Add a --sign-by flag to the (skopeo copy) command.
This expects a GPG key fingerprint as the value of the argument (though other key identification methods, like mitr@volny.cz, happen to work). Do we need to namespace this (gpg:…)? Note that this is unusable at the moment because only the dir: backend implements storing signatures, and this backend cannot determine the canonical Docker reference to use as a signed image identity.
parent
da24e319af
commit
026acb2a57
27
copy.go
27
copy.go
@ -6,6 +6,7 @@ import (
|
||||
|
||||
"github.com/Sirupsen/logrus"
|
||||
"github.com/codegangsta/cli"
|
||||
"github.com/projectatomic/skopeo/signature"
|
||||
)
|
||||
|
||||
// FIXME: Also handle schema2, and put this elsewhere:
|
||||
@ -38,6 +39,7 @@ func copyHandler(context *cli.Context) {
|
||||
if err != nil {
|
||||
logrus.Fatalf("Error initializing %s: %s", context.Args()[1], err.Error())
|
||||
}
|
||||
signBy := context.String("sign-by")
|
||||
|
||||
manifest, digest, err := src.GetManifest()
|
||||
if err != nil {
|
||||
@ -64,6 +66,24 @@ func copyHandler(context *cli.Context) {
|
||||
if err != nil {
|
||||
logrus.Fatalf("Error reading signatures: %s", err.Error())
|
||||
}
|
||||
|
||||
if signBy != "" {
|
||||
mech, err := signature.NewGPGSigningMechanism()
|
||||
if err != nil {
|
||||
logrus.Fatalf("Error initializing GPG: %s", err.Error())
|
||||
}
|
||||
dockerReference, err := dest.CanonicalDockerReference()
|
||||
if err != nil {
|
||||
logrus.Fatalf("Error determining canonical Docker reference: %s", err.Error())
|
||||
}
|
||||
|
||||
newSig, err := signature.SignDockerManifest(manifest, dockerReference, mech, signBy)
|
||||
if err != nil {
|
||||
logrus.Fatalf("Error creating signature: %s", err.Error())
|
||||
}
|
||||
sigs = append(sigs, newSig)
|
||||
}
|
||||
|
||||
if err := dest.PutSignatures(sigs); err != nil {
|
||||
logrus.Fatalf("Error writing signatures: %s", err.Error())
|
||||
}
|
||||
@ -77,4 +97,11 @@ func copyHandler(context *cli.Context) {
|
||||
var copyCmd = cli.Command{
|
||||
Name: "copy",
|
||||
Action: copyHandler,
|
||||
// FIXME: Do we need to namespace the GPG aspect?
|
||||
Flags: []cli.Flag{
|
||||
cli.StringFlag{
|
||||
Name: "sign-by",
|
||||
Usage: "sign the image using a GPG key with the specified fingerprint",
|
||||
},
|
||||
},
|
||||
}
|
||||
|
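Review bot: `signBy` goes from `context.String("sign-by")` straight into `signature.SignDockerManifest` with no check that it is a full key fingerprint, although the flag's usage text promises one and the commit message notes that an e-mail address also works. A user ID or short key ID can match more than one key in the keyring, so the image could end up signed by a key the operator did not intend; how the signing mechanism resolves the value is not visible here, so this is inferred from the description. I would reject anything that is not a full fingerprint right after reading the flag, e.g. `if signBy != "" && !fingerprintRe.MatchString(signBy) { logrus.Fatalf("--sign-by requires a full GPG key fingerprint") }`, with `fingerprintRe` a package-level pattern for the fingerprint format the project supports, and align the man page, which calls the value a key ID. `copyHandler` begins and ends outside the hunks shown.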
@ -8,7 +8,7 @@
|
||||
.SH NAME
|
||||
skopeo \(em Inspect Docker images and repositories on registries
|
||||
.SH SYNOPSIS
|
||||
\fBskopeo copy\fR source-location destination-location
|
||||
\fBskopeo copy\fR [\fB--sign-by=\fRkey-ID] source-location destination-location
|
||||
.PP
|
||||
\fBskopeo inspect\fR image-name [\fB--raw\fR]
|
||||
.PP
|
||||
@ -55,7 +55,10 @@ Copy an image (manifest, filesystem layers, signatures) from one location to ano
|
||||
and
|
||||
.B destination-location
|
||||
can be \fBdocker://\fRdocker-reference, \fBdir:\fRlocal-path, or \fBatomic:\fRimagestream-name\fB:\fRtag .
|
||||
|
||||
.sp
|
||||
\fB\-\-sign\-by=\fRkey-id
|
||||
Add a signature by the specified key ID for image name corresponding to \fBdestination-location\fR.
|
||||
Existing signatures, if any, are preserved as well.
|
||||
.TP
|
||||
.B inspect
|
||||
Return low-level information on images in a registry
|
||||
|