Add a --sign-by flag to the (skopeo copy) command.

This expects a GPG key fingerprint as a value of the argument (though other key identification methods, like mitr@volny.cz, happen to work). Do we need to namespace this (gpg:…)? Note that this is unusable at the moment because only the dir: backend implements storing signatures, and this backend does can not determine the canonical Docker reference to use as a signed image identity.
2025-08-31 14:20:21 +00:00 · 2016-05-02 21:06:39 +02:00
parent da24e319af
commit 026acb2a57
2 changed files with 32 additions and 2 deletions
--- a/copy.go
+++ b/copy.go
@@ -6,6 +6,7 @@ import (

 	"github.com/Sirupsen/logrus"
 	"github.com/codegangsta/cli"
+	"github.com/projectatomic/skopeo/signature"
 )

 // FIXME: Also handle schema2, and put this elsewhere:
@@ -38,6 +39,7 @@ func copyHandler(context *cli.Context) {
 	if err != nil {
 		logrus.Fatalf("Error initializing %s: %s", context.Args()[1], err.Error())
 	}
+	signBy := context.String("sign-by")

 	manifest, digest, err := src.GetManifest()
 	if err != nil {
@@ -64,6 +66,24 @@ func copyHandler(context *cli.Context) {
 	if err != nil {
 		logrus.Fatalf("Error reading signatures: %s", err.Error())
 	}
+
+	if signBy != "" {
+		mech, err := signature.NewGPGSigningMechanism()
+		if err != nil {
+			logrus.Fatalf("Error initializing GPG: %s", err.Error())
+		}
+		dockerReference, err := dest.CanonicalDockerReference()
+		if err != nil {
+			logrus.Fatalf("Error determining canonical Docker reference: %s", err.Error())
+		}
+
+		newSig, err := signature.SignDockerManifest(manifest, dockerReference, mech, signBy)
+		if err != nil {
+			logrus.Fatalf("Error creating signature: %s", err.Error())
+		}
+		sigs = append(sigs, newSig)
+	}
+
 	if err := dest.PutSignatures(sigs); err != nil {
 		logrus.Fatalf("Error writing signatures: %s", err.Error())
 	}
@@ -77,4 +97,11 @@ func copyHandler(context *cli.Context) {
 var copyCmd = cli.Command{
 	Name:   "copy",
 	Action: copyHandler,
+	// FIXME: Do we need to namespace the GPG aspect?
+	Flags: []cli.Flag{
+		cli.StringFlag{
+			Name:  "sign-by",
+			Usage: "sign the image using a GPG key with the specified fingerprint",
+		},
+	},
 }
--- a/man1/skopeo.1
+++ b/man1/skopeo.1
@@ -8,7 +8,7 @@
 .SH NAME
 skopeo \(em Inspect Docker images and repositories on registries
 .SH SYNOPSIS
-\fBskopeo copy\fR source-location destination-location
+\fBskopeo copy\fR [\fB--sign-by=\fRkey-ID] source-location destination-location
 .PP
 \fBskopeo inspect\fR image-name [\fB--raw\fR]
 .PP
@@ -55,7 +55,10 @@ Copy an image (manifest, filesystem layers, signatures) from one location to ano
 and
 .B destination-location
 can be \fBdocker://\fRdocker-reference, \fBdir:\fRlocal-path, or \fBatomic:\fRimagestream-name\fB:\fRtag .
-
+.sp
+\fB\-\-sign\-by=\fRkey-id
+Add a signature by the specified key ID for image name corresponding to \fBdestination-location\fR.
+Existing signatures, if any, are preserved as well.
 .TP
 .B inspect
 Return low-level information on images in a registry