trust sign: add --local flag #575

Merged
merged 1 commit into from Nov 7, 2017

Conversation

@eiais
Contributor

eiais commented Sep 29, 2017

The --local flag will force the signing of a local image.

cc @riyazdf @ashfall

Signed-off-by: Kyle Spiers <kyle@spiers.me>

@codecov-io

codecov-io commented Sep 29, 2017
Codecov Report

Merging #575 into master will decrease coverage by 0.66%.
The diff coverage is 90%.

@@            Coverage Diff             @@
##           master     #575      +/-   ##
==========================================
- Coverage   50.09%   49.43%   -0.67%     
==========================================
  Files         216      208       -8     
  Lines       17696    17170     -526     
==========================================
- Hits         8865     8488     -377     
+ Misses       8387     8249     -138     
+ Partials      444      433      -11

@mistyhacks

One question and a small nit

@@ -16,10 +16,14 @@ keywords: "sign, notary, trust"
# trust sign
```markdown
Usage: docker trust sign IMAGE:TAG
Usage: docker trust sign [OPTIONS] IMAGE:TAG
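
Review bot: with `[OPTIONS]` now advertised in the usage line, the remainder of this hunk should document the `--local` option itself, stating that it forces a push and sign of the locally tagged image and can replace the digest previously signed for that tag (as described in the discussion on this PR); the usage line alone does not tell a reader when re-signing will clobber an existing signature.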

@mistyhacks

mistyhacks Sep 29, 2017

Contributor

I think @riyazdf pulled [OPTIONS] out of a bunch of the other commands. Is it OK here?

@eiais

eiais Sep 29, 2017

Contributor

Yes, we pulled it out because they didn't have options yet. This one now does.

@thaJeztah

Member

thaJeztah commented Oct 2, 2017

I also left a similar proposal in the original PR: #472 (review)

Wondering if it's always desirable to push the image, or if there should be an option to either make pushing optional, or to disable pushing.

An alternative could be to have a --push flag, but @riyazdf is more familiar with the common workflow / expectations than I am 😅

@riyazdf

riyazdf commented Oct 2, 2017

@thaJeztah: yup - this is a followup PR that addresses your feedback, though in a slightly different fashion.

In the context of docker, it doesn't really make sense to have a signature without a pushed image - so we've deliberately made the workflows such that if you sign an image there should always be an associated image in the registry unless you manually delete images in the registry or the signatures with notary.

Taking this into account on docker trust sign: if the image doesn't exist in a signed repository then it will push and sign. However, if the image does exist with signatures docker trust sign will multi-sign over the same digest/tag without pushing anything to the registry.

This PR adds a --local flag to always attempt pushing and signing a locally tagged image, even if signatures already exist, potentially clobbering the digest for the tag if it was previously signed.
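
Added worked example (not code from this PR or from docker/cli): the three signing cases described in the comment above, written as a single decision function so the push/no-push and digest-clobbering outcomes can be checked directly. `TargetStore`, `memStore`, `Decide` and `Action` are hypothetical names introduced here; the store stands in for the notary target lookup the real command performs, and the digests are constructed sample values.

```go
package main

import "fmt"

// Digest is an image manifest digest such as "sha256:...".
type Digest string

// TargetStore is the one lookup the decision needs: the digest currently
// signed for a tag in the repository's trust data. It is a hypothetical
// stand-in for the notary target lookup the real command makes, not an
// interface from docker/cli.
type TargetStore interface {
	SignedDigest(tag string) (Digest, bool)
}

// Action records what `docker trust sign` would do for one IMAGE:TAG.
type Action struct {
	Push     bool   // the local image is pushed before signing
	Digest   Digest // the digest the new signature covers
	Clobbers bool   // an existing signature for this tag pointed at a different digest
}

// Decide applies the three cases from the PR discussion:
//  1. no signature for the tag yet: push the local image and sign its digest;
//  2. a signature exists and --local is not given: multi-sign the digest
//     already in the repository, pushing nothing;
//  3. --local given: push and sign the local image even though signatures
//     exist, replacing the previously signed digest if it differs.
// localDigest is "" when no image with that tag exists locally.
func Decide(store TargetStore, tag string, localDigest Digest, local bool) (Action, error) {
	signed, exists := store.SignedDigest(tag)
	switch {
	case !exists:
		if localDigest == "" {
			return Action{}, fmt.Errorf("tag %q is unsigned and no local image exists to push", tag)
		}
		return Action{Push: true, Digest: localDigest}, nil
	case local:
		if localDigest == "" {
			return Action{}, fmt.Errorf("--local given but no local image exists for tag %q", tag)
		}
		return Action{Push: true, Digest: localDigest, Clobbers: localDigest != signed}, nil
	default:
		return Action{Push: false, Digest: signed}, nil
	}
}

// memStore is an in-memory TargetStore holding constructed sample trust data.
type memStore map[string]Digest

func (m memStore) SignedDigest(tag string) (Digest, bool) {
	d, ok := m[tag]
	return d, ok
}

func main() {
	// Constructed sample: tag "red" is already signed over digest sha256:1111.
	store := memStore{"red": "sha256:1111"}
	localDigest := Digest("sha256:2222") // the locally built image differs

	cases := []struct {
		tag   string
		local bool
	}{
		{"blue", false}, // case 1: unsigned tag, push and sign
		{"red", false},  // case 2: signed tag, multi-sign the existing digest
		{"red", true},   // case 3: --local forces a push and clobbers sha256:1111
	}
	for _, c := range cases {
		a, err := Decide(store, c.tag, localDigest, c.local)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("tag=%-5s local=%-5v push=%-5v digest=%s clobbers=%v\n",
			c.tag, c.local, a.Push, a.Digest, a.Clobbers)
	}
}
```

The `Clobbers` field is the value worth surfacing to operators: a `--local` sign that replaces a previously signed digest is exactly the event a release or audit log should record, since afterwards the tag resolves to a different image than the one earlier signers attested to.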

@vdemeester

LGTM 🐸

```go
// Excerpt from cli/command/trust/sign.go's test file as reviewed in this PR:
// the test drives the command with --local and expects a connection error
// because no daemon is reachable in the test environment.
cmd := newSignCommand(cli)
cmd.SetArgs([]string{"--local", "reg-name.io/image:red"})
cmd.SetOutput(ioutil.Discard)
testutil.ErrorContains(t, cmd.Execute(), "error during connect: Get /images/reg-name.io/image:red/json: unsupported protocol scheme")
```

@dnephin

Collaborator

dnephin commented Oct 30, 2017
This seems like a strange expectation for a test case. Can't this use the notary fakes we have in client_test.go to make it a success case?

@GordonTheTurtle GordonTheTurtle added dco/no and removed dco/no labels Oct 30, 2017

@thaJeztah

Member

thaJeztah commented Oct 30, 2017
Linting failure, @eiais

```
cli/command/trust/sign.go:1::warning: file is not gofmted with -s (gofmt)
cli/command/trust/sign.go:1::warning: file is not goimported (goimports)
```

trust sign: add --local flag
Signed-off-by: Kyle Spiers <kyle@spiers.me>

@docker docker deleted a comment from GordonTheTurtle Oct 31, 2017

@dnephin

dnephin approved these changes Nov 7, 2017

LGTM

@dnephin dnephin merged commit ee0615d into docker:master Nov 7, 2017

9 checks passed

ci/circleci: cross Your tests passed on CircleCI!
ci/circleci: lint Your tests passed on CircleCI!
ci/circleci: shellcheck Your tests passed on CircleCI!
ci/circleci: test Your tests passed on CircleCI!
ci/circleci: validate Your tests passed on CircleCI!
codecov/patch 90% of diff hit (target 50%)
codecov/project Absolute coverage decreased by -0.66% but relative coverage increased by +39.9% compared to 96b8d15
continuous-integration/jenkins/pr-head This commit looks good
dco-signed All commits are signed

@GordonTheTurtle GordonTheTurtle added this to the 17.12.0 milestone Nov 7, 2017
