github/linuxkit
1
0
Fork 0
mirror of https://github.com/linuxkit/linuxkit.git synced 2025-07-22 10:31:35 +00:00
Code Issues Projects Releases Wiki Activity

Merge pull request #1552 from riyazdf/trust-yaml-docs

Browse Source 
Content Trust yaml docs and code improvements
This commit is contained in:
Justin Cormack 2017-04-09 09:53:55 +01:00 committed by GitHub
commit f45e7c898f
2 changed files with 20 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
docs/yaml.md
View File

@ -35,6 +35,18 @@ These containers are started with `containerd` and are expected to remain runnin
is not guaranteed, so containers should wait on any resources, such as networking, that they need. is not guaranteed, so containers should wait on any resources, such as networking, that they need.
For details of the config for each container, see below. For details of the config for each container, see below.
## `trust`
This section specifies which build components are to be cryptographically verified with
[Docker Content Trust](https://docs.docker.com/engine/security/trust/content_trust/) prior to pulling.
Trust is a central concern in any build system, and Moby's is no exception: Docker Content Trust provides authenticity,
integrity, and freshness guarantees for the components it verifies. The Moby maintainers are responsible for signing
`mobylinux` components, though collaborators can sign their own images with Docker Content Trust or [Notary](https://github.com/docker/notary).
- `image` lists which individual images to enforce pulling with Docker Content Trust.
The image name may include tag or digest, but the matching also succeeds if the base image name is the same.
- `org` lists which organizations for which Docker Content Trust is to be enforced across all images (ex: `mobylinux` is the org for `mobylinux/kernel`)
## `output` ## `output`
This section specifies the output formats that are created. Files are created with the base name of This section specifies the output formats that are created. Files are created with the base name of

11
src/cmd/moby/build.go
View File

@ -52,21 +52,26 @@ func initrdAppend(iw *initrd.Writer, r io.Reader) {
func enforceContentTrust(fullImageName string, config *TrustConfig) bool { func enforceContentTrust(fullImageName string, config *TrustConfig) bool {
for _, img := range config.Image { for _, img := range config.Image {
// First check for an exact tag match // First check for an exact name match
if img == fullImageName { if img == fullImageName {
return true return true
} }
// Also check for an image name only match: // Also check for an image name only match
// by removing a possible tag (with possibly added digest):
if img == strings.TrimSuffix(fullImageName, ":") { if img == strings.TrimSuffix(fullImageName, ":") {
return true return true
} }
// and by removing a possible digest:
if img == strings.TrimSuffix(fullImageName, "@sha256:") {
return true
}
} }
for _, org := range config.Org { for _, org := range config.Org {
if strings.HasPrefix(fullImageName, org+"/") { if strings.HasPrefix(fullImageName, org+"/") {
}
return true return true
} }
}
return false return false
} }