Add a --sign-by flag to the (skopeo copy) command.

This expects a GPG key fingerprint as a value of the argument (though
other key identification methods, like mitr@volny.cz, happen to work).

Do we need to namespace this (gpg:…)?

Note that this is unusable at the moment because only the dir: backend
implements storing signatures, and this backend cannot determine
the canonical Docker reference to use as a signed image identity.
Miloslav Trmač 2016-05-02 21:06:39 +02:00
parent da24e319af
commit 026acb2a57
2 changed files with 32 additions and 2 deletions

27
copy.go

@ -6,6 +6,7 @@ import (
"github.com/Sirupsen/logrus"
"github.com/codegangsta/cli"
"github.com/projectatomic/skopeo/signature"
)
// FIXME: Also handle schema2, and put this elsewhere:
@ -38,6 +39,7 @@ func copyHandler(context *cli.Context) {
if err != nil {
logrus.Fatalf("Error initializing %s: %s", context.Args()[1], err.Error())
}
signBy := context.String("sign-by")
manifest, digest, err := src.GetManifest()
if err != nil {
@ -64,6 +66,24 @@ func copyHandler(context *cli.Context) {
if err != nil {
logrus.Fatalf("Error reading signatures: %s", err.Error())
}
if signBy != "" {
mech, err := signature.NewGPGSigningMechanism()
if err != nil {
logrus.Fatalf("Error initializing GPG: %s", err.Error())
}
dockerReference, err := dest.CanonicalDockerReference()
if err != nil {
logrus.Fatalf("Error determining canonical Docker reference: %s", err.Error())
}
newSig, err := signature.SignDockerManifest(manifest, dockerReference, mech, signBy)
if err != nil {
logrus.Fatalf("Error creating signature: %s", err.Error())
}
sigs = append(sigs, newSig)
}
if err := dest.PutSignatures(sigs); err != nil {
logrus.Fatalf("Error writing signatures: %s", err.Error())
}
@ -77,4 +97,11 @@ func copyHandler(context *cli.Context) {
var copyCmd = cli.Command{
Name: "copy",
Action: copyHandler,
// FIXME: Do we need to namespace the GPG aspect?
Flags: []cli.Flag{
cli.StringFlag{
Name: "sign-by",
Usage: "sign the image using a GPG key with the specified fingerprint",
},
},
}
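Review bot: In the `if signBy != ""` block, `signBy` is handed to `signature.SignDockerManifest` without any check that it is a full key fingerprint, and the commit message notes that other identifiers such as an e-mail address also work. A user ID can match more than one key in a keyring, so the image could end up signed by a key the operator did not intend. I would reject values that are not a hex fingerprint before `signature.NewGPGSigningMechanism()` is called, and add a comment at the call such as `// signBy must be a full GPG key fingerprint; user IDs can be ambiguous`. The signed bytes are the `manifest` returned by `src.GetManifest()`, so the signature presumably only verifies if the destination stores that manifest unmodified; that assumption deserves a comment too. copyHandler starts and ends outside the visible hunks.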


@ -8,7 +8,7 @@
.SH NAME
skopeo \(em Inspect Docker images and repositories on registries
.SH SYNOPSIS
\fBskopeo copy\fR source-location destination-location
\fBskopeo copy\fR [\fB--sign-by=\fRkey-ID] source-location destination-location
.PP
\fBskopeo inspect\fR image-name [\fB--raw\fR]
.PP
@ -55,7 +55,10 @@ Copy an image (manifest, filesystem layers, signatures) from one location to ano
and
.B destination-location
can be \fBdocker://\fRdocker-reference, \fBdir:\fRlocal-path, or \fBatomic:\fRimagestream-name\fB:\fRtag .
.sp
\fB\-\-sign\-by=\fRkey-id
Add a signature by the specified key ID for image name corresponding to \fBdestination-location\fR.
Existing signatures, if any, are preserved as well.
.TP
.B inspect
Return low-level information on images in a registry