To support signing images without prompting the user, add CLI flags for
providing a passphrase file.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
Port of changes from https://github.com/containers/podman/pull/12997 and
https://github.com/containers/podman/pull/13005 to the workflow in this
repository.
***Note***: Impractical to automatically verify these changes until
they're merged into `main`. Though the similar changes made in the
podman repo. have been manually confirmed to function as intended.
Signed-off-by: Chris Evich <cevich@redhat.com>
> go get github.com/containerd/containerd@latest
> make vendor
... because 1.5.9 contains a vulnerability fix, and we
want to silence scanners.
NOTE: Skopeo DOES NOT use the vulnerable code that
was fixed in containerd 1.5.9, so it is NOT vulnerable to
GHSA-mvff-h3cj-wj9c .
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
> go get github.com/opencontainers/image-spec@a5463b7f9c8451553af3adcba2cab538469df00c
> make vendor
Primarily we want to use a 1.0.3-0... version rather than 1.0.2-0..., so that
dependencies on 1.0.2 don't cause Skopeo to use 1.0.2 instead of
the later main-branch code.
Go has some logic to prevent using pseudo-version that don't follow
a released version (which is the case here, where 1.0.2 is on a branch,
and we want to use a main-branch commit instead); luckily some later
PRs on the main branch include the full contents of the 1.0.2 branch.
So, update a bit further along the main branch.
This particular commit corresponds to the choice in
https://github.com/containers/image/pull/1433 .
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
... to silence warnings about CVE-2021-43784
/ GHSA-v95c-p5hm-xq8f .
NOTE: The vulnerable code was not used in this package,
so Skopeo is has not been vulnerable to this issue.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
Sadly...I swear I had tested this at one point, but it was
*definitely* not the intention that we just return the container
runtime configuration.
I need a method to return the full image configuration. At some point
I must have accidentally added a redundant `.Config`.
This whole new method `GetFullConfig` is like `GetConfig` but
returns the whole image configuration. A specific motivation
here is that it's only in the image configuration that we can
stick arbitrary metadata (labels) that will survive a round trip through
docker schema v2.
just to keep various dependency checkers happy.
> go get github.com/containerd/containerd@v1.5.8
NOTE: This is NOT a fix for CVE-2021-41190 / GHSA-77vh-xpmg-72qh ,
that was fixed in Skopeo 1.5.2.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
... to a version past 1.0.2, just to keep various
dependency checkers happy.
> go get github.com/opencontainers/image-spec@v1.0.2-0.20211123152302-43a7dee1ec31
The commit is intended to match https://github.com/containers/image/pull/1419
to minimize churn.
NOTE: This is NOT a fix for CVE-2021-41190 / GHSA-77vh-xpmg-72qh ,
that was fixed in Skopeo 1.5.2.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
The new --multi-arch option allows the user to select between copying the
image associated with the system platform, all images in the index, or
just the index itself without attempting to copy the images.
Signed-off-by: James Hewitt <james.hewitt@uk.ibm.com>
This test was incorrectly assuming that nothing would be made on disk,
but it was putting files into the source directory.
Signed-off-by: James Hewitt <james.hewitt@uk.ibm.com>
Includes a fix for CVE-2021-41190 / GHSA-77vh-xpmg-72qh .
- use fedora:latest in contrib/skopeoimage/*/Dockerfile
- Fix test bug that prevented useful diagnostics on registry fail
- proxy: Add an API to fetch the config upconverted to OCI
- proxy: Add support for manifest lists
- proxy: Uncapitalize all errors
- Cirrus: Bump Fedora to release 35 & Ubuntu to 21.10
- Update to c/image v5.17.0
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
The Fedora 35 cloud images have switched to UEFI boot with a GPT
partition. Formerly, all Fedora images included support for runtime
re-partitioning. However, the requirement to test alternate storage
has since been dropped/removed. Rather than maintain a disused
feature, and supporting scripts, these Fedora VM images have reverted
to the default: Automatically resize to 100% on boot.
Signed-off-by: Chris Evich <cevich@redhat.com>
To fix compilation on MacOS.
I think actually we want to use this pervasively in our tests
on Linux; it doesn't really matter when run inside a transient
container, but `PDEATHSIG` is useful for persistent containers (e.g.)
toolbox and when running outside of a pid namespace, e.g. on a host
system shell directly or in systemd.
Signed-off-by: Colin Walters <walters@verbum.org>
We need to support manifest lists. I'm not sure how I missed this
originally. At least now we have integration tests that cover this.
The issue here is fairly subtle - the way c/image works right now,
`image.FromUnparsedImage` does pick a matching image from a list
by default. But it also overrides `GetManifest()` to return the
original manifest list, which defeats our goal here.
Handle this by adding explicit manifest list support code. We'll
want this anyways for future support for `GetRawManifest` or so
which exposes OCI manifest lists to the client.
Signed-off-by: Colin Walters <walters@verbum.org>
