Fixup: update docs

Alexis Métaireau 2025-02-05 15:40:36 +01:00
parent 02e62c93f6
commit dca0bd4bf2
No known key found for this signature in database
GPG key ID: C65C7A89A8FFC56E


@ -1,9 +1,11 @@
# Independent Container Updates # Independent Container Updates
Since version 0.9.0, Dangerzone is able to ship container images independently Since version 0.9.0, Dangerzone is able to ship container images independently
from releases. from releases of the software.
One of the main benefits of doing so is to lower the time needed to patch security issues inside the containers. One of the main benefits of doing so is to shorten the time neede to distribute the security fixes for the containers. Being the place where the actual conversion of documents happen, it's a way to keep dangerzone users secure.
If you are a dangerzone user, this all happens behind the curtain, and you should not have to know anything about that to enjoy these "in-app" updates. If you are using dangerzone in an air-gapped environment, check the sections below.
## Checking attestations ## Checking attestations
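Review bot: typo in the new paragraph on the benefits line: "shorten the time neede to distribute" should read "needed", and "the actual conversion of documents happen" should be "happens". The same hunk also mixes "Dangerzone" and "dangerzone" for the product name (the new sentences use the lowercase form three times while the line above uses "Dangerzone"); pick one spelling for prose, keeping the lowercase form only for the command name. Suggested wording for the new sentence: "One of the main benefits of doing so is to shorten the time needed to distribute security fixes for the containers. Since the container is where the actual conversion of documents happens, this is a way to keep Dangerzone users secure."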
@ -20,7 +22,7 @@ In case of sucess, it will report back:
``` ```
🎉 Successfully verified image 🎉 Successfully verified image
'ghcr.io/apyrgio/dangerzone/dangerzone:20250129-0.8.0-149-gbf2f5ac@sha256:4da441235e84e93518778827a5c5745d532d7a4079886e1647924bee7ef1c14d' 'ghcr.io/freedomofpress/dangerzone/dangerzone:20250129-0.8.0-149-gbf2f5ac@sha256:4da441235e84e93518778827a5c5745d532d7a4079886e1647924bee7ef1c14d'
and its associated claims: and its associated claims:
- ✅ SLSA Level 3 provenance - ✅ SLSA Level 3 provenance
- ✅ GitHub repo: apyrgio/dangerzone - ✅ GitHub repo: apyrgio/dangerzone
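Review bot: the sample output is now inconsistent with itself: the image reference was changed to `ghcr.io/freedomofpress/dangerzone/dangerzone:...`, but the unchanged claims directly below still report `GitHub repo: apyrgio/dangerzone`. A single verification run cannot produce an image from one registry namespace with provenance claiming another repository, so either update the claim lines to match the new reference or leave the whole block as captured from one real run. The digest `sha256:4da4...` was kept as-is, which is fine only if that image really was published under the new path.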
@ -29,6 +31,19 @@ and its associated claims:
- ✅ Git commit: bf2f5accc24bd15a4f5c869a7f0b03b8fe48dfb6 - ✅ Git commit: bf2f5accc24bd15a4f5c869a7f0b03b8fe48dfb6
``` ```
## Sign and publish the remote image
Once the image has been reproduced locally, we can add a signature to the container registry,
and update the `latest` tag to point to the proper hash.
```bash
cosign sign --sk ghcr.io/freedomofpress/dangerzone/dangerzone:20250129-0.8.0-149-gbf2f5ac@sha256:4da441235e84e93518778827a5c5745d532d7a4079886e1647924bee7ef1c14d
# And mark bump latest
crane auth login ghcr.io -u USERNAME --password $(cat pat_token)
crane tag ghcr.io/freedomofpress/dangerzone/dangerzone@sha256:4da441235e84e93518778827a5c5745d532d7a4079886e1647924bee7ef1c14d latest
```
## Install updates ## Install updates
To check if a new container image has been released, and update your local installation with it, you can use the following commands: To check if a new container image has been released, and update your local installation with it, you can use the following commands:
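Review bot: the new "Sign and publish the remote image" section passes the registry token on the command line via `--password $(cat pat_token)`, which exposes it in the shell history and in the process argument list for the duration of the call; feed the token over stdin instead (crane's login command accepts it that way in the versions I have used, but confirm for the pinned version). The comment `# And mark bump latest` is unclear; suggest `# Then move the latest tag to the verified digest`. Two smaller points: the section reads as a maintainer-only step (it needs the signing hardware key, `--sk`, and registry write access) but sits between two user-facing sections, so a one-line note saying it is for release maintainers would help readers skip it; and the `cosign sign` line should state which key is expected, since the verification section above checks against a specific identity.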
@ -45,9 +60,15 @@ You can verify that the image you have locally matches the stored signatures, an
dangerzone-image verify-local ghcr.io/almet/dangerzone/dangerzone dangerzone-image verify-local ghcr.io/almet/dangerzone/dangerzone
``` ```
## Air-gapped environments ## Installing image updates to air-gapped environments
In order to make updates on an air-gapped environment, you will need to prepare an archive for the air-gapped environment. This archive will contain all the needed material to validate that the new container image has been signed and is valid. Three steps are required:
1. Prepare the archive
2. Transfer the archive to the air-gapped system
3. Install the archive on the air-gapped system
This archive will contain all the needed material to validate that the new container image has been signed and is valid.
On the machine on which you prepare the packages: On the machine on which you prepare the packages:
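Review bot: the intro sentence of the air-gapped section repeats itself ("make updates on an air-gapped environment, you will need to prepare an archive for the air-gapped environment"); suggest "To update an air-gapped installation, you first prepare an archive on a connected machine. Three steps are required:". The sentence moved below the list ("This archive will contain all the needed material to validate that the new container image has been signed and is valid.") now hangs between the numbered steps and "On the machine on which you prepare the packages:", so it is not clear which step it belongs to; fold it into step 1 (for example "1. Prepare the archive, which contains everything needed to verify the new image's signature") or place it before the list. Also check for a blank line after the list so the following paragraph does not render as part of item 3.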