Highlights:
- A new sif: transport
- New options --multi-arch, --preserve-digests, --sign-passphrase-file
- Use a dynamic temp dir for test
- Add an option to allow copying image indexes alone
- proxy: Add a GetFullConfig method
- proxy: Also bump compatible semver
- Add option to preserve digests on copy
- Run codespell on code
- prompt-less signing via passphrase file
- add a SIF systemtest
- Merge pull request #1550 from vrothberg/sif-test
- Improve the documentation of the argument to (skopeo inspect)
- Document where various fields of (skopeo inspect) come from
- Improve the documentation of boolean flags
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
The Go behavior of boolean flags is as follows:
Accepted values are --flag, which is the same as --flag=true, and --flag=false,
which is the default (except for OptionalBoolFlag).
--flag {false,true} is parsed as --flag=true with a non-option {false,true} argument.
So, for almost all flags, document them just as --flag, not
mentioning the [={false,true}] part, because users can just
omit =true, or the whole flag instead of =false.
OTOH, for tls-verify, document only the tls-verify={true,false}
variant, because the primary use is tls-verify=false, and because
tls-verify is not "the default", but equivalent to an explicit
tls-verify=true (overriding registries.conf).
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
To support signing images without prompting the user, add CLI flags for
providing a passphrase file.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
Port of changes from https://github.com/containers/podman/pull/12997 and
https://github.com/containers/podman/pull/13005 to the workflow in this
repository.
***Note***: Impractical to automatically verify these changes until
they're merged into `main`. Though the similar changes made in the
podman repo. have been manually confirmed to function as intended.
Signed-off-by: Chris Evich <cevich@redhat.com>
> go get github.com/containerd/containerd@latest
> make vendor
... because 1.5.9 contains a vulnerability fix, and we
want to silence scanners.
NOTE: Skopeo DOES NOT use the vulnerable code that
was fixed in containerd 1.5.9, so it is NOT vulnerable to
GHSA-mvff-h3cj-wj9c .
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
> go get github.com/opencontainers/image-spec@a5463b7f9c8451553af3adcba2cab538469df00c
> make vendor
Primarily we want to use a 1.0.3-0... version rather than 1.0.2-0..., so that
dependencies on 1.0.2 don't cause Skopeo to use 1.0.2 instead of
the later main-branch code.
Go has some logic to prevent using pseudo-version that don't follow
a released version (which is the case here, where 1.0.2 is on a branch,
and we want to use a main-branch commit instead); luckily some later
PRs on the main branch include the full contents of the 1.0.2 branch.
So, update a bit further along the main branch.
This particular commit corresponds to the choice in
https://github.com/containers/image/pull/1433 .
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
... to silence warnings about CVE-2021-43784
/ GHSA-v95c-p5hm-xq8f .
NOTE: The vulnerable code was not used in this package,
so Skopeo is has not been vulnerable to this issue.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
Sadly...I swear I had tested this at one point, but it was
*definitely* not the intention that we just return the container
runtime configuration.
I need a method to return the full image configuration. At some point
I must have accidentally added a redundant `.Config`.
This whole new method `GetFullConfig` is like `GetConfig` but
returns the whole image configuration. A specific motivation
here is that it's only in the image configuration that we can
stick arbitrary metadata (labels) that will survive a round trip through
docker schema v2.
