
imgcrypt's Introduction

imgcrypt image encryption library and command line tool

Project imgcrypt is a non-core subproject of containerd.

The imgcrypt library provides API extensions for containerd to support encrypted container images and implements the ctd-decoder command line tool for use by containerd to decrypt encrypted container images. An extended version of containerd's ctr tool (ctr-enc) with support for encrypting and decrypting container images is also provided.

imgcrypt relies on the ocicrypt library for crypto functions on image layers.

Usage

imgcrypt requires containerd 1.3 or later. Containerd 1.4 or later is required when used with Kubernetes. For configuration instructions for Kubernetes, please consult the CRI decryption document.

Build and install imgcrypt:

# make
# sudo make install

Start containerd with a configuration file that looks as follows. To avoid interference with a containerd from a Docker installation we use /tmp for directories. Also, we build containerd 1.3 from the source but do not install it.

# cat config.toml
version = 2
disabled_plugins = ["io.containerd.grpc.v1.cri"]
root = "/tmp/var/lib/containerd"
state = "/tmp/run/containerd"
[grpc]
  address = "/tmp/run/containerd/containerd.sock"
  uid = 0
  gid = 0
[stream_processors]
    [stream_processors."io.containerd.ocicrypt.decoder.v1.tar.gzip"]
        accepts = ["application/vnd.oci.image.layer.v1.tar+gzip+encrypted"]
        returns = "application/vnd.oci.image.layer.v1.tar+gzip"
        path = "/usr/local/bin/ctd-decoder"
    [stream_processors."io.containerd.ocicrypt.decoder.v1.tar.zstd"]
        accepts = ["application/vnd.oci.image.layer.v1.tar+zstd+encrypted"]
        returns = "application/vnd.oci.image.layer.v1.tar+zstd"
        path = "/usr/local/bin/ctd-decoder"
    [stream_processors."io.containerd.ocicrypt.decoder.v1.tar"]
        accepts = ["application/vnd.oci.image.layer.v1.tar+encrypted"]
        returns = "application/vnd.oci.image.layer.v1.tar"
        path = "/usr/local/bin/ctd-decoder"

# sudo ~/src/github.com/containerd/containerd/bin/containerd -c config.toml

Create an RSA key pair using the openssl command line tool and encrypt an image:

# openssl genrsa -out mykey.pem
Generating RSA private key, 2048 bit long modulus (2 primes)
...............................................+++++
............................+++++
e is 65537 (0x010001)
# openssl rsa -in mykey.pem -pubout -out mypubkey.pem
writing RSA key
# sudo chmod 0666 /tmp/run/containerd/containerd.sock
# CTR="/usr/local/bin/ctr-enc -a /tmp/run/containerd/containerd.sock"
# $CTR images pull --all-platforms docker.io/library/bash:latest
[...]
# $CTR images layerinfo --platform linux/amd64 docker.io/library/bash:latest
   #                                                                    DIGEST      PLATFORM      SIZE   ENCRYPTION   RECIPIENTS
   0   sha256:9d48c3bd43c520dc2784e868a780e976b207cbf493eaff8c6596eb871cbd9609   linux/amd64   2789669                          
   1   sha256:7dd01fd971d4ec7058c5636a505327b24e5fc8bd7f62816a9d518472bd9b15c0   linux/amd64   3174665                          
   2   sha256:691cfbca522787898c8b37f063dd20e5524e7d103e1a3b298bd2e2b8da54faf5   linux/amd64       340                          
# $CTR images encrypt --recipient jwe:mypubkey.pem --platform linux/amd64 docker.io/library/bash:latest bash.enc:latest
Encrypting docker.io/library/bash:latest to bash.enc:latest
# $CTR images layerinfo --platform linux/amd64 bash.enc:latest
   #                                                                    DIGEST      PLATFORM      SIZE   ENCRYPTION   RECIPIENTS
   0   sha256:360be141b01f69b25427a9085b36ba8ad7d7a335449013fa6b32c1ecb894ab5b   linux/amd64   2789669          jwe        [jwe]
   1   sha256:ac601e66cdd275ee0e10afead03a2722e153a60982122d2d369880ea54fe82f8   linux/amd64   3174665          jwe        [jwe]
   2   sha256:41e47064fd00424e328915ad2f7f716bd86ea2d0d8315edaf33ecaa6a2464530   linux/amd64       340          jwe        [jwe]

Start a local image registry so we can push the encrypted image to it. A recent version of the registry is required to accept encrypted container images.

# docker pull registry:latest
# docker run -d -p 5000:5000 --restart=always --name registry registry

Push the encrypted image to the local registry, pull it using ctr-enc, and then run the image.

# $CTR images tag bash.enc:latest localhost:5000/bash.enc:latest
# $CTR images push localhost:5000/bash.enc:latest
# $CTR images rm localhost:5000/bash.enc:latest bash.enc:latest
# $CTR images pull localhost:5000/bash.enc:latest
# sudo $CTR run --rm localhost:5000/bash.enc:latest test echo 'Hello World!'
ctr: you are not authorized to use this image: missing private key needed for decryption
# sudo $CTR run --rm --key mykey.pem localhost:5000/bash.enc:latest test echo 'Hello World!'
Hello World!
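The table printed by layerinfo and the stream_processors table in config.toml are two views of the same metadata: ocicrypt marks an encrypted layer by appending +encrypted to its media type and stores the wrapped layer key in an org.opencontainers.image.enc.keys.<scheme> annotation, and containerd hands a layer to the processor whose accepts list names that media type. The following stdlib-only Go program is an added example, not imgcrypt's or containerd's code: it parses a manifest constructed for this example (placeholder annotation values, not real wrapped keys), derives a layerinfo-style row per layer, maps each encrypted layer to the processor from the config above (including the +zstd+encrypted media type the config registers), and rejects a manifest whose media type and key annotations disagree or whose media type no processor accepts. LayerInfo, InspectLayers and sampleManifest are names of this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// descriptor is the subset of an OCI content descriptor this example needs.
type descriptor struct {
	MediaType   string            `json:"mediaType"`
	Digest      string            `json:"digest"`
	Size        int64             `json:"size"`
	Annotations map[string]string `json:"annotations,omitempty"`
}

type manifest struct {
	Layers []descriptor `json:"layers"`
}

// ocicrypt stores the wrapped per-layer key under an annotation named
// org.opencontainers.image.enc.keys.<scheme> (jwe, pgp, pkcs7, pkcs11, provider.<name>).
const encKeysPrefix = "org.opencontainers.image.enc.keys."

// streamProcessors mirrors the [stream_processors] table in the config.toml above:
// accepted media type -> processor id.
var streamProcessors = map[string]string{
	"application/vnd.oci.image.layer.v1.tar+gzip+encrypted": "io.containerd.ocicrypt.decoder.v1.tar.gzip",
	"application/vnd.oci.image.layer.v1.tar+zstd+encrypted": "io.containerd.ocicrypt.decoder.v1.tar.zstd",
	"application/vnd.oci.image.layer.v1.tar+encrypted":      "io.containerd.ocicrypt.decoder.v1.tar",
}

// LayerInfo is one row of a layerinfo-style table.
type LayerInfo struct {
	Index     int
	Digest    string
	Size      int64
	Schemes   []string // key-wrapping schemes found in the annotations; empty for a plaintext layer
	Processor string   // stream processor that would decode the layer; empty for a plaintext layer
}

// InspectLayers parses a manifest and returns one LayerInfo per layer. It refuses a
// manifest whose media types and key annotations disagree, or whose encrypted media
// type no configured stream processor accepts, since containerd could not unpack it.
func InspectLayers(manifestJSON []byte) ([]LayerInfo, error) {
	var m manifest
	if err := json.Unmarshal(manifestJSON, &m); err != nil {
		return nil, fmt.Errorf("parsing manifest: %w", err)
	}
	infos := make([]LayerInfo, 0, len(m.Layers))
	for i, l := range m.Layers {
		info := LayerInfo{Index: i, Digest: l.Digest, Size: l.Size}
		for k := range l.Annotations {
			if strings.HasPrefix(k, encKeysPrefix) {
				info.Schemes = append(info.Schemes, strings.TrimPrefix(k, encKeysPrefix))
			}
		}
		sort.Strings(info.Schemes) // map iteration order is random; make the row deterministic
		encrypted := strings.HasSuffix(l.MediaType, "+encrypted")
		switch {
		case encrypted && len(info.Schemes) == 0:
			return nil, fmt.Errorf("layer %d: %s carries no %s* annotation", i, l.MediaType, encKeysPrefix)
		case !encrypted && len(info.Schemes) > 0:
			return nil, fmt.Errorf("layer %d: key annotations on plaintext media type %s", i, l.MediaType)
		case encrypted:
			p, ok := streamProcessors[l.MediaType]
			if !ok {
				return nil, fmt.Errorf("layer %d: no stream processor accepts %s", i, l.MediaType)
			}
			info.Processor = p
		}
		infos = append(infos, info)
	}
	return infos, nil
}

// sampleManifest is constructed for this example: a gzip layer encrypted for a JWE
// recipient, a zstd layer encrypted for JWE and PGP recipients, and a plaintext layer.
// Annotation values are placeholders, not real wrapped keys.
const sampleManifest = `{"schemaVersion": 2, "layers": [
 {"mediaType": "application/vnd.oci.image.layer.v1.tar+gzip+encrypted", "digest": "sha256:aaaa", "size": 2789669,
  "annotations": {"org.opencontainers.image.enc.keys.jwe": "PLACEHOLDER", "org.opencontainers.image.enc.pubopts": "PLACEHOLDER"}},
 {"mediaType": "application/vnd.oci.image.layer.v1.tar+zstd+encrypted", "digest": "sha256:bbbb", "size": 3174665,
  "annotations": {"org.opencontainers.image.enc.keys.jwe": "PLACEHOLDER", "org.opencontainers.image.enc.keys.pgp": "PLACEHOLDER",
                  "org.opencontainers.image.enc.pubopts": "PLACEHOLDER"}},
 {"mediaType": "application/vnd.oci.image.layer.v1.tar+gzip", "digest": "sha256:cccc", "size": 340}
]}`

func main() {
	infos, err := InspectLayers([]byte(sampleManifest))
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("%-3s %-12s %9s %-10s %s\n", "#", "DIGEST", "SIZE", "ENCRYPTION", "PROCESSOR")
	for _, in := range infos {
		fmt.Printf("%-3d %-12s %9d %-10s %s\n", in.Index, in.Digest, in.Size, strings.Join(in.Schemes, ","), in.Processor)
	}
}
```

Running it prints a three-row table; the consistency checks are the useful part for an operator. A layer advertised as encrypted without a wrapped key, or a plaintext media type carrying key annotations, is a manifest containerd cannot unpack, and a media type that no configured processor accepts is exactly the situation the zstd entries in the config above exist to avoid. Refusing early gives a clearer failure than a decoder error at unpack time.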

Project details

imgcrypt is a non-core containerd sub-project, licensed under the Apache 2.0 license. As a containerd sub-project, you will find the:

information in our containerd/project repository.


imgcrypt's Issues

need an updated release and

two part...

Current version reports:
1.5.0-beta.1+unknown

  • there have been changes to the ctr command that need to be synched up... and we should rebase this repo on the 1.5.0 GA to pick that up.. we are going to do a service refresh and imgcrypt binaries are included now so... we should vendor to pick up the new ctr changes, make a release, and set the new release over in containerd/containerd/script/setup/imgcrypt-version

  • longer term.. now that we are building this into the release, need a better way to do this and to get the version tag right :-)

cc @dmcgowan

check authorization not working

Hello, I'm referring to this closed issue: #69
The problem is pretty much the same for me with version 1.1.7.
My working environment is this:
imgcrypt 1.1.7
k3s v1.22
containerd v1.6.12
Ubuntu 20.04.5 x86_64 (same for the image architecture)

containerd config.toml

[plugins."io.containerd.grpc.v1.cri".image_decryption]
key_model = "node"

[stream_processors]
[stream_processors."io.containerd.ocicrypt.decoder.v1.tar.gzip"]
accepts = ["application/vnd.oci.image.layer.v1.tar+gzip+encrypted"]
returns = "application/vnd.oci.image.layer.v1.tar+gzip"
path = "ctd-decoder"
args = ["--decryption-keys-path", "/etc/containerd/ocicrypt/keys"]
env= ["OCICRYPT_KEYPROVIDER_CONFIG=/etc/containerd/ocicrypt/ocicrypt_keyprovider.conf"]
[stream_processors."io.containerd.ocicrypt.decoder.v1.tar"]
accepts = ["application/vnd.oci.image.layer.v1.tar+encrypted"]
returns = "application/vnd.oci.image.layer.v1.tar"
path = "ctd-decoder"
args = ["--decryption-keys-path", "/etc/containerd/ocicrypt/keys"]
env= ["OCICRYPT_KEYPROVIDER_CONFIG=/etc/containerd/ocicrypt/ocicrypt_keyprovider.conf"]

To explain the issue: I'm spinning up an encrypted image while providing the key in the configured directory (/etc/containerd/ocicrypt/keys). The container spins up successfully, but when I remove the key from the directory and try to deploy again, I get no error regarding the missing key.

I'll be happy to provide any more needed information.

ctd-decoder unknown file descriptors in K8s with Containerd runtime

Hi,

I'm trying to run an encrypted image under k8s; I used kubeasz to deploy a Kubernetes cluster with one manager and two worker nodes on the containerd runtime. When running a Deployment, ctd-decoder prints an error.

Question

Running the encrypted image gives this error: failed to create containerd container: error unpacking image: failed to extract layer sha256:831c5620387fb9efec59fc82a42b948546c6be601e3ab34a87108ecf852aa15f: read payload: read configFd: bad file descriptor\n: unknown
It seems like ctd-decoder can't find the pipe stream, and I don't know how to debug this...

Error log:

10 09 16:58:47 install-02 containerd[21281]: time="2020-10-09T16:58:47.331751257+08:00" level=debug msg="Container \"f179555a4c12b46bf5a5611d1c62be9f37543c66fc1a6267ca91acfc909081c5\" spec: (*specs.Spec)(0xc0000e8100){Version:(string)1.0.1-dev Process:(*specs.Process)(0xc00055c540){Terminal:(bool)false ConsoleSize:(*specs.Box)<nil> User:(specs.User){UID:(uint32)0 GID:(uint32)0 AdditionalGids:([]uint32)<nil> Username:(string)} Args:([]string)[nginx -g daemon off;] CommandLine:(string) Env:([]string)[PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin HOSTNAME=enc-nginx-deployment-6757f774f9-2nhsd NGINX_VERSION=1.17.6 NJS_VERSION=0.3.7 PKG_RELEASE=1~buster KUBERNETES_PORT_443_TCP=tcp://10.68.0.1:443 KUBERNETES_PORT_443_TCP_PROTO=tcp KUBERNETES_PORT_443_TCP_PORT=443 KUBERNETES_PORT_443_TCP_ADDR=10.68.0.1 KUBERNETES_SERVICE_HOST=10.68.0.1 KUBERNETES_SERVICE_PORT=443 KUBERNETES_SERVICE_PORT_HTTPS=443 KUBERNETES_PORT=tcp://10.68.0.1:443] Cwd:(string)/ Capabilities:(*specs.LinuxCapabilities)(0xc0000e8300){Bounding:([]string)[CAP_CHOWN CAP_DAC_OVERRIDE CAP_FSETID CAP_FOWNER CAP_MKNOD CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SETFCAP CAP_SETPCAP CAP_NET_BIND_SERVICE CAP_SYS_CHROOT CAP_KILL CAP_AUDIT_WRITE] Effective:([]string)[CAP_CHOWN CAP_DAC_OVERRIDE CAP_FSETID CAP_FOWNER CAP_MKNOD CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SETFCAP CAP_SETPCAP CAP_NET_BIND_SERVICE CAP_SYS_CHROOT CAP_KILL CAP_AUDIT_WRITE] Inheritable:([]string)[CAP_CHOWN CAP_DAC_OVERRIDE CAP_FSETID CAP_FOWNER CAP_MKNOD CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SETFCAP CAP_SETPCAP CAP_NET_BIND_SERVICE CAP_SYS_CHROOT CAP_KILL CAP_AUDIT_WRITE] Permitted:([]string)[CAP_CHOWN CAP_DAC_OVERRIDE CAP_FSETID CAP_FOWNER CAP_MKNOD CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SETFCAP CAP_SETPCAP CAP_NET_BIND_SERVICE CAP_SYS_CHROOT CAP_KILL CAP_AUDIT_WRITE] Ambient:([]string)<nil>} Rlimits:([]specs.POSIXRlimit)<nil> NoNewPrivileges:(bool)false ApparmorProfile:(string) OOMScoreAdj:(*int)(0xc0004b8858)1000 
SelinuxLabel:(string)} Root:(*specs.Root)(0xc0002ec760){Path:(string)rootfs Readonly:(bool)false} Hostname:(string) Mounts:([]specs.Mount)[{Destination:(string)/proc Type:(string)proc Source:(string)proc Options:([]string)[nosuid noexec nodev]} {Destination:(string)/dev Type:(string)tmpfs Source:(string)tmpfs Options:([]string)[nosuid strictatime mode=755 size=65536k]} {Destination:(string)/dev/pts Type:(string)devpts Source:(string)devpts Options:([]string)[nosuid noexec newinstance ptmxmode=0666 mode=0620 gid=5]} {Destination:(string)/dev/mqueue Type:(string)mqueue Source:(string)mqueue Options:([]string)[nosuid noexec nodev]} {Destination:(string)/sys Type:(string)sysfs Source:(string)sysfs Options:([]string)[nosuid noexec nodev ro]} {Destination:(string)/sys/fs/cgroup Type:(string)cgroup Source:(string)cgroup Options:([]string)[nosuid noexec nodev relatime ro]} {Destination:(string)/etc/hosts Type:(string)bind Source:(string)/var/lib/kubelet/pods/1c097d52-ebd5-4252-850b-01c1ba27058f/etc-hosts Options:([]string)[rbind rprivate rw]} {Destination:(string)/dev/termination-log Type:(string)bind Source:(string)/var/lib/kubelet/pods/1c097d52-ebd5-4252-850b-01c1ba27058f/containers/nginx/6b59b622 Options:([]string)[rbind rprivate rw]} {Destination:(string)/etc/hostname Type:(string)bind Source:(string)/var/lib/containerd/io.containerd.grpc.v1.cri/sandboxes/2c8aa2bca860dfb3df936f4ed128f880aa0831f0900a5fe97e2bd9a2ef435f4a/hostname Options:([]string)[rbind rprivate rw]} {Destination:(string)/etc/resolv.conf Type:(string)bind Source:(string)/var/lib/containerd/io.containerd.grpc.v1.cri/sandboxes/2c8aa2bca860dfb3df936f4ed128f880aa0831f0900a5fe97e2bd9a2ef435f4a/resolv.conf Options:([]string)[rbind rprivate rw]} {Destination:(string)/dev/shm Type:(string)bind Source:(string)/run/containerd/io.containerd.grpc.v1.cri/sandboxes/2c8aa2bca860dfb3df936f4ed128f880aa0831f0900a5fe97e2bd9a2ef435f4a/shm Options:([]string)[rbind rprivate rw]} 
{Destination:(string)/var/run/secrets/kubernetes.io/serviceaccount Type:(string)bind Source:(string)/var/lib/kubelet/pods/1c097d52-ebd5-4252-850b-01c1ba27058f/volumes/kubernetes.io~secret/default-token-dq6wl Options:([]string)[rbind rprivate ro]}] Hooks:(*specs.Hooks)<nil> Annotations:(map[string]string)map[io.kubernetes.cri.container-type:container io.kubernetes.cri.sandbox-id:2c8aa2bca860dfb3df936f4ed128f880aa0831f0900a5fe97e2bd9a2ef435f4a] Linux:(*specs.Linux)(0xc00055c620){UIDMappings:([]specs.LinuxIDMapping)<nil> GIDMappings:([]specs.LinuxIDMapping)<nil> Sysctl:(map[string]string)<nil> Resources:(*specs.LinuxResources)(0xc000a0e120){Devices:([]specs.LinuxDeviceCgroup)[{Allow:(bool)false Type:(string) Major:(*int64)<nil> Minor:(*int64)<nil> Access:(string)rwm}] Memory:(*specs.LinuxMemory)(0xc000838780){Limit:(*int64)<nil> Reservation:(*int64)<nil> Swap:(*int64)<nil> Kernel:(*int64)<nil> KernelTCP:(*int64)<nil> Swappiness:(*uint64)<nil> DisableOOMKiller:(*bool)<nil>} CPU:(*specs.LinuxCPU)(0xc000728690){Shares:(*uint64)(0xc0004b8848)2 Quota:(*int64)<nil> Period:(*uint64)(0xc0004b8828)100000 RealtimeRuntime:(*int64)<nil> RealtimePeriod:(*uint64)<nil> Cpus:(string) Mems:(string)} Pids:(*specs.LinuxPids)<nil> BlockIO:(*specs.LinuxBlockIO)<nil> HugepageLimits:([]specs.LinuxHugepageLimit)<nil> Network:(*specs.LinuxNetwork)<nil> Rdma:(map[string]specs.LinuxRdma)<nil>} CgroupsPath:(string)/kubepods/besteffort/pod1c097d52-ebd5-4252-850b-01c1ba27058f/f179555a4c12b46bf5a5611d1c62be9f37543c66fc1a6267ca91acfc909081c5 Namespaces:([]specs.LinuxNamespace)[{Type:(specs.LinuxNamespaceType)pid Path:(string)} {Type:(specs.LinuxNamespaceType)ipc Path:(string)/proc/21576/ns/ipc} {Type:(specs.LinuxNamespaceType)uts Path:(string)/proc/21576/ns/uts} {Type:(specs.LinuxNamespaceType)mount Path:(string)} {Type:(specs.LinuxNamespaceType)network Path:(string)/proc/21576/ns/net}] Devices:([]specs.LinuxDevice)<nil> Seccomp:(*specs.LinuxSeccomp)<nil> RootfsPropagation:(string) 
MaskedPaths:([]string)[/proc/acpi /proc/kcore /proc/keys /proc/latency_stats /proc/timer_list /proc/timer_stats /proc/sched_debug /proc/scsi /sys/firmware] ReadonlyPaths:([]string)[/proc/asound /proc/bus /proc/fs /proc/irq /proc/sys /proc/sysrq-trigger] MountLabel:(string) IntelRdt:(*specs.LinuxIntelRdt)<nil>} Solaris:(*specs.Solaris)<nil> Windows:(*specs.Windows)<nil> VM:(*specs.VM)<nil>}"
10 09 16:58:47 install-02 containerd[21281]: time="2020-10-09T16:58:47.332058695+08:00" level=debug msg="Composed container full log path \"/var/log/pods/default_enc-nginx-deployment-6757f774f9-2nhsd_1c097d52-ebd5-4252-850b-01c1ba27058f/nginx/0.log\" using sandbox log dir \"/var/log/pods/default_enc-nginx-deployment-6757f774f9-2nhsd_1c097d52-ebd5-4252-850b-01c1ba27058f\" and container log path \"nginx/0.log\""
10 09 16:58:47 install-02 containerd[21281]: time="2020-10-09T16:58:47.340989635+08:00" level=debug msg="event published" ns=k8s.io topic=/snapshot/prepare type=containerd.events.SnapshotPrepare
10 09 16:58:47 install-02 containerd[21281]: time="2020-10-09T16:58:47.349801745+08:00" level=debug msg="received signal" signal="broken pipe"
10 09 16:58:47 install-02 containerd[21281]: time="2020-10-09T16:58:47.354487067+08:00" level=info msg="apply failure, attempting cleanup" error="failed to extract layer sha256:831c5620387fb9efec59fc82a42b948546c6be601e3ab34a87108ecf852aa15f: read payload: read configFd: bad file descriptor\n: unknown" key="extract-336515533-Ry_C sha256:831c5620387fb9efec59fc82a42b948546c6be601e3ab34a87108ecf852aa15f"
10 09 16:58:47 install-02 containerd[21281]: time="2020-10-09T16:58:47.360466528+08:00" level=debug msg="event published" ns=k8s.io topic=/snapshot/remove type=containerd.events.SnapshotRemove
10 09 16:58:47 install-02 containerd[21281]: time="2020-10-09T16:58:47.363388989+08:00" level=error msg="CreateContainer within sandbox \"2c8aa2bca860dfb3df936f4ed128f880aa0831f0900a5fe97e2bd9a2ef435f4a\" for &ContainerMetadata{Name:nginx,Attempt:0,} failed" error="failed to create containerd container: error unpacking image: failed to extract layer sha256:831c5620387fb9efec59fc82a42b948546c6be601e3ab34a87108ecf852aa15f: read payload: read configFd: bad file descriptor\n: unknown"
10 09 16:58:47 install-02 containerd[21281]: time="2020-10-09T16:58:47.753668091+08:00" level=debug msg="schedule snapshotter cleanup" snapshotter=overlayfs
10 09 16:58:47 install-02 containerd[21281]: time="2020-10-09T16:58:47.756036172+08:00" level=debug msg="removed snapshot" key="k8s.io/345/extract-336515533-Ry_C sha256:831c5620387fb9efec59fc82a42b948546c6be601e3ab34a87108ecf852aa15f" snapshotter=overlayfs
10 09 16:58:47 install-02 containerd[21281]: time="2020-10-09T16:58:47.756432457+08:00" level=debug msg="snapshot garbage collected" d=2.681766ms snapshotter=overlayfs
10 09 16:58:47 install-02 containerd[21281]: time="2020-10-09T16:58:47.756470327+08:00" level=debug msg="garbage collected" d=2.216775ms

Version

Kubernetes:

Client Version: version.Info{Major:"1", Minor:"18", GitVersion:"v1.18.3", GitCommit:"2e7996e3e2712684bc73f0dec0200d64eec7fe40", GitTreeState:"clean", BuildDate:"2020-05-20T12:52:00Z", GoVersion:"go1.13.9", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"18", GitVersion:"v1.18.3", GitCommit:"2e7996e3e2712684bc73f0dec0200d64eec7fe40", GitTreeState:"clean", BuildDate:"2020-05-20T12:43:34Z", GoVersion:"go1.13.9", Compiler:"gc", Platform:"linux/amd64"}

Containerd:

containerd github.com/containerd/containerd v1.3.4 814b7956fafc7a0980ea07e950f983d0837e5578

Reference

Referred to decryption.md.
Used the demo image and key from How Encrypted Images brings about compliance in Kubernetes (via CRI-O).

Error when importing images from tar file

Hi!
I already successfully exported an image file with the command:
sudo ctr-enc images export --platform linux/arm64 --skip-manifest-json --skip-non-distributable image.tar russian_lpr.enc:latest
But when I import this tar file with the command:
sudo ctr-enc images import --platform linux/arm64 --skip-decrypt-auth --digests image.tar
I get errors like below:

unpacking russian_lpr.enc:latest (sha256:7b9e5f040ab776c4ad8bd0838ebb6a4f82b730c524835156f7119cd11275da81)...INFO[0048] apply failure, attempting cleanup error="failed to extract layer sha256:e996f7b5c172e7efdf80c4315098351ede3c56e08566a20be161ff253df969cc: mount callback failed on /var/lib/containerd/tmpmounts/containerd-mount654180591: archive/tar: invalid tar header: unknown" key="extract-630916527-yqAD sha256:e996f7b5c172e7efdf80c4315098351ede3c56e08566a20be161ff253df969cc"
ctr: failed to extract layer sha256:e996f7b5c172e7efdf80c4315098351ede3c56e08566a20be161ff253df969cc: mount callback failed on /var/lib/containerd/tmpmounts/containerd-mount654180591: archive/tar: invalid tar header: unknown

Do you have any idea about this issue?

typo in README.md file

It's not an issue, it is just a typo.

The imgcrypt library provides API exensions (typo here) for containerd to support encrypted container images and implements the ctd-decoder command line tool for use by containerd to decrypt encrypted container images. An extended version of containerd's ctr tool (ctr-enc) with support for encrypting and decrypting container images is also provided.

Problem with ctd-decoder

I have cloned containerd/imgcrypt but it is having difficulty with 'ctd-decoder' when I use the 'make' command:

github.com/containerd/containerd/cio

github.com/containerd/containerd/content

github.com/containerd/containerd/content

vendor/github.com/containerd/containerd/content/helpers.go:236:27: undefined: io.Discard

github.com/containerd/containerd/mount

github.com/containerd/containerd/cio

vendor/github.com/containerd/containerd/cio/io_unix.go:41:14: undefined: os.MkdirTemp

github.com/containerd/containerd/remotes/errors

github.com/containerd/containerd/remotes/errors

vendor/github.com/containerd/containerd/remotes/errors/errors.go:43:10: undefined: io.ReadAll

github.com/containerd/containerd/services/introspection

github.com/containerd/containerd/mount

vendor/github.com/containerd/containerd/mount/temp.go:33:16: undefined: os.MkdirTemp

github.com/containerd/containerd/services/introspection

vendor/github.com/containerd/containerd/services/introspection/local.go:117:15: undefined: os.ReadFile

vendor/github.com/containerd/containerd/services/introspection/local.go:141:12: undefined: os.WriteFile

make: *** [Makefile:37: bin/ctd-decoder] Error 2

Unhandled media type error when trying to run ctr-enc encryption

When trying to run the following from the README
$CTR images layerinfo --platform linux/amd64 docker.io/library/bash:latest
I always get the following error:
ctr: unhandled media type application/vnd.in-toto+json: invalid argument

I cannot view the encryption info on the image, and I get the same error when trying to run the encrypt command as well. Would this have something to do with the config.toml file, or how containerd is set up?

Edit: I had previously pulled another image with --all-platforms label, which caused the error. Removing that image fixed it.

Refactor to take the keys as arguments instead of their filesystem path then reading them

I was at some point needing to use nerdctl as a library (which uses imgcrypt), and I needed a way to pass keys created in memory directly instead of reading them from the filesystem. So I had to copy your functions processRecipientKeys, which takes a string of recipients, and in the case of decryption processPrivateKeyFiles, add an extra argument for the keys and remove the parts that read from the FS. So I was wondering if it would be possible to create public functions that also support passing an array of byte arrays (the keys) instead? It would make the library more accessible.

Missing support for `zstd` compressed images

Issue Description:

It seems that working with an image that has a layer with media type application/vnd.oci.image.layer.v1.tar+zstd is not possible. When I try to encrypt or even use layerinfo, I see that the following error is returned:

ctr: unhandled media type application/vnd.oci.image.layer.v1.tar+zstd: invalid argument

Also $ ctr-enc containers create repo:port/zstd-image:latest some-id fails with:

ctr: you are not authorized to use this image: bad/unhandled MediaType application/vnd.oci.image.layer.v1.tar+zstd in encryptChildren

The zstd compression format is supported by containerd and for example $ ctr containers create repo:port/zstd-image:latest hello-world-zstd is working as expected and the desired container is created successfully.

Steps to reproduce:

To reproduce the issue one can use skopeo to change the compression of a simple hello-world image and then push it to a private/local registry, e.g.:

  1. Use skopeo copy to create a zstd-compressed image and push it locally:
$ skopeo copy --dest-compress-format=zstd docker://hello-world docker://<some-plain-http-local-ip:port>/hello-world-zstd:latest --dest-tls-verify=false
  2. Use skopeo inspect to check the compression of the pushed image:
$ skopeo inspect --raw docker://<some-plain-http-local-ip:port>/hello-world-zstd:latest --tls-verify=false | jq -r '.layers[].mediaType'
  3. Pull the image:
$ ctr-enc image pull --plain-http <some-plain-http-local-ip:port>/hello-world-zstd:latest
  4. Try any of the following commands:
$ ctr-enc image encrypt <some-plain-http-local-ip:port>/hello-world-zstd:latest --recipient=pgp:[email protected]
$ ctr-enc containers create <some-plain-http-local-ip:port>/zstd-image:latest some-id

Proposal:

In my opinion the compression part of the media type should not be taken into account as (please correct me if I am wrong) it is not relevant to the encryption process. So, the checks that are done here, here and probably in some other parts of the code that I haven't explored could be refactored in a way that disregards the compression type, whether it is zstd or something else.
To test this thinking I ran the simplest test locally, which is just adding application/vnd.oci.image.layer.v1.tar+zstd and application/vnd.oci.image.layer.v1.tar+zstd+encrypted to the switch/case blocks in the functions linked above, and as expected the encryption and the creation of the container were successful. So, I think that it would be nice to have more flexibility regarding the verification of media types that are supported by the library.

Error when importing images from tar file with platform linux/arm64 on Jetson AGX JetPack 4.4.1

I ran the script below on Jetson AGX JetPack 4.4.1 (R32 (release), REVISION: 4.4, GCID: 23942405, BOARD: t186ref, EABI: aarch64, DATE: Fri Oct 16 19:37:08 UTC 2020):

#!/usr/bin/env bash

ALPINE=quay.io/jitesoft/alpine:latest
ALPINE_ENC=quay.io/jitesoft/alpine:enc
ALPINE_ENC_IMPORT_BASE=quay.io/jitesoft/alpine-import
PLATFORM="--all-platforms"

sudo ctr-enc images rm --sync ${ALPINE_ENC}

sudo ctr-enc images pull ${PLATFORM} ${ALPINE}
sudo ctr-enc images layerinfo ${ALPINE}

sudo ctr-enc images encrypt --platform linux/arm64 --recipient jwe:mypubkey.pem ${ALPINE} ${ALPINE_ENC}
sudo ctr-enc images layerinfo ${ALPINE_ENC}
rm -f image.tar

sudo ctr-enc images export ${PLATFORM} image.tar ${ALPINE_ENC}
sudo ctr-enc images rm --sync ${ALPINE_ENC} ${ALPINE}

sudo ctr-enc images import ${PLATFORM} --base-name ${ALPINE_ENC_IMPORT_BASE} --skip-decrypt-auth --key mykey.pem image.tar

Then an error happens.

When I use the platforms amd64 or ppc64le everything is fine.

encryption.CheckAuthorization not working for multi-arch images

When a multi-arch index descriptor is provided to imgcrypt's CheckAuthorization func (e.g. via image.Target()), the library iterates over the manifests it refers to with the cryptoOpUnwrapOnly option set to true to perform a check only. That causes the cycle to stop on the first manifest in the collection, as the condition here will always evaluate to true regardless of the error. Additionally, if reading any of the referred manifest's children returns an errdefs.IsNotFound(err), the cycle will exit with a nil error; thus, the authorization check passes incorrectly.
Let's take for example the case where the cycle checks the first manifest in the collection (e.g. for amd64) on an arm/arm64 machine: the children of this manifest are not found since this is not the target platform and they were not pulled -> the authorization check passes incorrectly. This issue is rarely reproducible on an amd64 machine as usually this is the first manifest in the index descriptor.
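To make the failure mode described in the issue above concrete, here is an added Go model, not imgcrypt's code, that contrasts the fail-open loop the report describes with one fail-closed alternative. PlatformManifest, unwrapOnly, CheckFailOpen and CheckFailClosed are names of this example; the index, the host platform and the key outcome are constructed so that the first (amd64) manifest was never pulled on an arm64 host and the supplied key does not unwrap the arm64 layer keys.

```go
package main

import (
	"errors"
	"fmt"
)

// Models of the two failure classes named in the issue (constructed for this example).
var (
	errNotFound = errors.New("not found")                                 // like errdefs.ErrNotFound: children never pulled
	errNoKey    = errors.New("missing private key needed for decryption") // key cannot unwrap this manifest's layer keys
)

// PlatformManifest is one entry of a multi-arch index, as this model sees it.
type PlatformManifest struct {
	Platform string
	Pulled   bool // layer blobs (the manifest's children) exist in the local content store
	KeyFits  bool // the caller's private key unwraps this manifest's layer keys
}

// unwrapOnly stands in for the per-manifest check done with cryptoOpUnwrapOnly:
// it fails with errNotFound when children are absent and errNoKey when the key is wrong.
func unwrapOnly(m PlatformManifest) error {
	switch {
	case !m.Pulled:
		return errNotFound
	case !m.KeyFits:
		return errNoKey
	}
	return nil
}

// CheckFailOpen reproduces the behaviour the issue describes: the loop returns after
// the first manifest whatever happened, and "children not found" counts as authorised.
func CheckFailOpen(index []PlatformManifest) error {
	for _, m := range index {
		err := unwrapOnly(m)
		if errors.Is(err, errNotFound) {
			return nil
		}
		return err
	}
	return nil
}

// CheckFailClosed is one fail-closed alternative (a design choice of this example, not
// imgcrypt's fix): manifests whose children are absent are skipped unless they are the
// target platform, every pulled manifest is checked, and the call refuses when nothing
// could be verified at all.
func CheckFailClosed(index []PlatformManifest, target string) error {
	verified := 0
	for _, m := range index {
		err := unwrapOnly(m)
		switch {
		case errors.Is(err, errNotFound) && m.Platform != target:
			continue // not pulled for this host: nothing to verify, so nothing to trust
		case err != nil:
			return fmt.Errorf("%s: %w", m.Platform, err)
		}
		verified++
	}
	if verified == 0 {
		return errors.New("authorization: no manifest with local content could be verified")
	}
	return nil
}

// arm64Host is constructed: the index lists amd64 first, which this arm64 host never
// pulled, followed by the arm64 manifest whose layer keys the supplied key cannot unwrap.
var arm64Host = []PlatformManifest{
	{Platform: "linux/amd64", Pulled: false, KeyFits: false},
	{Platform: "linux/arm64", Pulled: true, KeyFits: false},
}

func main() {
	fmt.Println("fail-open  :", CheckFailOpen(arm64Host))                  // <nil>: the wrong key is accepted
	fmt.Println("fail-closed:", CheckFailClosed(arm64Host, "linux/arm64")) // linux/arm64: missing private key needed for decryption
}
```

The fail-closed variant treats "content not pulled" as "nothing to verify" rather than "authorized", keeps iterating instead of returning after the first manifest, insists that the target platform's manifest is actually checked, and refuses when it verified nothing at all. Whatever the project's own fix looks like, those are the four properties a reviewer would want to see tested on a multi-arch index.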

Facing issues with go mod tidy

arsh@meAI:~$ go version
go version go1.21.9 linux/amd64

arsh@meAI:~$ cd imgcrypt/

arsh@meAI:~/imgcrypt$ make
cd cmd && go build -o ../bin/ctd-decoder -v ./ctd-decoder/
go: updates to go.mod needed; to update it:
go mod tidy
make: *** [Makefile:37: bin/ctd-decoder] Error 1

I am facing the above error while running the make command. I would appreciate it if someone knows how I can resolve this.

Start container with port and volumes

Hi everyone,
I'm trying to use this useful library but can't figure out how to run an encrypted image with port mapping.
What is the equivalent of docker run -p <host_port>:<container_port> ...?
Also, I can't figure out how to specify volumes when starting the encrypted container.

Thanks for your help.

github.com/containerd/[email protected]/go.mod: checksum mismatch when GOPROXY=direct

The checksum for github.com/containerd/[email protected]/go.mod does not match usage in importing modules (like nerdctl) when skipping the Go module proxy:

verifying github.com/containerd/[email protected]/go.mod: checksum mismatch
	downloaded: h1:/zRIwdIOlnS1oJhKdq4/9LB9pFv+U1ziMvIBkCRoQuE=
	go.sum:     h1:maqDE8PxC8IpBdEIXVe5Y0nghLVMv6wkAbcFRyvO+1M=

SECURITY ERROR
This download does NOT match an earlier download recorded in go.sum.
The bits may have been replaced on the origin server, or an attacker may
have intercepted the download attempt.

For more information, see 'go help module-auth'.

This suggests that the v1.1.2 tag may have been changed after an initial tag was cached by the module proxy.

Would it be possible to either (a) restore the old tag or (b) release a new version of the module so that new version can be cached in the Go module proxy?

Reproduction steps
$ docker run -it --rm public.ecr.aws/docker/library/golang:latest
root@e150dc989932:/go# go env -w GOPROXY=direct
root@e150dc989932:/go# mkdir -p src/github.com/containerd/nerdctl
root@e150dc989932:/go# git clone https://github.com/containerd/nerdctl src/github.com/containerd/nerdctl 
Cloning into 'src/github.com/containerd/nerdctl'...
remote: Enumerating objects: 5146, done.
remote: Counting objects: 100% (227/227), done.
remote: Compressing objects: 100% (131/131), done.
remote: Total 5146 (delta 114), reused 165 (delta 77), pack-reused 4919
Receiving objects: 100% (5146/5146), 2.08 MiB | 4.59 MiB/s, done.
Resolving deltas: 100% (3159/3159), done.
root@e150dc989932:/go# cd src/github.com/containerd/nerdctl/
root@e150dc989932:/go/src/github.com/containerd/nerdctl# make
GO111MODULE=on CGO_ENABLED=0 GOOS=linux go build -ldflags "-s -w -X github.com/containerd/nerdctl/pkg/version.Version=v0.14.0-79-ge671087 -X github.com/containerd/nerdctl/pkg/version.Revision=e671087161ed3e22cf9c9d67b9606bd69e53fbbe"  -o /go/src/github.com/containerd/nerdctl/_output/nerdctl github.com/containerd/nerdctl/cmd/nerdctl
verifying github.com/containerd/[email protected]/go.mod: checksum mismatch
	downloaded: h1:/zRIwdIOlnS1oJhKdq4/9LB9pFv+U1ziMvIBkCRoQuE=
	go.sum:     h1:maqDE8PxC8IpBdEIXVe5Y0nghLVMv6wkAbcFRyvO+1M=

SECURITY ERROR
This download does NOT match an earlier download recorded in go.sum.
The bits may have been replaced on the origin server, or an attacker may
have intercepted the download attempt.

For more information, see 'go help module-auth'.
make: *** [Makefile:50: nerdctl] Error 1

Error seekReader

When I encrypt an image or decrypt it, I get this error: copy failed:unable to resume to resume to blob-xxxxxxxxx :unable to discard to offset.
I have checked the code and think the reason may be that the offset is not none. So how do I solve it? I have uploaded many images and none of them can run. Why?

Is it possible to encrypt local image?

I tried to encrypt the local images, but it always checks the image from docker.io.
Is it possible to encrypt a local image? In some network configurations it is not convenient to reach docker.io.
Thank you.
