mirror of
https://github.com/docker/cli.git
synced 2026-01-26 15:41:42 +03:00
c9bb291154
move the `trust` subcommands to a plugin, so that the subcommands can
be installed separate from the `docker trust` integration in push/pull
(for situations where trust verification happens on the daemon side).
make binary
go build -o /usr/libexec/docker/cli-plugins/docker-trust ./cmd/docker-trust
docker info
Client:
Version: 28.2.0-dev
Context: default
Debug Mode: false
Plugins:
buildx: Docker Buildx (Docker Inc.)
Version: v0.24.0
Path: /usr/libexec/docker/cli-plugins/docker-buildx
trust: Manage trust on Docker images (Docker Inc.)
Version: unknown-version
Path: /usr/libexec/docker/cli-plugins/docker-trust
docker trust --help
Usage: docker trust [OPTIONS] COMMAND
Extended build capabilities with BuildKit
Options:
-D, --debug Enable debug logging
Management Commands:
key Manage keys for signing Docker images
signer Manage entities who can sign Docker images
Commands:
inspect Return low-level information about keys and signatures
revoke Remove trust for an image
sign Sign an image
Run 'docker trust COMMAND --help' for more information on a command.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
120 lines
4.0 KiB
Go
120 lines
4.0 KiB
Go
package trust
|
|
|
|
import (
|
|
"bytes"
|
|
"encoding/pem"
|
|
"errors"
|
|
"fmt"
|
|
"io"
|
|
"os"
|
|
"runtime"
|
|
|
|
"github.com/docker/cli/cli"
|
|
"github.com/docker/cli/cli/command"
|
|
"github.com/docker/cli/cmd/docker-trust/internal/trust"
|
|
"github.com/spf13/cobra"
|
|
"github.com/theupdateframework/notary"
|
|
"github.com/theupdateframework/notary/storage"
|
|
"github.com/theupdateframework/notary/trustmanager"
|
|
tufutils "github.com/theupdateframework/notary/tuf/utils"
|
|
)
|
|
|
|
const (
|
|
nonOwnerReadWriteMask = 0o077
|
|
)
|
|
|
|
type keyLoadOptions struct {
|
|
keyName string
|
|
}
|
|
|
|
func newKeyLoadCommand(dockerCLI command.Streams) *cobra.Command {
|
|
var options keyLoadOptions
|
|
cmd := &cobra.Command{
|
|
Use: "load [OPTIONS] KEYFILE",
|
|
Short: "Load a private key file for signing",
|
|
Args: cli.ExactArgs(1),
|
|
RunE: func(cmd *cobra.Command, args []string) error {
|
|
return loadPrivKey(dockerCLI, args[0], options)
|
|
},
|
|
DisableFlagsInUseLine: true,
|
|
}
|
|
flags := cmd.Flags()
|
|
flags.StringVar(&options.keyName, "name", "signer", "Name for the loaded key")
|
|
return cmd
|
|
}
|
|
|
|
func loadPrivKey(streams command.Streams, keyPath string, options keyLoadOptions) error {
|
|
// validate the key name if provided
|
|
if options.keyName != "" && !validKeyName(options.keyName) {
|
|
return fmt.Errorf("key name \"%s\" must start with lowercase alphanumeric characters and can include \"-\" or \"_\" after the first character", options.keyName)
|
|
}
|
|
trustDir := trust.GetTrustDirectory()
|
|
keyFileStore, err := storage.NewPrivateKeyFileStorage(trustDir, notary.KeyExtension)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
privKeyImporters := []trustmanager.Importer{keyFileStore}
|
|
|
|
_, _ = fmt.Fprintf(streams.Out(), "Loading key from \"%s\"...\n", keyPath)
|
|
|
|
// Always use a fresh passphrase retriever for each import
|
|
passRet := trust.GetPassphraseRetriever(streams.In(), streams.Out())
|
|
keyBytes, err := getPrivKeyBytesFromPath(keyPath)
|
|
if err != nil {
|
|
return fmt.Errorf("refusing to load key from %s: %w", keyPath, err)
|
|
}
|
|
if err := loadPrivKeyBytesToStore(keyBytes, privKeyImporters, keyPath, options.keyName, passRet); err != nil {
|
|
return fmt.Errorf("error importing key from %s: %w", keyPath, err)
|
|
}
|
|
_, _ = fmt.Fprintln(streams.Out(), "Successfully imported key from", keyPath)
|
|
return nil
|
|
}
|
|
|
|
func getPrivKeyBytesFromPath(keyPath string) ([]byte, error) {
|
|
if runtime.GOOS != "windows" {
|
|
fileInfo, err := os.Stat(keyPath)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
if fileInfo.Mode()&nonOwnerReadWriteMask != 0 {
|
|
return nil, fmt.Errorf("private key file %s must not be readable or writable by others", keyPath)
|
|
}
|
|
}
|
|
|
|
from, err := os.OpenFile(keyPath, os.O_RDONLY, notary.PrivExecPerms)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
defer from.Close()
|
|
|
|
return io.ReadAll(from)
|
|
}
|
|
|
|
func loadPrivKeyBytesToStore(privKeyBytes []byte, privKeyImporters []trustmanager.Importer, keyPath, keyName string, passRet notary.PassRetriever) error {
|
|
var err error
|
|
if _, _, err = tufutils.ExtractPrivateKeyAttributes(privKeyBytes); err != nil {
|
|
return fmt.Errorf("provided file %s is not a supported private key - to add a signer's public key use docker trust signer add", keyPath)
|
|
}
|
|
if privKeyBytes, err = decodePrivKeyIfNecessary(privKeyBytes, passRet); err != nil {
|
|
return fmt.Errorf("cannot load key from provided file %s: %w", keyPath, err)
|
|
}
|
|
// Make a reader, rewind the file pointer
|
|
return trustmanager.ImportKeys(bytes.NewReader(privKeyBytes), privKeyImporters, keyName, "", passRet)
|
|
}
|
|
|
|
func decodePrivKeyIfNecessary(privPemBytes []byte, passRet notary.PassRetriever) ([]byte, error) {
|
|
pemBlock, _ := pem.Decode(privPemBytes)
|
|
_, containsDEKInfo := pemBlock.Headers["DEK-Info"]
|
|
if containsDEKInfo || pemBlock.Type == "ENCRYPTED PRIVATE KEY" {
|
|
// if we do not have enough information to properly import, try to decrypt the key
|
|
if _, ok := pemBlock.Headers["path"]; !ok {
|
|
privKey, _, err := trustmanager.GetPasswdDecryptBytes(passRet, privPemBytes, "", "encrypted")
|
|
if err != nil {
|
|
return []byte{}, errors.New("could not decrypt key")
|
|
}
|
|
privPemBytes = privKey.Private()
|
|
}
|
|
}
|
|
return privPemBytes, nil
|
|
}
|