implement docker trust as plugin
#6121
Draft
+164
−2
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Just a quick experiment to see if we can move the `trust` subcommands
to a plugin, so that the subcommands can be installed separate from
the `docker trust` integration in push/pull (for situations where
trust verification happens on the daemon side).
make binary
go build -o /usr/libexec/docker/cli-plugins/docker-trust ./cmd/docker-trust
docker info
Client:
Version: 28.2.0-dev
Context: default
Debug Mode: false
Plugins:
buildx: Docker Buildx (Docker Inc.)
Version: v0.24.0
Path: /usr/libexec/docker/cli-plugins/docker-buildx
trust: Manage trust on Docker images (Docker Inc.)
Version: unknown-version
Path: /usr/libexec/docker/cli-plugins/docker-trust
docker trust --help
Usage: docker trust [OPTIONS] COMMAND
Extended build capabilities with BuildKit
Options:
-D, --debug Enable debug logging
Management Commands:
key Manage keys for signing Docker images
signer Manage entities who can sign Docker images
Commands:
inspect Return low-level information about keys and signatures
revoke Remove trust for an image
sign Sign an image
Run 'docker trust COMMAND --help' for more information on a command.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## master #6121 +/- ##
==========================================
+ Coverage 55.03% 55.34% +0.30%
==========================================
Files 361 357 -4
Lines 30153 29988 -165
==========================================
Hits 16596 16596
+ Misses 12599 12434 -165
Partials 958 958 🚀 New features to boost your workflow:
|
|
It's currently expected that this fails, because the e2e test require the plugin to be installed (what we currently don't do). This error is interesting though; for some reason it shows an error about API version mismatch, but after that it shows Waiting for docker daemon to become available at ssh://penguin@172.18.0.3
Cannot connect to the Docker daemon at http://docker.example.com./ Is the docker daemon running?
Cannot connect to the Docker daemon at http://docker.example.com./ Is the docker daemon running?
Cannot connect to the Docker daemon at http://docker.example.com./ Is the docker daemon running?
Cannot connect to the Docker daemon at http://docker.example.com./ Is the docker daemon running?
Cannot connect to the Docker daemon at http://docker.example.com./ Is the docker daemon running?
Cannot connect to the Docker daemon at http://docker.example.com./ Is the docker daemon running?
Cannot connect to the Docker daemon at http://docker.example.com./ Is the docker daemon running?
Cannot connect to the Docker daemon at http://docker.example.com./ Is the docker daemon running?
Cannot connect to the Docker daemon at http://docker.example.com./ Is the docker daemon running?
Cannot connect to the Docker daemon at http://docker.example.com./ Is the docker daemon running?
Cannot connect to the Docker daemon at http://docker.example.com./ Is the docker daemon running?
Cannot connect to the Docker daemon at http://docker.example.com./ Is the docker daemon running?
Cannot connect to the Docker daemon at http://docker.example.com./ Is the docker daemon running?
Cannot connect to the Docker daemon at http://docker.example.com./ Is the docker daemon running?
Cannot connect to the Docker daemon at http://docker.example.com./ Is the docker daemon running?
Cannot connect to the Docker daemon at http://docker.example.com./ Is the docker daemon running?
Error response from daemon: client version 1.50 is too new. Maximum supported API version is 1.42
Client:
Version: 28.2.0-dev
API version: 1.42 (downgraded from 1.50)
Go version: go1.24.3
Git commit: d271c02
Built: Mon Jun 2 15:32:03 2025
OS/Arch: linux/amd64
Context: default
Server: Docker Engine - Community
Engine:
Version: 23.0.6
API version: 1.42 (minimum version 1.12) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Just a quick experiment to see if we can move the
trustsubcommands to a plugin, so that the subcommands can be installed separate from thedocker trustintegration in push/pull (for situations where trust verification happens on the daemon side).- What I did
- How I did it
- How to verify it
- Human readable description for the release notes
- A picture of a cute animal (not mandatory but encouraged)