
implement `docker trust` as plugin

Open thaJeztah opened this issue 9 months ago • 2 comments

Just a quick experiment to see if we can move the trust subcommands to a plugin, so that the subcommands can be installed separate from the docker trust integration in push/pull (for situations where trust verification happens on the daemon side).

```console
make binary
go build -o /usr/libexec/docker/cli-plugins/docker-trust ./cmd/docker-trust
```

```console
docker info
Client:
 Version:    28.2.0-dev
 Context:    default
 Debug Mode: false
 Plugins:
  buildx: Docker Buildx (Docker Inc.)
    Version:  v0.24.0
    Path:     /usr/libexec/docker/cli-plugins/docker-buildx
  trust: Manage trust on Docker images (Docker Inc.)
    Version:  unknown-version
    Path:     /usr/libexec/docker/cli-plugins/docker-trust
```

```console
docker trust --help
Usage:  docker trust [OPTIONS] COMMAND

Extended build capabilities with BuildKit

Options:
  -D, --debug   Enable debug logging

Management Commands:
  key         Manage keys for signing Docker images
  signer      Manage entities who can sign Docker images

Commands:
  inspect     Return low-level information about keys and signatures
  revoke      Remove trust for an image
  sign        Sign an image

Run 'docker trust COMMAND --help' for more information on a command.
```

thaJeztah, Jun 02 '25 15:06
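Since installing a `docker-<name>` executable into one of the CLI's plugin directories is all it takes to add a subcommand (as the `docker info` output above shows for `docker-trust`), an operator may want to audit those directories. The following is an added example, not code from the PR or from docker/cli: it runs the same metadata handshake the CLI uses (the `docker-cli-plugin-metadata` argument and the JSON fields it must return), checks the file for ownership and permission problems, and includes a constructed fake plugin as a fixture. The plugin search path and the `[a-z][a-z0-9]*` name pattern are taken from the CLI plugin documentation and plugin manager as I understand them and should be treated as assumptions.

```python
import json, os, re, stat, subprocess

# Directories the CLI searches, in order: docker-<name> in any of them becomes `docker <name>`.
PLUGIN_DIRS = [os.path.expanduser("~/.docker/cli-plugins"), "/usr/local/lib/docker/cli-plugins",
               "/usr/local/libexec/docker/cli-plugins", "/usr/lib/docker/cli-plugins",
               "/usr/libexec/docker/cli-plugins"]
METADATA_ARG = "docker-cli-plugin-metadata"  # argument the CLI passes to probe a plugin
NAME_RE = re.compile(r"^[a-z][a-z0-9]*$")   # subcommand names the CLI accepts (assumed)
REQUIRED = ("SchemaVersion", "Vendor", "Version", "ShortDescription")

def plugin_metadata(path, timeout=5):
    """Run the handshake the CLI runs; return the parsed JSON or raise ValueError."""
    proc = subprocess.run([path, METADATA_ARG], capture_output=True, text=True, timeout=timeout)
    meta = json.loads(proc.stdout)  # JSONDecodeError is a ValueError
    missing = [k for k in REQUIRED if k not in meta]
    if proc.returncode != 0 or missing:
        raise ValueError(f"exit {proc.returncode}, missing fields {missing}")
    return meta

def audit_dir(directory):
    """One finding per docker-* entry: subcommand, metadata and integrity warnings."""
    findings = []
    entries = sorted(os.listdir(directory)) if os.path.isdir(directory) else []
    for name in (n for n in entries if n.startswith("docker-")):
        path, cmd, warnings = os.path.join(directory, name), name[len("docker-"):], []
        st = os.lstat(path)
        if not NAME_RE.match(cmd):
            warnings.append("name is not [a-z][a-z0-9]*, the CLI will not load it")
        if stat.S_ISLNK(st.st_mode):
            warnings.append("symlink to " + os.readlink(path))
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            warnings.append("group/world writable, the subcommand can be replaced")
        if st.st_uid not in (0, os.getuid()):
            warnings.append(f"owned by uid {st.st_uid}")
        try:
            meta = plugin_metadata(path)
        except (OSError, ValueError, subprocess.TimeoutExpired) as exc:
            meta, warnings = None, warnings + [f"handshake failed: {exc}"]
        findings.append({"command": cmd, "path": path, "metadata": meta, "warnings": warnings})
    return findings

def make_fake_plugin(directory, command, vendor="Example Inc.", version="0.0.1"):
    """Constructed fixture: a shell script that answers the handshake like a real plugin."""
    path = os.path.join(directory, "docker-" + command)
    body = json.dumps({"SchemaVersion": "0.1.0", "Vendor": vendor, "Version": version,
                       "ShortDescription": f"Fake {command} plugin"})
    with open(path, "w") as f:
        f.write(f'#!/bin/sh\n[ "$1" = {METADATA_ARG} ] && echo \'{body}\'\n')
    os.chmod(path, 0o755)
    return path
```

Running `audit_dir` over each entry of `PLUGIN_DIRS` lists every subcommand the CLI would pick up, with an empty `warnings` list for a correctly installed, root- or user-owned, non-writable plugin.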

Codecov Report

✅ All modified and coverable lines are covered by tests.


codecov-commenter, Jun 02 '25 15:06

It's currently expected that this fails, because the e2e tests require the plugin to be installed (which we currently don't do).

This error is interesting though; for some reason it shows an error about an API version mismatch, but after that it shows `docker version` output where it correctly downgraded the version and was successfully able to connect 🤔

```console
Waiting for docker daemon to become available at ssh://[email protected]
Cannot connect to the Docker daemon at http://docker.example.com./ Is the docker daemon running?
Cannot connect to the Docker daemon at http://docker.example.com./ Is the docker daemon running?
Cannot connect to the Docker daemon at http://docker.example.com./ Is the docker daemon running?
Cannot connect to the Docker daemon at http://docker.example.com./ Is the docker daemon running?
Cannot connect to the Docker daemon at http://docker.example.com./ Is the docker daemon running?
Cannot connect to the Docker daemon at http://docker.example.com./ Is the docker daemon running?
Cannot connect to the Docker daemon at http://docker.example.com./ Is the docker daemon running?
Cannot connect to the Docker daemon at http://docker.example.com./ Is the docker daemon running?
Cannot connect to the Docker daemon at http://docker.example.com./ Is the docker daemon running?
Cannot connect to the Docker daemon at http://docker.example.com./ Is the docker daemon running?
Cannot connect to the Docker daemon at http://docker.example.com./ Is the docker daemon running?
Cannot connect to the Docker daemon at http://docker.example.com./ Is the docker daemon running?
Cannot connect to the Docker daemon at http://docker.example.com./ Is the docker daemon running?
Cannot connect to the Docker daemon at http://docker.example.com./ Is the docker daemon running?
Cannot connect to the Docker daemon at http://docker.example.com./ Is the docker daemon running?
Cannot connect to the Docker daemon at http://docker.example.com./ Is the docker daemon running?
Error response from daemon: client version 1.50 is too new. Maximum supported API version is 1.42
Client:
 Version:           28.2.0-dev
 API version:       1.42 (downgraded from 1.50)
 Go version:        go1.24.3
 Git commit:        d271c02
 Built:             Mon Jun  2 15:32:03 2025
 OS/Arch:           linux/amd64
 Context:           default

Server: Docker Engine - Community
 Engine:
  Version:          23.0.6
  API version:      1.42 (minimum version 1.12)
```

thaJeztah, Jun 05 '25 13:06

Mostly green now, with one failure:

```console
=== Failed
=== FAIL: e2e/global TestPromptExitCode/revoke_trust (0.11s)
    cli_test.go:232: assertion failed: 1 (int) != 0 (int): expected exit code to be 0, got 1
```

I wonder if the CLI plugin takes the CLI's config-dir into account, and if it could be something related to that perhaps? (e.g. the CLI being run with CONFIG_DIR or --config=xxx, and the CLI plugin not using that 🤔)

thaJeztah, Jul 08 '25 14:07

OK, so when removing the trust code, we end up with validation failing on the CLI not being statically linked 🤔

```console
0.126 + go build -o /out/docker-linux-amd64 -tags ' osusergo' -ldflags ' -X "github.com/docker/cli/cli/version.GitCommit=85196f6" -X "github.com/docker/cli/cli/version.BuildTime=2025-11-04T13:14:44Z" -X "github.com/docker/cli/cli/version.Version=pr-6121" -extldflags -static' '-buildmode=pie' github.com/docker/cli/cmd/docker
33.79 file /out/docker is not statically linked: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib/ld-musl-x86_64.so.1, BuildID[sha1]=91eec6b2219ceadc50d015fd512b11142b2e438c, with debug_info, not stripped
```

thaJeztah, Nov 04 '25 13:11