github/skopeo
1
0
Fork 0
mirror of https://github.com/containers/skopeo.git synced 2025-09-13 13:33:13 +00:00
Code Issues Projects Releases Wiki Activity

Add a new --policy flag.

Browse Source 
This ordinarily uses the compiled-in default, but allows per-command
override.  No users yet.

Note that this adds an URL to policy documentation within
containers/image, and that URL does not exist at the moment.
This commit is contained in:
Miloslav Trmač
2016-06-06 16:48:57 +02:00
parent 8826f09cf4
commit d5d6bc28f7
2 changed files with 30 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

22
cmd/skopeo/main.go
View File

@@ -5,6 +5,7 @@ import (
"os" "os"
"github.com/Sirupsen/logrus" "github.com/Sirupsen/logrus"
"github.com/containers/image/signature"
"github.com/projectatomic/skopeo/version" "github.com/projectatomic/skopeo/version"
"github.com/urfave/cli" "github.com/urfave/cli"
) )
@@ -50,6 +51,11 @@ func createApp() *cli.App {
Name: "tls-verify", Name: "tls-verify",
Usage: "verify certificates", Usage: "verify certificates",
}, },
cli.StringFlag{
Name: "policy",
Value: "",
Usage: "Path to a signature verification policy file",
},
} }
app.Before = func(c *cli.Context) error { app.Before = func(c *cli.Context) error {
if c.GlobalBool("debug") { if c.GlobalBool("debug") {
@@ -75,3 +81,19 @@ func main() {
logrus.Fatal(err) logrus.Fatal(err)
} }
} }
// getPolicyContext handles the global "policy" flag.
func getPolicyContext(c *cli.Context) (*signature.PolicyContext, error) {
policyPath := c.GlobalString("policy")
var policy *signature.Policy // This could be cached across calls, if we had an application context.
var err error
if policyPath == "" {
policy, err = signature.DefaultPolicy(nil)
} else {
policy, err = signature.NewPolicyFromFile(policyPath)
}
if err != nil {
return nil, err
}
return signature.NewPolicyContext(policy)
}

8
docs/skopeo.1.md
View File

@@ -43,6 +43,9 @@ Most commands refer to container images, using a _transport_`:`_details_ format.
**--cert-path** _path_ Use certificates at _path_ (cert.pem, key.pem) to connect to the registry **--cert-path** _path_ Use certificates at _path_ (cert.pem, key.pem) to connect to the registry
**--policy** _path-to-policy_ Path to a policy.json file to use for verifying signatures and
deciding whether an image is accepted, instead of the default policy.
**--tls-verify** _bool-value_ Verify certificates **--tls-verify** _bool-value_ Verify certificates
**--help**|**-h** Show help **--help**|**-h** Show help
@@ -128,6 +131,11 @@ Verify a signature using local files, digest will be printed on success.
## skopeo help ## skopeo help
show help for `skopeo` show help for `skopeo`
# FILES
**/etc/containers/policy.json**
Default signature verification policy file, if **--policy** is not specified.
The policy format is documented in https://github.com/containers/image/blob/master/docs/policy.json.md .
# EXAMPLES # EXAMPLES
## skopeo copy ## skopeo copy