New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
New version of notary with pkcs11 client integration #17937
New version of notary with pkcs11 client integration #17937
Conversation
ouch -- 7,239 additions and 1,854 deletions. |
the commits are separated to make it easier |
Ping @tianon there are various parts about this that I hate that I hope you have a better solution for but the 2 biggest ones:
Such struggles w this one I hate it all a bit myself |
|
yes i know I have informed them |
@jfrazelle does the software actually shell out to Until it moves out of experimental, we could do something like we do with putting echo 'yubico:Suggests=$(shell [ "$DOCKER_EXPERIMENTAL" ] && echo yubico-piv-tool)' >> debian/docker-engine.substvars there in Is this a tool users of a Yubi are likely to have installed for other Yubi things, or is it something more specific to the way we use the Yubi inside Notary? |
Also, if the tool isn't installed and a user attempts to use it for something within Docker, does a nice error message bubble up to the level of the client? |
It dlopens an so file or dylib depending on architecture so I think recommends? Or whatever you think is best |
Ok that makes sense, but the tool we're installing isn't the .so, so where
does it fit in?
|
It includes the so |
It does? https://packages.debian.org/sid/amd64/yubico-piv-tool/filelist
😄
We probably want that lib package it depends on instead (and in that case
it's just a .so so totally agree that recommends makes more sense).
|
Shit I think it's their deb package that it's in... :( this could be a problem because we were going to have to build these and I wasn't planning on building that one |
Because we have to have version 1.1.0 |
Let me look into the lib one making a patch for it so we can get 1.1.0 on like wheezy and jessie etc |
So close to flipping a table this entire PR is a gigantic nightmare |
FWIW the rpm installs the so :( so that ones correct |
This one is what I was going to package for our repo https://github.com/Yubico/yubico-piv-tool-dpkg |
@tianon @jfrazelle the yubico-piv-tool is actually necessary for anyone that wishes to check the mode on their yubikey/operate on keys (list, delete, etc)/advanced use cases not covered by docker. I would say that Recommend seems appropriate in this case. This is something that we can change in the future, as more functionality to manage yubikeys is added onto docker and notary, but for now this seems like the only way to have a decent experience with the yubikeys. Also, the use of pkcs11 is best-effort, if no .so's are found, notary silently ignores it. |
Thanks for confirming, Diogo! ❤️
Sounds good enough for me, assuming @jfrazelle can get happy about version
numbers. Do you want to add a note about version requirements of this to
PACKAGERS.md with this PR? Our "Recommends" entry should probably encode
the required version too (ie something like "yubico-piv-tool (>= 1.1.0~)").
|
9dc4c04
to
6edd5af
Compare
ok updated w windows fix and also tianons suggestions :) way better than the gross thing i did w install.sh |
dced1d2
to
a68f398
Compare
also updated packagers.md |
a68f398
to
61c1a92
Compare
Very minimal changes to engine side +1 Soft LGTM |
@cpuguy83 I have one for you. You can test it in Barcelona :) |
I've tested the following cases, both with a mac binary that I built on a mac using the same method as homebrew, and with a mac binary that @diogomonica built on linux using
Have not tested on Linux. LGTM as far as macs are concerned :) |
Tested pushing and key rotation with yubikey and all seemed to work. LGTM (no review of the packaging). |
@tianon would love your explicit LGTM, since this involves building magic. |
You need mine too ;) |
@jfrazelle would love your explicit LGTM, since this involves building magic. |
I won't say how long it took me to find that emoji keyword. |
LGTM |
I really wish this PR could've been in smaller chunks -- it's very hard to review being so massive. 😢 (I almost didn't even look at c86517e557c93c8cbb26305704d91409dd207e39 because it didn't sound related to building, but glad I did.) |
yeah sorry I specifically hated the sym,ink of clang in that one :( |
there are def aspects of this PR I hate, it blows |
Signed-off-by: Jessica Frazelle <acidburn@docker.com>
Signed-off-by: Jessica Frazelle <acidburn@docker.com>
Signed-off-by: Jessica Frazelle <acidburn@docker.com>
Signed-off-by: Jessica Frazelle <acidburn@docker.com>
Signed-off-by: Jessica Frazelle <acidburn@docker.com>
Signed-off-by: David Lawrence <david.lawrence@docker.com> (github: endophage)
61c1a92
to
52021ac
Compare
Ok, latest iteration LGTM |
No docs required as far as I can tell. |
…ration New version of notary with pkcs11 client integration
Vendoring in new notary version with client-side pkcs11 support.
@jfrazelle took care of all of the building bits that were necessary to have this successfully cross-compile. Thank you Jess!