Skip to content

Canonicalize docker references in signature.VerifyDockerManifestSignature #227

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
mtrmac merged 1 commit into from
Jan 30, 2017
Merged

Canonicalize docker references in signature.VerifyDockerManifestSignature #227

mtrmac merged 1 commit into from
Jan 30, 2017

Conversation

@mtrmac
Copy link
Collaborator

@mtrmac mtrmac commented Jan 24, 2017
edited
Loading

After #220, and especially future #221, signing docker/distribution/reference.Named.String() would use the new fully-expanded normalization (as opposed to containers/image/docker/reference.Named.String(), which is minimized).

For interoperability between various versions and signers, parse and normalize the expected and signed references before comparing them.

This should be equivalent to prmMatchExact.matchesDockerReference().

It is also fairly tempting to use a reference.Named instead of a string as the parameters to the public functions in docker.go; however, the Named interface does not really guarantee what kind of canonicalization is used. (Right now, due to the extra methods in containers/image/docker/reference.Named, it is impossible to substitute an upstream docker/distribution/reference.Named implementation, but #221 would again make that untrue.) For now I have leaned towards not changing things.

@mtrmac mtrmac mentioned this pull request Jan 24, 2017
Merged
@runcom
Copy link
Member

runcom commented Jan 25, 2017
edited
Loading

LGTM

@mtrmac do we wait for #223 to be fully sorted out or just get this in now? I mean, feel free to bring this is

Approved with PullApprove

@mtrmac
Canonicalize docker references in signature.VerifyDockerManifestSigna…
73dfbc6 
…ture

After containers#220, and especially
future containers#221, signing
docker/distribution/reference.Named.String() would use the new
fully-expanded normalization (as opposed to
containers/image/docker/reference.Named.String(), which is minimized).

For interoperability between various versions and signers, parse and normalize
the expected and signed references before comparing them.

This should be equivalent to prmMatchExact.matchesDockerReference().

Signed-off-by: Miloslav Trmač <[email protected]>
@mtrmac mtrmac force-pushed the canonicalize-VerifyDockerManifestSignature branch from 0a4e6b6 to 73dfbc6 Compare January 30, 2017 17:24
@mtrmac
Copy link
Collaborator Author

mtrmac commented Jan 30, 2017
edited by runcom
Loading

👍

Approved with PullApprove

@mtrmac mtrmac merged commit e22c6fd into containers:master Jan 30, 2017
@mtrmac mtrmac deleted the canonicalize-VerifyDockerManifestSignature branch January 30, 2017 17:43
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@mtrmac @runcom