Skip to content
/ oima Public

oima (OCI/ Docker Image Signature Managemet Tool/ CLI) is a CLI that helps to manage OCI/ Docker signatures.

License

Apache-2.0 license
1 star 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

fabmation-gmbh/oima

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

168 Commits
.dev
.dev
 
 
.idea
.idea
 
 
cmd
cmd
 
 
examples
examples
 
 
internal
internal
 
 
pkg
pkg
 
 
.gitignore
.gitignore
 
 
CHANGELOG.md
CHANGELOG.md
 
 
LICENSE
LICENSE
 
 
Makefile
Makefile
 
 
README.md
README.md
 
 
RESULTS
RESULTS
 
 
glide.lock
glide.lock
 
 
glide.yaml
glide.yaml
 
 
main.go
main.go
 
 

Repository files navigation

oima

oima (OCI/ Docker Image Signature Managemet Tool/ CLI) is a CLI that helps to manage OCI/ Docker signatures.

Motivation

We have our signatures in two places: on a Notary-Server and an S3 Bucket.

We use the S3 Bucket because of the Pull Signature Check functionality of CRI-O.

So it's a huge effort to manage all signatures distributed to two places. For example, if we update one of our images, then the old image shouldn't be executed anymore in our K8s-Cluster. So then we have to delete the signatures of the old image from the S3 Bucket and from the Notary-Server. Also, the signatures of the images are saved with the content digest from Docker in this Format: [IMAGE_NAME]@[HASH_ALGO]=[CONTENT_DIGEST] for example: hello-world@sha256=92c7f9c92844bbbb5d0a101b22f7c2a7949e40f8ea90c8b3bc396879d95e899a.

Usage

This CLI does not have any sub-commands (coming soon), but it has a working terminal UI.

oima Manages OCI/ Docker Image Signatures in your 'sigstore'.

It is very difficult to manually keep track of all signatures.

Example: Say you have to remove the signature for the
Docker image 'docker.io/library/hello_world:vulnerable':
then you have to determine the digest of the image and
manually delete the directory / signature.

This tool automates this process and helps to keep
track of all signed images.

Usage:
  oima <command> [flags]
  oima [command]

Available Commands:
  conf        Get configuration variables.
  help        Help for any command.
  image       Interact with images of the remote registry.

Flags:
      --config string   Which config file to use (default is $HOME/.oima.yaml).
      --debug           Print debug messages (defaults to false).
  -h, --help            Display help for oima.
      --version         Display version of oima.

Use "oima [command] --help" for more information about a command.

To get started, download a release and create a configuration file in $HOME/.oima.yaml. A sample configuration is located in examples/. The configuration file is self-explanatory.

Now run the application without any arguments (oima), you should now see a "UI".

Keyboard Strokes:

q, Ctrl+C               Quit. Exit the application.
e, E                    Exit the image info UI (only works in the image info UI).
d, D                    Delete the signature of a tag (only works in the image info UI).
i, I                    Open the image info UI.
Enter, Space            Expand/ collapse a tree node.
<Arrow Keys>            Move up/ down in the tree or the image info UI.

Image Info UI

All tags of an image are listed in the Image Info UI. Here you can check if a tag is signed (or has a signature) and delete signatures.

About

oima (OCI/ Docker Image Signature Managemet Tool/ CLI) is a CLI that helps to manage OCI/ Docker signatures.

Topics

docker kubernetes cli containers s3-bucket kubernetes-cluster oci k8s signatures k8s-cluster containerd notary cri-o notary-server docker-signatures

Resources

Readme

License

Apache-2.0 license
Activity
Custom properties

Stars

1 star

Watchers

2 watching

Forks

0 forks
Report repository

Releases 1

v1.0.0 Latest
Aug 13, 2019

Packages

No packages published

Contributors 2

  •  
  •  

Languages