Support copy --sign-by where the needed docker reference and push domain are different. #1588

Closed
sjhx opened this issue Mar 8, 2022 · 1 comment · Fixed by #1610

sjhx commented Mar 8, 2022

A feature proposal.

The scenario is that the image needs to be pushed to one domain, e.g. one with write capability, which is different to the domain that clients will pull the image from, e.g. a read-only mirrored registry.
There could also be different variations on the docker reference (in repository / tag) such that the image can physically transit other systems before becoming available for signature verified consumption at the intended destination.

While that can be achieved today with standalone-sign and a temporary directory store, from the documentation "This is primarily a debugging tool, useful for special cases, and usually should not be a part of your normal operational workflow; use skopeo copy --sign-by instead to publish and sign an image in one step."

We are looking for something that is supported as "part of our normal workflow".

I envisage this could be provided using a new option on copy --sign-by such as --docker-reference "client.domain.io/my/product/image:tag" which could perhaps be provided multiple times to create multiple signatures.

@sjhx sjhx changed the title Support copy --sign-by where the needed docker reference and push domain is different. Support copy --sign-by where the needed docker reference and push domain are different. Mar 8, 2022
Collaborator

mtrmac commented Mar 8, 2022

Thanks for your report.

Yes, this feature does make sense and should be fairly easy to wire up. (I imagine the CLI might be something like --sign-identity, to match the policy.json syntax.)
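
Why the signed docker reference matters in the mirrored-registry scenario discussed above, as an added Go example that is not part of the thread or the project's code: the simple-signing payload records an identity, and a consumer compares it with the reference it pulled. The GPG signature itself is omitted, the equality check simplifies policy.json's `matchExact`, and `push.example.internal` and the digest are constructed values.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Payload is the JSON body that gets signed in the "simple signing" format.
type Payload struct {
	Critical struct {
		Identity struct {
			DockerReference string `json:"docker-reference"`
		} `json:"identity"`
		Image struct {
			DockerManifestDigest string `json:"docker-manifest-digest"`
		} `json:"image"`
		Type string `json:"type"`
	} `json:"critical"`
}

// NewPayload builds the body to sign for a manifest digest and an identity.
func NewPayload(identity, digest string) ([]byte, error) {
	var p Payload
	p.Critical.Identity.DockerReference = identity
	p.Critical.Image.DockerManifestDigest = digest
	p.Critical.Type = "atomic container signature"
	return json.Marshal(p)
}

// Accepts models a consumer that requires the signed identity to equal the
// reference it pulled (a simplification of policy.json's matchExact).
func Accepts(payload []byte, pulledRef, pulledDigest string) bool {
	var p Payload
	if err := json.Unmarshal(payload, &p); err != nil {
		return false
	}
	return p.Critical.Type == "atomic container signature" &&
		p.Critical.Image.DockerManifestDigest == pulledDigest &&
		p.Critical.Identity.DockerReference == pulledRef
}

func main() {
	digest := "sha256:1111111111111111111111111111111111111111111111111111111111111111" // constructed
	push := "push.example.internal/my/product/image:tag" // constructed push domain
	pull := "client.domain.io/my/product/image:tag"      // reference clients pull
	byTarget, _ := NewPayload(push, digest)
	byIdentity, _ := NewPayload(pull, digest)
	fmt.Println("signed for push target:", Accepts(byTarget, pull, digest))
	fmt.Println("signed with identity:  ", Accepts(byIdentity, pull, digest))
}
```
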

Jamstah added a commit to Jamstah/image that referenced this issue Mar 29, 2022
This enables pushing to registries where the push and pull URIs may be
different, for example where pushed images are mirrored to a read-only
replica for distribution.

Underpins implementation for containers/skopeo#1588
Jamstah added a commit to Jamstah/image that referenced this issue Mar 29, 2022
This enables pushing to registries where the push and pull URIs may be
different, for example where pushed images are mirrored to a read-only
replica for distribution.

Underpins implementation for containers/skopeo#1588

Signed-off-by: James Hewitt <james.hewitt@uk.ibm.com>
Jamstah added a commit to Jamstah/image that referenced this issue Mar 30, 2022
This enables pushing to registries where the push and pull URIs may be
different, for example where pushed images are mirrored to a read-only
replica for distribution.

Underpins implementation for containers/skopeo#1588

Signed-off-by: James Hewitt <james.hewitt@uk.ibm.com>
Jamstah added a commit to Jamstah/skopeo that referenced this issue Mar 30, 2022
This enables pushing to registries where the push and pull URIs may be
different, for example where pushed images are mirrored to a read-only
replica for distribution.

Closes containers#1588

Signed-off-by: James Hewitt <james.hewitt@uk.ibm.com>
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 17, 2023