mirror of https://github.com/docker/cli.git
Merge pull request #935 from n4ss/trust-out-of-experimental2
Move Docker Trust out of experimental
This commit is contained in:
commit
176aa4865c
|
@ -10,10 +10,9 @@ import (
|
|||
func NewTrustCommand(dockerCli command.Cli) *cobra.Command {
|
||||
cmd := &cobra.Command{
|
||||
Use: "trust",
|
||||
Short: "Manage trust on Docker images (experimental)",
|
||||
Short: "Manage trust on Docker images",
|
||||
Args: cli.NoArgs,
|
||||
RunE: command.ShowHelp(dockerCli.Err()),
|
||||
Annotations: map[string]string{"experimentalCLI": ""},
|
||||
}
|
||||
cmd.AddCommand(
|
||||
newRevokeCommand(dockerCli),
|
||||
|
|
|
@ -10,7 +10,7 @@ import (
|
|||
func newTrustKeyCommand(dockerCli command.Streams) *cobra.Command {
|
||||
cmd := &cobra.Command{
|
||||
Use: "key",
|
||||
Short: "Manage keys for signing Docker images (experimental)",
|
||||
Short: "Manage keys for signing Docker images",
|
||||
Args: cli.NoArgs,
|
||||
RunE: command.ShowHelp(dockerCli.Err()),
|
||||
}
|
||||
|
|
|
@ -10,7 +10,7 @@ import (
|
|||
func newTrustSignerCommand(dockerCli command.Cli) *cobra.Command {
|
||||
cmd := &cobra.Command{
|
||||
Use: "signer",
|
||||
Short: "Manage entities who can sign Docker images (experimental)",
|
||||
Short: "Manage entities who can sign Docker images",
|
||||
Args: cli.NoArgs,
|
||||
RunE: command.ShowHelp(dockerCli.Err()),
|
||||
}
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
---
|
||||
title: "trust inspect"
|
||||
description: "The inspect command description and usage"
|
||||
keywords: "view, notary, trust"
|
||||
keywords: "inspect, notary, trust"
|
||||
---
|
||||
|
||||
<!-- This file is maintained within the docker/cli GitHub
|
||||
|
@ -20,6 +20,9 @@ Usage: docker trust inspect IMAGE[:TAG] [IMAGE[:TAG]...]
|
|||
|
||||
Return low-level information about keys and signatures
|
||||
|
||||
Options:
|
||||
--help Print usage
|
||||
--pretty Print the information in a human friendly format
|
||||
```
|
||||
|
||||
## Description
|
||||
|
@ -28,12 +31,6 @@ Return low-level information about keys and signatures
|
|||
This includes all image tags that are signed, who signed them, and who can sign
|
||||
new tags.
|
||||
|
||||
`docker trust inspect` prints the trust information in a machine-readable format. Refer to
|
||||
[`docker trust view`](trust_view.md) for a human-friendly output.
|
||||
|
||||
`docker trust inspect` is currently experimental.
|
||||
|
||||
|
||||
## Examples
|
||||
|
||||
### Get low-level details about signatures for a single image tag
|
||||
|
@ -78,13 +75,13 @@ $ docker trust inspect alpine:latest
|
|||
]
|
||||
```
|
||||
|
||||
The `SignedTags` key will list the `SignedTag` name, its `Digest`, and the `Signers` responsible for the signature.
|
||||
The `SignedTags` key will list the `SignedTag` name, its `Digest`,
|
||||
and the `Signers` responsible for the signature.
|
||||
|
||||
`AdministrativeKeys` will list the `Repository` and `Root` keys.
|
||||
|
||||
This format mirrors the output of `docker trust view`
|
||||
|
||||
If signers are set up for the repository via other `docker trust` commands, `docker trust inspect` includes a `Signers` key:
|
||||
If signers are set up for the repository via other `docker trust`
|
||||
commands, `docker trust inspect` includes a `Signers` key:
|
||||
|
||||
```bash
|
||||
$ docker trust inspect my-image:purple
|
||||
|
@ -156,14 +153,16 @@ $ docker trust inspect my-image:purple
|
|||
]
|
||||
```
|
||||
|
||||
If the image tag is unsigned or unavailable, `docker trust inspect` does not display any signed tags.
|
||||
If the image tag is unsigned or unavailable, `docker trust inspect` does not
|
||||
display any signed tags.
|
||||
|
||||
```bash
|
||||
$ docker trust inspect unsigned-img
|
||||
No signatures or cannot access unsigned-img
|
||||
```
|
||||
|
||||
However, if other tags are signed in the same image repository, `docker trust inspect` reports relevant key information:
|
||||
However, if other tags are signed in the same image repository,
|
||||
`docker trust inspect` reports relevant key information:
|
||||
|
||||
```bash
|
||||
$ docker trust inspect alpine:unsigned
|
||||
|
@ -195,7 +194,8 @@ $ docker trust inspect alpine:unsigned
|
|||
|
||||
### Get details about signatures for all image tags in a repository
|
||||
|
||||
If no tag is specified, `docker trust inspect` will report details for all signed tags in the repository:
|
||||
If no tag is specified, `docker trust inspect` will report details for all
|
||||
signed tags in the repository:
|
||||
|
||||
```bash
|
||||
$ docker trust inspect alpine
|
||||
|
@ -258,7 +258,8 @@ $ docker trust inspect alpine
|
|||
|
||||
### Get details about signatures for multiple images
|
||||
|
||||
`docker trust inspect` can take multiple repositories and images as arguments, and reports the results in an ordered list:
|
||||
`docker trust inspect` can take multiple repositories and images as arguments,
|
||||
and reports the results in an ordered list:
|
||||
|
||||
```bash
|
||||
$ docker trust inspect alpine notary
|
||||
|
@ -362,3 +363,108 @@ $ docker trust inspect alpine notary
|
|||
}
|
||||
]
|
||||
```
|
||||
|
||||
### Formatting
|
||||
|
||||
You can print the inspect output in a human-readable format instead of the default
|
||||
JSON output, by using the `--pretty` option:
|
||||
|
||||
### Get details about signatures for a single image tag
|
||||
|
||||
```bash
|
||||
$ docker trust inspect --pretty alpine:latest
|
||||
|
||||
SIGNED TAG DIGEST SIGNERS
|
||||
latest 1072e499f3f655a032e88542330cf75b02e7bdf673278f701d7ba61629ee3ebe (Repo Admin)
|
||||
|
||||
Administrative keys for alpine:latest:
|
||||
Repository Key: 5a46c9aaa82ff150bb7305a2d17d0c521c2d784246807b2dc611f436a69041fd
|
||||
Root Key: a2489bcac7a79aa67b19b96c4a3bf0c675ffdf00c6d2fabe1a5df1115e80adce
|
||||
```
|
||||
|
||||
The `SIGNED TAG` is the signed image tag with a unique content-addressable
|
||||
`DIGEST`. `SIGNERS` lists all entities who have signed.
|
||||
|
||||
The administrative keys listed specify the root key of trust, as well as
|
||||
the administrative repository key. These keys are responsible for modifying
|
||||
signers, and rotating keys for the signed repository.
|
||||
|
||||
If signers are set up for the repository via other `docker trust` commands,
|
||||
`docker trust inspect --pretty` displays them appropriately as a `SIGNER`
|
||||
and specify their `KEYS`:
|
||||
|
||||
```bash
|
||||
$ docker trust inspect --pretty my-image:purple
|
||||
SIGNED TAG DIGEST SIGNERS
|
||||
purple 941d3dba358621ce3c41ef67b47cf80f701ff80cdf46b5cc86587eaebfe45557 alice, bob, carol
|
||||
|
||||
List of signers and their keys:
|
||||
|
||||
SIGNER KEYS
|
||||
alice 47caae5b3e61, a85aab9d20a4
|
||||
bob 034370bcbd77, 82a66673242c
|
||||
carol b6f9f8e1aab0
|
||||
|
||||
Administrative keys for my-image:
|
||||
Repository Key: 27df2c8187e7543345c2e0bf3a1262e0bc63a72754e9a7395eac3f747ec23a44
|
||||
Root Key: 40b66ccc8b176be8c7d365a17f3e046d1c3494e053dd57cfeacfe2e19c4f8e8f
|
||||
```
|
||||
|
||||
However, if other tags are signed in the same image repository,
|
||||
`docker trust inspect` reports relevant key information.
|
||||
|
||||
```bash
|
||||
$ docker trust inspect --pretty alpine:unsigned
|
||||
|
||||
No signatures for alpine:unsigned
|
||||
|
||||
|
||||
Administrative keys for alpine:unsigned:
|
||||
Repository Key: 5a46c9aaa82ff150bb7305a2d17d0c521c2d784246807b2dc611f436a69041fd
|
||||
Root Key: a2489bcac7a79aa67b19b96c4a3bf0c675ffdf00c6d2fabe1a5df1115e80adce
|
||||
```
|
||||
|
||||
### Get details about signatures for all image tags in a repository
|
||||
|
||||
```bash
|
||||
$ docker trust inspect --pretty alpine
|
||||
SIGNED TAG DIGEST SIGNERS
|
||||
2.6 9ace551613070689a12857d62c30ef0daa9a376107ec0fff0e34786cedb3399b (Repo Admin)
|
||||
2.7 9f08005dff552038f0ad2f46b8e65ff3d25641747d3912e3ea8da6785046561a (Repo Admin)
|
||||
3.1 d9477888b78e8c6392e0be8b2e73f8c67e2894ff9d4b8e467d1488fcceec21c8 (Repo Admin)
|
||||
3.2 19826d59171c2eb7e90ce52bfd822993bef6a6fe3ae6bb4a49f8c1d0a01e99c7 (Repo Admin)
|
||||
3.3 8fd4b76819e1e5baac82bd0a3d03abfe3906e034cc5ee32100d12aaaf3956dc7 (Repo Admin)
|
||||
3.4 833ad81ace8277324f3ca8c91c02bdcf1d13988d8ecf8a3f97ecdd69d0390ce9 (Repo Admin)
|
||||
3.5 af2a5bd2f8de8fc1ecabf1c76611cdc6a5f1ada1a2bdd7d3816e121b70300308 (Repo Admin)
|
||||
3.6 1072e499f3f655a032e88542330cf75b02e7bdf673278f701d7ba61629ee3ebe (Repo Admin)
|
||||
edge 79d50d15bd7ea48ea00cf3dd343b0e740c1afaa8e899bee475236ef338e1b53b (Repo Admin)
|
||||
latest 1072e499f3f655a032e88542330cf75b02e7bdf673278f701d7ba61629ee3ebe (Repo Admin)
|
||||
|
||||
Administrative keys for alpine:
|
||||
Repository Key: 5a46c9aaa82ff150bb7305a2d17d0c521c2d784246807b2dc611f436a69041fd
|
||||
Root Key: a2489bcac7a79aa67b19b96c4a3bf0c675ffdf00c6d2fabe1a5df1115e80adce
|
||||
```
|
||||
|
||||
Here's an example with signers that are set up by `docker trust` commands:
|
||||
|
||||
```bash
|
||||
$ docker trust inspect --pretty my-image
|
||||
SIGNED TAG DIGEST SIGNERS
|
||||
red 852cc04935f930a857b630edc4ed6131e91b22073bcc216698842e44f64d2943 alice
|
||||
blue f1c38dbaeeb473c36716f6494d803fbfbe9d8a76916f7c0093f227821e378197 alice, bob
|
||||
green cae8fedc840f90c8057e1c24637d11865743ab1e61a972c1c9da06ec2de9a139 alice, bob
|
||||
yellow 9cc65fc3126790e683d1b92f307a71f48f75fa7dd47a7b03145a123eaf0b45ba carol
|
||||
purple 941d3dba358621ce3c41ef67b47cf80f701ff80cdf46b5cc86587eaebfe45557 alice, bob, carol
|
||||
orange d6c271baa6d271bcc24ef1cbd65abf39123c17d2e83455bdab545a1a9093fc1c alice
|
||||
|
||||
List of signers and their keys for my-image:
|
||||
|
||||
SIGNER KEYS
|
||||
alice 47caae5b3e61, a85aab9d20a4
|
||||
bob 034370bcbd77, 82a66673242c
|
||||
carol b6f9f8e1aab0
|
||||
|
||||
Administrative keys for my-image:
|
||||
Repository Key: 27df2c8187e7543345c2e0bf3a1262e0bc63a72754e9a7395eac3f747ec23a44
|
||||
Root Key: 40b66ccc8b176be8c7d365a17f3e046d1c3494e053dd57cfeacfe2e19c4f8e8f
|
||||
```
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
---
|
||||
title: "key generate"
|
||||
description: "The key generate command description and usage"
|
||||
keywords: "Key, notary, trust"
|
||||
keywords: "key, notary, trust"
|
||||
---
|
||||
|
||||
<!-- This file is maintained within the docker/cli Github
|
||||
|
@ -30,8 +30,6 @@ Options:
|
|||
`docker trust key generate` generates a key-pair to be used with signing,
|
||||
and loads the private key into the local docker trust keystore.
|
||||
|
||||
`docker trust key generate` is currently experimental.
|
||||
|
||||
## Examples
|
||||
|
||||
### Generate a key-pair
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
---
|
||||
title: "key load"
|
||||
description: "The key load command description and usage"
|
||||
keywords: "Key, notary, trust"
|
||||
keywords: "key, notary, trust"
|
||||
---
|
||||
|
||||
<!-- This file is maintained within the docker/cli Github
|
||||
|
@ -29,8 +29,6 @@ Options:
|
|||
|
||||
`docker trust key load` adds private keys to the local docker trust keystore. To add a signer to a repository use `docker trust signer add`.
|
||||
|
||||
`docker trust key load` is currently experimental.
|
||||
|
||||
## Examples
|
||||
|
||||
### Load a single private key
|
||||
|
|
|
@ -29,8 +29,6 @@ Options:
|
|||
|
||||
`docker trust revoke` removes signatures from tags in signed repositories.
|
||||
|
||||
`docker trust revoke` is currently experimental.
|
||||
|
||||
## Examples
|
||||
|
||||
### Revoke signatures from a signed tag
|
||||
|
|
|
@ -30,8 +30,6 @@ Options:
|
|||
|
||||
`docker trust sign` adds signatures to tags to create signed repositories.
|
||||
|
||||
`docker trust sign` is currently experimental.
|
||||
|
||||
## Examples
|
||||
|
||||
### Sign a tag as a repo admin
|
||||
|
|
|
@ -29,8 +29,6 @@ Options:
|
|||
|
||||
`docker trust signer add` adds signers to signed repositories.
|
||||
|
||||
`docker trust signer add` is currently experimental.
|
||||
|
||||
## Examples
|
||||
|
||||
### Add a signer to a repo
|
||||
|
|
|
@ -29,8 +29,6 @@ Options:
|
|||
|
||||
`docker trust signer remove` removes signers from signed repositories.
|
||||
|
||||
`docker trust signer remove` is currently experimental.
|
||||
|
||||
## Examples
|
||||
|
||||
### Remove a signer from a repo
|
||||
|
|
|
@ -1,138 +0,0 @@
|
|||
---
|
||||
title: "trust view"
|
||||
description: "The view command description and usage"
|
||||
keywords: "view, notary, trust"
|
||||
---
|
||||
|
||||
<!-- This file is maintained within the docker/cli GitHub
|
||||
repository at https://github.com/docker/cli/. Make all
|
||||
pull requests against that repo. If you see this file in
|
||||
another repository, consider it read-only there, as it will
|
||||
periodically be overwritten by the definitive file. Pull
|
||||
requests which include edits to this file in other repositories
|
||||
will be rejected.
|
||||
-->
|
||||
|
||||
# trust view
|
||||
|
||||
```markdown
|
||||
Usage: docker trust view IMAGE[:TAG]
|
||||
|
||||
Display detailed information about keys and signatures
|
||||
|
||||
```
|
||||
|
||||
## Description
|
||||
|
||||
`docker trust view` provides detailed information on signed repositories.
|
||||
This includes all image tags that are signed, who signed them, and who can sign
|
||||
new tags.
|
||||
|
||||
By default, `docker trust view` renders results in a table.
|
||||
|
||||
`docker trust view` is currently experimental.
|
||||
|
||||
|
||||
## Examples
|
||||
|
||||
### Get details about signatures for a single image tag
|
||||
|
||||
|
||||
```bash
|
||||
$ docker trust view alpine:latest
|
||||
|
||||
SIGNED TAG DIGEST SIGNERS
|
||||
latest 1072e499f3f655a032e88542330cf75b02e7bdf673278f701d7ba61629ee3ebe (Repo Admin)
|
||||
|
||||
Administrative keys for alpine:latest:
|
||||
Repository Key: 5a46c9aaa82ff150bb7305a2d17d0c521c2d784246807b2dc611f436a69041fd
|
||||
Root Key: a2489bcac7a79aa67b19b96c4a3bf0c675ffdf00c6d2fabe1a5df1115e80adce
|
||||
```
|
||||
|
||||
The `SIGNED TAG` is the signed image tag with a unique content-addressable `DIGEST`. `SIGNERS` lists all entities who have signed.
|
||||
|
||||
The administrative keys listed specify the root key of trust, as well as the administrative repository key. These keys are responsible for modifying signers, and rotating keys for the signed repository.
|
||||
|
||||
If signers are set up for the repository via other `docker trust` commands, `docker trust view` displays them appropriately as a `SIGNER` and specify their `KEYS`:
|
||||
|
||||
```bash
|
||||
$ docker trust view my-image:purple
|
||||
SIGNED TAG DIGEST SIGNERS
|
||||
purple 941d3dba358621ce3c41ef67b47cf80f701ff80cdf46b5cc86587eaebfe45557 alice, bob, carol
|
||||
|
||||
List of signers and their keys:
|
||||
|
||||
SIGNER KEYS
|
||||
alice 47caae5b3e61, a85aab9d20a4
|
||||
bob 034370bcbd77, 82a66673242c
|
||||
carol b6f9f8e1aab0
|
||||
|
||||
Administrative keys for my-image:
|
||||
Repository Key: 27df2c8187e7543345c2e0bf3a1262e0bc63a72754e9a7395eac3f747ec23a44
|
||||
Root Key: 40b66ccc8b176be8c7d365a17f3e046d1c3494e053dd57cfeacfe2e19c4f8e8f
|
||||
```
|
||||
|
||||
If the image tag is unsigned or unavailable, `docker trust view` does not display any signed tags.
|
||||
|
||||
```bash
|
||||
$ docker trust view unsigned-img
|
||||
No signatures or cannot access unsigned-img
|
||||
```
|
||||
|
||||
However, if other tags are signed in the same image repository, `docker trust view` reports relevant key information.
|
||||
|
||||
```bash
|
||||
$ docker trust view alpine:unsigned
|
||||
|
||||
No signatures for alpine:unsigned
|
||||
|
||||
|
||||
Administrative keys for alpine:unsigned:
|
||||
Repository Key: 5a46c9aaa82ff150bb7305a2d17d0c521c2d784246807b2dc611f436a69041fd
|
||||
Root Key: a2489bcac7a79aa67b19b96c4a3bf0c675ffdf00c6d2fabe1a5df1115e80adce
|
||||
```
|
||||
|
||||
### Get details about signatures for all image tags in a repository
|
||||
|
||||
```bash
|
||||
$ docker trust view alpine
|
||||
SIGNED TAG DIGEST SIGNERS
|
||||
2.6 9ace551613070689a12857d62c30ef0daa9a376107ec0fff0e34786cedb3399b (Repo Admin)
|
||||
2.7 9f08005dff552038f0ad2f46b8e65ff3d25641747d3912e3ea8da6785046561a (Repo Admin)
|
||||
3.1 d9477888b78e8c6392e0be8b2e73f8c67e2894ff9d4b8e467d1488fcceec21c8 (Repo Admin)
|
||||
3.2 19826d59171c2eb7e90ce52bfd822993bef6a6fe3ae6bb4a49f8c1d0a01e99c7 (Repo Admin)
|
||||
3.3 8fd4b76819e1e5baac82bd0a3d03abfe3906e034cc5ee32100d12aaaf3956dc7 (Repo Admin)
|
||||
3.4 833ad81ace8277324f3ca8c91c02bdcf1d13988d8ecf8a3f97ecdd69d0390ce9 (Repo Admin)
|
||||
3.5 af2a5bd2f8de8fc1ecabf1c76611cdc6a5f1ada1a2bdd7d3816e121b70300308 (Repo Admin)
|
||||
3.6 1072e499f3f655a032e88542330cf75b02e7bdf673278f701d7ba61629ee3ebe (Repo Admin)
|
||||
edge 79d50d15bd7ea48ea00cf3dd343b0e740c1afaa8e899bee475236ef338e1b53b (Repo Admin)
|
||||
latest 1072e499f3f655a032e88542330cf75b02e7bdf673278f701d7ba61629ee3ebe (Repo Admin)
|
||||
|
||||
Administrative keys for alpine:
|
||||
Repository Key: 5a46c9aaa82ff150bb7305a2d17d0c521c2d784246807b2dc611f436a69041fd
|
||||
Root Key: a2489bcac7a79aa67b19b96c4a3bf0c675ffdf00c6d2fabe1a5df1115e80adce
|
||||
```
|
||||
|
||||
Here's an example with signers that are set up by `docker trust` commands:
|
||||
|
||||
```bash
|
||||
$ docker trust view my-image
|
||||
SIGNED TAG DIGEST SIGNERS
|
||||
red 852cc04935f930a857b630edc4ed6131e91b22073bcc216698842e44f64d2943 alice
|
||||
blue f1c38dbaeeb473c36716f6494d803fbfbe9d8a76916f7c0093f227821e378197 alice, bob
|
||||
green cae8fedc840f90c8057e1c24637d11865743ab1e61a972c1c9da06ec2de9a139 alice, bob
|
||||
yellow 9cc65fc3126790e683d1b92f307a71f48f75fa7dd47a7b03145a123eaf0b45ba carol
|
||||
purple 941d3dba358621ce3c41ef67b47cf80f701ff80cdf46b5cc86587eaebfe45557 alice, bob, carol
|
||||
orange d6c271baa6d271bcc24ef1cbd65abf39123c17d2e83455bdab545a1a9093fc1c alice
|
||||
|
||||
List of signers and their keys for my-image:
|
||||
|
||||
SIGNER KEYS
|
||||
alice 47caae5b3e61, a85aab9d20a4
|
||||
bob 034370bcbd77, 82a66673242c
|
||||
carol b6f9f8e1aab0
|
||||
|
||||
Administrative keys for my-image:
|
||||
Repository Key: 27df2c8187e7543345c2e0bf3a1262e0bc63a72754e9a7395eac3f747ec23a44
|
||||
Root Key: 40b66ccc8b176be8c7d365a17f3e046d1c3494e053dd57cfeacfe2e19c4f8e8f
|
||||
```
|
Loading…
Reference in New Issue