Skip to content

oima (OCI/ Docker Image Signature Managemet Tool/ CLI) is a CLI that helps to manage OCI/ Docker signatures.

License

Notifications You must be signed in to change notification settings

fabmation-gmbh/oima

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

oima

oima (OCI/ Docker Image Signature Managemet Tool/ CLI) is a CLI that helps to manage OCI/ Docker signatures.

Motivation

We have our signatures in two places: on a Notary-Server and an S3 Bucket.

We use the S3 Bucket because of the Pull Signature Check functionality of CRI-O.

So it's a huge effort to manage all signatures distributed to two places. For example, if we update one of our images, then the old image shouldn't be executed anymore in our K8s-Cluster. So then we have to delete the signatures of the old image from the S3 Bucket and from the Notary-Server. Also, the signatures of the images are saved with the content digest from Docker in this Format: [IMAGE_NAME]@[HASH_ALGO]=[CONTENT_DIGEST] for example: hello-world@sha256=92c7f9c92844bbbb5d0a101b22f7c2a7949e40f8ea90c8b3bc396879d95e899a.

Usage

This CLI does not have any sub-commands (coming soon), but it has a working terminal UI.

oima Manages OCI/ Docker Image Signatures in your 'sigstore'.

It is very difficult to manually keep track of all signatures.

Example: Say you have to remove the signature for the
Docker image 'docker.io/library/hello_world:vulnerable':
then you have to determine the digest of the image and
manually delete the directory / signature.

This tool automates this process and helps to keep
track of all signed images.

Usage:
  oima <command> [flags]
  oima [command]

Available Commands:
  conf        Get configuration variables.
  help        Help for any command.
  image       Interact with images of the remote registry.

Flags:
      --config string   Which config file to use (default is $HOME/.oima.yaml).
      --debug           Print debug messages (defaults to false).
  -h, --help            Display help for oima.
      --version         Display version of oima.

Use "oima [command] --help" for more information about a command.

To get started, download a release and create a configuration file in $HOME/.oima.yaml. A sample configuration is located in examples/. The configuration file is self-explanatory.

Now run the application without any arguments (oima), you should now see a "UI".

Keyboard Strokes:

q, Ctrl+C               Quit. Exit the application.
e, E                    Exit the image info UI (only works in the image info UI).
d, D                    Delete the signature of a tag (only works in the image info UI).
i, I                    Open the image info UI.
Enter, Space            Expand/ collapse a tree node.
<Arrow Keys>            Move up/ down in the tree or the image info UI.

Image Info UI

All tags of an image are listed in the Image Info UI. Here you can check if a tag is signed (or has a signature) and delete signatures.