implement `docker trust` as plugin by thaJeztah · Pull Request #6121 · docker/cli

thaJeztah · 2025-06-02T15:31:12Z

supersedes, closes Remove "Docker Content Trust" #5896

Just a quick experiment to see if we can move the trust subcommands to a plugin, so that the subcommands can be installed separate from the docker trust integration in push/pull (for situations where trust verification happens on the daemon side).

make binary
go build -o /usr/libexec/docker/cli-plugins/docker-trust ./cmd/docker-trust

docker info
Client:
 Version:    28.2.0-dev
 Context:    default
 Debug Mode: false
 Plugins:
  buildx: Docker Buildx (Docker Inc.)
    Version:  v0.24.0
    Path:     /usr/libexec/docker/cli-plugins/docker-buildx
  trust: Manage trust on Docker images (Docker Inc.)
    Version:  unknown-version
    Path:     /usr/libexec/docker/cli-plugins/docker-trust

docker trust --help
Usage:  docker trust [OPTIONS] COMMAND

Extended build capabilities with BuildKit

Options:
  -D, --debug   Enable debug logging

Management Commands:
  key         Manage keys for signing Docker images
  signer      Manage entities who can sign Docker images

Commands:
  inspect     Return low-level information about keys and signatures
  revoke      Remove trust for an image
  sign        Sign an image

Run 'docker trust COMMAND --help' for more information on a command.

makes the CLI binaries somewhat smaller as well:

Before:

ls -l docker-*-arm64
-rwxr-xr-x 1 root root 40428066 Nov  5 08:42 docker-darwin-arm64
-rwxr-xr-x 1 root root 38465413 Nov  5 08:43 docker-linux-arm64

ls -lh docker-*-arm64
-rwxr-xr-x 1 root root 39M Nov  5 08:42 docker-darwin-arm64
-rwxr-xr-x 1 root root 37M Nov  5 08:43 docker-linux-arm64

After:

ls -l docker-*-arm64
-rwxr-xr-x 1 root root 38669586 Nov  5 08:45 docker-darwin-arm64
-rwxr-xr-x 1 root root 37130029 Nov  5 08:45 docker-linux-arm64
ls -lh docker-*-arm64
-rwxr-xr-x 1 root root 37M Nov  5 08:45 docker-darwin-arm64
-rwxr-xr-x 1 root root 36M Nov  5 08:45 docker-linux-arm64

- What I did

- How I did it

- How to verify it

- Human readable description for the release notes

- A picture of a cute animal (not mandatory but encouraged)

codecov-commenter · 2025-06-02T15:32:49Z

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

thaJeztah · 2025-06-05T13:29:34Z

It's currently expected that this fails, because the e2e test require the plugin to be installed (what we currently don't do).

This error is interesting though; for some reason it shows an error about API version mismatch, but after that it shows docker version output where it correctly downgraded the version, and was successfully able to connect 🤔

Waiting for docker daemon to become available at ssh://penguin@172.18.0.3
Cannot connect to the Docker daemon at http://docker.example.com./ Is the docker daemon running?
Cannot connect to the Docker daemon at http://docker.example.com./ Is the docker daemon running?
Cannot connect to the Docker daemon at http://docker.example.com./ Is the docker daemon running?
Cannot connect to the Docker daemon at http://docker.example.com./ Is the docker daemon running?
Cannot connect to the Docker daemon at http://docker.example.com./ Is the docker daemon running?
Cannot connect to the Docker daemon at http://docker.example.com./ Is the docker daemon running?
Cannot connect to the Docker daemon at http://docker.example.com./ Is the docker daemon running?
Cannot connect to the Docker daemon at http://docker.example.com./ Is the docker daemon running?
Cannot connect to the Docker daemon at http://docker.example.com./ Is the docker daemon running?
Cannot connect to the Docker daemon at http://docker.example.com./ Is the docker daemon running?
Cannot connect to the Docker daemon at http://docker.example.com./ Is the docker daemon running?
Cannot connect to the Docker daemon at http://docker.example.com./ Is the docker daemon running?
Cannot connect to the Docker daemon at http://docker.example.com./ Is the docker daemon running?
Cannot connect to the Docker daemon at http://docker.example.com./ Is the docker daemon running?
Cannot connect to the Docker daemon at http://docker.example.com./ Is the docker daemon running?
Cannot connect to the Docker daemon at http://docker.example.com./ Is the docker daemon running?
Error response from daemon: client version 1.50 is too new. Maximum supported API version is 1.42
Client:
 Version:           28.2.0-dev
 API version:       1.42 (downgraded from 1.50)
 Go version:        go1.24.3
 Git commit:        d271c02
 Built:             Mon Jun  2 15:32:03 2025
 OS/Arch:           linux/amd64
 Context:           default

Server: Docker Engine - Community
 Engine:
  Version:          23.0.6
  API version:      1.42 (minimum version 1.12)

thaJeztah · 2025-11-04T13:16:38Z

vendor.mod

-	github.com/docker/go v1.5.1-1.0.20160303222718-d30aec9fd63c // indirect
 	github.com/docker/go-events v0.0.0-20250808211157-605354379745 // indirect
 	github.com/docker/go-metrics v0.0.1 // indirect
+	github.com/docker/libtrust v0.0.0-20160708172513-aabc10ec26b7 // indirect


Unfortunately, this brings back libtrust as an indirect dependency; still looking what pulls it in (but probably docker/distribution)

thaJeztah · 2025-11-04T13:38:39Z

OK, so when removing the trust code, we land up with validation failing on the CLI not being statically linked 🤔

0.126 + go build -o /out/docker-linux-amd64 -tags ' osusergo' -ldflags ' -X "github.com/docker/cli/cli/version.GitCommit=85196f6" -X "github.com/docker/cli/cli/version.BuildTime=2025-11-04T13:14:44Z" -X "github.com/docker/cli/cli/version.Version=pr-6121" -extldflags -static' '-buildmode=pie' github.com/docker/cli/cmd/docker
33.79 file /out/docker is not statically linked: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib/ld-musl-x86_64.so.1, BuildID[sha1]=91eec6b2219ceadc50d015fd512b11142b2e438c, with debug_info, not stripped

move the `trust` subcommands to a plugin, so that the subcommands can be installed separate from the `docker trust` integration in push/pull (for situations where trust verification happens on the daemon side). make binary go build -o /usr/libexec/docker/cli-plugins/docker-trust ./cmd/docker-trust docker info Client: Version: 28.2.0-dev Context: default Debug Mode: false Plugins: buildx: Docker Buildx (Docker Inc.) Version: v0.24.0 Path: /usr/libexec/docker/cli-plugins/docker-buildx trust: Manage trust on Docker images (Docker Inc.) Version: unknown-version Path: /usr/libexec/docker/cli-plugins/docker-trust docker trust --help Usage: docker trust [OPTIONS] COMMAND Extended build capabilities with BuildKit Options: -D, --debug Enable debug logging Management Commands: key Manage keys for signing Docker images signer Manage entities who can sign Docker images Commands: inspect Return low-level information about keys and signatures revoke Remove trust for an image sign Sign an image Run 'docker trust COMMAND --help' for more information on a command. Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

skip cmd/docker-trust in tests, as it's a separate module. Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

Create a copy of the registry package to use, so that code used only for trust can be removed from the cli/internal package. Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

Prevent the linter from recursing to other modules (cmd/docker-trust), which don't have their dependencies vendored. Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

thaJeztah mentioned this pull request Jun 10, 2025

api-version negotiation sometimes fails over SSH connection #6125

Open

thaJeztah force-pushed the trust_plugin branch 2 times, most recently from 3fea064 to e612749 Compare July 8, 2025 14:33

This comment was marked as resolved.

Sign in to view

thaJeztah force-pushed the trust_plugin branch 6 times, most recently from bc004be to 6c5320c Compare July 9, 2025 11:32

thaJeztah mentioned this pull request Jul 9, 2025

e2e/global: TestPromptExitCode: check for trailing newline #6170

Merged

thaJeztah force-pushed the trust_plugin branch 4 times, most recently from b50e878 to 51a9993 Compare November 4, 2025 13:13

thaJeztah added status/2-code-review area/trust area/packaging labels Nov 4, 2025

thaJeztah added this to the 29.0.0 milestone Nov 4, 2025

thaJeztah commented Nov 4, 2025

View reviewed changes

thaJeztah force-pushed the trust_plugin branch from 51a9993 to 3508f0a Compare November 4, 2025 13:37

thaJeztah force-pushed the trust_plugin branch 2 times, most recently from fd1c1a2 to 615e313 Compare November 4, 2025 13:43

thaJeztah mentioned this pull request Nov 5, 2025

lint: don't disable modules #6618

Merged

thaJeztah force-pushed the trust_plugin branch 3 times, most recently from 98b079f to f0c94bf Compare November 5, 2025 12:19

thaJeztah force-pushed the trust_plugin branch 2 times, most recently from 449ea26 to 6730f40 Compare November 5, 2025 16:11

thaJeztah mentioned this pull request Nov 6, 2025

Fix static build + CGO #6631

Merged

thaJeztah force-pushed the trust_plugin branch 4 times, most recently from 54b98ec to 824028f Compare November 6, 2025 12:19

thaJeztah added 5 commits November 6, 2025 15:24

make trust-plugin a separate module

06914dd

skip cmd/docker-trust in tests, as it's a separate module. Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

cmd/docker-trust: remove dependency on cli/internal

c1a53ae

Create a copy of the registry package to use, so that code used only for trust can be removed from the cli/internal package. Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

scripts/build/binary: remove pkcs11 build tag

b2aa690

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

lint: run in go-modules mode

cee9ea6

Prevent the linter from recursing to other modules (cmd/docker-trust), which don't have their dependencies vendored. Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

thaJeztah force-pushed the trust_plugin branch from 824028f to cee9ea6 Compare November 6, 2025 14:24

thaJeztah marked this pull request as ready for review November 6, 2025 16:13

thaJeztah requested a review from a team as a code owner November 6, 2025 16:13

vvoland approved these changes Nov 6, 2025

View reviewed changes

thaJeztah merged commit cc7275c into docker:master Nov 6, 2025
109 of 111 checks passed

thaJeztah deleted the trust_plugin branch November 6, 2025 19:30

thaJeztah mentioned this pull request Dec 24, 2025

gha: run unit-tests in go modules mode, to prevent traversing nested modules #6725

Merged

vvoland mentioned this pull request Jan 9, 2026

unknown flag: --pretty and unknown command - trust as per the new docker version 29.1.3 #6733

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

implement `docker trust` as plugin#6121

implement `docker trust` as plugin#6121
thaJeztah merged 5 commits intodocker:masterfrom
thaJeztah:trust_plugin

thaJeztah commented Jun 2, 2025 •

edited

Loading

Uh oh!

codecov-commenter commented Jun 2, 2025 •

edited

Loading

Uh oh!

thaJeztah commented Jun 5, 2025

Uh oh!

This comment was marked as resolved.

thaJeztah Nov 4, 2025

Uh oh!

thaJeztah commented Nov 4, 2025

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

Conversation

thaJeztah commented Jun 2, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

codecov-commenter commented Jun 2, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Codecov Report

Uh oh!

thaJeztah commented Jun 5, 2025

Uh oh!

This comment was marked as resolved.

thaJeztah Nov 4, 2025

Choose a reason for hiding this comment

Uh oh!

thaJeztah commented Nov 4, 2025

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

thaJeztah commented Jun 2, 2025 •

edited

Loading

codecov-commenter commented Jun 2, 2025 •

edited

Loading