Add verification for CNAB bundles #17

radu-matei · 2019-08-14T01:20:11Z

$ ./bin/signy sign --type cnab bundle.json docker.io/radumatei/cnab-signing:v1
Pushed trust data for docker.io/radumatei/cnab-signing:v1: 607ddb1d998e2155104067f99065659b202b0b19fa9ae52349ba3e9248635475
Starting to copy image cnab/helloworld:0.1.1..
Completed image cnab/helloworld:0.1.1 copy 

Generated relocation map: bundle.ImageRelocationMap{"cnab/helloworld:0.1.1":"docker.io/radumatei/cnab-signing@sha256:a59a4e74d9cc89e4e75dfb2cc7ea5c108e4236ba6231b53081a9e2506d1197b6"}

Pushed successfully, with digest "sha256:086ef83113475d4582a7431b4b9bc98634d4f71ad1289cca45e661153fc9a46e"

$ ./bin/signy list docker.io/radumatei/cnab-signing
v1      607ddb1d998e2155104067f99065659b202b0b19fa9ae52349ba3e9248635475

$ ./bin/signy verify --type cnab docker.io/radumatei/cnab-signing:v1
Pulled trust data for docker.io/radumatei/cnab-signing:v1 - SHA256: 607ddb1d998e2155104067f99065659b202b0b19fa9ae52349ba3e9248635475

Pulling bundle from registry: docker.io/radumatei/cnab-signing                                                                                         

Relocation map map[cnab/helloworld:0.1.1:radumatei/cnab-signing@sha256:a59a4e74d9cc89e4e75dfb2cc7ea5c108e4236ba6231b53081a9e2506d1197b6]

SHA256 of pulled bundle: 607ddb1d998e2155104067f99065659b202b0b19fa9ae52349ba3e9248635475

$ ./bin/signy sign --type cnab bundle.json docker.io/radumatei/cnab-signing-another-repo:v42

Root key found, using: 1569d4a83b43c76d65cbcf7f639bde71bc6e27b13b08819a126753c4874479a0
Pushed trust data for docker.io/radumatei/cnab-signing-another-repo:v42: 607ddb1d998e2155104067f99065659b202b0b19fa9ae52349ba3e9248635475

Starting to copy image cnab/helloworld:0.1.1... 
Completed image cnab/helloworld:0.1.1 copy

Generated relocation map: bundle.ImageRelocationMap{"cnab/helloworld:0.1.1":"docker.io/radumatei/cnab-signing-another-repo@sha256:a59a4e74d9cc89e4e75dfb2cc7ea5c108e4236ba6231b53081a9e2506d1197b6"}

Pushed successfully, with digest "sha256:086ef83113475d4582a7431b4b9bc98634d4f71ad1289cca45e661153fc9a46e"

radu:signy$ ./bin/signy verify --type cnab docker.io/radumatei/cnab-signing-another-repo:v42
Pulled trust data for docker.io/radumatei/cnab-signing-another-repo:v42 - SHA256: 607ddb1d998e2155104067f99065659b202b0b19fa9ae52349ba3e9248635475

Pulling bundle from registry: docker.io/radumatei/cnab-signing-another-repo

Relocation map map[cnab/helloworld:0.1.1:radumatei/cnab-signing-another-repo@sha256:a59a4e74d9cc89e4e75dfb2cc7ea5c108e4236ba6231b53081a9e2506d1197b6]


SHA256 of pulled bundle: 607ddb1d998e2155104067f99065659b202b0b19fa9ae52349ba3e9248635475

closes #14

Signed-off-by: Radu M <[email protected]>

cmd/verify.go

radu-matei · 2019-08-14T01:28:57Z

cmd/sign.go

-	return trust.SignAndPublish(trustDir, trustServer, s.gun, s.file, tlscacert, s.rootKey)
+	switch s.artifactType {
+	case "plaintext":
+		_, err := trust.SignAndPublish(trustDir, trustServer, s.gun, s.file, tlscacert, s.rootKey)


Maybe display the digest for plain text files as well?

cmd/verify.go

pkg/cnab/push.go

radu-matei · 2019-08-14T01:31:36Z

pkg/cnab/push.go

+		return err
+	}
+
+	resolver := createResolver(nil)


Handle options for pushing an pulling to the registry.

radu-matei · 2019-08-14T01:31:47Z

pkg/cnab/push.go

+
+	relocationMap, err := remotes.FixupBundle(context.Background(), &b, n, resolver, remotes.WithEventCallback(displayEvent),
+		remotes.WithInvocationImagePlatforms(nil),
+		remotes.WithComponentImagePlatforms(nil))


Handle options for pushing an pulling to the registry.

radu-matei · 2019-08-14T01:32:41Z

pkg/trust/sign.go

@@ -51,30 +51,31 @@ func SignAndPublish(trustDir, trustServer, ref, file, tlscacert, rootKey string)
 		case client.ErrRepoNotInitialized, client.ErrRepositoryNotExist:
 			rootKeyIDs, err := importRootKey(rootKey, repo, getPassphraseRetriever())


Ensure existing root keys are passed correctly.

cmd/verify.go

Signed-off-by: Radu M <[email protected]>

Radu M added 2 commits August 14, 2019 04:19

Add verification for CNAB bundles

e5611b7

Signed-off-by: Radu M <[email protected]>

Update dependencies

4c7b2f5

Signed-off-by: Radu M <[email protected]>

radu-matei commented Aug 14, 2019

View reviewed changes

cmd/verify.go Outdated Show resolved Hide resolved

Refactor verification

eb13b61

Signed-off-by: Radu M <[email protected]>

radu-matei merged commit 4c85865 into cnabio:master Aug 14, 2019

radu-matei deleted the cnab branch August 14, 2019 05:18

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Add verification for CNAB bundles #17

Add verification for CNAB bundles #17

radu-matei commented Aug 14, 2019 •

edited

Loading

radu-matei Aug 14, 2019

radu-matei Aug 14, 2019

radu-matei Aug 14, 2019

radu-matei Aug 14, 2019

radu-matei Aug 14, 2019

radu-matei Aug 14, 2019

		@@ -51,30 +51,31 @@ func SignAndPublish(trustDir, trustServer, ref, file, tlscacert, rootKey string)
		case client.ErrRepoNotInitialized, client.ErrRepositoryNotExist:
		rootKeyIDs, err := importRootKey(rootKey, repo, getPassphraseRetriever())

Add verification for CNAB bundles #17

Add verification for CNAB bundles #17

Conversation

radu-matei commented Aug 14, 2019 • edited Loading

radu-matei Aug 14, 2019

Choose a reason for hiding this comment

radu-matei Aug 14, 2019

Choose a reason for hiding this comment

radu-matei Aug 14, 2019

Choose a reason for hiding this comment

radu-matei Aug 14, 2019

Choose a reason for hiding this comment

radu-matei Aug 14, 2019

Choose a reason for hiding this comment

radu-matei Aug 14, 2019

Choose a reason for hiding this comment

radu-matei commented Aug 14, 2019 •

edited

Loading