
Update notary with attestation #15568

Open
wants to merge 1 commit into base: master

Conversation

LaurentGoderre
Member

No description provided.

@LaurentGoderre LaurentGoderre changed the title Update notary Update notary weith builder image and attestation Oct 18, 2023
@LaurentGoderre LaurentGoderre changed the title Update notary weith builder image and attestation Update notary with builder image and attestation Oct 18, 2023

@whalelines
Contributor

The Test PR GHA failure is complaining about not being able to find golang:1.19-alpine3.16, but that image exists, https://hub.docker.com/_/golang/tags?page=1&name=1.19-alpine3.16.

Who can restart the GHA to retry?

@LaurentGoderre
Member Author

@whalelines I think this is a problem of the tag existing but not being updated anymore (not supported). I do feel like upgrading to a supported version of Go goes beyond the scope of this change.

@tianon
Member

tianon commented Dec 1, 2023

Is this notary:builder image intended for end-user consumption? What's the use case?

@LaurentGoderre
Member Author

@tianon it can be, but this is mostly to prevent duplicate builds of the same thing.

@tianon
Member

tianon commented Dec 6, 2023

I'm not sure that the build is heavy (or non-deterministic) enough for that to make much difference, right? 😅

(It feels like leaking an implementation detail of the new build system to users in a place that's already pretty consistently confusing: "which tag do I use?")

@LaurentGoderre
Member Author

I could rework the upstream to use one Dockerfile with conditions with templating

@tianon
Member

tianon commented Dec 7, 2023

Yeah, solving the "maintaining the same thing twice" problem sounds like a better fit for templating 🙇 ❤️


Diff for 321ba0d:
diff --git a/_bashbrew-cat b/_bashbrew-cat
index c7e8026..7aacc96 100644
--- a/_bashbrew-cat
+++ b/_bashbrew-cat
@@ -1,7 +1,7 @@
 Maintainers: Justin Cormack (@justincormack)
 Architectures: amd64, arm32v6, arm64v8, i386, ppc64le, s390x
 GitRepo: https://github.com/docker/notary-official-images.git
-GitCommit: 77b9b7833f8dd6be07104b214193788795a320ff
+GitCommit: 6f17ffbcfd207a1783f20b65ba85d9577c84214f
 Builder: buildkit
 
 Tags: server-0.7.0, server
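Review bot: the `Maintainers:` line in this hunk is left unchanged while the pinned `GitCommit:` is bumped to `6f17ffbcfd207a1783f20b65ba85d9577c84214f`; since the later discussion flags that line as "surely not accurate", this header hunk is the place to correct it, so the listed maintainer matches who actually has merge access on the `GitRepo` named two lines above (the full-SHA pin itself is the right form, as it cannot drift the way a branch name would).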
diff --git a/notary_server/Dockerfile b/notary_server/Dockerfile
index 832912f..d325276 100644
--- a/notary_server/Dockerfile
+++ b/notary_server/Dockerfile
@@ -1,3 +1,9 @@
+#
+# NOTE: THIS DOCKERFILE IS GENERATED VIA "apply-templates.sh"
+#
+# PLEASE DO NOT EDIT IT DIRECTLY.
+#
+
 FROM golang:1.19-alpine3.16 AS build
 
 RUN apk add --no-cache git make
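Review bot: the new header declares the file generated via "apply-templates.sh" and says not to edit it directly, but the unchanged context line `FROM golang:1.19-alpine3.16 AS build` is the very image the Test PR job could not pull and that the thread identifies as past end of life; with the file now generated, the base-image bump has to land in the template upstream, so the notice should also name where that template lives (the `GitRepo` from `_bashbrew-cat`) so a reader knows where the fix goes rather than editing a file marked read-only.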
@@ -10,6 +16,8 @@ ENV GOFLAGS -mod=vendor
 WORKDIR /go/src/$NOTARYPKG
 RUN set -eux; \
 	git clone -b "$TAG" --depth 1 "https://$NOTARYPKG.git" .; \
+# In case the version in file doens't match the tag (like in 0.7.0)
+	echo "${TAG//v/}" > NOTARY_VERSION; \
 # https://github.com/notaryproject/notary/pull/1635
 	git fetch --depth 2 origin efc35b02698644af16f6049c7b585697352451b8; \
 	git -c user.name=foo -c user.email=foo@example.com cherry-pick -x efc35b02698644af16f6049c7b585697352451b8; \
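Review bot: `echo "${TAG//v/}" > NOTARY_VERSION` removes every `v` in the tag, not just a leading one, so it works for `v0.7.0` but would corrupt any tag that happens to contain a `v` elsewhere (a `-dev` or `-rc` style suffix, for example); `${TAG#v}` strips only a leading `v` and states the intent directly. The added comment also has a typo: "doens't" should read "doesn't".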
@@ -17,10 +25,12 @@ RUN set -eux; \
 	go get github.com/dvsekhvalnov/jose2go@v0.0.0-20200901110807-248326c1351b; \
 	go mod vendor; \
 # TODO remove for the next release of Notary (which should include efc35b02698644af16f6049c7b585697352451b8 & ca095023296d2d710ad9c6dec019397d46bf8576)
+# Make the version detectable by scanners
+	sed -i -r -E 's|(version.NotaryVersion=\$\(NOTARY_VERSION\))|\1 -X $(NOTARY_PKG)/version.Version=$(NOTARY_VERSION)|' Makefile; \
 	make SKIPENVCHECK=1 PREFIX=. ./bin/static/notary-server ./bin/static/notary-signer; \
 	cp -vL ./bin/static/notary-server ./bin/static/notary-signer /; \
 	/notary-server --version; \
-	/notary-signer --version
+	/notary-signer --version;
 
 FROM alpine:3.16
 
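Review bot: the added `sed -i -r -E ...` rewrite of the Makefile succeeds silently whether or not the pattern `version.NotaryVersion=$(NOTARY_VERSION)` still matches, so a future Notary tag that reshapes that line would quietly produce a binary without the injected `version.Version`, defeating the stated goal of making the version detectable by scanners; add a check right after the `sed`, e.g. `grep -q 'version.Version=' Makefile`, so `set -eux` fails the build instead. Minor: `-r` and `-E` are synonyms in sed, so one of them can go, and the trailing `;` added to `/notary-signer --version;` is harmless but unneeded as the last command in the `RUN`.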
diff --git a/notary_signer/Dockerfile b/notary_signer/Dockerfile
index 15bab3f..7cd6f79 100644
--- a/notary_signer/Dockerfile
+++ b/notary_signer/Dockerfile
@@ -1,3 +1,9 @@
+#
+# NOTE: THIS DOCKERFILE IS GENERATED VIA "apply-templates.sh"
+#
+# PLEASE DO NOT EDIT IT DIRECTLY.
+#
+
 FROM golang:1.19-alpine3.16 AS build
 
 RUN apk add --no-cache git make
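Review bot: this header hunk is byte-identical to the one in `notary_server/Dockerfile`, including the same `FROM golang:1.19-alpine3.16 AS build` context line the thread identifies as end-of-life and unpullable; with both files now marked as generated and "do not edit", the single template they come from is the one place where that base image can be fixed, which supports the templating direction discussed above over shipping two copies.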
@@ -10,6 +16,8 @@ ENV GOFLAGS -mod=vendor
 WORKDIR /go/src/$NOTARYPKG
 RUN set -eux; \
 	git clone -b "$TAG" --depth 1 "https://$NOTARYPKG.git" .; \
+# In case the version in file doens't match the tag (like in 0.7.0)
+	echo "${TAG//v/}" > NOTARY_VERSION; \
 # https://github.com/notaryproject/notary/pull/1635
 	git fetch --depth 2 origin efc35b02698644af16f6049c7b585697352451b8; \
 	git -c user.name=foo -c user.email=foo@example.com cherry-pick -x efc35b02698644af16f6049c7b585697352451b8; \
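Review bot: as in the server Dockerfile, `"${TAG//v/}"` strips every `v` in the tag rather than only a leading one; prefer `${TAG#v}` so a tag with a `v` in a suffix is not mangled, and fix "doens't" to "doesn't" in the added comment.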
@@ -17,10 +25,12 @@ RUN set -eux; \
 	go get github.com/dvsekhvalnov/jose2go@v0.0.0-20200901110807-248326c1351b; \
 	go mod vendor; \
 # TODO remove for the next release of Notary (which should include efc35b02698644af16f6049c7b585697352451b8 & ca095023296d2d710ad9c6dec019397d46bf8576)
+# Make the version detectable by scanners
+	sed -i -r -E 's|(version.NotaryVersion=\$\(NOTARY_VERSION\))|\1 -X $(NOTARY_PKG)/version.Version=$(NOTARY_VERSION)|' Makefile; \
 	make SKIPENVCHECK=1 PREFIX=. ./bin/static/notary-server ./bin/static/notary-signer; \
 	cp -vL ./bin/static/notary-server ./bin/static/notary-signer /; \
 	/notary-server --version; \
-	/notary-signer --version
+	/notary-signer --version;
 
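Review bot: the `sed -i -r -E` Makefile rewrite here has no check that the `version.NotaryVersion=$(NOTARY_VERSION)` pattern matched, so if upstream changes that line the `-X ... version.Version` injection silently disappears and the signer binary goes back to being undetectable by scanners; follow the `sed` with `grep -q 'version.Version=' Makefile` so the `set -eux` `RUN` fails loudly, and drop one of the redundant `-r`/`-E` flags.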
 FROM alpine:3.16

Relevant Maintainers:

@LaurentGoderre LaurentGoderre changed the title Update notary with builder image and attestation Update notary with attestation Aug 26, 2024
Contributor

@whalelines whalelines left a comment


LGTM

Should we wait to merge this until the signing code has been updated?

@yosifkit
Member

yosifkit commented Sep 6, 2024

How can we get the notary images to use more up to date base images than golang:1.19-alpine3.16 and alpine:3.16? (the cause of the failing "naughty" test)

Both of them are past end of life in their respective upstream releases: Go 1.19 on 06 Sep 2023 and Alpine 3.16 on 23 May 2024. The golang:1.19-alpine3.16 image was dropped from official images on May 11, 2023 (#14638 / docker-library/golang#460)

@tianon
Member

tianon commented Sep 6, 2024

I've opened docker/notary-official-images#38, but it might be worth considering how we can stay on top of it better (perhaps we need to get more folks with merge access/maintainership on that packaging repository so it doesn't always end up on Jonny's plate?)

@tianon
Member

tianon commented Sep 6, 2024

(we should also update Maintainers: here, because that's surely not accurate)

4 participants