
RFC DO NOT MERGE: Store signatures in c/i/docker/daemon/extra

Open mtrmac opened this issue 7 years ago • 4 comments

Store signatures in c/i/docker/daemon/extra (https://github.com/containers/image/pull/288).

Whether or not we are verifying signatures, download them and store them in docker/daemon/extra.

Note that this means that containers/image/docker is now involved on every pull; failures of the c/i/docker client, or inability to download (possibly incorrectly configured but unused) signatures are now fatal.

Alternatively, we could make the storing of signatures to extra silently fail in such cases.

This does not add any user of the signatures, though https://github.com/containers/image/pull/288 shows how the signatures stored by this PR can be used to cryptographically authenticate the expected layer DiffIDs (a prerequisite for verifying extracted layers). See also https://github.com/containers/image/pull/301 for a necessary policy scoping enhancement.

Affects only V2 pulls, and the information is stored only for schema2 images: for schema1 images the daemon itself is creating a new config.json in code, and that config.json cannot be directly authenticated. (We could do another schema1→schema2 conversion and then compare the results, but that’s tricky; let’s start by hoping that schema1 will die out quickly enough, and we can revisit this if necessary later).

mtrmac avatar Jul 06 '17 20:07 mtrmac
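The authentication chain the description refers to, as an added illustration written for this page (not code from containers/image or from this PR; the struct types are hypothetical subsets of the schema2 manifest and image config): once the manifest signature has been verified, the manifest's config.digest binds the config blob, and rootfs.diff_ids inside that config then gives the expected DiffID of each uncompressed layer. A config the daemon synthesised itself, as for schema1 images, has no such binding and is rejected.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// Minimal subsets of a schema2 manifest and image config (hypothetical types, not c/image's own).
type schema2Manifest struct {
	Config struct {
		Digest string `json:"digest"`
	} `json:"config"`
}
type imageConfig struct {
	RootFS struct {
		DiffIDs []string `json:"diff_ids"`
	} `json:"rootfs"`
}

func sha256Digest(b []byte) string {
	sum := sha256.Sum256(b)
	return "sha256:" + hex.EncodeToString(sum[:])
}

// ExpectedDiffIDs returns rootfs.diff_ids of configJSON, but only after checking that the config
// is the blob bound by the signed manifest's config.digest; an unbound config is rejected.
func ExpectedDiffIDs(manifestJSON, configJSON []byte) ([]string, error) {
	var m schema2Manifest
	if err := json.Unmarshal(manifestJSON, &m); err != nil {
		return nil, err
	}
	if got := sha256Digest(configJSON); got != m.Config.Digest {
		return nil, fmt.Errorf("config %s is not bound by the manifest (%s)", got, m.Config.Digest)
	}
	var c imageConfig
	if err := json.Unmarshal(configJSON, &c); err != nil {
		return nil, err
	}
	return c.RootFS.DiffIDs, nil
}

// LayerMatches reports whether the DiffID (sha256 of the uncompressed tar) equals the authenticated value.
func LayerMatches(uncompressedTar []byte, expectedDiffID string) bool {
	return sha256Digest(uncompressedTar) == expectedDiffID
}

// SampleImage builds a constructed manifest/config/layer triple; the layer bytes stand in for a tar.
func SampleImage() (manifest, config, layer []byte) {
	layer = []byte("constructed uncompressed layer tar")
	config = []byte(fmt.Sprintf(`{"rootfs":{"type":"layers","diff_ids":[%q]}}`, sha256Digest(layer)))
	manifest = []byte(fmt.Sprintf(`{"schemaVersion":2,"config":{"digest":%q}}`, sha256Digest(config)))
	return
}
```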

Do not merge before https://github.com/containers/image/pull/288 !

Note that this rebases containers/image fairly significantly, including some of the deps. Also I guess equivalent changes will need to happen in other branches as well.

@runcom PTAL.

mtrmac avatar Jul 06 '17 20:07 mtrmac

RHEL system level integration testing for https://github.com/projectatomic/docker/commit/6a760a64e46a1a4937ba92684cbb16b823b66e26 - PASS

Fedora system level integration testing for https://github.com/projectatomic/docker/commit/6a760a64e46a1a4937ba92684cbb16b823b66e26 - PASS

Log - https://aos-ci.s3.amazonaws.com/projectatomic/docker/projectatomic-docker-integration-tests-prs/43/262-system-level-results.txt

rh-atomic-bot avatar Jul 06 '17 20:07 rh-atomic-bot

RHEL system level integration testing for https://github.com/projectatomic/docker/commit/357118e132dc7a8a3c30ea12215536c7449507e6 - PASS

Fedora system level integration testing for https://github.com/projectatomic/docker/commit/357118e132dc7a8a3c30ea12215536c7449507e6 - PASS

Log - https://aos-ci.s3.amazonaws.com/projectatomic/docker/projectatomic-docker-integration-tests-prs/44/262-system-level-results.txt

rh-atomic-bot avatar Jul 10 '17 17:07 rh-atomic-bot

RHEL system level integration testing for https://github.com/projectatomic/docker/commit/419a747d71eec5c55bd5efa482e907a4ec950290 - FAIL

Fedora system level integration testing for https://github.com/projectatomic/docker/commit/419a747d71eec5c55bd5efa482e907a4ec950290 - FAIL

Log - https://aos-ci.s3.amazonaws.com/projectatomic/docker/projectatomic-docker-integration-tests-prs/46/262-system-level-results.txt

rh-atomic-bot avatar Jul 18 '17 21:07 rh-atomic-bot