Image encryption/decryption support in skopeo #732
Conversation
harche
force-pushed
the
pr_branch
branch
2 times, most recently
from
f51d9e0
to
c1c53ee
Compare
There was a problem hiding this comment.
Just a few nits and comments. Overall, LGTM 👍
Since it's not yet in the OCI spec and potentially subject to change, I prefer marking the {de,en}cryption supports in the man pages and the help message as experimental to avoid users from depending on it.
@mtrmac @mrunalp @rhatdan WDYT?
@TomSweeneyRedHat, could you have a look? Your doc-reviewing skills would be greatly appreciated :)
docs/skopeo-copy.1.md
Outdated
| openssl genrsa -out private.key 1024 | ||
| openssl rsa -in private.key -pubout > public.key | ||
|
|
||
| ./skopeo copy --encryption-key jwe:./public.key oci:local_nginx:latest oci:try-encrypt:enc |
There was a problem hiding this comment.
Can we name the destination oci:local_nginx:encrypted? I think this will highlight the relationship with the source a bit more. Same for the commands below.
docs/skopeo-copy.1.md
Outdated
| @@ -80,6 +84,25 @@ To copy and sign an image: | |||
| $ skopeo copy --sign-by dev@example.com atomic:example/busybox:streaming atomic:example/busybox:gold | |||
| ``` | |||
|
|
|||
| To encrypt an image: | |||
| ```sh | |||
| ./skopeo copy docker://docker.io/library/nginx:latest oci:local_nginx:latest | |||
There was a problem hiding this comment.
s/\.skopeo/\$ skopeo/ same for the commands below (including openssl).
integration/copy_test.go
Outdated
| defer os.RemoveAll(dir3) | ||
| dir4, err := ioutil.TempDir("", "copy-4") | ||
| c.Assert(err, check.IsNil) | ||
| defer os.RemoveAll(dir4) |
There was a problem hiding this comment.
Can we name those variables as something more descriptive? E.g., dir1 as unencryptedDir? It make the tests easier to understand and ultimately easier to maintain in the future.
docs/skopeo-copy.1.md
Outdated
| @@ -30,6 +30,10 @@ If the authorization state is not found there, $HOME/.docker/config.json is chec | |||
|
|
|||
| **--sign-by=**_key-id_ add a signature using that key ID for an image name corresponding to _destination-image_ | |||
|
|
|||
| **--encryption-key** _Key_ a reference prefixed with the encryption protocol to use. e.g. jwe:/path/to/key.pem or pgp:admin@example.com or pkcs7:/path/to/x509-file | |||
There was a problem hiding this comment.
Which protocols are supported? Are there any other requirements? We should add a sentence (or two) about that.
vrothberg
changed the title
|
I added a |
| encryptionKeys := opts.encryptionKeys.Value() | ||
| ecc, err := enchelpers.CreateCryptoConfig(encryptionKeys, []string{}) | ||
| if err != nil { | ||
| return err |
There was a problem hiding this comment.
Please wrap almost all errors at the top level in fmt.Errorf that add end-user context, e.g. in this case making it clear that it’s the --encryption-key option list that is invalid.
There was a problem hiding this comment.
While fixing I realized that if the user specifies both --encryption-key and --decryption-key it won't be possible to tell which one is invalid. So I moved that check outside in a separate if condition.
cmd/skopeo/copy.go
Outdated
| var encLayers *[]int | ||
| if len(ccs) > 0 { | ||
| cc := encconfig.CombineCryptoConfigs(ccs) | ||
| if len(opts.decryptionKeys.Value()) > 0 { |
There was a problem hiding this comment.
Does this need to be in two stages checking opts.decryptionKeys.Value() twice? AFAICS CombineCryptoConfigs only combines encryption configs with encryption configs, and decryption configs with decryption configs. Actually because it checks opts.decryptionKeys.Value, and not cc.EncryptConfig, it seems clear that CombineCryptoConfigs can’t affect do any encryption-decryption interactions without breaking this logic anyway.
(Why have encryption and decryption in a single config type at all, if they are always segregated by use?)
Yeah, there’s the dependency cycle between only releasing a final version of the code after a final version of an interoperable specification, and only releasing a final version of an interoperable specification after there is a production implementation (or two?). At this point I think making it as experimental is appropriate, as well as being careful about implying any endorsement by OCI (which this PR does not do). |
@mtrmac there are some reviews on this but they are not part of the current repo since it was moved. "Archived" discussions on the ocicrypt library can be found in the PRs listed below. There were quite a bit of discussion on calls as well. the discussions were between IBM, our internal NIST counterpart and Docker. In addition to that, there are some notes on the discussions in the OCI weekly dev call as well in the HackMD. Of course, more reviews are always welcome :) Reviews: |
harche
force-pushed
the
pr_branch
branch
2 times, most recently
from
be068e4
to
9e4bf8b
Compare
harche
force-pushed
the
pr_branch
branch
2 times, most recently
from
2a76e2f
to
3134246
Compare
|
The c/image PR is merged now, so we can vendor c/image directly. The CI is currently failing with the vendor checks as we're now enforcing go 1.13. This version of golang behaves slightly different and removes some unneeded files from ./vendor. I'll open a PR to add a If you don't have 1.13 installed, you can use a container: $ podman run --privileged --rm --env HOME=/root -v `pwd`:/src -w /src docker.io/library/golang:1.13 make vendor |
|
@vrothberg I just pushed by updating vendor with go 1.13.4. About directly importing |
go.mod
Outdated
| @@ -21,3 +22,5 @@ require ( | |||
| github.com/urfave/cli v1.22.1 | |||
| go4.org v0.0.0-20190218023631-ce4c26f7be8e // indirect | |||
| ) | |||
|
|
|||
| replace github.com/containers/image/v5 => github.com/lumjjb/image/v5 v5.0.0-20191125184705-a298da5c535d | |||
There was a problem hiding this comment.
Please drop the replace here and use commit 502848a1358b for vendoring c/image/v5.
We need to vendor commit 502848a1358b from c/image as we don't want to depend on a private fork of c/image but to always use the latest required commit. Once we cut a new release for skopeo, we should vendor a release of c/image though. |
harche
force-pushed
the
pr_branch
branch
2 times, most recently
from
9451589
to
5fbf26c
Compare
Done. Thanks. |
Signed-off-by: Harshal Patil <harshal.patil@in.ibm.com> Signed-off-by: Brandon Lum <lumjjb@gmail.com>
vrothberg
changed the title
Add support for image encryption/decryption in
skopeoFor this to work,
containers/imageneeds to support encrypted images. There is a PR by @lumjjb to add the support incontainers/image, containers/image#673. As soon as that PR is merged and is vendored intoskopeoI will update this PR to use vendoredcontainers/image.Signed-off-by: Harshal Patil harshal.patil@in.ibm.com
Signed-off-by: Brandon Lum lumjjb@gmail.com