move the `trust` subcommands to a plugin, so that the subcommands can
be installed separate from the `docker trust` integration in push/pull
(for situations where trust verification happens on the daemon side).
make binary
go build -o /usr/libexec/docker/cli-plugins/docker-trust ./cmd/docker-trust
docker info
Client:
Version: 28.2.0-dev
Context: default
Debug Mode: false
Plugins:
buildx: Docker Buildx (Docker Inc.)
Version: v0.24.0
Path: /usr/libexec/docker/cli-plugins/docker-buildx
trust: Manage trust on Docker images (Docker Inc.)
Version: unknown-version
Path: /usr/libexec/docker/cli-plugins/docker-trust
docker trust --help
Usage: docker trust [OPTIONS] COMMAND
Extended build capabilities with BuildKit
Options:
-D, --debug Enable debug logging
Management Commands:
key Manage keys for signing Docker images
signer Manage entities who can sign Docker images
Commands:
inspect Return low-level information about keys and signatures
revoke Remove trust for an image
sign Sign an image
Run 'docker trust COMMAND --help' for more information on a command.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
package trust
import (
"context"
"errors"
"fmt"
"github.com/docker/cli/cli"
"github.com/docker/cli/cli/command"
"github.com/docker/cli/cmd/docker-trust/internal/trust"
"github.com/docker/cli/internal/prompt"
"github.com/spf13/cobra"
"github.com/theupdateframework/notary/client"
"github.com/theupdateframework/notary/tuf/data"
)
// revokeOptions holds the flag values accepted by "docker trust revoke".
type revokeOptions struct {
	// forceYes is bound to --yes/-y. When true, revokeTrust does not ask for
	// confirmation before removing all signature data for an untagged
	// reference, so scripted callers should set it deliberately.
	forceYes bool
}
// newRevokeCommand builds the "revoke" subcommand, which removes trust
// (signature) data for exactly one image reference.
//
// Revocation is destructive: for a reference without a tag, revokeTrust removes
// the signatures of every signed tag, and the --yes/-y flag registered here
// skips the interactive confirmation that otherwise guards that case.
func newRevokeCommand(dockerCLI command.Cli) *cobra.Command {
	var opts revokeOptions

	revokeCmd := &cobra.Command{
		Use:                   "revoke [OPTIONS] IMAGE[:TAG]",
		Short:                 "Remove trust for an image",
		Args:                  cli.ExactArgs(1),
		DisableFlagsInUseLine: true,
		// opts is captured by reference, so the closure sees the value that
		// flag parsing stored before RunE is invoked.
		RunE: func(cmd *cobra.Command, args []string) error {
			return revokeTrust(cmd.Context(), dockerCLI, args[0], opts)
		},
	}

	revokeCmd.Flags().BoolVarP(&opts.forceYes, "yes", "y", false, "Do not prompt for confirmation")
	return revokeCmd
}
// revokeTrust removes signature data for remote and publishes the result.
//
// remote is the IMAGE[:TAG] argument given on the command line. A reference
// that has a digest but no tag is rejected. A reference with neither tag nor
// digest selects every signed tag of the image; that case is confirmed
// interactively unless options.forceYes is set. A declined confirmation is
// returned as a cancelledErr.
//
// Any error from resolving the reference, creating the notary client, clearing
// the change list or revoking is returned; a revocation failure is wrapped with
// the reference name.
func revokeTrust(ctx context.Context, dockerCLI command.Cli, remote string, options revokeOptions) error {
	imgRefAndAuth, err := trust.GetImageReferencesAndAuth(ctx, authResolver(dockerCLI), remote)
	if err != nil {
		return err
	}

	tag := imgRefAndAuth.Tag()
	if tag == "" {
		// Revocation works on tags; a digest-only reference cannot be mapped
		// to one, so refuse it instead of treating it as "all tags".
		if imgRefAndAuth.Digest() != "" {
			return errors.New("cannot use a digest reference for IMAGE:TAG")
		}
		// No tag means every signature for the image will be removed. This
		// prompt is the only guard before that bulk removal.
		if !options.forceYes {
			question := fmt.Sprintf("Confirm you would like to delete all signature data for %s?", remote)
			confirmed, promptErr := prompt.Confirm(ctx, dockerCLI.In(), dockerCLI.Out(), question)
			if promptErr != nil {
				return promptErr
			}
			if !confirmed {
				return cancelledErr{errors.New("trust revoke has been cancelled")}
			}
		}
	}

	notaryRepo, err := newNotaryClient(dockerCLI, imgRefAndAuth, trust.ActionsPushAndPull)
	if err != nil {
		return err
	}

	// The change list is cleared before revoking and again on return.
	// NOTE(review): presumably this keeps previously staged changes from being
	// published along with the revocation — confirm against clearChangeList.
	if clearErr := clearChangeList(notaryRepo); clearErr != nil {
		return clearErr
	}
	// The error from this deferred call is discarded.
	defer clearChangeList(notaryRepo)

	if revokeErr := revokeSignature(notaryRepo, tag); revokeErr != nil {
		return fmt.Errorf("could not remove signature for %s: %w", remote, revokeErr)
	}

	// Best-effort status line; a failed write does not undo the revocation.
	_, _ = fmt.Fprintf(dockerCLI.Out(), "Successfully deleted signature for %s\n", remote)
	return nil
}
// cancelledErr wraps an error so that it additionally carries the Cancelled
// marker method. revokeTrust returns it when the user declines the
// confirmation prompt.
type cancelledErr struct {
	error
}

// Cancelled is a marker method with an empty body.
// NOTE(review): presumably callers detect it through an interface to tell a
// user cancellation apart from a failure — confirm against the caller.
func (cancelledErr) Cancelled() {}
// revokeSignature removes the signature for tag, or for every signed tag when
// tag is empty, and then publishes the change through notaryRepo.
//
// Publish is reached only when the removal step succeeds, so a failure while
// removing returns its error without publishing.
func revokeSignature(notaryRepo client.Repository, tag string) error {
	var err error
	if tag == "" {
		// No tag was given: revoke all signatures for the image.
		err = revokeAllSigs(notaryRepo)
	} else {
		// Revoke only the signature for the specified tag.
		err = revokeSingleSig(notaryRepo, tag)
	}
	if err != nil {
		return err
	}

	// Publish the change.
	return notaryRepo.Publish()
}
// revokeSingleSig looks up tag under the releases role and the canonical
// targets role, then removes the matching target from every role that
// getSignableRolesForTargetAndRemove resolves for it.
//
// The lookup error is returned unchanged, so a tag with no signed target
// fails here and nothing is removed.
func revokeSingleSig(notaryRepo client.Repository, tag string) error {
	released, err := notaryRepo.GetTargetByName(tag, trust.ReleasesRole, data.CanonicalTargetsRole)
	if err != nil {
		return err
	}
	return getSignableRolesForTargetAndRemove(released.Target, notaryRepo)
}
// revokeAllSigs removes every target listed under the releases role and the
// canonical targets role.
//
// It returns an error when the listing fails or is empty, and stops at the
// first target whose removal fails. It does not publish; the caller does.
func revokeAllSigs(notaryRepo client.Repository) error {
	targets, err := notaryRepo.ListTargets(trust.ReleasesRole, data.CanonicalTargetsRole)
	switch {
	case err != nil:
		return err
	case len(targets) == 0:
		return errors.New("no signed tags to remove")
	}

	// Each released target may be signed by several roles; it has to be
	// removed from all of them, which the helper takes care of.
	for i := range targets {
		if err := getSignableRolesForTargetAndRemove(targets[i].Target, notaryRepo); err != nil {
			return err
		}
	}
	return nil
}
// getSignableRolesForTargetAndRemove asks trust.GetSignableRoles which roles
// apply to releasedTarget and removes the target, by name, from all of them.
//
// If the role lookup fails, its error is returned and RemoveTarget is not
// called.
func getSignableRolesForTargetAndRemove(releasedTarget client.Target, notaryRepo client.Repository) error {
	roles, err := trust.GetSignableRoles(notaryRepo, &releasedTarget)
	if err != nil {
		return err
	}
	// Remove from every role returned above, in a single call.
	return notaryRepo.RemoveTarget(releasedTarget.Name, roles...)
}