notary-official-images/Dockerfile.template


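# Build stage: produces static notary-server and notary-signer binaries from an
# upstream checkout at $TAG plus two pinned patches, and leaves them in /.
# NOTE(review): the base image is selected by tag, not by digest, so the
# toolchain contents can change between builds.
FROM golang:1.19-alpine{{ .alpine }} AS build
RUN apk add --no-cache git make
# key=value form; the space-separated "ENV key value" form is legacy syntax.
ENV NOTARYPKG=github.com/theupdateframework/notary
ENV TAG=v{{ .version }}
# Go commands that accept -mod will build from the vendor/ directory.
ENV GOFLAGS=-mod=vendor
WORKDIR /go/src/$NOTARYPKG
RUN set -eux; \
# The source is selected by tag name. A tag is a mutable ref, so unlike the
# cherry-pick below this checkout is not pinned to a commit ID.
# NOTE(review): comparing `git rev-parse HEAD` with a recorded commit ID would
# close that gap. The clone URL uses the theupdateframework org while the links
# below point at notaryproject; confirm it resolves to the intended repository.
git clone -b "$TAG" --depth 1 "https://$NOTARYPKG.git" .; \
# In case the version in the file doesn't match the tag (like in 0.7.0).
# ${TAG//v/} removes every "v" from TAG; this substitution is not POSIX sh, so
# it relies on the image's /bin/sh supporting it.
echo "${TAG//v/}" > NOTARY_VERSION; \
# https://github.com/notaryproject/notary/pull/1635
# The patch is fetched and applied by full commit SHA. The throwaway identity
# is supplied only so that git can create the cherry-pick commit.
git fetch --depth 2 origin efc35b02698644af16f6049c7b585697352451b8; \
git -c user.name=foo -c user.email=foo@example.com cherry-pick -x efc35b02698644af16f6049c7b585697352451b8; \
# https://github.com/notaryproject/notary/issues/1602 (rough cherry-pick of ca095023296d2d710ad9c6dec019397d46bf8576)
# The dependency is pinned to an exact pseudo-version, then vendor/ is
# regenerated so the build (which uses -mod=vendor) picks it up.
go get github.com/dvsekhvalnov/jose2go@v0.0.0-20200901110807-248326c1351b; \
go mod vendor; \
# TODO remove for the next release of Notary (which should include efc35b02698644af16f6049c7b585697352451b8 & ca095023296d2d710ad9c6dec019397d46bf8576)
# Make the version detectable by scanners: append a second -X linker flag that
# also sets version.Version wherever the Makefile sets version.NotaryVersion.
sed -i -r -E 's|(version.NotaryVersion=\$\(NOTARY_VERSION\))|\1 -X $(NOTARY_PKG)/version.Version=$(NOTARY_VERSION)|' Makefile; \
make SKIPENVCHECK=1 PREFIX=. ./bin/static/notary-server ./bin/static/notary-signer; \
# Copy the binaries to / (-L dereferences symlinks) for the runtime stage.
cp -vL ./bin/static/notary-server ./bin/static/notary-signer /; \
# Smoke test: with `set -e` the build fails if either binary cannot run.
/notary-server --version; \
/notary-signer --version;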
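# Runtime stage: a plain Alpine image holding one notary binary (server or
# signer, chosen by env.variant), its JSON config and the entrypoint script.
# The Go toolchain and source tree from the build stage are not carried over.
FROM alpine:{{ .alpine }}
# Dedicated unprivileged account. -D: no password, -H: no home directory,
# -g "": empty GECOS field.
# NOTE(review): no explicit UID is requested, so the numeric UID is whatever
# adduser assigns. Runtimes that verify non-root by numeric UID need one set at
# deploy time.
RUN adduser -D -H -g "" notary
{{ if env.variant == "server" then ( -}}
EXPOSE 4443
{{ ) else ( -}}
EXPOSE 4444
EXPOSE 7899
{{ ) end -}}
# key=value form; the space-separated "ENV key value" form is legacy syntax.
ENV INSTALLDIR=/notary/{{ env.variant }}
# INSTALLDIR is appended to PATH so the exec-form ENTRYPOINT and CMD below can
# name entrypoint.sh and the binary without a path.
ENV PATH=$PATH:${INSTALLDIR}
WORKDIR ${INSTALLDIR}
COPY --from=build /notary-{{ env.variant }} ./
# Smoke test: fail the build if the copied binary does not run in this image.
RUN ./notary-{{ env.variant }} --version
# No --chown is given, so these files stay root-owned. The notary user can read
# and execute them but cannot rewrite its own config or entrypoint.
# NOTE(review): entrypoint.sh gets no chmod here, so it is presumably already
# executable in the build context. Confirm.
COPY ./{{ env.variant }}-config.json .
COPY ./entrypoint.sh .
# Drop root only after every step that needs it; the container runs as notary.
USER notary
# Exec form, so no /bin/sh -c wrapper is started by Docker.
# NOTE(review): entrypoint.sh is not shown here; signal delivery to the service
# depends on how that script hands off to its arguments.
ENTRYPOINT [ "entrypoint.sh" ]
# Default arguments only print the version; deployments override CMD.
CMD [ "notary-{{ env.variant }}", "--version" ]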