-
Notifications
You must be signed in to change notification settings - Fork 769
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Image encryption/decryption support in skopeo #732
Conversation
f51d9e0
to
c1c53ee
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Just a few nits and comments. Overall, LGTM 👍
Since it's not yet in the OCI spec and potentially subject to change, I prefer marking the {de,en}cryption supports in the man pages and the help message as experimental to avoid users from depending on it.
@mtrmac @mrunalp @rhatdan WDYT?
@TomSweeneyRedHat, could you have a look? Your doc-reviewing skills would be greatly appreciated :)
docs/skopeo-copy.1.md
Outdated
openssl genrsa -out private.key 1024 | ||
openssl rsa -in private.key -pubout > public.key | ||
|
||
./skopeo copy --encryption-key jwe:./public.key oci:local_nginx:latest oci:try-encrypt:enc |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can we name the destination oci:local_nginx:encrypted
? I think this will highlight the relationship with the source a bit more. Same for the commands below.
docs/skopeo-copy.1.md
Outdated
@@ -80,6 +84,25 @@ To copy and sign an image: | |||
$ skopeo copy --sign-by dev@example.com atomic:example/busybox:streaming atomic:example/busybox:gold | |||
``` | |||
|
|||
To encrypt an image: | |||
```sh | |||
./skopeo copy docker://docker.io/library/nginx:latest oci:local_nginx:latest |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
s/\.skopeo/\$ skopeo/
same for the commands below (including openssl).
integration/copy_test.go
Outdated
defer os.RemoveAll(dir3) | ||
dir4, err := ioutil.TempDir("", "copy-4") | ||
c.Assert(err, check.IsNil) | ||
defer os.RemoveAll(dir4) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can we name those variables as something more descriptive? E.g., dir1
as unencryptedDir
? It make the tests easier to understand and ultimately easier to maintain in the future.
docs/skopeo-copy.1.md
Outdated
@@ -30,6 +30,10 @@ If the authorization state is not found there, $HOME/.docker/config.json is chec | |||
|
|||
**--sign-by=**_key-id_ add a signature using that key ID for an image name corresponding to _destination-image_ | |||
|
|||
**--encryption-key** _Key_ a reference prefixed with the encryption protocol to use. e.g. jwe:/path/to/key.pem or pgp:admin@example.com or pkcs7:/path/to/x509-file |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
e.g.
-> For instance,
.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Which protocols are supported? Are there any other requirements? We should add a sentence (or two) about that.
I added a |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
(This is a full review, apart from the actual ocicrypt
design/implementation. Is anyone going to review that, or are we just going to accept that on faith?)
encryptionKeys := opts.encryptionKeys.Value() | ||
ecc, err := enchelpers.CreateCryptoConfig(encryptionKeys, []string{}) | ||
if err != nil { | ||
return err |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please wrap almost all errors at the top level in fmt.Errorf
that add end-user context, e.g. in this case making it clear that it’s the --encryption-key
option list that is invalid.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
While fixing I realized that if the user specifies both --encryption-key
and --decryption-key
it won't be possible to tell which one is invalid. So I moved that check outside in a separate if condition.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
cmd/skopeo/copy.go
Outdated
var encLayers *[]int | ||
if len(ccs) > 0 { | ||
cc := encconfig.CombineCryptoConfigs(ccs) | ||
if len(opts.decryptionKeys.Value()) > 0 { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Does this need to be in two stages checking opts.decryptionKeys.Value()
twice? AFAICS CombineCryptoConfigs
only combines encryption configs with encryption configs, and decryption configs with decryption configs. Actually because it checks opts.decryptionKeys.Value
, and not cc.EncryptConfig
, it seems clear that CombineCryptoConfigs
can’t affect do any encryption-decryption interactions without breaking this logic anyway.
(Why have encryption and decryption in a single config type at all, if they are always segregated by use?)
Yeah, there’s the dependency cycle between only releasing a final version of the code after a final version of an interoperable specification, and only releasing a final version of an interoperable specification after there is a production implementation (or two?). At this point I think making it as experimental is appropriate, as well as being careful about implying any endorsement by OCI (which this PR does not do). |
@mtrmac there are some reviews on this but they are not part of the current repo since it was moved. "Archived" discussions on the ocicrypt library can be found in the PRs listed below. There were quite a bit of discussion on calls as well. the discussions were between IBM, our internal NIST counterpart and Docker. In addition to that, there are some notes on the discussions in the OCI weekly dev call as well in the HackMD. Of course, more reviews are always welcome :) Reviews: |
be068e4
to
9e4bf8b
Compare
2a76e2f
to
3134246
Compare
The c/image PR is merged now, so we can vendor c/image directly. The CI is currently failing with the vendor checks as we're now enforcing go 1.13. This version of golang behaves slightly different and removes some unneeded files from ./vendor. I'll open a PR to add a If you don't have 1.13 installed, you can use a container: $ podman run --privileged --rm --env HOME=/root -v `pwd`:/src -w /src docker.io/library/golang:1.13 make vendor |
@vrothberg I just pushed by updating vendor with go 1.13.4. About directly importing |
go.mod
Outdated
@@ -21,3 +22,5 @@ require ( | |||
github.com/urfave/cli v1.22.1 | |||
go4.org v0.0.0-20190218023631-ce4c26f7be8e // indirect | |||
) | |||
|
|||
replace github.com/containers/image/v5 => github.com/lumjjb/image/v5 v5.0.0-20191125184705-a298da5c535d |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please drop the replace here and use commit 502848a1358b
for vendoring c/image/v5.
We need to vendor commit 502848a1358b from c/image as we don't want to depend on a private fork of c/image but to always use the latest required commit. Once we cut a new release for skopeo, we should vendor a release of c/image though. |
9451589
to
5fbf26c
Compare
Done. Thanks. |
Signed-off-by: Harshal Patil <harshal.patil@in.ibm.com> Signed-off-by: Brandon Lum <lumjjb@gmail.com>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
@rhatdan @giuseppe @TomSweeneyRedHat PTAL
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
Add support for image encryption/decryption in
skopeo
For this to work,
containers/image
needs to support encrypted images. There is a PR by @lumjjb to add the support incontainers/image
, containers/image#673. As soon as that PR is merged and is vendored intoskopeo
I will update this PR to use vendoredcontainers/image
.Signed-off-by: Harshal Patil harshal.patil@in.ibm.com
Signed-off-by: Brandon Lum lumjjb@gmail.com