WIP: Hypotenuse - a tool for extracting the base images out of a Dockerfile. #189

Closed
wants to merge 1 commit into from

Conversation

dlorenc
Member

@dlorenc dlorenc commented Mar 28, 2021

I'm sending this one up for fun and discussion! This should not be merged as is :)

This introduces a small tool that can be used to parse a Dockerfile and extract the base images from inside it. The tool fully resolves those base image entries to a digest (hopefully the same one that would be used in the docker build that's about to follow). These references are then passed over stdout, one per line, where they can be consumed by other tools. Like cosign!

You can use this to verify the base images in a Dockerfile have all been signed before you do a build. This is related and complementary to #188.

See this gif!

The name hypotenuse is probably my worst pun yet.

(animated gif: hypotenuse)
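The two steps the description above sketches, FROM-line extraction and digest pinning, as an added example in Go that is not code from this PR or from cosign. It assumes nothing beyond the standard library: the resolver passed to PinAll stands in for the registry lookup the real tool would perform, and the multi-stage handling (skipping earlier stage aliases, scratch, and the --platform flag) goes a little beyond the single case shown in the description.

```go
package main

import (
	"fmt"
	"strings"
)

// BaseImages returns the registry images named by a Dockerfile's FROM lines, in order.
// Build-stage aliases ("FROM builder") and "scratch" are skipped: neither is a registry image.
func BaseImages(dockerfile string) []string {
	stages := map[string]bool{} // stage names defined so far (Docker treats them case-insensitively)
	var images []string
	for _, line := range strings.Split(dockerfile, "\n") {
		f := strings.Fields(line)
		if len(f) < 2 || !strings.EqualFold(f[0], "FROM") {
			continue // comments, RUN, COPY, blank lines, ...
		}
		args := f[1:]
		if strings.HasPrefix(args[0], "--") && len(args) > 1 {
			args = args[1:] // skip the flag in "FROM --platform=linux/amd64 image"
		}
		ref := args[0]
		external := !strings.HasPrefix(ref, "--") && !strings.EqualFold(ref, "scratch") && !stages[strings.ToLower(ref)]
		if len(args) >= 3 && strings.EqualFold(args[1], "AS") {
			stages[strings.ToLower(args[2])] = true // a later "FROM <alias>" refers to this stage
		}
		if external {
			images = append(images, ref)
		}
	}
	return images
}

// PinAll appends a digest to every image that lacks one. resolve stands in for the
// registry request the real tool would make (a parameter here so this runs offline).
func PinAll(images []string, resolve func(string) (string, error)) ([]string, error) {
	var out []string
	for _, img := range images {
		if !strings.Contains(img, "@sha256:") { // already-pinned refs pass through unchanged
			digest, err := resolve(img)
			if err != nil {
				return nil, fmt.Errorf("resolving %s: %w", img, err)
			}
			img += "@" + digest
		}
		out = append(out, img)
	}
	return out, nil
}
```

Each line of PinAll's output is a digest-pinned reference of the form cosign verify expects, so the output can be fed to it one image per line.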

@ahmetb
Contributor

ahmetb commented Mar 29, 2021

Several different experiences come to mind:

  1. The hypotenuse command works as you illustrated, but we make cosign verify accept the input for IMAGE from stdin (one image reference per line).

  2. We directly integrate this into cosign verify, e.g. -f Dockerfile, since cosign is meant to be end-user friendly. If we want a print-only mode, we can do -print-only, which just resolves image references. This way, the user doesn't need to see a new hypotenuse command.

@dlorenc
Member Author

dlorenc commented Mar 29, 2021

2. We directly integrate this into cosign verify, e.g. -f Dockerfile, since cosign is meant to be end-user friendly. If we want a print-only mode, we can do -print-only, which just resolves image references. This way, the user doesn't need to see a new hypotenuse command.

Yup! @jonjohnsonjr had some other ideas on using this to rewrite (or pin) the Dockerfiles, or to intercept and pass back into docker build . -f <(...)

@font
Member

font commented Mar 29, 2021

Neat @dlorenc! I was thinking of something like this, but was hoping it was possible to do this from an already built image. I didn't immediately find anything meaningful though.

@dlorenc
Member Author

dlorenc commented Mar 29, 2021

@font I have some ideas here with @imjasonh. When do you need something by? I can hack something up pretty quickly as a POC.

@dekkagaijin
Member

dekkagaijin commented Jul 1, 2021

Obsoleted by #395
