diff --git a/cmd/skopeo/main.go b/cmd/skopeo/main.go index 3c791076..28b26229 100644 --- a/cmd/skopeo/main.go +++ b/cmd/skopeo/main.go @@ -5,6 +5,7 @@ import ( "os" "github.com/Sirupsen/logrus" + "github.com/containers/image/signature" "github.com/projectatomic/skopeo/version" "github.com/urfave/cli" ) @@ -50,6 +51,11 @@ func createApp() *cli.App { Name: "tls-verify", Usage: "verify certificates", }, + cli.StringFlag{ + Name: "policy", + Value: "", + Usage: "Path to a signature verification policy file", + }, } app.Before = func(c *cli.Context) error { if c.GlobalBool("debug") { @@ -75,3 +81,19 @@ func main() { logrus.Fatal(err) } } + +// getPolicyContext handles the global "policy" flag. +func getPolicyContext(c *cli.Context) (*signature.PolicyContext, error) { + policyPath := c.GlobalString("policy") + var policy *signature.Policy // This could be cached across calls, if we had an application context. + var err error + if policyPath == "" { + policy, err = signature.DefaultPolicy(nil) + } else { + policy, err = signature.NewPolicyFromFile(policyPath) + } + if err != nil { + return nil, err + } + return signature.NewPolicyContext(policy) +} diff --git a/docs/skopeo.1.md b/docs/skopeo.1.md index 90852d6f..957f4211 100644 --- a/docs/skopeo.1.md +++ b/docs/skopeo.1.md @@ -43,6 +43,9 @@ Most commands refer to container images, using a _transport_`:`_details_ format. **--cert-path** _path_ Use certificates at _path_ (cert.pem, key.pem) to connect to the registry + **--policy** _path-to-policy_ Path to a policy.json file to use for verifying signatures and + deciding whether an image is accepted, instead of the default policy. + **--tls-verify** _bool-value_ Verify certificates **--help**|**-h** Show help 
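Review bot: The usage text of the new `policy` flag in createApp does not say what applies when the flag is omitted, so `--help` gives no hint that signature verification still runs under a default policy. The man-page hunk in this same commit names `/etc/containers/policy.json` as that default, so the help string should say as much, for example `Usage: "path to a signature verification policy file, used instead of the system default policy",`. Starting it in lower case would also match the neighbouring `"verify certificates"`, and `Value: "",` is the zero value and can be dropped. createApp begins and ends outside this hunk, so the other flags were not checked.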
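Review bot: The doc comment on getPolicyContext does not tell callers that they own the returned `*signature.PolicyContext`, which has a `Destroy` method. Add a line such as `// The caller must call Destroy() on the returned context when it is no longer needed.`. The comment should also state that a policy that fails to load is returned as an error rather than silently replaced by the default, since that fail-closed behaviour is what makes the flag safe to rely on. Separately, nothing records which policy is in force, so a run with an overriding `--policy` file cannot be told apart in logs from one under the system default. A `logrus.Debugf("Using signature policy file %q", policyPath)` in the `else` branch would make the override auditable under `--debug`.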
@@ -128,6 +131,11 @@ Verify a signature using local files, digest will be printed on success. ## skopeo help show help for `skopeo` +# FILES + **/etc/containers/policy.json** + Default signature verification policy file, if **--policy** is not specified. + The policy format is documented in https://github.com/containers/image/blob/master/docs/policy.json.md . + # EXAMPLES ## skopeo copy