The Go behavior of boolean flags is as follows:
Accepted values are --flag, which is the same as --flag=true, and --flag=false,
which is the default (except for OptionalBoolFlag).
--flag {false,true} is parsed as --flag=true with a non-option {false,true} argument.
So, for almost all flags, document them just as --flag, not
mentioning the [={false,true}] part, because users can just
omit =true, or the whole flag instead of =false.
OTOH, for tls-verify, document only the tls-verify={true,false}
variant, because the primary use is tls-verify=false, and because
tls-verify is not "the default", but equivalent to an explicit
tls-verify=true (overriding registries.conf).
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
To support signing images without prompting the user, add CLI flags for
providing a passphrase file.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
Port of changes from https://github.com/containers/podman/pull/12997 and
https://github.com/containers/podman/pull/13005 to the workflow in this
repository.
***Note***: Impractical to automatically verify these changes until
they're merged into `main`. Though the similar changes made in the
podman repo. have been manually confirmed to function as intended.
Signed-off-by: Chris Evich <cevich@redhat.com>
> go get github.com/containerd/containerd@latest
> make vendor
... because 1.5.9 contains a vulnerability fix, and we
want to silence scanners.
NOTE: Skopeo DOES NOT use the vulnerable code that
was fixed in containerd 1.5.9, so it is NOT vulnerable to
GHSA-mvff-h3cj-wj9c .
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
> go get github.com/opencontainers/image-spec@a5463b7f9c8451553af3adcba2cab538469df00c
> make vendor
Primarily we want to use a 1.0.3-0... version rather than 1.0.2-0..., so that
dependencies on 1.0.2 don't cause Skopeo to use 1.0.2 instead of
the later main-branch code.
Go has some logic to prevent using pseudo-version that don't follow
a released version (which is the case here, where 1.0.2 is on a branch,
and we want to use a main-branch commit instead); luckily some later
PRs on the main branch include the full contents of the 1.0.2 branch.
So, update a bit further along the main branch.
This particular commit corresponds to the choice in
https://github.com/containers/image/pull/1433 .
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
... to silence warnings about CVE-2021-43784
/ GHSA-v95c-p5hm-xq8f .
NOTE: The vulnerable code was not used in this package,
so Skopeo is has not been vulnerable to this issue.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
Sadly...I swear I had tested this at one point, but it was
*definitely* not the intention that we just return the container
runtime configuration.
I need a method to return the full image configuration. At some point
I must have accidentally added a redundant `.Config`.
This whole new method `GetFullConfig` is like `GetConfig` but
returns the whole image configuration. A specific motivation
here is that it's only in the image configuration that we can
stick arbitrary metadata (labels) that will survive a round trip through
docker schema v2.
just to keep various dependency checkers happy.
> go get github.com/containerd/containerd@v1.5.8
NOTE: This is NOT a fix for CVE-2021-41190 / GHSA-77vh-xpmg-72qh ,
that was fixed in Skopeo 1.5.2.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
... to a version past 1.0.2, just to keep various
dependency checkers happy.
> go get github.com/opencontainers/image-spec@v1.0.2-0.20211123152302-43a7dee1ec31
The commit is intended to match https://github.com/containers/image/pull/1419
to minimize churn.
NOTE: This is NOT a fix for CVE-2021-41190 / GHSA-77vh-xpmg-72qh ,
that was fixed in Skopeo 1.5.2.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
The new --multi-arch option allows the user to select between copying the
image associated with the system platform, all images in the index, or
just the index itself without attempting to copy the images.
Signed-off-by: James Hewitt <james.hewitt@uk.ibm.com>
This test was incorrectly assuming that nothing would be made on disk,
but it was putting files into the source directory.
Signed-off-by: James Hewitt <james.hewitt@uk.ibm.com>
Includes a fix for CVE-2021-41190 / GHSA-77vh-xpmg-72qh .
- use fedora:latest in contrib/skopeoimage/*/Dockerfile
- Fix test bug that prevented useful diagnostics on registry fail
- proxy: Add an API to fetch the config upconverted to OCI
- proxy: Add support for manifest lists
- proxy: Uncapitalize all errors
- Cirrus: Bump Fedora to release 35 & Ubuntu to 21.10
- Update to c/image v5.17.0
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
