-
Notifications
You must be signed in to change notification settings - Fork 766
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support copy --sign-by where the needed docker reference and push domain are different. #1588
Comments
sjhx
changed the title
Support copy --sign-by where the needed docker reference and push domain is different.
Support copy --sign-by where the needed docker reference and push domain are different.
Mar 8, 2022
Thanks for your report. Yes, this feature does make sense and should be fairly easy to wire up. (I imagine the CLI might be something like |
Jamstah
added a commit
to Jamstah/image
that referenced
this issue
Mar 29, 2022
This enables pushing to registries where the push and pull uris may be different, for example where pushed images are mirrored to a read only replica for distribution. Underpins implementation for containers/skopeo#1588
Jamstah
added a commit
to Jamstah/image
that referenced
this issue
Mar 29, 2022
This enables pushing to registries where the push and pull uris may be different, for example where pushed images are mirrored to a read only replica for distribution. Underpins implementation for containers/skopeo#1588 Signed-off-by: James Hewitt <james.hewitt@uk.ibm.com>
Jamstah
added a commit
to Jamstah/image
that referenced
this issue
Mar 30, 2022
This enables pushing to registries where the push and pull uris may be different, for example where pushed images are mirrored to a read only replica for distribution. Underpins implementation for containers/skopeo#1588 Signed-off-by: James Hewitt <james.hewitt@uk.ibm.com>
Jamstah
added a commit
to Jamstah/skopeo
that referenced
this issue
Mar 30, 2022
This enables pushing to registries where the push and pull uris may be different, for example where pushed images are mirrored to a read only replica for distribution. Closes containers#1588 Signed-off-by: James Hewitt <james.hewitt@uk.ibm.com>
Jamstah
added a commit
to Jamstah/skopeo
that referenced
this issue
Mar 30, 2022
This enables pushing to registries where the push and pull uris may be different, for example where pushed images are mirrored to a read only replica for distribution. Closes containers#1588 Signed-off-by: James Hewitt <james.hewitt@uk.ibm.com>
Jamstah
added a commit
to Jamstah/skopeo
that referenced
this issue
Mar 30, 2022
This enables pushing to registries where the push and pull uris may be different, for example where pushed images are mirrored to a read only replica for distribution. Closes containers#1588 Signed-off-by: James Hewitt <james.hewitt@uk.ibm.com>
Jamstah
added a commit
to Jamstah/skopeo
that referenced
this issue
Mar 30, 2022
This enables pushing to registries where the push and pull uris may be different, for example where pushed images are mirrored to a read only replica for distribution. Closes containers#1588 Signed-off-by: James Hewitt <james.hewitt@uk.ibm.com>
Jamstah
added a commit
to Jamstah/skopeo
that referenced
this issue
Mar 30, 2022
This enables pushing to registries where the push and pull uris may be different, for example where pushed images are mirrored to a read only replica for distribution. Closes containers#1588 Signed-off-by: James Hewitt <james.hewitt@uk.ibm.com>
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
A feature proposal.
The scenario is that the image needs to be pushed to one domain e.g. one with write capability which is different to the domain that clients will pull the image from e.g. a read-only mirrored registry.
There could also be different variations on the docker reference (in repository / tag) such that the image can physically transit other system before becoming available for signature verified consumption at the intended destination.
While that can be achieved today with
standalone-sign
and a temporary directory store, from the documentation "This is primarily a debugging tool, useful for special cases, and usually should not be a part of your normal operational workflow; use skopeo copy --sign-by instead to publish and sign an image in one step."We are looking for something that is supported as "part of our normal workflow".
I envisage this could be provided using a new option on
copy --sign-by
such as--docker-reference "client.domain.io/my/product/image:tag"
which could perhaps be provided multiple times to create multiple signatures.The text was updated successfully, but these errors were encountered: