describe how to sign tags manually #3570
rn
left a comment
Great idea, but if you have it available, I asked for a bit more clarification. I think I may have the info somewhere buried in scripts etc. but would need to dig it out.
docs/packages.md
Outdated
| * docker notary signing key passphrase | ||
| 1. Set an env var with the name of the image **not** including tag. Make sure to include the registry host. For example, `IMAGE=docker.io/linuxkit/containerd` | ||
| 1. Set an env var with the tag. For example, `TAG=a4aa19c608556f7d786852557c36136255220c1f`. This example is a multi-arch manifest tag, but you could just as easily sign any other tag, such as the tag of an individual arch-specific image, `TAG=a4aa19c608556f7d786852557c36136255220c1f-s390x`. | ||
| 1. Set an env var with the size of the artifact that is pointed to by the tag, in bytes. If the tag points to an index, then it is the size of the index; if it is a specific manifest, then it is the size of the manifest. For example, `SIZE=1052`. |
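Review bot: the three "Set an env var" steps never name the variable in the instruction itself; `IMAGE`, `TAG` and `SIZE` appear only inside the examples, so a reader has to infer that those exact names are required. Suggest wording each step with the name up front, for example "Set `IMAGE` to the name of the image, **not** including the tag", and keeping the example value after it.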
It would be good to expand on how to get this size. I used the manifest-tool for this, but maybe some `docker image inspect | jq` magic does this too. I remember a few years back I struggled a lot to get this size value.
I actually cheat. I have my own utility that retrieves this. I will add general documentation and reference to my own utility. `docker image inspect` does not provide this IIRC.
docs/packages.md
Outdated
| 1. Set an env var with the name of the image **not** including tag. Make sure to include the registry host. For example, `IMAGE=docker.io/linuxkit/containerd` | ||
| 1. Set an env var with the tag. For example, `TAG=a4aa19c608556f7d786852557c36136255220c1f`. This example is a multi-arch manifest tag, but you could just as easily sign any other tag, such as the tag of an individual arch-specific image, `TAG=a4aa19c608556f7d786852557c36136255220c1f-s390x`. | ||
| 1. Set an env var with the size of the artifact that is pointed to by the tag, in bytes. If the tag points to an index, then it is the size of the index; if it is a specific manifest, then it is the size of the manifest. For example, `SIZE=1052`. | ||
| 1. Set an env var with the hash of the artifact that is pointed to by the tag, **not** including the `sha256:` header. If the tag points ot an index, then it is the hash of the index; if it is a specific manifest, then it is the hash of the manifest. For example, `HASH=66b3d74aeb855f393ddb85e7371a00d5f7994cc26b425825df2ce910583d74dc` |
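Review bot: typo in the HASH step, "If the tag points ot an index" should read "points to an index". In the same step `sha256:` is called a "header"; "prefix" is the clearer word, since the value wanted is the digest with its algorithm prefix removed. The step also ends without a period, unlike the SIZE step above it.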
Again, might be worth expanding on how to get this piece of information
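One way to obtain the size and hash asked about in the review comments above, as an added example that is not part of the PR or of the author's utility: it computes both values from a manifest or index saved byte-for-byte as the registry returned it, and shows that a re-indented copy yields different values. The function names and the sample JSON are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the PR): compute the SIZE and HASH values for a tag
# from the manifest or index bytes exactly as the registry returned them.

# Hex SHA-256 of a file, without the "sha256:" prefix.
sha256_hex() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# Size of a file in bytes.
byte_size() {
  wc -c < "$1" | tr -d ' '
}

# "index" for a manifest list / OCI index, "manifest" otherwise.
# Heuristic: only an index carries one of the two index media types.
artifact_kind() {
  if grep -Eq 'application/vnd\.(docker\.distribution\.manifest\.list\.v2|oci\.image\.index\.v1)\+json' "$1"; then
    echo index
  else
    echo manifest
  fi
}

# Emit the assignments used by the SIZE and HASH steps.
sign_inputs() {
  printf 'SIZE=%s\nHASH=%s\n' "$(byte_size "$1")" "$(sha256_hex "$1")"
}

# Constructed sample: a minimal index, compact and then re-indented.
demo() {
  dir=$(mktemp -d)
  printf '%s' '{"schemaVersion":2,"mediaType":"application/vnd.docker.distribution.manifest.list.v2+json","manifests":[]}' > "$dir/raw.json"
  printf '%s\n' '{' '  "schemaVersion": 2,' '  "mediaType": "application/vnd.docker.distribution.manifest.list.v2+json",' '  "manifests": []' '}' > "$dir/pretty.json"
  echo "raw ($(artifact_kind "$dir/raw.json")):"; sign_inputs "$dir/raw.json"
  echo "re-indented copy (different bytes, so different values):"; sign_inputs "$dir/pretty.json"
  rm -rf "$dir"
}

demo
```

Run `sign_inputs` on the saved response body itself, not on output that has passed through a JSON formatter.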
Updated @rn; take a look.
You may as well remove the You can make a curl version, based on
OK
Signed-off-by: Avi Deitcher <avi@deitcher.net>
Updated @justincormack. I included all the relevant media types.
Signed-off-by: Avi Deitcher avi@deitcher.net
- What I did
Expanded the `packages.md` doc to describe how to sign a tag manually. I needed this once in a while, so it is good to know how it works under the covers.
- How I did it
Writing markdown.
- How to verify it
Read it.
- Description for the changelog
Describe how tag signing works.