Merge pull request #935 from n4ss/trust-out-of-experimental2

Move Docker Trust out of experimental
docker · Mar 13, 2018 · 176aa48 · 176aa48
2 parents 2731c71 + 09ec6d4
commit 176aa48
Show file tree

Hide file tree

Showing 11 changed files with 129 additions and 174 deletions.
diff --git a/cli/command/trust/cmd.go b/cli/command/trust/cmd.go
@@ -9,11 +9,10 @@ import (
 // NewTrustCommand returns a cobra command for `trust` subcommands
 func NewTrustCommand(dockerCli command.Cli) *cobra.Command {
  cmd := &cobra.Command{
- Use: "trust",
- Short: "Manage trust on Docker images (experimental)",
- Args: cli.NoArgs,
- RunE: command.ShowHelp(dockerCli.Err()),
- Annotations: map[string]string{"experimentalCLI": ""},
+ Use: "trust",
+ Short: "Manage trust on Docker images",
+ Args: cli.NoArgs,
+ RunE: command.ShowHelp(dockerCli.Err()),
  }
  cmd.AddCommand(
  newRevokeCommand(dockerCli),

diff --git a/cli/command/trust/key.go b/cli/command/trust/key.go
@@ -10,7 +10,7 @@ import (
 func newTrustKeyCommand(dockerCli command.Streams) *cobra.Command {
  cmd := &cobra.Command{
  Use: "key",
- Short: "Manage keys for signing Docker images (experimental)",
+ Short: "Manage keys for signing Docker images",
  Args: cli.NoArgs,
  RunE: command.ShowHelp(dockerCli.Err()),
  }

diff --git a/cli/command/trust/signer.go b/cli/command/trust/signer.go
@@ -10,7 +10,7 @@ import (
 func newTrustSignerCommand(dockerCli command.Cli) *cobra.Command {
  cmd := &cobra.Command{
  Use: "signer",
- Short: "Manage entities who can sign Docker images (experimental)",
+ Short: "Manage entities who can sign Docker images",
  Args: cli.NoArgs,
  RunE: command.ShowHelp(dockerCli.Err()),
  }

diff --git a/docs/reference/commandline/trust_inspect.md b/docs/reference/commandline/trust_inspect.md
@@ -1,7 +1,7 @@
 ---
 title: "trust inspect"
 description: "The inspect command description and usage"
-keywords: "view, notary, trust"
+keywords: "inspect, notary, trust"
 ---
 
 <!-- This file is maintained within the docker/cli GitHub
@@ -20,6 +20,9 @@ Usage: docker trust inspect IMAGE[:TAG] [IMAGE[:TAG]...]
 
 Return low-level information about keys and signatures
 
+Options:
+ --help Print usage
+ --pretty Print the information in a human friendly format
 ```
 
 ## Description
@@ -28,12 +31,6 @@ Return low-level information about keys and signatures
 This includes all image tags that are signed, who signed them, and who can sign
 new tags.
 
-`docker trust inspect` prints the trust information in a machine-readable format. Refer to
-[`docker trust view`](trust_view.md) for a human-friendly output.
-
-`docker trust inspect` is currently experimental.
-
-
 ## Examples
 
 ### Get low-level details about signatures for a single image tag
@@ -78,13 +75,13 @@ $ docker trust inspect alpine:latest
 ]
 ```
 
-The `SignedTags` key will list the `SignedTag` name, its `Digest`, and the `Signers` responsible for the signature.
+The `SignedTags` key will list the `SignedTag` name, its `Digest`,
+and the `Signers` responsible for the signature.
 
 `AdministrativeKeys` will list the `Repository` and `Root` keys.
 
-This format mirrors the output of `docker trust view` 
-
-If signers are set up for the repository via other `docker trust` commands, `docker trust inspect` includes a `Signers` key:
+If signers are set up for the repository via other `docker trust`
+commands, `docker trust inspect` includes a `Signers` key:
 
 ```bash
 $ docker trust inspect my-image:purple
@@ -156,14 +153,16 @@ $ docker trust inspect my-image:purple
 ]
 ```
 
-If the image tag is unsigned or unavailable, `docker trust inspect` does not display any signed tags.
+If the image tag is unsigned or unavailable, `docker trust inspect` does not
+display any signed tags.
 
 ```bash
 $ docker trust inspect unsigned-img
 No signatures or cannot access unsigned-img
 ```
 
-However, if other tags are signed in the same image repository, `docker trust inspect` reports relevant key information:
+However, if other tags are signed in the same image repository,
+`docker trust inspect` reports relevant key information:
 
 ```bash
 $ docker trust inspect alpine:unsigned
@@ -195,7 +194,8 @@ $ docker trust inspect alpine:unsigned
 
 ### Get details about signatures for all image tags in a repository
 
-If no tag is specified, `docker trust inspect` will report details for all signed tags in the repository:
+If no tag is specified, `docker trust inspect` will report details for all
+signed tags in the repository:
 
 ```bash
 $ docker trust inspect alpine
@@ -258,7 +258,8 @@ $ docker trust inspect alpine
 
 ### Get details about signatures for multiple images
 
-`docker trust inspect` can take multiple repositories and images as arguments, and reports the results in an ordered list:
+`docker trust inspect` can take multiple repositories and images as arguments,
+and reports the results in an ordered list:
 
 ```bash
 $ docker trust inspect alpine notary
@@ -362,3 +363,108 @@ $ docker trust inspect alpine notary
  }
 ]
 ```
+
+### Formatting
+
+You can print the inspect output in a human-readable format instead of the default
+JSON output, by using the `--pretty` option:
+
+### Get details about signatures for a single image tag
+
+```bash
+$ docker trust inspect --pretty alpine:latest
+
+SIGNED TAG DIGEST SIGNERS
+latest 1072e499f3f655a032e88542330cf75b02e7bdf673278f701d7ba61629ee3ebe (Repo Admin)
+
+Administrative keys for alpine:latest:
+Repository Key: 5a46c9aaa82ff150bb7305a2d17d0c521c2d784246807b2dc611f436a69041fd
+Root Key: a2489bcac7a79aa67b19b96c4a3bf0c675ffdf00c6d2fabe1a5df1115e80adce
+```
+
+The `SIGNED TAG` is the signed image tag with a unique content-addressable
+`DIGEST`. `SIGNERS` lists all entities who have signed.
+
+The administrative keys listed specify the root key of trust, as well as
+the administrative repository key. These keys are responsible for modifying
+signers, and rotating keys for the signed repository.
+
+If signers are set up for the repository via other `docker trust` commands,
+`docker trust inspect --pretty` displays them appropriately as a `SIGNER`
+and specify their `KEYS`:
+
+```bash
+$ docker trust inspect --pretty my-image:purple
+SIGNED TAG DIGEST SIGNERS
+purple 941d3dba358621ce3c41ef67b47cf80f701ff80cdf46b5cc86587eaebfe45557 alice, bob, carol
+
+List of signers and their keys:
+
+SIGNER KEYS
+alice 47caae5b3e61, a85aab9d20a4
+bob 034370bcbd77, 82a66673242c
+carol b6f9f8e1aab0
+
+Administrative keys for my-image:
+Repository Key: 27df2c8187e7543345c2e0bf3a1262e0bc63a72754e9a7395eac3f747ec23a44
+Root Key: 40b66ccc8b176be8c7d365a17f3e046d1c3494e053dd57cfeacfe2e19c4f8e8f
+```
+
+However, if other tags are signed in the same image repository,
+`docker trust inspect` reports relevant key information.
+
+```bash
+$ docker trust inspect --pretty alpine:unsigned
+
+No signatures for alpine:unsigned
+
+
+Administrative keys for alpine:unsigned:
+Repository Key: 5a46c9aaa82ff150bb7305a2d17d0c521c2d784246807b2dc611f436a69041fd
+Root Key: a2489bcac7a79aa67b19b96c4a3bf0c675ffdf00c6d2fabe1a5df1115e80adce
+```
+
+### Get details about signatures for all image tags in a repository
+
+```bash
+$ docker trust inspect --pretty alpine
+SIGNED TAG DIGEST SIGNERS
+2.6 9ace551613070689a12857d62c30ef0daa9a376107ec0fff0e34786cedb3399b (Repo Admin)
+2.7 9f08005dff552038f0ad2f46b8e65ff3d25641747d3912e3ea8da6785046561a (Repo Admin)
+3.1 d9477888b78e8c6392e0be8b2e73f8c67e2894ff9d4b8e467d1488fcceec21c8 (Repo Admin)
+3.2 19826d59171c2eb7e90ce52bfd822993bef6a6fe3ae6bb4a49f8c1d0a01e99c7 (Repo Admin)
+3.3 8fd4b76819e1e5baac82bd0a3d03abfe3906e034cc5ee32100d12aaaf3956dc7 (Repo Admin)
+3.4 833ad81ace8277324f3ca8c91c02bdcf1d13988d8ecf8a3f97ecdd69d0390ce9 (Repo Admin)
+3.5 af2a5bd2f8de8fc1ecabf1c76611cdc6a5f1ada1a2bdd7d3816e121b70300308 (Repo Admin)
+3.6 1072e499f3f655a032e88542330cf75b02e7bdf673278f701d7ba61629ee3ebe (Repo Admin)
+edge 79d50d15bd7ea48ea00cf3dd343b0e740c1afaa8e899bee475236ef338e1b53b (Repo Admin)
+latest 1072e499f3f655a032e88542330cf75b02e7bdf673278f701d7ba61629ee3ebe (Repo Admin)
+
+Administrative keys for alpine:
+Repository Key: 5a46c9aaa82ff150bb7305a2d17d0c521c2d784246807b2dc611f436a69041fd
+Root Key: a2489bcac7a79aa67b19b96c4a3bf0c675ffdf00c6d2fabe1a5df1115e80adce
+```
+
+Here's an example with signers that are set up by `docker trust` commands:
+
+```bash
+$ docker trust inspect --pretty my-image
+SIGNED TAG DIGEST SIGNERS
+red 852cc04935f930a857b630edc4ed6131e91b22073bcc216698842e44f64d2943 alice
+blue f1c38dbaeeb473c36716f6494d803fbfbe9d8a76916f7c0093f227821e378197 alice, bob
+green cae8fedc840f90c8057e1c24637d11865743ab1e61a972c1c9da06ec2de9a139 alice, bob
+yellow 9cc65fc3126790e683d1b92f307a71f48f75fa7dd47a7b03145a123eaf0b45ba carol
+purple 941d3dba358621ce3c41ef67b47cf80f701ff80cdf46b5cc86587eaebfe45557 alice, bob, carol
+orange d6c271baa6d271bcc24ef1cbd65abf39123c17d2e83455bdab545a1a9093fc1c alice
+
+List of signers and their keys for my-image:
+
+SIGNER KEYS
+alice 47caae5b3e61, a85aab9d20a4
+bob 034370bcbd77, 82a66673242c
+carol b6f9f8e1aab0
+
+Administrative keys for my-image:
+Repository Key: 27df2c8187e7543345c2e0bf3a1262e0bc63a72754e9a7395eac3f747ec23a44
+Root Key: 40b66ccc8b176be8c7d365a17f3e046d1c3494e053dd57cfeacfe2e19c4f8e8f
+```
diff --git a/docs/reference/commandline/trust_key_generate.md b/docs/reference/commandline/trust_key_generate.md
@@ -1,7 +1,7 @@
 ---
 title: "key generate"
 description: "The key generate command description and usage"
-keywords: "Key, notary, trust"
+keywords: "key, notary, trust"
 ---
 
 <!-- This file is maintained within the docker/cli Github
@@ -30,8 +30,6 @@ Options:
 `docker trust key generate` generates a key-pair to be used with signing,
  and loads the private key into the local docker trust keystore.
 
-`docker trust key generate` is currently experimental.
-
 ## Examples
 
 ### Generate a key-pair

diff --git a/docs/reference/commandline/trust_key_load.md b/docs/reference/commandline/trust_key_load.md
@@ -1,7 +1,7 @@
 ---
 title: "key load"
 description: "The key load command description and usage"
-keywords: "Key, notary, trust"
+keywords: "key, notary, trust"
 ---
 
 <!-- This file is maintained within the docker/cli Github
@@ -29,8 +29,6 @@ Options:
 
 `docker trust key load` adds private keys to the local docker trust keystore. To add a signer to a repository use `docker trust signer add`.
 
-`docker trust key load` is currently experimental.
-
 ## Examples
 
 ### Load a single private key

diff --git a/docs/reference/commandline/trust_revoke.md b/docs/reference/commandline/trust_revoke.md
@@ -29,8 +29,6 @@ Options:
 
 `docker trust revoke` removes signatures from tags in signed repositories.
 
-`docker trust revoke` is currently experimental.
-
 ## Examples
 
 ### Revoke signatures from a signed tag

diff --git a/docs/reference/commandline/trust_sign.md b/docs/reference/commandline/trust_sign.md
@@ -30,8 +30,6 @@ Options:
 
 `docker trust sign` adds signatures to tags to create signed repositories.
 
-`docker trust sign` is currently experimental.
-
 ## Examples
 
 ### Sign a tag as a repo admin

diff --git a/docs/reference/commandline/trust_signer_add.md b/docs/reference/commandline/trust_signer_add.md
@@ -29,8 +29,6 @@ Options:
 
 `docker trust signer add` adds signers to signed repositories.
 
-`docker trust signer add` is currently experimental.
-
 ## Examples
 
 ### Add a signer to a repo

diff --git a/docs/reference/commandline/trust_signer_remove.md b/docs/reference/commandline/trust_signer_remove.md
@@ -29,8 +29,6 @@ Options:
 
 `docker trust signer remove` removes signers from signed repositories.
 
-`docker trust signer remove` is currently experimental.
-
 ## Examples
 
 ### Remove a signer from a repo