RFC DO NOT MERGE: Store signatures in c/i/docker/daemon/extra #262

Open: mtrmac wants to merge 5 commits into base: docker-1.12.6

mtrmac commented Jul 6, 2017

Store signatures in c/i/docker/daemon/extra (containers/image#288).

Whether or not we are verifying signatures, download them and store them in docker/daemon/extra.

Note that this means that containers/image/docker is now involved on every pull; failures of the c/i/docker client, or inability to download (possibly incorrectly configured but unused) signatures are now fatal.

Alternatively, we could make the storing of signatures to extra silently fail in such cases.

This does not add any user of the signatures, though containers/image#288 shows how the signatures stored by this PR can be used to cryptographically authenticate the expected layer DiffIDs (a prerequisite for verifying extracted layers). See also containers/image#301 for a necessary policy scoping enhancement.

Affects only V2 pulls, and the information is stored only for schema2 images: for schema1 images the daemon itself is creating a new config.json in code, and that config.json cannot be directly authenticated. (We could do another schema1→schema2 conversion and then compare the results, but that’s tricky; let’s start by hoping that schema1 will die out quickly enough, and we can revisit this if necessary later).

mtrmac (Author) commented Jul 6, 2017

Do not merge before containers/image#288!

Note that this rebases containers/image fairly significantly, including some of the deps. Also I guess equivalent changes will need to happen in other branches as well.

@runcom PTAL.

mtrmac force-pushed the signature-storage branch from 6a760a6 to 357118e (July 10, 2017 17:02)
mtrmac force-pushed the signature-storage branch from 357118e to 419a747 (July 18, 2017 20:47)
mtrmac force-pushed the signature-storage branch 2 times, most recently from 0641df3 to 0716787 (October 14, 2017 18:52)

mtrmac force-pushed the signature-storage branch from 0716787 to dc39ceb (October 16, 2017 20:30)

mtrmac force-pushed the signature-storage branch 5 times, most recently from e640974 to bfba127 (December 2, 2017 06:06)

mtrmac force-pushed the signature-storage branch from bfba127 to 3022a47 (December 9, 2017 03:18)

Update dependencies to allow it to build.  Also drop k8s and
dependencies now that we do not import all containers/image transports.

WARNING: This DOES NOT BUILD because it references sirupsen/logrus, not
Sirupsen/logrus.

s/sirupsen/Sirupsen/g

Whether or not we are verifying signatures, download them and store them
in docker/daemon/signatures.

Note that this means that containers/image/docker is now involved on
_every_ pull; failures of the c/i/docker client, or inability to
download (possibly incorrectly configured but unused) signatures are now
fatal.

Alternatively, we could make the storing of signatures to c/i/d/d/s silently
fail in such cases.

WARNING: This DOES NOT BUILD because it references sirupsen/logrus, not
Sirupsen/logrus.

s/sirupsen/Sirupsen/g

i.e. defer parsing of the manifest to obtain the config digest
only after the signatures have been verified.

mtrmac force-pushed the signature-storage branch from 3022a47 to 3ae0ae5 (December 9, 2017 03:25)