From 72e7945ec63f6f965fea727a876fa63bc2d56bcc Mon Sep 17 00:00:00 2001 From: Riyaz Faizullabhoy Date: Wed, 26 Apr 2017 10:55:20 -0700 Subject: [PATCH 1/5] Add signing targets for binfmt, c-compile, go-compile, rngd, tini, toybox-media Signed-off-by: Riyaz Faizullabhoy --- pkg/binfmt/Makefile | 6 ++++++ pkg/rngd/Makefile | 6 ++++++ tools/c-compile/Makefile | 6 ++++++ tools/go-compile/Makefile | 6 ++++++ tools/tini/Makefile | 6 ++++++ tools/toybox-media/Makefile | 6 ++++++ 6 files changed, 36 insertions(+) diff --git a/pkg/binfmt/Makefile b/pkg/binfmt/Makefile index c306d5e93..c9ce6d9ab 100644 --- a/pkg/binfmt/Makefile +++ b/pkg/binfmt/Makefile @@ -23,6 +23,12 @@ push: tag rm -f hash docker rmi $(IMAGE):build || true +sign: tag + DOCKER_CONTENT_TRUST=1 docker pull linuxkit/$(IMAGE):$(shell cat hash) || \ + DOCKER_CONTENT_TRUST=1 docker push linuxkit/$(IMAGE):$(shell cat hash) + rm -f hash + docker rmi $(IMAGE):build || true + clean: rm -f hash docker rmi $(IMAGE):build || true diff --git a/pkg/rngd/Makefile b/pkg/rngd/Makefile index f6d908d83..9f703133b 100644 --- a/pkg/rngd/Makefile +++ b/pkg/rngd/Makefile @@ -19,6 +19,12 @@ push: tag rm -f hash docker rmi $(IMAGE):build || true +sign: tag + DOCKER_CONTENT_TRUST=1 docker pull linuxkit/$(IMAGE):$(shell cat hash) || \ + DOCKER_CONTENT_TRUST=1 docker push linuxkit/$(IMAGE):$(shell cat hash) + rm -f hash + docker rmi $(IMAGE):build || true + clean: rm -f hash docker rmi $(IMAGE):build || true diff --git a/tools/c-compile/Makefile b/tools/c-compile/Makefile index 2a143821f..979030fbe 100644 --- a/tools/c-compile/Makefile +++ b/tools/c-compile/Makefile @@ -23,6 +23,12 @@ tag: hash docker rmi $(IMAGE):build rm -f hash +sign: tag + DOCKER_CONTENT_TRUST=1 docker pull linuxkit/$(IMAGE):$(shell cat hash) || \ + DOCKER_CONTENT_TRUST=1 docker push linuxkit/$(IMAGE):$(shell cat hash) + rm -f hash + docker rmi $(IMAGE):build || true + clean: rm -f hash 
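Review bot: `sign` signs whatever `tag` leaves under `linuxkit/$(IMAGE):$(shell cat hash)`, but `tag` (its recipe is outside this hunk; the pkg/binfmt context in PATCH 4 shows it) first tries a plain `docker pull linuxkit/$(IMAGE):$(shell cat hash) ||` before building, so when an unsigned image with that tag already exists in the registry no build happens and the `DOCKER_CONTENT_TRUST=1 docker push` attaches the repository signature to content the signer neither built nor verified. The prerequisite should be a rule that either pulls under `DOCKER_CONTENT_TRUST=1` or builds locally (the `signed-tag` target introduced in PATCH 5 of this series does this). `sign` is also not added to a `.PHONY` line (the declaration, if any, is outside the hunk), so a file named `sign` in the package directory would make the target look up to date. The identical hunks in pkg/rngd, tools/c-compile, tools/go-compile, tools/tini and tools/toybox-media have the same issue.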
diff --git a/tools/go-compile/Makefile b/tools/go-compile/Makefile index 3ca4406fb..5d7822285 100644 --- a/tools/go-compile/Makefile +++ b/tools/go-compile/Makefile @@ -23,6 +23,12 @@ tag: hash docker rmi $(IMAGE):build rm -f hash +sign: tag + DOCKER_CONTENT_TRUST=1 docker pull linuxkit/$(IMAGE):$(shell cat hash) || \ + DOCKER_CONTENT_TRUST=1 docker push linuxkit/$(IMAGE):$(shell cat hash) + rm -f hash + docker rmi $(IMAGE):build || true + clean: rm -f hash diff --git a/tools/tini/Makefile b/tools/tini/Makefile index adacde647..ea5059185 100644 --- a/tools/tini/Makefile +++ b/tools/tini/Makefile @@ -19,6 +19,12 @@ push: tag rm -f hash docker rmi $(IMAGE):build || true +sign: tag + DOCKER_CONTENT_TRUST=1 docker pull linuxkit/$(IMAGE):$(shell cat hash) || \ + DOCKER_CONTENT_TRUST=1 docker push linuxkit/$(IMAGE):$(shell cat hash) + rm -f hash + docker rmi $(IMAGE):build || true + clean: rm -f hash docker rmi $(IMAGE):build || true diff --git a/tools/toybox-media/Makefile b/tools/toybox-media/Makefile index c50f62ee4..d79af0ac8 100644 --- a/tools/toybox-media/Makefile +++ b/tools/toybox-media/Makefile @@ -19,6 +19,12 @@ push: tag rm -f hash docker rmi $(IMAGE):build || true +sign: tag + DOCKER_CONTENT_TRUST=1 docker pull linuxkit/$(IMAGE):$(shell cat hash) || \ + DOCKER_CONTENT_TRUST=1 docker push linuxkit/$(IMAGE):$(shell cat hash) + rm -f hash + docker rmi $(IMAGE):build || true + clean: rm -f hash docker rmi $(IMAGE):build || true From 78a0d018c1654c911f8693c575e19226cb86af2d Mon Sep 17 00:00:00 2001 From: Riyaz Faizullabhoy Date: Wed, 26 Apr 2017 11:53:14 -0700 Subject: [PATCH 2/5] enable DCT in buildchain for compiler images Signed-off-by: Riyaz Faizullabhoy --- Makefile | 6 +++--- pkg/init/Makefile | 4 ++-- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/Makefile b/Makefile index c893e97ac..aff90238d 100644 --- a/Makefile +++ b/Makefile 
@@ -5,7 +5,7 @@ all: default VERSION="0.0" # dummy for now GIT_COMMIT=$(shell git rev-list -1 HEAD) -GO_COMPILE=linuxkit/go-compile:5bf17af781df44f07906099402680b9a661f999b@sha256:0bf523bcebb96ccc525f983a118f1fd8cb5e17dbf90e83044ca71bb983000e70 +GO_COMPILE=linuxkit/go-compile:5bf17af781df44f07906099402680b9a661f999b MOBY?=bin/moby LINUXKIT?=bin/linuxkit @@ -18,14 +18,14 @@ endif PREFIX?=/usr/local/ bin/moby: | bin - docker run --rm --log-driver=none $(CROSS) $(GO_COMPILE) --clone-path github.com/moby/tool --clone https://github.com/moby/tool.git --package github.com/moby/tool/cmd/moby --ldflags "-X main.GitCommit=$(GIT_COMMIT) -X main.Version=$(VERSION)" -o $@ > tmp_moby_bin.tar + DOCKER_CONTENT_TRUST=1 docker run --rm --log-driver=none $(CROSS) $(GO_COMPILE) --clone-path github.com/moby/tool --clone https://github.com/moby/tool.git --package github.com/moby/tool/cmd/moby --ldflags "-X main.GitCommit=$(GIT_COMMIT) -X main.Version=$(VERSION)" -o $@ > tmp_moby_bin.tar tar xf tmp_moby_bin.tar > $@ rm tmp_moby_bin.tar touch $@ LINUXKIT_DEPS=$(wildcard src/cmd/linuxkit/*.go) Makefile vendor.conf bin/linuxkit: $(LINUXKIT_DEPS) | bin - tar cf - vendor -C src/cmd/linuxkit . | docker run --rm --net=none --log-driver=none -i $(CROSS) $(GO_COMPILE) --package github.com/linuxkit/linuxkit --ldflags "-X main.GitCommit=$(GIT_COMMIT) -X main.Version=$(VERSION)" -o $@ > tmp_linuxkit_bin.tar + tar cf - vendor -C src/cmd/linuxkit . | DOCKER_CONTENT_TRUST=1 docker run --rm --net=none --log-driver=none -i $(CROSS) $(GO_COMPILE) --package github.com/linuxkit/linuxkit --ldflags "-X main.GitCommit=$(GIT_COMMIT) -X main.Version=$(VERSION)" -o $@ > tmp_linuxkit_bin.tar tar xf tmp_linuxkit_bin.tar > $@ rm tmp_linuxkit_bin.tar touch $@ diff --git a/pkg/init/Makefile b/pkg/init/Makefile index 6cf6e7495..a57dde9bf 100644 --- a/pkg/init/Makefile +++ b/pkg/init/Makefile 
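Review bot: Dropping the `@sha256:…` suffix from `GO_COMPILE` replaces a content-addressed pin recorded in the Makefile with a tag that `DOCKER_CONTENT_TRUST=1 docker run` resolves through Notary at build time, so the repository no longer states which go-compile image content a build used, and a re-signed tag changes the toolchain without any diff to this file. The two cannot be combined on one reference (Docker does not apply content trust to digest references), so at minimum keep the dropped value for audit on a comment line of its own above the variable, e.g. `# verified via DCT; last content-pinned digest was sha256:0bf523bcebb96ccc525f983a118f1fd8cb5e17dbf90e83044ca71bb983000e70` (a trailing `#` comment on the assignment itself would leave whitespace in the value). Every `bin/moby` and `bin/linuxkit` build now also needs the Notary server reachable, which the "keep tool building offline" commit later in this series reverts. The same digest removal applies to `C_COMPILE` in the pkg/init/Makefile hunk.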
@@ -1,11 +1,11 @@ -C_COMPILE=linuxkit/c-compile:63b085bbaec1aa7c42a7bd22a4b1c350d900617d@sha256:286e3a729c7a0b1a605ae150235416190f9f430c29b00e65fa50ff73158998e5 +C_COMPILE=linuxkit/c-compile:63b085bbaec1aa7c42a7bd22a4b1c350d900617d START_STOP_DAEMON=sbin/start-stop-daemon default: push $(START_STOP_DAEMON): start-stop-daemon.c mkdir -p $(dir $@) - tar cf - $^ | docker run --rm --net=none --log-driver=none -i $(C_COMPILE) -o $@ | tar xf - + tar cf - $^ | DOCKER_CONTENT_TRUST=1 docker run --rm --net=none --log-driver=none -i $(C_COMPILE) -o $@ | tar xf - .PHONY: tag push From 664ebae2bda73a8b6e735126174310c519889166 Mon Sep 17 00:00:00 2001 From: Riyaz Faizullabhoy Date: Wed, 26 Apr 2017 11:55:42 -0700 Subject: [PATCH 3/5] Verify newly signed binfmt and/or rngd images on build for examples and tests Signed-off-by: Riyaz Faizullabhoy --- examples/docker.yml | 2 ++ examples/gcp.yml | 1 + examples/node_exporter.yml | 1 + examples/packet.yml | 1 + examples/sshd.yml | 1 + examples/vmware.yml | 1 + linuxkit.yml | 2 ++ test/docker-bench/test-docker-bench.yml | 2 ++ test/virtsock/test-virtsock-server.yml | 1 + 9 files changed, 12 insertions(+) diff --git a/examples/docker.yml b/examples/docker.yml index fefde6a2d..9080f383d 100644 --- a/examples/docker.yml +++ b/examples/docker.yml @@ -82,5 +82,7 @@ files: trust: image: - linuxkit/kernel + - linuxkit/binfmt + - linuxkit/rngd outputs: - format: kernel+initrd diff --git a/examples/gcp.yml b/examples/gcp.yml index 666a13917..c86a3351d 100644 --- a/examples/gcp.yml +++ b/examples/gcp.yml @@ -63,6 +63,7 @@ services: trust: image: - linuxkit/kernel + - linuxkit/rngd outputs: - format: kernel+initrd - format: gcp-img diff --git a/examples/node_exporter.yml b/examples/node_exporter.yml index dcf39f446..03a4e0963 100644 --- a/examples/node_exporter.yml +++ b/examples/node_exporter.yml @@ -36,5 +36,6 @@ services: trust: image: - linuxkit/kernel + - linuxkit/rngd outputs: - format: kernel+initrd 
diff --git a/examples/packet.yml b/examples/packet.yml index ecf6a6db8..efa09183e 100644 --- a/examples/packet.yml +++ b/examples/packet.yml @@ -43,6 +43,7 @@ services: trust: image: - linuxkit/kernel + - linuxkit/rngd files: - path: root/.ssh/authorized_keys contents: '#your ssh key here' diff --git a/examples/sshd.yml b/examples/sshd.yml index 3fad65d10..18a2c5223 100644 --- a/examples/sshd.yml +++ b/examples/sshd.yml @@ -43,6 +43,7 @@ services: trust: image: - linuxkit/kernel + - linuxkit/rngd files: - path: root/.ssh/authorized_keys contents: '#your ssh key here' diff --git a/examples/vmware.yml b/examples/vmware.yml index eadf07913..d100b7a92 100644 --- a/examples/vmware.yml +++ b/examples/vmware.yml @@ -45,5 +45,6 @@ services: trust: image: - linuxkit/kernel + - linuxkit/rngd outputs: - format: vmdk diff --git a/linuxkit.yml b/linuxkit.yml index 9ca92ed03..73462a671 100644 --- a/linuxkit.yml +++ b/linuxkit.yml @@ -53,6 +53,8 @@ files: trust: image: - linuxkit/kernel + - linuxkit/binfmt + - linuxkit/rngd outputs: - format: kernel+initrd - format: iso-bios diff --git a/test/docker-bench/test-docker-bench.yml b/test/docker-bench/test-docker-bench.yml index a8b63ba8f..06d1547ec 100644 --- a/test/docker-bench/test-docker-bench.yml +++ b/test/docker-bench/test-docker-bench.yml @@ -80,5 +80,7 @@ services: trust: image: - linuxkit/kernel + - linuxkit/binfmt + - linuxkit/rngd outputs: - format: kernel+initrd diff --git a/test/virtsock/test-virtsock-server.yml b/test/virtsock/test-virtsock-server.yml index 40ff99063..c257084d6 100644 --- a/test/virtsock/test-virtsock-server.yml +++ b/test/virtsock/test-virtsock-server.yml @@ -43,6 +43,7 @@ services: trust: image: - linuxkit/kernel + - linuxkit/rngd outputs: - format: kernel+initrd - format: iso-bios From 38ad84bfbd97bbf8afb05a546df606ba8d4d1f48 Mon Sep 17 00:00:00 2001 
From: Riyaz Faizullabhoy Date: Wed, 26 Apr 2017 14:06:25 -0700 Subject: [PATCH 4/5] pull base images with content trust for binfmt, rngd, tini, toybox-media Signed-off-by: Riyaz Faizullabhoy --- Makefile | 4 +++- pkg/binfmt/Makefile | 4 +++- pkg/init/Makefile | 1 + pkg/rngd/Makefile | 5 ++++- tools/tini/Makefile | 2 ++ tools/toybox-media/Makefile | 2 ++ 6 files changed, 15 insertions(+), 3 deletions(-) diff --git a/Makefile b/Makefile index aff90238d..fcdc6005a 100644 --- a/Makefile +++ b/Makefile @@ -18,6 +18,7 @@ endif PREFIX?=/usr/local/ bin/moby: | bin + DOCKER_CONTENT_TRUST=1 docker pull $(GO_COMPILE) DOCKER_CONTENT_TRUST=1 docker run --rm --log-driver=none $(CROSS) $(GO_COMPILE) --clone-path github.com/moby/tool --clone https://github.com/moby/tool.git --package github.com/moby/tool/cmd/moby --ldflags "-X main.GitCommit=$(GIT_COMMIT) -X main.Version=$(VERSION)" -o $@ > tmp_moby_bin.tar tar xf tmp_moby_bin.tar > $@ rm tmp_moby_bin.tar @@ -25,7 +26,8 @@ bin/moby: | bin LINUXKIT_DEPS=$(wildcard src/cmd/linuxkit/*.go) Makefile vendor.conf bin/linuxkit: $(LINUXKIT_DEPS) | bin - tar cf - vendor -C src/cmd/linuxkit . | DOCKER_CONTENT_TRUST=1 docker run --rm --net=none --log-driver=none -i $(CROSS) $(GO_COMPILE) --package github.com/linuxkit/linuxkit --ldflags "-X main.GitCommit=$(GIT_COMMIT) -X main.Version=$(VERSION)" -o $@ > tmp_linuxkit_bin.tar + DOCKER_CONTENT_TRUST=1 docker pull $(GO_COMPILE) + tar cf - vendor -C src/cmd/linuxkit . | docker run --rm --net=none --log-driver=none -i $(CROSS) $(GO_COMPILE) --package github.com/linuxkit/linuxkit --ldflags "-X main.GitCommit=$(GIT_COMMIT) -X main.Version=$(VERSION)" -o $@ > tmp_linuxkit_bin.tar tar xf tmp_linuxkit_bin.tar > $@ rm tmp_linuxkit_bin.tar touch $@ diff --git a/pkg/binfmt/Makefile b/pkg/binfmt/Makefile index c9ce6d9ab..4d40a4371 100644 --- a/pkg/binfmt/Makefile +++ b/pkg/binfmt/Makefile 
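Review bot: The rewritten `bin/linuxkit` recipe drops `DOCKER_CONTENT_TRUST=1` from the `docker run` line while the `bin/moby` rule in the first hunk keeps it on both the new `docker pull` and the `docker run`; in practice the run uses the local tag the trusted pull just refreshed either way, but the two rules should take the same form so a later edit of one is not mistaken for a deliberate difference. Restore the prefix: `tar cf - vendor -C src/cmd/linuxkit . | DOCKER_CONTENT_TRUST=1 docker run --rm --net=none --log-driver=none -i $(CROSS) $(GO_COMPILE) …`. `bin/moby`'s body continues past the first hunk.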
@@ -2,6 +2,7 @@ default: push IMAGE=binfmt +BASE=alpine:edge SHA_IMAGE=alpine:3.5@sha256:dfbd4a3a8ebca874ebd2474f044a0b33600d4523d03b0df76e5c5986cb02d7e8 DEPS=Dockerfile Makefile main.go $(wildcard etc/binmft.d/*) @@ -14,7 +15,8 @@ hash: $(DEPS) tag: hash docker pull linuxkit/$(IMAGE):$(shell cat hash) || \ - (docker build --no-cache -t $(IMAGE):build . && \ + (DOCKER_CONTENT_TRUST=1 docker pull $(BASE) && \ + docker build --no-cache -t $(IMAGE):build . && \ docker tag $(IMAGE):build linuxkit/$(IMAGE):$(shell cat hash)) push: tag diff --git a/pkg/init/Makefile b/pkg/init/Makefile index a57dde9bf..912ae1817 100644 --- a/pkg/init/Makefile +++ b/pkg/init/Makefile @@ -5,6 +5,7 @@ default: push $(START_STOP_DAEMON): start-stop-daemon.c mkdir -p $(dir $@) + DOCKER_CONTENT_TRUST=1 docker pull $(C_COMPILE) tar cf - $^ | DOCKER_CONTENT_TRUST=1 docker run --rm --net=none --log-driver=none -i $(C_COMPILE) -o $@ | tar xf - .PHONY: tag push diff --git a/pkg/rngd/Makefile b/pkg/rngd/Makefile index 9f703133b..b5f47d6d3 100644 --- a/pkg/rngd/Makefile +++ b/pkg/rngd/Makefile @@ -2,6 +2,7 @@ default: push IMAGE=rngd +BASE=linuxkit/c-compile:f52f485825c890d581e82a62af6906c1d33d8e5d SHA_IMAGE=alpine:3.5@sha256:dfbd4a3a8ebca874ebd2474f044a0b33600d4523d03b0df76e5c5986cb02d7e8 DEPS=Dockerfile Makefile @@ -9,8 +10,10 @@ hash: $(DEPS) find $^ -type f | xargs cat | docker run --rm -i $(SHA_IMAGE) sha1sum - | sed 's/ .*//' > hash tag: hash + DOCKER_CONTENT_TRUST=1 docker pull $(BASE) docker pull linuxkit/$(IMAGE):$(shell cat hash) || \ - (docker build --no-cache -t $(IMAGE):build . && \ + (DOCKER_CONTENT_TRUST=1 docker pull $(BASE) && \ + docker build --no-cache -t $(IMAGE):build . && \ docker tag $(IMAGE):build linuxkit/$(IMAGE):$(shell cat hash)) push: tag diff --git a/tools/tini/Makefile b/tools/tini/Makefile index ea5059185..fbf91530e 100644 --- a/tools/tini/Makefile +++ b/tools/tini/Makefile 
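Review bot: `BASE=alpine:edge` is a floating tag, so `DOCKER_CONTENT_TRUST=1 docker pull $(BASE)` verifies a signature on whatever `alpine:edge` currently points to, and because `hash` is computed from `$(DEPS)` (Dockerfile, Makefile, main.go, etc/binmft.d/*) the base content does not influence the `linuxkit/$(IMAGE):<hash>` tag: two builds of identical sources can differ, and the `docker pull … ||` short-circuit in `tag` keeps whichever was published first. Pin `BASE` to a versioned tag (`SHA_IMAGE` in the same file already uses `alpine:3.5`) and record the coupling, `# BASE must match FROM in Dockerfile, or the trusted pull verifies an image the build never uses` — the Dockerfile is not part of this patch. The `$(wildcard etc/binmft.d/*)` in `DEPS` looks like a typo for `binfmt.d`; if so the wildcard expands to nothing and those files are silently excluded from `hash`, though that line is pre-existing context.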
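Review bot: In the rngd `tag` rule the unconditional `DOCKER_CONTENT_TRUST=1 docker pull $(BASE)` added as the first recipe line duplicates the one added inside the `||` fallback three lines below, so the base image pull and its Notary lookup run even when `linuxkit/$(IMAGE):$(shell cat hash)` already exists and no `docker build` happens. Drop the first line and keep only the copy inside the fallback, which is the form the pkg/binfmt hunk of this commit uses.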
@@ -2,10 +2,12 @@ default: push IMAGE=tini +BASE=linuxkit/c-compile:f52f485825c890d581e82a62af6906c1d33d8e5d SHA_IMAGE=alpine:3.5@sha256:dfbd4a3a8ebca874ebd2474f044a0b33600d4523d03b0df76e5c5986cb02d7e8 DEPS=Dockerfile Makefile hash: $(DEPS) + DOCKER_CONTENT_TRUST=1 docker pull $(BASE) find $^ -type f | xargs cat | docker run --rm -i $(SHA_IMAGE) sha1sum - | sed 's/ .*//' > hash tag: hash diff --git a/tools/toybox-media/Makefile b/tools/toybox-media/Makefile index d79af0ac8..07f8bfa7c 100644 --- a/tools/toybox-media/Makefile +++ b/tools/toybox-media/Makefile @@ -2,10 +2,12 @@ default: push IMAGE=toybox-media +BASE=linuxkit/c-compile:f52f485825c890d581e82a62af6906c1d33d8e5d SHA_IMAGE=alpine:3.5@sha256:dfbd4a3a8ebca874ebd2474f044a0b33600d4523d03b0df76e5c5986cb02d7e8 DEPS=Dockerfile Makefile hash: $(DEPS) + DOCKER_CONTENT_TRUST=1 docker pull $(BASE) find $^ -type f | xargs cat | docker run --rm -i $(SHA_IMAGE) sha1sum - | sed 's/ .*//' > hash tag: hash From 2c4c55859f1acf71416ff49b708628dcb0c0cf1f Mon Sep 17 00:00:00 2001 From: Riyaz Faizullabhoy Date: Thu, 27 Apr 2017 10:34:40 -0700 Subject: [PATCH 5/5] Add separate sign-tag target, keep tool building offline Signed-off-by: Riyaz Faizullabhoy --- Makefile | 4 +--- pkg/binfmt/Makefile | 8 +++++++- pkg/rngd/Makefile | 8 +++++++- tools/c-compile/Makefile | 8 +++++++- tools/go-compile/Makefile | 8 +++++++- tools/tini/Makefile | 8 +++++++- tools/toybox-media/Makefile | 8 +++++++- 7 files changed, 43 insertions(+), 9 deletions(-) diff --git a/Makefile b/Makefile index fcdc6005a..453ab25d1 100644 --- a/Makefile +++ b/Makefile 
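Review bot: The `DOCKER_CONTENT_TRUST=1 docker pull $(BASE)` is added to the `hash` recipe, which only checksums `$(DEPS)` through `$(SHA_IMAGE)` and never uses `$(BASE)`; the `docker build` that consumes the base lives under `tag` (its recipe is outside this hunk), so the trusted pull runs whenever `hash` is regenerated but is not tied to the build it is meant to protect. Move it into `tag`'s build fallback as the pkg/binfmt hunk of this commit does: `(DOCKER_CONTENT_TRUST=1 docker pull $(BASE) && \` immediately before `docker build --no-cache -t $(IMAGE):build . && \`. The tools/toybox-media hunk has the identical placement.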
@@ -18,15 +18,13 @@ endif PREFIX?=/usr/local/ bin/moby: | bin - DOCKER_CONTENT_TRUST=1 docker pull $(GO_COMPILE) - DOCKER_CONTENT_TRUST=1 docker run --rm --log-driver=none $(CROSS) $(GO_COMPILE) --clone-path github.com/moby/tool --clone https://github.com/moby/tool.git --package github.com/moby/tool/cmd/moby --ldflags "-X main.GitCommit=$(GIT_COMMIT) -X main.Version=$(VERSION)" -o $@ > tmp_moby_bin.tar + docker run --rm --log-driver=none $(CROSS) $(GO_COMPILE) --clone-path github.com/moby/tool --clone https://github.com/moby/tool.git --package github.com/moby/tool/cmd/moby --ldflags "-X main.GitCommit=$(GIT_COMMIT) -X main.Version=$(VERSION)" -o $@ > tmp_moby_bin.tar tar xf tmp_moby_bin.tar > $@ rm tmp_moby_bin.tar touch $@ LINUXKIT_DEPS=$(wildcard src/cmd/linuxkit/*.go) Makefile vendor.conf bin/linuxkit: $(LINUXKIT_DEPS) | bin - DOCKER_CONTENT_TRUST=1 docker pull $(GO_COMPILE) tar cf - vendor -C src/cmd/linuxkit . | docker run --rm --net=none --log-driver=none -i $(CROSS) $(GO_COMPILE) --package github.com/linuxkit/linuxkit --ldflags "-X main.GitCommit=$(GIT_COMMIT) -X main.Version=$(VERSION)" -o $@ > tmp_linuxkit_bin.tar tar xf tmp_linuxkit_bin.tar > $@ rm tmp_linuxkit_bin.tar diff --git a/pkg/binfmt/Makefile b/pkg/binfmt/Makefile index 4d40a4371..cc7f9a65c 100644 --- a/pkg/binfmt/Makefile +++ b/pkg/binfmt/Makefile @@ -25,7 +25,13 @@ push: tag rm -f hash docker rmi $(IMAGE):build || true -sign: tag +signed-tag: hash + DOCKER_CONTENT_TRUST=1 docker pull linuxkit/$(IMAGE):$(shell cat hash) || \ + (DOCKER_CONTENT_TRUST=1 docker pull $(BASE) && \ + docker build --no-cache -t $(IMAGE):build . && \ + docker tag $(IMAGE):build linuxkit/$(IMAGE):$(shell cat hash)) + +sign: signed-tag DOCKER_CONTENT_TRUST=1 docker pull linuxkit/$(IMAGE):$(shell cat hash) || \ DOCKER_CONTENT_TRUST=1 docker push linuxkit/$(IMAGE):$(shell cat hash) rm -f hash diff --git a/pkg/rngd/Makefile b/pkg/rngd/Makefile index b5f47d6d3..8a155f312 100644 --- a/pkg/rngd/Makefile +++ b/pkg/rngd/Makefile 
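Review bot: After this hunk `bin/moby` and `bin/linuxkit` run `$(GO_COMPILE)` with neither `DOCKER_CONTENT_TRUST=1` nor a preceding pull, and `GO_COMPILE` (defined above the hunk) was reduced to a bare tag in PATCH 2 of this series, so the tool build now has no integrity check at all on the compiler image — whatever the local daemon holds or fetches unverified under `linuxkit/go-compile:5bf17af781df44f07906099402680b9a661f999b` is used. If the goal is offline builds, a digest pin needs no Notary round-trip: restore `GO_COMPILE=linuxkit/go-compile:5bf17af781df44f07906099402680b9a661f999b@sha256:0bf523bcebb96ccc525f983a118f1fd8cb5e17dbf90e83044ca71bb983000e70` (the value removed in PATCH 2), or keep the trusted `docker pull` but skip it when the image is already present locally. pkg/init/Makefile, untouched by this commit, still pulls and runs `$(C_COMPILE)` under content trust, so the two tool builds are now inconsistent.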
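Review bot: `signed-tag` is a copy of `tag` (outside the hunk) differing only in the `DOCKER_CONTENT_TRUST=1` prefix on the first pull, and `sign` then repeats that same trusted pull before pushing; across the six packages in this commit that is seven near-identical recipes, and drift between copies is already visible in PATCH 4 (tini/toybox-media pull `$(BASE)` in `hash`, binfmt/rngd in `tag`). A target-specific variable removes the duplication: `signed-tag: DCT := DOCKER_CONTENT_TRUST=1` and `tag signed-tag: hash` sharing one recipe whose first line is `$(DCT) docker pull linuxkit/$(IMAGE):$(shell cat hash) || \`. Note also that the `||` in `sign` falls through to `docker push` on any pull failure, including a Notary outage, so a transient error produces a push and re-sign rather than an abort; and neither `signed-tag` nor `sign` appears in a `.PHONY` line anywhere in this patch. The same hunk appears in pkg/rngd, tools/c-compile, tools/go-compile, tools/tini and tools/toybox-media.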
@@ -22,7 +22,13 @@ push: tag rm -f hash docker rmi $(IMAGE):build || true -sign: tag +signed-tag: hash + DOCKER_CONTENT_TRUST=1 docker pull linuxkit/$(IMAGE):$(shell cat hash) || \ + (DOCKER_CONTENT_TRUST=1 docker pull $(BASE) && \ + docker build --no-cache -t $(IMAGE):build . && \ + docker tag $(IMAGE):build linuxkit/$(IMAGE):$(shell cat hash)) + +sign: signed-tag DOCKER_CONTENT_TRUST=1 docker pull linuxkit/$(IMAGE):$(shell cat hash) || \ DOCKER_CONTENT_TRUST=1 docker push linuxkit/$(IMAGE):$(shell cat hash) rm -f hash diff --git a/tools/c-compile/Makefile b/tools/c-compile/Makefile index 979030fbe..864506bd8 100644 --- a/tools/c-compile/Makefile +++ b/tools/c-compile/Makefile @@ -23,7 +23,13 @@ tag: hash docker rmi $(IMAGE):build rm -f hash -sign: tag +signed-tag: hash + DOCKER_CONTENT_TRUST=1 docker pull linuxkit/$(IMAGE):$(shell cat hash) || \ + (DOCKER_CONTENT_TRUST=1 docker pull $(BASE) && \ + docker build --no-cache -t $(IMAGE):build . && \ + docker tag $(IMAGE):build linuxkit/$(IMAGE):$(shell cat hash)) + +sign: signed-tag DOCKER_CONTENT_TRUST=1 docker pull linuxkit/$(IMAGE):$(shell cat hash) || \ DOCKER_CONTENT_TRUST=1 docker push linuxkit/$(IMAGE):$(shell cat hash) rm -f hash diff --git a/tools/go-compile/Makefile b/tools/go-compile/Makefile index 5d7822285..cdd98dca5 100644 --- a/tools/go-compile/Makefile +++ b/tools/go-compile/Makefile @@ -23,7 +23,13 @@ tag: hash docker rmi $(IMAGE):build rm -f hash -sign: tag +signed-tag: hash + DOCKER_CONTENT_TRUST=1 docker pull linuxkit/$(IMAGE):$(shell cat hash) || \ + (DOCKER_CONTENT_TRUST=1 docker pull $(BASE) && \ + docker build --no-cache -t $(IMAGE):build . && \ + docker tag $(IMAGE):build linuxkit/$(IMAGE):$(shell cat hash)) + +sign: signed-tag DOCKER_CONTENT_TRUST=1 docker pull linuxkit/$(IMAGE):$(shell cat hash) || \ DOCKER_CONTENT_TRUST=1 docker push linuxkit/$(IMAGE):$(shell cat hash) rm -f hash diff --git a/tools/tini/Makefile b/tools/tini/Makefile index fbf91530e..bdda245b5 100644 
--- a/tools/tini/Makefile +++ b/tools/tini/Makefile @@ -21,7 +21,13 @@ push: tag rm -f hash docker rmi $(IMAGE):build || true -sign: tag +signed-tag: hash + DOCKER_CONTENT_TRUST=1 docker pull linuxkit/$(IMAGE):$(shell cat hash) || \ + (DOCKER_CONTENT_TRUST=1 docker pull $(BASE) && \ + docker build --no-cache -t $(IMAGE):build . && \ + docker tag $(IMAGE):build linuxkit/$(IMAGE):$(shell cat hash)) + +sign: signed-tag DOCKER_CONTENT_TRUST=1 docker pull linuxkit/$(IMAGE):$(shell cat hash) || \ DOCKER_CONTENT_TRUST=1 docker push linuxkit/$(IMAGE):$(shell cat hash) rm -f hash diff --git a/tools/toybox-media/Makefile b/tools/toybox-media/Makefile index 07f8bfa7c..115c793bc 100644 --- a/tools/toybox-media/Makefile +++ b/tools/toybox-media/Makefile @@ -21,7 +21,13 @@ push: tag rm -f hash docker rmi $(IMAGE):build || true -sign: tag +signed-tag: hash + DOCKER_CONTENT_TRUST=1 docker pull linuxkit/$(IMAGE):$(shell cat hash) || \ + (DOCKER_CONTENT_TRUST=1 docker pull $(BASE) && \ + docker build --no-cache -t $(IMAGE):build . && \ + docker tag $(IMAGE):build linuxkit/$(IMAGE):$(shell cat hash)) + +sign: signed-tag DOCKER_CONTENT_TRUST=1 docker pull linuxkit/$(IMAGE):$(shell cat hash) || \ DOCKER_CONTENT_TRUST=1 docker push linuxkit/$(IMAGE):$(shell cat hash) rm -f hash