-
Notifications
You must be signed in to change notification settings - Fork 374
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Correctly handle encryption/decryption changes in non-OCI formats #1932
Conversation
daa120c
to
4141d23
Compare
4141d23
to
f1ce56d
Compare
a796912
to
879a27a
Compare
879a27a
to
7eeed2c
Compare
7eeed2c
to
6ae3c59
Compare
... to cut down on the repetitiveness. Should not change (test) behavior. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
6ae3c59
to
0f27515
Compare
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
0e54f28
to
ea39042
Compare
This is now ready for review. To test: openssl genrsa -out ociprivate.key 1024
openssl rsa -in ociprivate.key -pubout > ocipublic.key
skopeo --override-os linux --insecure-policy copy --encryption-key jwe:./ocipublic.key docker://quay.io/libpod/alpine oci:nginx_encrypted
bin/skopeo --debug --override-os linux --insecure-policy copy --decryption-key ./ociprivate.key oci:nginx_encrypted docker-archive:t.tar |
ea39042
to
f78377f
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
internal/image/oci.go
Outdated
// FIXME: s/Zsdt/Zstd/ after ocicrypt with https://github.com/containers/ocicrypt/pull/91 is released | ||
case ociencspec.MediaTypeLayerEnc, ociencspec.MediaTypeLayerGzipEnc, ociencspec.MediaTypeLayerZstdEnc, | ||
ociencspec.MediaTypeLayerNonDistributableEnc, ociencspec.MediaTypeLayerNonDistributableGzipEnc, ociencspec.MediaTypeLayerNonDistributableZsdtEnc: | ||
return nil, fmt.Errorf("Error during manifest conversion: %q: encrypted layers are not supported in docker images", layers[idx].MediaType) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please don't start error messages with Error.
Otherwize podman and buildah end up with
Error: Error ...
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I know there are other examples, which I can open a PR to fix.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for the reminder, I have fixed the newly added errors at least.
... and add tests. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
…rmats Previously this would try first converting to the other format, and that would fail because the other format can't represent encrypted layers. So, do the layer edits for decryption first. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
…yption Signed-off-by: Miloslav Trmač <mitr@redhat.com>
f78377f
to
cc1d30b
Compare
LGTM |
This