In order to verify signatures, users could upload their certificates and public keys using these routes:
-> for public keys:
/v2/_zot/ext/mgmt?resource=signatures&tool=cosign
-> for certificates:
/v2/_zot/ext/mgmt?resource=signatures&tool=notation&truststoreType=ca&truststoreName=name
Then the public keys will be stored under $rootdir/_cosign and the certificates will be stored under
$rootdir/_notation/truststore/x509/$truststoreType/$truststoreName.
Also, for notation case, the "truststores" field of $rootir/_notation/trustpolicy.json file will be
updated with a new entry "$truststoreType:$truststoreName".
Also based on the uploaded files, the information about the signatures validity will be updated
periodically.
Signed-off-by: Andreea-Lupu <andreealupu1470@yahoo.com>
- AuthzHandler has now been split in BaseAuthzHandler and DistSpecAuthzHandler
The former populates context with user specific data needed in most handlers, while
the latter executes access logic specific to distribution-spec handlers.
Signed-off-by: Alex Stan <alexandrustan96@yahoo.ro>
Also modify zli to retry in case of such errors,
assuming the trivyDB will eventually be downloaded by the scheduled task.
Signed-off-by: Andrei Aaron <aaaron@luxoft.com>
because UI routes will setup a http.FileServer on '/'
any router setup after UI will be ignored at runtime
becuase gorrilla will route it to http.Fileserver instead.
Signed-off-by: Petu Eusebiu <peusebiu@cisco.com>
before syncing an image we first check if it's already present in our storage
to do that we get the manifest from remote and compare it with the local one
but in the case of syncing docker images, because the conversion to OCI format is done while
syncing, we get a docker manifest before conversion, so sync detects that local manifest and
remote one are different, so it starts syncing again.
to overcome this, convert remote docker manifests to OCI manifests and then compare.
Signed-off-by: Petu Eusebiu <peusebiu@cisco.com>
this causes a bug in extensions by not having the identity for the
authenticated user and couldn't apply his permissions, just the default ones.
Signed-off-by: Petu Eusebiu <peusebiu@cisco.com>
ci(workflow): show disk usage and free up disk space used by unneeded tooling
ci(tests): routes tests: do not copy large images if they are not used later
ci(trivy): update a test: download trivy.db to a temporary folder
Signed-off-by: Andrei Aaron <aaaron@luxoft.com>
fix(storage/local): also put deduped blobs in cache, not just origin blobs
this caused an error when trying to delete deduped blobs
from multiple repositories
fix(storage/s3): check blob is present in cache before deleting
this is an edge case where dedupe is false but cacheDriver is not nil
(because in s3 we open the cache.db if storage find it in rootDir)
it caused an error when trying to delete blobs uploaded with dedupe false
Signed-off-by: Petu Eusebiu <peusebiu@cisco.com>
Currently, when pushing an image, validation is performed to check that
a layer/blob in the manifest already exists. For non-distributable
layers, that check needs to be skipped.
Fixes issue #1394
Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
