docker trust inspect #694

Merged
merged 3 commits into from Nov 29, 2017

riyazdf commented Nov 16, 2017

Introduces a docker trust inspect command for JSON output with the same information presented in the human-readable docker trust view.

I refactored some of the existing view code so that it could be shared with inspect and added a docs page.

cc @ashfall @eiais for additional review, and @rn to confirm that this information is what he was looking for from the original issue (#659)

shortened and modified example here:

🐳 $ docker trust inspect my-image:purple
[
  {
    "Name": "my-image:purple",
    "SignedTags": [
      {
        "SignedTag": "purple",
        "Digest": "941d3dba358621ce3c41ef67b47cf80f701ff80cdf46b5cc86587eaebfe45557",
        "Signers": [
          "alice",
          "bob",
          "carol"
        ]
      }
    ],
    "Signers": [
      {
        "Name": "alice",
        "Keys": [
                {     
                          "ID": "04dd031411ed671ae1e12f47ddc8646d98f135090b01e54c3561e843084484a3"
                },
                {
                          "ID": "6a11e4898a4014d400332ab0e096308c844584ff70943cdd1d6628d577f45fd8"
                }
        ]
      },
      {
        "Name": "bob",
        "Keys": [
                {
                          "ID": "433e245c656ae9733cdcc504bfa560f90950104442c4528c9616daa45824ccba"
                }
        ]
      },
      {
        "Name": "carol",
        "Keys": [
                {
                          "ID": "d32fa8b5ca08273a2880f455fcb318da3dc80aeae1a30610815140deef8f30d9"
                },
                {
                          "ID":  "9a8bbec6ba2af88a5fad6047d428d17e6d05dbdd03d15b4fc8a9a0e8049cd606"
                }
        ]
      }
    ],
    "AdminstrativeKeys": [
      {
        "Name": "Repository",
        "Keys": [
                {
                          "ID": "27df2c8187e7543345c2e0bf3a1262e0bc63a72754e9a7395eac3f747ec23a44"
                }
        ]
      },
      {
        "Name": "Root",
        "Keys": [
                {
                          "ID": "40b66ccc8b176be8c7d365a17f3e046d1c3494e053dd57cfeacfe2e19c4f8e8f"
                }
        ]
      }
    ]
  }
]

Closes #659

rn commented Nov 16, 2017

Thanks. the output looks good to me

@dnephin

LGTM

@vdemeester

LGTM 🐸
cc @thaJeztah for docs

@thaJeztah

Thanks! See my comments inline 😄

cli/command/trust/inspect.go (outdated)
"SignedTag": "latest",
"Digest": "d6bfc3baf615dc9618209a8d607ba2a8103d9c8a405b3bd8741d88b4bef36478",
"Signers": [
"Repo Admin"

@thaJeztah

thaJeztah Nov 17, 2017

Member

I'm wondering if more information about signers is available, or will be available/needed at some point; basically, I love the simplicity of a []string, but if we anticipate more information is needed at some point, perhaps a []sometype{} ?

Definitely open to input here 👍

@riyazdf

riyazdf Nov 17, 2017

if there's more info it will be specified in the top level Signers key struct - do you think that's ok? Let me know if I'm misinterpreting your comment.

docs/reference/commandline/trust_inspect.md (outdated)
```
### Get details about signatures for all image tags in a repository

@thaJeztah

thaJeztah Nov 17, 2017

Member

Can you add a short introduction here? Just to lead in the example

@riyazdf

riyazdf Nov 17, 2017

👍 added!

### Get details about signatures for multiple images

@thaJeztah

thaJeztah Nov 17, 2017

Member

Can you add a short introduction here? Just to lead in the example

@riyazdf

riyazdf Nov 17, 2017

added!

cmd := &cobra.Command{
Use: "inspect IMAGE[:TAG] [IMAGE[:TAG]...]",
Short: "Return low-level information about keys and signatures",
Args: cli.RequiresMinArgs(1),

@thaJeztah

thaJeztah Nov 17, 2017

Member

We should either disallow specifying multiple repositories, or add the repository name to the output. The output as it is, is not useful if you specify multiple repositories;

$ docker trust inspect alpine hello-world | jq

Produces (removed some entries to keep it short):

[
  {
    "SignedTags": [
      {
        "SignedTag": "2.6",
        "Digest": "9ace551613070689a12857d62c30ef0daa9a376107ec0fff0e34786cedb3399b",
        "Signers": [
          "Repo Admin"
        ]
      },
      {
        "SignedTag": "latest",
        "Digest": "d6bfc3baf615dc9618209a8d607ba2a8103d9c8a405b3bd8741d88b4bef36478",
        "Signers": [
          "Repo Admin"
        ]
      }
    ],
    "AdminstrativeKeys": [
      {
        "Name": "Root",
        "Keys": [
          "a2489bcac7a79aa67b19b96c4a3bf0c675ffdf00c6d2fabe1a5df1115e80adce"
        ]
      },
      {
        "Name": "Repository",
        "Keys": [
          "5a46c9aaa82ff150bb7305a2d17d0c521c2d784246807b2dc611f436a69041fd"
        ]
      }
    ]
  },
  {
    "SignedTags": [
      {
        "SignedTag": "latest",
        "Digest": "0e06ef5e1945a718b02a8c319e15bae44f47039005530bc617a5d071190ed3fc",
        "Signers": [
          "Repo Admin"
        ]
      },
      {
        "SignedTag": "linux",
        "Digest": "452733afb5319f624b88aec51006a077bccf036a87167fd657057e2e31f42736",
        "Signers": [
          "Repo Admin"
        ]
      },
    ],
    "AdminstrativeKeys": [
      {
        "Name": "Root",
        "Keys": [
          "ff544c7f4ffa0a61b2fb836fb581182181c971acd58a7023c9a3b049dc952edd"
        ]
      },
      {
        "Name": "Repository",
        "Keys": [
          "8d2aaa7461b4305f74dc80bb946ccad962829a57bd0412a480e17a2413b18ec9"
        ]
      }
    ]
  }
]

With that information alone, I don't know which repository the :latest tag belongs to

@riyazdf

riyazdf Nov 17, 2017

sounds good, I added Name as the first field 👍
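
An added example, not part of this pull request or the Docker CLI code: a small Go consumer of the `docker trust inspect` JSON that flags tags missing a required signer and rejects entries without `Name`, the ambiguity discussed above. The `unsignedBy` function, the required-signer policy and the sample data are assumptions made for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Only the fields this check needs; names follow the JSON shown in this thread.
type trustRepo struct {
	Name       string
	SignedTags []struct {
		SignedTag string
		Signers   []string
	}
}

// Constructed sample (made-up repositories and signers).
const sample = `[{"Name":"example/app","SignedTags":[
   {"SignedTag":"1.0","Signers":["alice","bob"]},{"SignedTag":"latest","Signers":["bob"]}]},
 {"Name":"example/db","SignedTags":[{"SignedTag":"latest","Signers":["Repo Admin"]}]}]`

// unsignedBy lists each tag that lacks a signature from a required signer (hypothetical policy).
func unsignedBy(inspectJSON []byte, required []string) ([]string, error) {
	var repos []trustRepo
	if err := json.Unmarshal(inspectJSON, &repos); err != nil {
		return nil, err
	}
	var missing []string
	for _, r := range repos {
		if r.Name == "" { // without Name, a "latest" tag cannot be tied to a repository
			return nil, fmt.Errorf("entry has no Name; refusing to attribute its tags")
		}
		for _, t := range r.SignedTags {
			have := map[string]bool{}
			for _, s := range t.Signers {
				have[s] = true
			}
			for _, want := range required {
				if !have[want] {
					missing = append(missing, fmt.Sprintf("%s tag %s is not signed by %s", r.Name, t.SignedTag, want))
				}
			}
		}
	}
	return missing, nil
}

func main() { fmt.Println(unsignedBy([]byte(sample), []string{"alice"})) }
```
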

@thaJeztah

Left some notes for the docs, but LGTM otherwise

docs/reference/commandline/trust_inspect.md (outdated)
]
},
{
"SignedTag": "3.6",

@thaJeztah

thaJeztah Nov 21, 2017

Member

When updating for the new format, can you also shorten the output of this example a bit? Only 1 .. 2 tags should be needed to show what it does 😄

@thaJeztah

LGTM, but may need some squashing 👍

riyazdf added some commits Nov 15, 2017

add docker trust inspect command for JSON viewing
Signed-off-by: Riyaz Faizullabhoy <riyaz.faizullabhoy@docker.com>
support multiple arguments to trust inspect
Signed-off-by: Riyaz Faizullabhoy <riyaz.faizullabhoy@docker.com>
Use default inspect formatting, remove omitempty, update docs
Signed-off-by: Riyaz Faizullabhoy <riyaz.faizullabhoy@docker.com>
@thaJeztah

LGTM, thanks!

@thaJeztah thaJeztah merged commit d921d5c into docker:master Nov 29, 2017

7 checks passed

ci/circleci: cross Your tests passed on CircleCI!
ci/circleci: lint Your tests passed on CircleCI!
ci/circleci: shellcheck Your tests passed on CircleCI!
ci/circleci: test Your tests passed on CircleCI!
ci/circleci: validate Your tests passed on CircleCI!
continuous-integration/jenkins/pr-head This commit looks good
dco-signed All commits are signed

@GordonTheTurtle GordonTheTurtle added this to the 17.12.0 milestone Nov 29, 2017

@riyazdf riyazdf deleted the riyazdf:trust-inspect branch Nov 29, 2017
