Remove Notary and Content Trust

This commit removes Notary and Content Trust. Notary v1 is due to be replaced with Notary v2 soon. There is no clean migration path from one to the other. For now, this removes all signing from LinuxKit. We will look to add this back once a new Notary alternative becomes available. Signed-off-by: Dave Tucker <dave@dtucker.co.uk>
2025-09-01 23:18:41 +00:00 · 2021-03-19 15:14:28 +00:00
parent 1f93eab506
commit 561ce6f4be
171 changed files with 126 additions and 29608 deletions
--- a/tools/alpine/Makefile
+++ b/tools/alpine/Makefile
@@ -4,12 +4,6 @@ ORG?=linuxkit
 IMAGE=alpine
 DEPS=packages

-ifeq ($(DOCKER_CONTENT_TRUST),)
-ifndef NOTRUST
-export DOCKER_CONTENT_TRUST=1
-endif
-endif
-
 ARCH := $(shell uname -m)
 ifeq ($(ARCH), x86_64)
 DEPS += packages.x86_64
--- a/tools/alpine/push-manifest.sh
+++ b/tools/alpine/push-manifest.sh
@@ -2,16 +2,13 @@
 set -e

 # This script creates a multiarch manifest for the 'linuxkit/alpine'
-# image, pushes and signs it. The manifest is pushed with the tag of
+# image and pushes it. The manifest is pushed with the tag of
 # the amd64 images (which is the suffix removed). On macOS we use the
-# credentials helper to extract the Hub credentials. We need to
-# manually sign the manifest using 'notary'.
+# credentials helper to extract the Hub credentials.
 #
 # This script is specific to 'linuxkit/alpine'. For normal packages we
 # use a different scheme.
 #
-# For signing, DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE must be set.
-#
 # This should all be replaced with 'docker manifest' once it lands.

 ORG=$1
@@ -80,58 +77,4 @@ fi
 # Push manifest list
 OUT=$(manifest-tool $MT_ARGS push from-spec --ignore-missing "$YAML")
 rm "$YAML"
-echo "$OUT"
-
-# Extract sha256 and length from the manifest-tool output
-SHA256=$(echo "$OUT" | cut -d' ' -f2 | cut -d':' -f2)
-LEN=$(echo "$OUT" | cut -d' ' -f3)
-
-NOTARY_DELEGATION_PASSPHRASE="$DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE"
-
-# Notary requires a PTY for username/password so use expect for that.
-export NOTARY_DELEGATION_PASSPHRASE="$DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE"
-NOTARY_CMD="notary -s https://notary.docker.io -d $HOME/.docker/trust addhash \
-             -p docker.io/"$ORG"/"$IMAGE" $TAG $LEN --sha256 $SHA256 \
-             -r targets/releases"
-
-echo '
-spawn '"$NOTARY_CMD"'
-set pid [exp_pid]
-set timeout 60
-expect {
-    timeout {
-        puts "Expected username prompt"
-        exec kill -9 $pid
-        exit 1
-    }
-    "username: " {
-        send "'"$USER"'\n"
-    }
-}
-expect {
-    timeout {
-        puts "Expected password prompt"
-        exec kill -9 $pid
-        exit 1
-    }
-    "password: " {
-        send "'"$PASS"'\n"
-    }
-}
-expect {
-    timeout {
-        puts "Expected password prompt"
-        exec kill -9 $pid
-        exit 1
-    }
-    eof {
-    }
-}
-set waitval [wait -i $spawn_id]
-set exval [lindex $waitval 3]
-exit $exval
-' | expect -f -
-
-echo
-echo "New signed multi-arch image: $REPO:$TAG"
-echo
+echo "$OUT"