cnabio / signy

Go implementation for CNAB content trust verification using TUF, Notary, and in-toto
MIT License

Adding a feature to pull/push docker images digest SHA256 alongside in-toto metadata to TUF #88

Closed (seb-bah closed this 3 years ago)

seb-bah commented 3 years ago

This pull request adds functionality to pull/push docker image digests (SHA256) alongside in-toto metadata to TUF. When I found signy it was the only way to associate bundles or images with in-toto metadata. Unfortunately, that required using porter to create a bundle, even if you didn't need the full functionality of a bundle. This PR combines features of docker push and docker pull with signy sign and signy verify. While not part of the CNAB Security Spec, this will help users such as me who were searching for similar functionality.

Also added new in-toto metadata, as the old metadata had expired. Upticked the version of github-slug-action to 3.5.1 as well. Both of these were required to complete this PR.

Usage:

signy --tlscacert root-ca.crt push -i [image]

This command is nearly identical to the docker CLI command docker push when the environment variables DOCKER_CONTENT_TRUST=1 and DOCKER_CONTENT_TRUST_SERVER=[server:4443] are set. In addition to signing the digest, we additionally push the in-toto metadata to the trust server just like signy sign does.

To pull an image and verify its digest SHA:

signy --tlscacert root-ca.crt pull -i [image]

This will pull the image from the registry, verify its digest against what is stored in notary, and verify its in-toto metadata that was pulled down from TUF.