image and enforced via policy.json
(currently with public/private key pairs only).
Now requires Go 1.17.
GPGMe now must be new enough to be visible via pkg-config.
github.com/pkg/errors is no longer used; that might affect
caller-observable error types (in particular, errors.{As,Is}
might need to be used instead of pkg/errors.Cause).
Changes default paths on FreeBSD.
- Remove unused Makefile variables
- Config files should live in /usr/local on FreeBSD
- docker: validate received parts
- Use go env to fetch the go path
- docker: add workaround for CloudFront
- Improve error messages when image missing from list
- Stop calling gpgme-config
- Fix codespell errors
- Make sure github.com/opencontainers/runc >= 1.1.2 is used
- Cirrus: use Ubuntu 22.04 LTS
- Merge pull request #1576 from mtrmac/private-image
- Merge pull request #1577 from mtrmac/mocks
- Merge pull request #1571 from mtrmac/go1.17
- Merge pull request #1578 from mtrmac/sourced-image-struct
- Fix error on parallel multiple image pullings with additionallayerstore
- Merge pull request #1579 from mtrmac/copy-layers-refactor
- Reject OCI artifacts in manifest.OCI1.ImageID
- Reject OCI artifacts in manifest.OCI1.Inspect
- Refuse to convert non-image OCI artifacts to Docker formats
- Reject OCI artifacts in image.manifestOCI1.OCIConfig
- Introduce SourcedImage.CanChangeLayerCompression, use it in copy.Image
- Use an updated CI image
- Use strings.ReplaceAll instead of strings.Replace(..., -1)
- Move the main helper removal case to the main path on RemoveAllAuthentication
- Merge pull request #1588 from mtrmac/pkg_errors
- Merge pull request #1589 from mtrmac/private-dest-impls
- Merge pull request #1590 from mtrmac/private-src-impls
- Merge pull request #1592 from mtrmac/blobcache-wrap-private
- Use "io.ReadAll" instead of "os.ReadAll"
- Merge pull request #1596 from mtrmac/cosign-payload
- Generalize copy.Image to be able to copy signatures with any format
- Merge pull request #1593 from mtrmac/cosign-sigs
- Introduce signature.Cosign as a format
- Add use-cosign-attachments to registries.d/*.yaml
- Add support for reading and writing Cosign attachments, incl. signatures
- Merge pull request #1595 from mtrmac/cosign-docker
- Add support for creating Cosign signatures
- Fix a long-standing incorrect comment
- Fix JSON syntax in the policy.json(5) man page
- Correctly decode Cosign-generated payloads
- Add Cosign verification support
- s/sigstore/lookaside/g in comments and documentation
- Refer to lookasideStorage instead of signatureStorage in code
- Add lookaside and lookaside-staging, hide sigstore and sigstore-staging
- Merge pull request #1605 from mtrmac/sigstore
- Fix a typo in error messages
- Remove a copy&pasted test entry
- Add context to some test failures
- Use more valid data in TestPRSignedByIsSignatureAuthorAccepted
- Generalize keyPath/keyData exclusivity checks
- Remove repetition in tests
- Accept multiple keyrings in newEphemeralGPGSigningMechanism
- Allow accepting multiple GPG keyrings via signedBy.keyPaths
- Switch to golang native error wrapping
- Point out use-sigstore-registries in sigstoreSigned documentation
- Use .pub extension for public keys in sigstoreSigned examples
- copy: print copy info once when writer==io.Discard
- Silence a "potentially unused parameter" warning
- Read signatures from UnparsedImage instead of ImageSource directly
- Consolidate reading messages, and checking for support, into a helper
- build(deps): bump github.com/containers/storage from 1.40.0 to 1.40.2
- build(deps): bump github.com/docker/docker
- build(deps): bump github.com/klauspost/compress from 1.15.2 to 1.15.3
- build(deps): bump github.com/klauspost/compress from 1.15.3 to 1.15.4
- build(deps): bump github.com/docker/docker
- build(deps): bump github.com/proglottis/gpgme from 0.1.1 to 0.1.2
- build(deps): bump github.com/vbauerster/mpb/v7 from 7.4.1 to 7.4.2
- build(deps): bump github.com/imdario/mergo from 0.3.12 to 0.3.13
- build(deps): bump github.com/klauspost/compress from 1.15.4 to 1.15.5
- build(deps): bump github.com/sylabs/sif/v2 from 2.7.0 to 2.7.1
- build(deps): bump github.com/klauspost/compress from 1.15.5 to 1.15.6
- build(deps): bump github.com/stretchr/testify from 1.7.1 to 1.7.2
- build(deps): bump github.com/docker/docker
- build(deps): bump github.com/stretchr/testify from 1.7.2 to 1.7.4
- build(deps): bump github.com/stretchr/testify from 1.7.4 to 1.7.5
- build(deps): bump github.com/stretchr/testify from 1.7.5 to 1.8.0
- build(deps): bump github.com/klauspost/compress from 1.15.6 to 1.15.7
- build(deps): bump github.com/proglottis/gpgme from 0.1.2 to 0.1.3
- build(deps): bump github.com/klauspost/compress from 1.15.7 to 1.15.8
- build(deps): bump github.com/sirupsen/logrus from 1.8.1 to 1.9.0
- build(deps): bump github.com/theupdateframework/go-tuf
- build(deps): bump github.com/BurntSushi/toml from 1.1.0 to 1.2.0
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
Mirrors defined in registries.conf can now be restricted for
tag/digest references only, using the new pull-from-mirror option.
New option copy.Options.SignIdentity.
The library now formally requires Go 1.15 (which was, in practice,
already the case).
- vendor: bump c/storage to main/d06b0f8
- storage: use race-free AddNames instead of SetNames
- build(deps): bump github.com/klauspost/compress from 1.14.4 to 1.15.0
- Update github.com/containerd/containerd
- build(deps): bump github.com/docker/distribution
- build(deps): bump github.com/sylabs/sif/v2 from 2.3.2 to 2.4.0
- build(deps): bump github.com/docker/docker
- build(deps): bump github.com/klauspost/compress from 1.15.0 to 1.15.1
- Silence go-staticcheck about openpgp use
- Try to make (make lint) pass with Go 1.18
- build(deps): bump github.com/stretchr/testify from 1.7.0 to 1.7.1
- Use assert.ErrorContains
- build(deps): bump github.com/sylabs/sif/v2 from 2.4.0 to 2.4.1
- Update an obsolete comment
- Use Testing.T.Cleanup() to simplify tests
- Modify makeRequestToResolvedURL and makeRequestToResolvedURLOnce to accept an *url.URL
- Use url.Redacted() in log output
- Use testing.T.TempDir()
- Simplify blobinfocache/internal/test.GenericCache
- build(deps): bump github.com/containers/ocicrypt from 1.1.2 to 1.1.3
- build(deps): bump github.com/docker/docker
- registries.conf: prefixes: subdomain matching
- registries.conf: fix typo in prefix
- toml decoding: report unknown keys
- build(deps): bump github.com/opencontainers/selinux
- Add option to specify the identity for signing
- Use only full named references for signing identity
- Add pull-from-mirror for adding per-mirror level restrictions
- build(deps): bump github.com/sylabs/sif/v2 from 2.4.1 to 2.4.2
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
- docker/reference: add IsFullIdentifier
- Changed oci layout transport to thread-safe destination
- add pkg/blobcache from Buildah
- blobcache: drop import on buildah/docker
- blobcache: drop history comment
- blobcache: make `ClearCache()` private
- blobcache: remove `CacheLookupReferenceFunc`
- blobcache: turn BlobCache into a struct
- blobcache: export clearCache
- Remove (unused and unreachable) keyring support
- Eliminate a goroutine
- Also introduces internal-only interfaces to allow extending the
transport feature set in the future
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
- build(deps): bump github.com/klauspost/compress from 1.14.1 to 1.14.2
- build(deps): bump github.com/containers/storage from 1.38.0 to 1.38.1
- build(deps): bump github.com/containers/storage from 1.38.1 to 1.38.2
Signed-off-by: Miloslav Trmač <mitr@redhat.com>