Update notary with attestation
Diff for 6ed0a4bc25336f0b2300ee302f780153ad34d93b:
diff --git a/_bashbrew-cat b/_bashbrew-cat
index c7e8026..6317de3 100644
--- a/_bashbrew-cat
+++ b/_bashbrew-cat
@@ -1,9 +1,12 @@
Maintainers: Justin Cormack (@justincormack)
Architectures: amd64, arm32v6, arm64v8, i386, ppc64le, s390x
GitRepo: https://github.com/docker/notary-official-images.git
-GitCommit: 77b9b7833f8dd6be07104b214193788795a320ff
+GitCommit: d1a94cf525b59aa7452a436d7cdc3d65f2a64fd8
Builder: buildkit
+Tags: 0.7.0-builder, builder
+Directory: notary-builder
+
Tags: server-0.7.0, server
Directory: notary-server
diff --git a/_bashbrew-list b/_bashbrew-list
index 1536ef2..20bb963 100644
--- a/_bashbrew-list
+++ b/_bashbrew-list
@@ -1,3 +1,5 @@
+notary:0.7.0-builder
+notary:builder
notary:server
notary:server-0.7.0
notary:signer
diff --git a/_bashbrew-list-build-order b/_bashbrew-list-build-order
index a1ae2ae..0fd222a 100644
--- a/_bashbrew-list-build-order
+++ b/_bashbrew-list-build-order
@@ -1,2 +1,3 @@
+notary:builder
notary:server
notary:signer
diff --git a/notary_server/Dockerfile b/notary_builder/Dockerfile
similarity index 65%
copy from notary_server/Dockerfile
copy to notary_builder/Dockerfile
index 832912f..cb3c0d0 100644
--- a/notary_server/Dockerfile
+++ b/notary_builder/Dockerfile
@@ -1,4 +1,10 @@
-FROM golang:1.19-alpine3.16 AS build
+#
+# NOTE: THIS DOCKERFILE IS GENERATED VIA "apply-templates.sh"
+#
+# PLEASE DO NOT EDIT IT DIRECTLY.
+#
+
+FROM golang:1.19-alpine3.16
RUN apk add --no-cache git make
@@ -20,24 +26,6 @@ RUN set -eux; \
make SKIPENVCHECK=1 PREFIX=. ./bin/static/notary-server ./bin/static/notary-signer; \
cp -vL ./bin/static/notary-server ./bin/static/notary-signer /; \
/notary-server --version; \
- /notary-signer --version
-
-FROM alpine:3.16
-
-RUN adduser -D -H -g "" notary
-EXPOSE 4443
-
-ENV INSTALLDIR /notary/server
-ENV PATH=$PATH:${INSTALLDIR}
-WORKDIR ${INSTALLDIR}
-
-COPY --from=build /notary-server ./
-RUN ./notary-server --version
-
-COPY ./server-config.json .
-COPY ./entrypoint.sh .
-
-USER notary
-
-ENTRYPOINT [ "entrypoint.sh" ]
-CMD [ "notary-server", "--version" ]
+ /notary-signer --version; \
+ \
+ echo '{"spdxVersion":"SPDX-2.3","SPDXID":"SPDXRef-DOCUMENT","name":"notary-sbom","packages":[{"name":"notary","versionInfo":"0.7.0","SPDXID":"SPDXRef-Package--notary","externalRefs":[{"referenceCategory":"PACKAGE-MANAGER","referenceType":"purl","referenceLocator":"pkg:generic/[email protected]?os_name=alpine&os_version=3.16"}],"licenseDeclared":"Apache-2.0"}]}' > /notary.spdx.json;
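Review bot: The SBOM written by the last command of this RUN is a hard-coded string, so nothing ties it to what was actually compiled. It declares a single package with `"versionInfo":"0.7.0"` and `os_version=3.16`, while the build (presumably still the tag checkout plus cherry-pick and dependency bump seen in the removed server stage) produces a patched tree with vendored Go modules that the document does not list. A scanner that trusts /notary.spdx.json will therefore report less than the binary contains. Consider generating the version from `$TAG` and the package list from the vendored modules, or at least add a comment above the echo such as `# static SBOM: update versionInfo and the purl whenever TAG or the alpine base changes`. The RUN starts outside this hunk.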
diff --git a/notary_server/Dockerfile b/notary_server/Dockerfile
index 832912f..285818a 100644
--- a/notary_server/Dockerfile
+++ b/notary_server/Dockerfile
@@ -1,26 +1,8 @@
-FROM golang:1.19-alpine3.16 AS build
-
-RUN apk add --no-cache git make
-
-ENV NOTARYPKG github.com/theupdateframework/notary
-ENV TAG v0.7.0
-
-ENV GOFLAGS -mod=vendor
-
-WORKDIR /go/src/$NOTARYPKG
-RUN set -eux; \
- git clone -b "$TAG" --depth 1 "https://$NOTARYPKG.git" .; \
-# https://github.com/notaryproject/notary/pull/1635
- git fetch --depth 2 origin efc35b02698644af16f6049c7b585697352451b8; \
- git -c user.name=foo -c [email protected] cherry-pick -x efc35b02698644af16f6049c7b585697352451b8; \
-# https://github.com/notaryproject/notary/issues/1602 (rough cherry-pick of ca095023296d2d710ad9c6dec019397d46bf8576)
- go get github.com/dvsekhvalnov/[email protected]; \
- go mod vendor; \
-# TODO remove for the next release of Notary (which should include efc35b02698644af16f6049c7b585697352451b8 & ca095023296d2d710ad9c6dec019397d46bf8576)
- make SKIPENVCHECK=1 PREFIX=. ./bin/static/notary-server ./bin/static/notary-signer; \
- cp -vL ./bin/static/notary-server ./bin/static/notary-signer /; \
- /notary-server --version; \
- /notary-signer --version
+#
+# NOTE: THIS DOCKERFILE IS GENERATED VIA "apply-templates.sh"
+#
+# PLEASE DO NOT EDIT IT DIRECTLY.
+#
FROM alpine:3.16
@@ -31,7 +13,7 @@ ENV INSTALLDIR /notary/server
ENV PATH=$PATH:${INSTALLDIR}
WORKDIR ${INSTALLDIR}
-COPY --from=build /notary-server ./
+COPY --from=notary:0.7.0-builder /notary-server /notary.spdx.json ./
RUN ./notary-server --version
COPY ./server-config.json .
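Review bot: `COPY --from=notary:0.7.0-builder` takes the server binary and its SBOM from whatever image that tag points at when the build runs, so this Dockerfile alone no longer determines which source produced `/notary-server`. A tag can be re-pushed; pinning the reference by digest, `COPY --from=notary:0.7.0-builder@sha256:<builder-digest> /notary-server /notary.spdx.json ./`, or keeping the build stage in this file, keeps that binding checkable. The `RUN ./notary-server --version` on the next line confirms the binary runs, not where it came from. The same applies to the matching COPY in notary_signer/Dockerfile.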
diff --git a/notary_signer/Dockerfile b/notary_signer/Dockerfile
index 15bab3f..ddc1b20 100644
--- a/notary_signer/Dockerfile
+++ b/notary_signer/Dockerfile
@@ -1,26 +1,8 @@
-FROM golang:1.19-alpine3.16 AS build
-
-RUN apk add --no-cache git make
-
-ENV NOTARYPKG github.com/theupdateframework/notary
-ENV TAG v0.7.0
-
-ENV GOFLAGS -mod=vendor
-
-WORKDIR /go/src/$NOTARYPKG
-RUN set -eux; \
- git clone -b "$TAG" --depth 1 "https://$NOTARYPKG.git" .; \
-# https://github.com/notaryproject/notary/pull/1635
- git fetch --depth 2 origin efc35b02698644af16f6049c7b585697352451b8; \
- git -c user.name=foo -c [email protected] cherry-pick -x efc35b02698644af16f6049c7b585697352451b8; \
-# https://github.com/notaryproject/notary/issues/1602 (rough cherry-pick of ca095023296d2d710ad9c6dec019397d46bf8576)
- go get github.com/dvsekhvalnov/[email protected]; \
- go mod vendor; \
-# TODO remove for the next release of Notary (which should include efc35b02698644af16f6049c7b585697352451b8 & ca095023296d2d710ad9c6dec019397d46bf8576)
- make SKIPENVCHECK=1 PREFIX=. ./bin/static/notary-server ./bin/static/notary-signer; \
- cp -vL ./bin/static/notary-server ./bin/static/notary-signer /; \
- /notary-server --version; \
- /notary-signer --version
+#
+# NOTE: THIS DOCKERFILE IS GENERATED VIA "apply-templates.sh"
+#
+# PLEASE DO NOT EDIT IT DIRECTLY.
+#
FROM alpine:3.16
@@ -32,7 +14,7 @@ ENV INSTALLDIR /notary/signer
ENV PATH=$PATH:${INSTALLDIR}
WORKDIR ${INSTALLDIR}
-COPY --from=build /notary-signer ./
+COPY --from=notary:0.7.0-builder /notary-signer /notary.spdx.json ./
RUN ./notary-signer --version
COPY ./signer-config.json .
Relevant Maintainers:
notary: @justincormack
The Test PR GHA failure is complaining about not being able to find golang:1.19-alpine3.16, but that image exists, https://hub.docker.com/_/golang/tags?page=1&name=1.19-alpine3.16.
Who can restart the GHA to retry?
@whalelines I think this is a problem of the tag existing but not being updated anymore (not supported). I do feel like upgrading to a supported version of Go goes beyond the scope of this change
Is this notary:builder image intended for end-user consumption? What's the use case?
@tianon it can be but this is mostly to prevent duplicate builds of the same thing
I'm not sure that the build is heavy (or non-deterministic) enough for that to make much difference, right? :sweat_smile:
(It feels like leaking an implementation detail of the new build system to users in a place that's already pretty consistently confusing: "which tag do I use?")
I could rework the upstream to use a single templated Dockerfile with conditionals
Yeah, solving the "maintaining the same thing twice" problem sounds like a better fit for templating :bow: :heart:
Diff for 321ba0dfdf7650e89276bc8d73515e3c21a58aa4:
diff --git a/_bashbrew-cat b/_bashbrew-cat
index c7e8026..7aacc96 100644
--- a/_bashbrew-cat
+++ b/_bashbrew-cat
@@ -1,7 +1,7 @@
Maintainers: Justin Cormack (@justincormack)
Architectures: amd64, arm32v6, arm64v8, i386, ppc64le, s390x
GitRepo: https://github.com/docker/notary-official-images.git
-GitCommit: 77b9b7833f8dd6be07104b214193788795a320ff
+GitCommit: 6f17ffbcfd207a1783f20b65ba85d9577c84214f
Builder: buildkit
Tags: server-0.7.0, server
diff --git a/notary_server/Dockerfile b/notary_server/Dockerfile
index 832912f..d325276 100644
--- a/notary_server/Dockerfile
+++ b/notary_server/Dockerfile
@@ -1,3 +1,9 @@
+#
+# NOTE: THIS DOCKERFILE IS GENERATED VIA "apply-templates.sh"
+#
+# PLEASE DO NOT EDIT IT DIRECTLY.
+#
+
FROM golang:1.19-alpine3.16 AS build
RUN apk add --no-cache git make
@@ -10,6 +16,8 @@ ENV GOFLAGS -mod=vendor
WORKDIR /go/src/$NOTARYPKG
RUN set -eux; \
git clone -b "$TAG" --depth 1 "https://$NOTARYPKG.git" .; \
+# In case the version in file doens't match the tag (like in 0.7.0)
+ echo "${TAG//v/}" > NOTARY_VERSION; \
# https://github.com/notaryproject/notary/pull/1635
git fetch --depth 2 origin efc35b02698644af16f6049c7b585697352451b8; \
git -c user.name=foo -c [email protected] cherry-pick -x efc35b02698644af16f6049c7b585697352451b8; \
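Review bot: `${TAG//v/}` on the added echo line deletes every `v` in the tag, not only the leading one, so a tag such as `v1.0.0-dev` (constructed example) would be written to NOTARY_VERSION as `1.0.0-de`. `echo "${TAG#v}" > NOTARY_VERSION; \` strips just the prefix and is plain POSIX, so it does not depend on the shell's bash-compatible substitution. The comment above it has a typo (`doens't`). The same two lines are added in notary_signer/Dockerfile, and the RUN continues past this hunk.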
@@ -17,10 +25,12 @@ RUN set -eux; \
go get github.com/dvsekhvalnov/[email protected]; \
go mod vendor; \
# TODO remove for the next release of Notary (which should include efc35b02698644af16f6049c7b585697352451b8 & ca095023296d2d710ad9c6dec019397d46bf8576)
+# Make the version detectable by scanners
+ sed -i -r -E 's|(version.NotaryVersion=\$\(NOTARY_VERSION\))|\1 -X $(NOTARY_PKG)/version.Version=$(NOTARY_VERSION)|' Makefile; \
make SKIPENVCHECK=1 PREFIX=. ./bin/static/notary-server ./bin/static/notary-signer; \
cp -vL ./bin/static/notary-server ./bin/static/notary-signer /; \
/notary-server --version; \
- /notary-signer --version
+ /notary-signer --version;
FROM alpine:3.16
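Review bot: The added `sed -i` on the Makefile exits 0 even when its pattern no longer matches, so `set -eux` will not notice if an upstream Makefile change turns the substitution into a no-op and the binaries ship without the `version.Version` stamp the scanners are meant to read. A check right after it, `grep -qF 'version.Version=$(NOTARY_VERSION)' Makefile; \`, turns that case into a build failure. `-r -E` is redundant (either flag alone selects extended regex) and the `.` in `version.NotaryVersion` is unescaped. The same sed line is added in notary_signer/Dockerfile; the RUN starts before this hunk.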
diff --git a/notary_signer/Dockerfile b/notary_signer/Dockerfile
index 15bab3f..7cd6f79 100644
--- a/notary_signer/Dockerfile
+++ b/notary_signer/Dockerfile
@@ -1,3 +1,9 @@
+#
+# NOTE: THIS DOCKERFILE IS GENERATED VIA "apply-templates.sh"
+#
+# PLEASE DO NOT EDIT IT DIRECTLY.
+#
+
FROM golang:1.19-alpine3.16 AS build
RUN apk add --no-cache git make
@@ -10,6 +16,8 @@ ENV GOFLAGS -mod=vendor
WORKDIR /go/src/$NOTARYPKG
RUN set -eux; \
git clone -b "$TAG" --depth 1 "https://$NOTARYPKG.git" .; \
+# In case the version in file doens't match the tag (like in 0.7.0)
+ echo "${TAG//v/}" > NOTARY_VERSION; \
# https://github.com/notaryproject/notary/pull/1635
git fetch --depth 2 origin efc35b02698644af16f6049c7b585697352451b8; \
git -c user.name=foo -c [email protected] cherry-pick -x efc35b02698644af16f6049c7b585697352451b8; \
@@ -17,10 +25,12 @@ RUN set -eux; \
go get github.com/dvsekhvalnov/[email protected]; \
go mod vendor; \
# TODO remove for the next release of Notary (which should include efc35b02698644af16f6049c7b585697352451b8 & ca095023296d2d710ad9c6dec019397d46bf8576)
+# Make the version detectable by scanners
+ sed -i -r -E 's|(version.NotaryVersion=\$\(NOTARY_VERSION\))|\1 -X $(NOTARY_PKG)/version.Version=$(NOTARY_VERSION)|' Makefile; \
make SKIPENVCHECK=1 PREFIX=. ./bin/static/notary-server ./bin/static/notary-signer; \
cp -vL ./bin/static/notary-server ./bin/static/notary-signer /; \
/notary-server --version; \
- /notary-signer --version
+ /notary-signer --version;
FROM alpine:3.16
Relevant Maintainers:
notary: @justincormack
How can we get the notary images to use more up to date base images than golang:1.19-alpine3.16 and alpine:3.16? (the cause of the failing "naughty" test)
Both of them are past end of life in their respective upstream releases: Go 1.19 on 06 Sep 2023 and Alpine 3.16 on 23 May 2024. The golang:1.19-alpine3.16 image was dropped from official images on May 11, 2023 (https://github.com/docker-library/official-images/pull/14638 / https://github.com/docker-library/golang/pull/460)
I've opened https://github.com/docker/notary-official-images/pull/38, but it might be worth considering how we can stay on top of it better (perhaps we need to get more folks with merge access/maintainership on that packaging repository so it doesn't always end up on Jonny's plate?)
(we should also update Maintainers: here, because that's surely not accurate)