Verify signatures on pull #157
Conversation
(5) Container image signing and verification with a single key
|
On Wed, Aug 10, 2016 at 04:03:54PM -0700, Miloslav Trmač wrote:
sure thing, thanks for the headsupLokesh |
mtrmac
force-pushed
the
verify-on-pull
branch
2 times, most recently
from
265a829 to
a104f2d
Compare
|
I like Unsure about failing hard if not LGTM though, reviewed #50 as well |
|
yup, saying I'm fine with that :) |
|
Should the path be vendor neutral? Or is this a path handed to container/images? |
|
after meeting: |
|
The path comes from To be precise, the path would be |
mtrmac
force-pushed
the
verify-on-pull
branch
2 times, most recently
from
525aa32 to
28ec068
Compare
|
Revendored to use |
| // getPolicyContext handles the global "policy" flag. | ||
| func getPolicyContext(c *cli.Context) (*signature.PolicyContext, error) { | ||
| policyPath := c.GlobalString("policy") | ||
| var policy *signature.Policy // This could be cached across calls, if we had an application context. |
There was a problem hiding this comment.
Can be contacted in a single var block
There was a problem hiding this comment.
Yeah, OTOH it is easier to attach the “This could be cached” comment to the policy variable when it is on a separate line.
There was a problem hiding this comment.
I believe it's a somehow golang idiom, you can still add comments on top of each variable in a var block
|
Just a nit, LGTM otherwise Feel free to merge containers/image bit, re vendor here and merge here |
This ordinarily uses the compiled-in default, but allows per-command override. No users yet. Note that this adds an URL to policy documentation within containers/image, and that URL does not exist at the moment.
…on tests (skopeo copy) will soon ALWAYS require a present policy file. So, install one by (make install), and ensure that integration tests do so as well. Also simplifies the usage of install(1) a bit.
Finally, load and enforce the policy. NOTE that this breaks a simple ./skopeo from a built directory if you don't have /etc/atomic/policy.json installed for other reasons; use (./skopeo --policy default-policy.json) instead.
|
Thanks for the review! I have decided to drop the dependency on containers/image#50 ; the cost is that the link in |
4 participants
Adds
/etc/atomic/policy.json, and a command-line option to override (skopeo --policy some_path copy …), and enforces this policy inskopeo copy.make installnow installsdefault-policy.jsonto/etc/atomic/policy.json; the policy is set toinsecureAcceptAnythingfor all images by default. (This may not be desirable long-term, but it is a reasonable transition strategy for now I think. The policy always uses the most specific matching scope, so it is easy to e.g. pin a key and require signatures for a specific repository namespace.)Note that with merging this,
./skopeowill abort if the policy in/etc/atomicdoes not exist. This should not affect real deployments, but may be noticeable with local checkouts. A bit regrettable, but we do need to fail closed if a policy can’t be read. (Use./skopeo --policy default-policy.json …in a checkout.)This depends on, and vendors in, unmerged containers/image#49 and containers/image#50 , I will revendor as necessary.
@lsm5 , note that adding the config file will affect packaging.
@rhatdan , any comments on the path
/etc/atomic/policy.json?