cosign: fix docs and shell completions

Signed-off-by: Akihiro Suda <[email protected]>
containerd · Dec 10, 2021 · 3dda9f8 · 3dda9f8
1 parent 7df17e4
commit 3dda9f8
Show file tree

Hide file tree

Showing 3 changed files with 22 additions and 9 deletions.
diff --git a/README.md b/README.md
@@ -128,6 +128,7 @@ Major:
 - [P2P image distribution using IPFS](./docs/ipfs.md): `nerdctl run ipfs://CID`
 - Recursive read-only (RRO) bind-mount: `nerdctl run -v /mnt:/mnt:rro` (make children such as `/mnt/usb` to be read-only, too).
   Requires kernel >= 5.12, and crun >= 1.4 or runc >= 1.1 (PR [#3272](https://github.com/opencontainers/runc/pull/3272)).
+- [Cosign integration](./docs/cosign.md): `nerdctl pull --verify=cosign` and `nerdctl push --sign=cosign`
 
 Minor:
 - Namespacing: `nerdctl --namespace=<NS> ps` .
@@ -718,6 +719,8 @@ Flags:
 - :nerd_face: `--all-platforms`: Pull content for all platforms
 - :nerd_face: `--unpack`: Unpack the image for the current single platform (auto/true/false)
 - :whale: `-q, --quiet`: Suppress verbose output
+- :nerd_face: `--verify`: Verify the image (none|cosign). See [`docs/cosign.md`](./docs/cosign.md) for details.
+- :nerd_face: `--cosign-key`: Path to the public key file, KMS, URI or Kubernetes Secret for `--verify=cosign`
 
 Unimplemented `docker pull` flags: `--all-tags`, `--disable-content-trust` (default true)
 
@@ -731,6 +734,8 @@ Usage: `nerdctl push [OPTIONS] NAME[:TAG]`
 Flags:
 - :nerd_face: `--platform=(amd64|arm64|...)`: Push content for a specific platform
 - :nerd_face: `--all-platforms`: Push content for all platforms
+- :nerd_face: `--sign`: Sign the image (none|cosign). See [`docs/cosign.md`](./docs/cosign.md) for details.
+- :nerd_face: `--cosign-key`: Path to the private key file, KMS, URI or Kubernetes Secret for `--sign=cosign`
 
 Unimplemented `docker push` flags: `--all-tags`, `--disable-content-trust` (default true), `--quiet`
 
@@ -1222,7 +1227,7 @@ Image:
 
 - `docker image prune`
 
-- `docker trust *`
+- `docker trust *` (Instead, nerdctl supports `nerdctl pull --verify=cosign` and `nerdctl push --sign=cosign`. See [`./docs/cosign.md`](docs/cosign.md).)
 - `docker manifest *`
 
 Network management:

diff --git a/cmd/nerdctl/pull.go b/cmd/nerdctl/pull.go
@@ -45,9 +45,6 @@ func newPullCommand() *cobra.Command {
 		SilenceErrors: true,
 	}
 	pullCommand.Flags().String("unpack", "auto", "Unpack the image for the current single platform (auto/true/false)")
-	pullCommand.Flags().String("cosign-key", "",
-		"path to the public key file, KMS, URI or Kubernetes Secret")
-
 	pullCommand.RegisterFlagCompletionFunc("unpack", func(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {
 		return []string{"auto", "true", "false"}, cobra.ShellCompDirectiveNoFileComp
 	})
@@ -57,8 +54,16 @@ func newPullCommand() *cobra.Command {
 	pullCommand.Flags().StringSlice("platform", nil, "Pull content for a specific platform")
 	pullCommand.RegisterFlagCompletionFunc("platform", shellCompletePlatforms)
 	pullCommand.Flags().Bool("all-platforms", false, "Pull content for all platforms")
-	pullCommand.Flags().String("verify", "none", "Verify the image with none|cosign. Default none")
 	// #endregion
+
+	// #region verify flags
+	pullCommand.Flags().String("verify", "none", "Verify the image (none|cosign)")
+	pullCommand.RegisterFlagCompletionFunc("verify", func(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {
+		return []string{"none", "cosign"}, cobra.ShellCompDirectiveNoFileComp
+	})
+	pullCommand.Flags().String("cosign-key", "", "Path to the public key file, KMS, URI or Kubernetes Secret for --verify=cosign")
+	// #endregion
+
 	pullCommand.Flags().BoolP("quiet", "q", false, "Suppress verbose output")
 
 	return pullCommand

diff --git a/cmd/nerdctl/push.go b/cmd/nerdctl/push.go
@@ -64,10 +64,13 @@ func newPushCommand() *cobra.Command {
 	pushCommand.Flags().Bool("estargz", false, "Convert the image into eStargz")
 	pushCommand.Flags().Bool("ipfs-ensure-image", true, "Ensure the entire contents of the image is locally available before push")
 
-	pushCommand.Flags().String("sign", "none", "Sign the image with none|cosign. Default none")
-
-	pushCommand.Flags().String("cosign-key", "",
-		"path to the private key file, KMS URI or Kubernetes Secret")
+	// #region sign flags
+	pushCommand.Flags().String("sign", "none", "Sign the image (none|cosign")
+	pushCommand.RegisterFlagCompletionFunc("sign", func(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {
+		return []string{"none", "cosign"}, cobra.ShellCompDirectiveNoFileComp
+	})
+	pushCommand.Flags().String("cosign-key", "", "Path to the private key file, KMS URI or Kubernetes Secret for --sign=cosign")
+	// #endregion
 
 	return pushCommand
 }