From bc95cd66af2f6f3e417f884b875944de168bfb47 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Miloslav=20Trma=C4=8D?=
Date: Sat, 4 Mar 2017 06:16:38 +0100
Subject: [PATCH 1/2] Do not use Windows-reserved ':' in sigstore file names
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
i.e. use …/busybox@sha256=… instead of ../busybox@sha256:… . See https://github.com/containers/image/issues/187 for more discussion.
Signed-off-by: Miloslav Trmač
---
 docker/lookaside.go | 2 +-
 docker/lookaside_test.go | 19 ++++++++++---------
 2 files changed, 11 insertions(+), 10 deletions(-)
diff --git a/docker/lookaside.go b/docker/lookaside.go
index 8896b758e0..6b6fe27da3 100644
--- a/docker/lookaside.go
+++ b/docker/lookaside.go
@@ -195,6 +195,6 @@ func signatureStorageURL(base signatureStorageBase, manifestDigest digest.Digest
 return nil
 }
 url := *base
- url.Path = fmt.Sprintf("%s@%s/signature-%d", url.Path, manifestDigest.String(), index+1)
+ url.Path = fmt.Sprintf("%s@%s=%s/signature-%d", url.Path, manifestDigest.Algorithm(), manifestDigest.Hex(), index+1)
 return &url
 }
diff --git a/docker/lookaside_test.go b/docker/lookaside_test.go
index 7cab4b8804..f74e994b17 100644
--- a/docker/lookaside_test.go
+++ b/docker/lookaside_test.go
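Review bot: In signatureStorageURL (docker/lookaside.go), the new `fmt.Sprintf` call writes `manifestDigest.Algorithm()` and `manifestDigest.Hex()` into the storage path with no visible check that the digest is well-formed. Unlike `String()`, go-digest's accessors panic when the value has no ':' separator, and a hex part containing '/' or '..' would change which location is read or written under a file:// sigstore base. If the callers do not already run `manifestDigest.Validate()`, that check belongs before this line (the function returns only `*url.URL`, so it needs either an error return or a documented precondition); the table in lookaside_test.go covers only a well-formed sha256 value. Separately, signatures already stored under the old `@sha256:…` layout are no longer found after this change, so the layout switch should come with a migration note. The body of signatureStorageURL starts outside the hunk.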
@@ -252,26 +252,27 @@ func TestRegistryNamespaceSignatureTopLevel(t *testing.T) {
 }
 func TestSignatureStorageBaseSignatureStorageURL(t *testing.T) {
- const md = "sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
+ const mdInput = "sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
+ const mdMapped = "sha256=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
- assert.True(t, signatureStorageURL(nil, md, 0) == nil)
+ assert.True(t, signatureStorageURL(nil, mdInput, 0) == nil)
 for _, c := range []struct {
 base string
 index int
 expected string
 }{
- {"file:///tmp", 0, "file:///tmp@" + md + "/signature-1"},
- {"file:///tmp", 1, "file:///tmp@" + md + "/signature-2"},
- {"https://localhost:5555/root", 0, "https://localhost:5555/root@" + md + "/signature-1"},
- {"https://localhost:5555/root", 1, "https://localhost:5555/root@" + md + "/signature-2"},
- {"http://localhost:5555/root", 0, "http://localhost:5555/root@" + md + "/signature-1"},
- {"http://localhost:5555/root", 1, "http://localhost:5555/root@" + md + "/signature-2"},
+ {"file:///tmp", 0, "file:///tmp@" + mdMapped + "/signature-1"},
+ {"file:///tmp", 1, "file:///tmp@" + mdMapped + "/signature-2"},
+ {"https://localhost:5555/root", 0, "https://localhost:5555/root@" + mdMapped + "/signature-1"},
+ {"https://localhost:5555/root", 1, "https://localhost:5555/root@" + mdMapped + "/signature-2"},
+ {"http://localhost:5555/root", 0, "http://localhost:5555/root@" + mdMapped + "/signature-1"},
+ {"http://localhost:5555/root", 1, "http://localhost:5555/root@" + mdMapped + "/signature-2"},
 } {
 url, err := url.Parse(c.base)
 require.NoError(t, err)
 expectedURL, err := url.Parse(c.expected)
 require.NoError(t, err)
- res := signatureStorageURL(url, md, c.index)
+ res := signatureStorageURL(url, mdInput, c.index)
 assert.Equal(t, expectedURL, res, c.expected)
 }
 }
From ec116a0cb34ad6df6f441ed30dab568858e626aa Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Miloslav=20Trma=C4=8D?=
Date: Sat, 4 Mar 2017 06:22:35 +0100
Subject: [PATCH 2/2] Remove host name from sigstore paths
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
See a long meandering discussion in https://github.com/containers/image/pull/120 . Note that the repo name within a single host is still used within the signstore path, only the host name has been dropped.
Signed-off-by: Miloslav Trmač
---
 docker/lookaside.go | 10 +++++-----
 docker/lookaside_test.go | 2 +-
 2 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/docker/lookaside.go b/docker/lookaside.go
index 6b6fe27da3..ba2bd9b4bb 100644
--- a/docker/lookaside.go
+++ b/docker/lookaside.go
@@ -9,12 +9,12 @@ import (
 "path/filepath"
 "strings"
+ "github.com/Sirupsen/logrus"
+ "github.com/containers/image/docker/reference"
+ "github.com/containers/image/types"
 "github.com/ghodss/yaml"
 "github.com/opencontainers/go-digest"
 "github.com/pkg/errors"
-
- "github.com/Sirupsen/logrus"
- "github.com/containers/image/types"
 )
 // systemRegistriesDirPath is the path to registries.d, used for locating lookaside Docker signature storage.
@@ -64,8 +64,8 @@ func configuredSignatureStorageBase(ctx *types.SystemContext, ref dockerReferenc
 return nil, errors.Wrapf(err, "Invalid signature storage URL %s", topLevel)
 }
 // FIXME? Restrict to explicitly supported schemes?
- repo := ref.ref.Name() // Note that this is without a tag or digest.
- if path.Clean(repo) != repo { // Coverage: This should not be reachable because /./ and /../ components are not valid in docker references
+ repo := reference.Path(ref.ref) // Note that this is without a tag or digest.
+ if path.Clean(repo) != repo { // Coverage: This should not be reachable because /./ and /../ components are not valid in docker references
 return nil, errors.Errorf("Unexpected path elements in Docker reference %s for signature storage", ref.ref.String())
 }
 url.Path = url.Path + "/" + repo
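Review bot: The comment kept on the `repo := reference.Path(ref.ref)` line in configuredSignatureStorageBase still reads `// Note that this is without a tag or digest.`, but the value now also omits the registry host, which is the security-relevant part of this change. With the host dropped, same-named repositories on different registries resolve to the same location whenever they share one sigstore base (for example a default entry that applies to several hosts, which is not visible in this hunk), so the path no longer separates them and acceptance has to rest entirely on the identity carried inside the signature. I would change the comment to `// Repository path only: no registry host, tag or digest; one sigstore base must not be shared between registries.` and state the same wherever the sigstore configuration is documented. The function starts and ends outside the hunk.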
diff --git a/docker/lookaside_test.go b/docker/lookaside_test.go
index f74e994b17..43eed7822b 100644
--- a/docker/lookaside_test.go
+++ b/docker/lookaside_test.go
@@ -46,7 +46,7 @@ func TestConfiguredSignatureStorageBase(t *testing.T) {
 dockerRefFromString(t, "//example.com/my/project"), false)
 assert.NoError(t, err)
 require.NotNil(t, base)
- assert.Equal(t, "https://sigstore.example.com/example.com/my/project", (*url.URL)(base).String())
+ assert.Equal(t, "https://sigstore.example.com/my/project", (*url.URL)(base).String())
 }
 func TestRegistriesDirPath(t *testing.T) {