This pull request adds functionality to pull/push docker images' digest SHA256 alongside in-toto metadata to TUF. When I found signy it was the only way to associate bundles or images with in-toto metadata. Unfortunately, that required using porter to create a bundle, even if you didn't need the full functionality of a bundle. This PR combines features of `docker push` and `docker pull` with `signy sign` and `signy verify`. While not part of the CNAB Security Spec, this will help users such as me who were searching for similar functionality.

Also added new in-toto metadata, as old metadata expired. Upticked version of `github-slug-action` to 3.5.1 as well. Both of these were required to complete this PR.

Usage:

```
signy --tlscacert root-ca.crt push -i [image]
```

This command is nearly identical to the docker CLI command `docker push` when the environment variables `DOCKER_CONTENT_TRUST=1` and `DOCKER_CONTENT_TRUST_SERVER=[server:4443]` are set. In addition to signing the digest, we additionally push the in-toto metadata to the trust server just like `signy sign` does.

To pull an image and verify its digest SHA:

```
signy --tlscacert root-ca.crt pull -i [image]
```

This will pull the image from the registry, verify its digest against what is stored in notary, and verify its in-toto metadata that was pulled down from TUF.
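The two halves of the workflow described above, the push side recording a manifest's length and SHA256 digest and the pull side refusing any manifest that does not match, as an added example that is not part of this PR or of signy's own code. The `TargetEntry` type is a simplified stand-in for the length-plus-hashes shape of a TUF targets entry as Notary records it; the manifest bytes are constructed, and the in-toto metadata check that signy also performs is out of scope here.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// TargetEntry is a simplified stand-in (an assumption for this example, not
// signy's own type) for one target in a TUF targets file: the manifest length
// and a map of hash algorithm name to hex digest.
type TargetEntry struct {
	Length int64             `json:"length"`
	Hashes map[string]string `json:"hashes"`
}

// PublishEntry is the push-side step: record the length and SHA256 digest of
// the manifest being pushed, which is what the trust server ends up holding.
func PublishEntry(manifest []byte) TargetEntry {
	sum := sha256.Sum256(manifest)
	return TargetEntry{
		Length: int64(len(manifest)),
		Hashes: map[string]string{"sha256": hex.EncodeToString(sum[:])},
	}
}

// VerifyManifest is the pull-side step: manifest bytes fetched from the
// registry are accepted only if both length and SHA256 digest match the
// trusted entry. Length is checked first so a truncated or padded manifest is
// rejected before hashing, and the digest comparison is constant-time.
func VerifyManifest(manifest []byte, entry TargetEntry) error {
	if int64(len(manifest)) != entry.Length {
		return fmt.Errorf("length mismatch: trusted %d bytes, got %d", entry.Length, len(manifest))
	}
	wantHex, ok := entry.Hashes["sha256"]
	if !ok {
		return errors.New("trusted entry has no sha256 hash")
	}
	want, err := hex.DecodeString(wantHex)
	if err != nil || len(want) != sha256.Size {
		return errors.New("trusted sha256 value is malformed")
	}
	got := sha256.Sum256(manifest)
	if subtle.ConstantTimeCompare(got[:], want) != 1 {
		return errors.New("sha256 digest mismatch: manifest does not match trusted metadata")
	}
	return nil
}

// ParseTargetEntry decodes the JSON form of an entry, the shape in which it
// travels from the trust server to the client.
func ParseTargetEntry(data []byte) (TargetEntry, error) {
	var e TargetEntry
	if err := json.Unmarshal(data, &e); err != nil {
		return TargetEntry{}, err
	}
	return e, nil
}

func main() {
	// Constructed stand-in for an image manifest; real manifests are larger JSON documents.
	manifest := []byte(`{"schemaVersion":2,"layers":[{"digest":"sha256:PLACEHOLDER"}]}`)

	// Push side: record what was signed.
	entry := PublishEntry(manifest)
	raw, _ := json.Marshal(entry)
	fmt.Println("trusted entry:", string(raw))

	// Pull side: verify the genuine bytes, then a same-length tampered copy.
	parsed, _ := ParseTargetEntry(raw)
	fmt.Println("genuine manifest:", VerifyManifest(manifest, parsed))
	tampered := bytes.Replace(manifest, []byte("PLACEHOLDER"), []byte("PLACEH0LDER"), 1)
	fmt.Println("tampered manifest:", VerifyManifest(tampered, parsed))
}
```

The length check matters on its own: a manifest that hashes correctly but has the wrong length cannot happen for an intact SHA256, so a length mismatch is a cheap early signal that the fetched bytes are not what was signed.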