implement docker trust as plugin
#6121
Codecov Report: ✅ All modified and coverable lines are covered by tests.
It's currently expected that this fails, because the e2e tests require the plugin to be installed (which we currently don't do). This error is interesting though; for some reason it shows an error about API version mismatch, but after that it shows

```
Waiting for docker daemon to become available at ssh://[email protected]
Cannot connect to the Docker daemon at http://docker.example.com./ Is the docker daemon running?
Cannot connect to the Docker daemon at http://docker.example.com./ Is the docker daemon running?
Cannot connect to the Docker daemon at http://docker.example.com./ Is the docker daemon running?
Cannot connect to the Docker daemon at http://docker.example.com./ Is the docker daemon running?
Cannot connect to the Docker daemon at http://docker.example.com./ Is the docker daemon running?
Cannot connect to the Docker daemon at http://docker.example.com./ Is the docker daemon running?
Cannot connect to the Docker daemon at http://docker.example.com./ Is the docker daemon running?
Cannot connect to the Docker daemon at http://docker.example.com./ Is the docker daemon running?
Cannot connect to the Docker daemon at http://docker.example.com./ Is the docker daemon running?
Cannot connect to the Docker daemon at http://docker.example.com./ Is the docker daemon running?
Cannot connect to the Docker daemon at http://docker.example.com./ Is the docker daemon running?
Cannot connect to the Docker daemon at http://docker.example.com./ Is the docker daemon running?
Cannot connect to the Docker daemon at http://docker.example.com./ Is the docker daemon running?
Cannot connect to the Docker daemon at http://docker.example.com./ Is the docker daemon running?
Cannot connect to the Docker daemon at http://docker.example.com./ Is the docker daemon running?
Cannot connect to the Docker daemon at http://docker.example.com./ Is the docker daemon running?
Error response from daemon: client version 1.50 is too new. Maximum supported API version is 1.42
Client:
 Version: 28.2.0-dev
 API version: 1.42 (downgraded from 1.50)
 Go version: go1.24.3
 Git commit: d271c02
 Built: Mon Jun 2 15:32:03 2025
 OS/Arch: linux/amd64
 Context: default
Server: Docker Engine - Community
 Engine:
  Version: 23.0.6
  API version: 1.42 (minimum version 1.12)
```
| github.com/docker/go v1.5.1-1.0.20160303222718-d30aec9fd63c // indirect | ||
| github.com/docker/go-events v0.0.0-20250808211157-605354379745 // indirect | ||
| github.com/docker/go-metrics v0.0.1 // indirect | ||
| github.com/docker/libtrust v0.0.0-20160708172513-aabc10ec26b7 // indirect |
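Review bot: the last line lists `github.com/docker/libtrust v0.0.0-20160708172513-aabc10ec26b7` as an `// indirect` requirement, and the first line does the same for `github.com/docker/go` with another 2016 pseudo-version; neither carries a note on why it is needed. Running `go mod why -m github.com/docker/libtrust` (and `go mod graph` filtered on that path) in this module would name the importer, so the requirement can either be dropped or documented before merge.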
Unfortunately, this brings back libtrust as an indirect dependency; still looking what pulls it in (but probably docker/distribution)
OK, so when removing the
move the `trust` subcommands to a plugin, so that the subcommands can
be installed separate from the `docker trust` integration in push/pull
(for situations where trust verification happens on the daemon side).

```
make binary
go build -o /usr/libexec/docker/cli-plugins/docker-trust ./cmd/docker-trust

docker info
Client:
 Version: 28.2.0-dev
 Context: default
 Debug Mode: false
 Plugins:
  buildx: Docker Buildx (Docker Inc.)
    Version: v0.24.0
    Path: /usr/libexec/docker/cli-plugins/docker-buildx
  trust: Manage trust on Docker images (Docker Inc.)
    Version: unknown-version
    Path: /usr/libexec/docker/cli-plugins/docker-trust

docker trust --help

Usage: docker trust [OPTIONS] COMMAND

Extended build capabilities with BuildKit

Options:
  -D, --debug Enable debug logging

Management Commands:
  key Manage keys for signing Docker images
  signer Manage entities who can sign Docker images

Commands:
  inspect Return low-level information about keys and signatures
  revoke Remove trust for an image
  sign Sign an image

Run 'docker trust COMMAND --help' for more information on a command.
```

Signed-off-by: Sebastiaan van Stijn <[email protected]>
skip cmd/docker-trust in tests, as it's a separate module. Signed-off-by: Sebastiaan van Stijn <[email protected]>
Create a copy of the registry package to use, so that code used only for trust can be removed from the cli/internal package. Signed-off-by: Sebastiaan van Stijn <[email protected]>
Signed-off-by: Sebastiaan van Stijn <[email protected]>
Prevent the linter from recursing to other modules (cmd/docker-trust), which don't have their dependencies vendored. Signed-off-by: Sebastiaan van Stijn <[email protected]>
Just a quick experiment to see if we can move the `trust` subcommands to a plugin, so that the subcommands can be installed separate from the `docker trust` integration in push/pull (for situations where trust verification happens on the daemon side).

Makes the CLI binaries somewhat smaller as well:
Before:
After:
- What I did
- How I did it
- How to verify it
- Human readable description for the release notes
- A picture of a cute animal (not mandatory but encouraged)
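
The commit message above installs the plugin by dropping a `docker-trust` binary into `/usr/libexec/docker/cli-plugins`. Because that binary would handle signing keys, the following added example (not part of the PR or the project's code) checks that an installed plugin is a regular executable and that neither it nor its directory is writable by group or others. The function names and return codes are this example's own convention.

```shell
#!/bin/sh
# Added example (not from the PR): sanity-check an installed Docker CLI plugin.
# Return codes are this example's own convention:
#   0 ok, 1 missing, 2 not a regular executable file, 3 writable by group/others

# True if the ls(1) mode string of $1 has the group or other write bit set.
# -L follows symlinks so the target's mode is what gets judged.
loosely_writable() {
    mode=$(ls -ldL "$1" | cut -c1-10)
    case $mode in
        ?????w*|????????w*) return 0 ;;   # position 6 = group w, 9 = other w
    esac
    return 1
}

check_plugin() {
    dir=$1
    path="$dir/$2"
    if [ ! -e "$path" ]; then
        echo "missing: $path"; return 1
    fi
    if [ ! -f "$path" ] || [ ! -x "$path" ]; then
        echo "not a regular executable: $path"; return 2
    fi
    # A loosely writable directory lets another user replace the binary,
    # so the directory is checked as well as the file.
    for p in "$dir" "$path"; do
        if loosely_writable "$p"; then
            echo "writable by group/others: $p"; return 3
        fi
    done
    # Print a digest that can be compared against the build output, if available.
    if command -v sha256sum >/dev/null 2>&1; then
        echo "ok: $(sha256sum "$path")"
    else
        echo "ok: $path"
    fi
    return 0
}
# Usage: check_plugin /usr/libexec/docker/cli-plugins docker-trust
```
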