
Releases: estesp/manifest-tool

manifest-tool 2.1.8

11 Oct 17:52
v2.1.8
4487583

Welcome to the v2.1.8 release of manifest-tool!

This is a small release that captures vendor updates and Go toolchain updates that fix various CVEs. This release also
includes a new capability to inspect via sha256 hash instead of tag, implemented in #266.

The alpine-based images are refreshed to the latest release of Alpine Linux, 3.20.3. The Google Container Registry helper
in the alpine-based images has also been updated to v2 from v1.

Please report bugs to the issue tracker at https://github.com/estesp/manifest-tool/issues.

manifest-tool 2.1.7

02 Jul 20:35
v2.1.7
51f8b03

Welcome to the v2.1.7 release of manifest-tool!

This is a small release that captures vendor updates and Go toolchain updates that fix various CVEs. The alpine images are also refreshed to the latest release of Alpine Linux 3.19.2.


manifest-tool 2.1.6

14 Mar 14:47
v2.1.6
d96ae95

Welcome to the v2.1.6 release of manifest-tool!

This is a small release that captures vendor updates and Go toolchain updates that fix various CVEs. The alpine images are also refreshed to the latest release of Alpine Linux 3.19.


manifest-tool 2.1.5

13 Dec 18:33
v2.1.5
29c4cb6

Welcome to the v2.1.5 release of manifest-tool!

The v2.1.5 release adds a fix to bring the build-time version
changes from v2.1.4 into the cross-built binaries that are used
for the release tarball.

Also, the Go version used for CI and release builds was
updated to v1.21.5 and the vendoring of containerd was updated
to the latest version in the v1.7 line, v1.7.11.

If you do find bugs, please report them to the GitHub issue tracker
for manifest-tool.


manifest-tool 2.1.4

05 Dec 20:10
v2.1.4
1713717

Welcome to the v2.1.4 release of manifest-tool!

The v2.1.4 release includes a fix that should allow it to be
vendored by other projects with a more recent Docker version
and work properly.

This is also the first release where the version hardcoding is
removed and the release scripts/Makefile will properly set the
version based on the git tag information.

Thanks to @tricktron for a contribution to make versioning
not dependent on my potentially weak memory of what to do
during the release process!

If you do find bugs, please report them to the GitHub issue tracker
for manifest-tool.


manifest-tool 2.1.3

02 Nov 19:23
v2.1.3
d6688c1

Welcome to the v2.1.3 release of manifest-tool!

NOTE: v2.1.3 is a quick re-spin of v2.1.x to handle
a timeout during the GH Actions release script run

The v2.1.3 release includes several new features and is now
dependent on the containerd 1.7.x resolver library and ORAS v2 Go
library, with updated vendoring of the OCI 1.1.0-rc specs. This
enables manifest-tool to include better support for artifacts and
upcoming features in the image and distribution specifications.

The following list highlights some new capabilities:

  • Merging two or more index/image lists into a final target image
  • Related to the above: preserving attestations/artifacts stored
    alongside images in the registry
  • Properly outputting JSON with the use of --raw on inspect
  • Displaying config JSON with an --expand-config option with --raw

Also, the Alpine variant of the manifest-tool image on DockerHub
has been improved with the addition of credential helpers for
GCR, ECR, and ACR.

Thanks to @keg for a contribution that improved the Alpine image
with credential helpers!

If you do find bugs, please report them to the GitHub issue tracker
for manifest-tool.


manifest-tool 2.1.2

02 Nov 19:11
v2.1.2
dccc1e8

Welcome to the v2.1.2 release of manifest-tool!

NOTE: v2.1.2 is a quick re-spin of v2.1.x with fixes for the cross-compilation
of credential helpers in the Alpine variant image on DockerHub

The v2.1.2 release includes several new features and is now
dependent on the containerd 1.7.x resolver library and ORAS v2 Go
library, with updated vendoring of the OCI 1.1.0-rc specs. This
enables manifest-tool to include better support for artifacts and
upcoming features in the image and distribution specifications.

The following list highlights some new capabilities:

  • Merging two or more index/image lists into a final target image
  • Related to the above: preserving attestations/artifacts stored
    alongside images in the registry
  • Properly outputting JSON with the use of --raw on inspect
  • Displaying config JSON with an --expand-config option with --raw

Also, the Alpine variant of the manifest-tool image on DockerHub
has been improved with the addition of credential helpers for
GCR, ECR, and ACR.

Thanks to @keg for a contribution that improved the Alpine image
with credential helpers!

If you do find bugs, please report them to the GitHub issue tracker
for manifest-tool.


manifest-tool 2.1.1

02 Nov 18:28
v2.1.1
56b94e8

Welcome to the v2.1.1 release of manifest-tool!

NOTE: v2.1.1 is a quick re-spin of v2.1.0 with fixes for the cross-compilation
of credential helpers in the Alpine variant image on DockerHub

The v2.1.1 release includes several new features and is now
dependent on the containerd 1.7.x resolver library and ORAS v2 Go
library, with updated vendoring of the OCI 1.1.0-rc specs. This
enables manifest-tool to include better support for artifacts and
upcoming features in the image and distribution specifications.

The following list highlights some new capabilities:

  • Merging two or more index/image lists into a final target image
  • Related to the above: preserving attestations/artifacts stored
    alongside images in the registry
  • Properly outputting JSON with the use of --raw on inspect
  • Displaying config JSON with an --expand-config option with --raw

Also, the Alpine variant of the manifest-tool image on DockerHub
has been improved with the addition of credential helpers for
GCR, ECR, and ACR.

Thanks to @keg for a contribution that improved the Alpine image
with credential helpers!

If you do find bugs, please report them to the GitHub issue tracker
for manifest-tool.


manifest-tool 2.1.0

02 Nov 15:34
v2.1.0
47a9dea

Welcome to the v2.1.0 release of manifest-tool!

The v2.1.0 release includes several new features and is now
dependent on the containerd 1.7.x resolver library and ORAS v2 Go
library, with updated vendoring of the OCI 1.1.0-rc specs. This
enables manifest-tool to include better support for artifacts and
upcoming features in the image and distribution specifications.

The following list highlights some new capabilities:

  • Merging two or more index/image lists into a final target image
  • Related to the above: preserving attestations/artifacts stored
    alongside images in the registry
  • Properly outputting JSON with the use of --raw on inspect
  • Displaying config JSON with an --expand-config option with --raw

Also, the Alpine variant of the manifest-tool image on DockerHub
has been improved with the addition of credential helpers for
GCR, ECR, and ACR.

Thanks to @keg for a contribution that improved the Alpine image
with credential helpers!

If you do find bugs, please report them to the GitHub issue tracker
for manifest-tool.


manifest-tool 2.0.8

03 Mar 21:23
v2.0.8
ec40963

Welcome to the v2.0.8 release of manifest-tool!

v2.0.8 Fix release

The v2.0.8 release has many vendoring updates which mitigate various
CVEs in Go, containerd, and other related dependencies. This release
also moves from the v1 oras library to the v2 oras-go, causing minor
changes to the manifest-tool use of ORAS data structures. With the
removal of the auth package in oras, the auth behavior is migrated to
a simpler implementation in the util package here in manifest-tool.
Docker auth configs and credential helpers are still supported and
have been verified to work properly in this release.

A few minor feature additions to v2.0.8:

  • Attestations created by BuildKit are now visible in the inspect
    command, distinct from layers/blobs. A future release will add the
    ability to properly consume BuildKit index manifests as inputs to
    a multi-platform image. Currently, the check that rejects an index
    as an input prevents this from working properly.
  • You can now add additional tags from the command line. Previously
    this was only possible when using the input YAML format.

Thanks to @neanton and @deitch for their contributions to this
release!

If you do find bugs, please report them to the GitHub issue tracker
for manifest-tool.

v2.0.7 Fix release (BROKEN)

The v2.0.7 release had a significant bug (my fault!) and the actual
changes and additions are reflected above in the v2.0.8 release
notes.

v2.0.6 Fix release

The v2.0.6 release of manifest-tool fixes an early mistake in
the v2 codebase that removed the "type" flag support for handling
push of both OCI and Docker v2 manifests.

In addition to this one bug fix, the Go version has been updated
to 1.19.2, key imports to their latest releases, and the GitHub
Actions worker Linux version moves off the soon-deprecated Ubuntu
18.04 LTS release to 20.04 LTS. This means the Linux release
binaries will be built against an Ubuntu 20.04 base image. This
should not cause issues for downstream users but please open an
issue if you find a runtime error.

v2.0.5 Fix release

The v2.0.5 release of manifest-tool upgrades several Go module
imports to versions that allow for the removal of all the replace
clauses in the v2 go.mod. This allows for cleaner import and
use of manifest-tool from the Go ecosystem.

v2.0.4 Fix release

The v2.0.4 release of manifest-tool includes a new image variant
which is valuable for those who need to use the published images
with other platforms that require a shell inside the image. This
new variant is based on Alpine, and prepends the tag name with
alpine; so mplatform/manifest-tool:alpine will be the latest
release, and mplatform/manifest-tool:alpine-v2.0.4 will retrieve
this specific released version, on top of an Alpine Linux base.

Thanks to Brandon Butler for
contributing the release packaging changes to add this
feature.

This release also updates dependencies to address various CVEs
(although manifest-tool itself was unaffected) and is built
with Go 1.18.

A reported segfault when using --docker-cfg with a file instead
of the expected directory is also fixed via PR #169. Thanks to
Jian Zhang for the bug report.

v2.0.3 Fix release

The v2.0.3 release of manifest-tool includes a single bug fix
for an issue that most regularly occurred when assembling manifest
lists/indexes in a public repository in gcr.io or Quay. Due to
the authentication flow for these registries and an existing bug
in the containerd resolver, a push would fail with "cannot reuse
body" errors. Until containerd has a complete fix for this issue,
v2.0.3 will appropriately push to these registries by retrying
after the authentication challenge (401 Unauthorized) is handled.

v2.0.2 Fix release (FAILED)

Includes the fix mentioned in v2.0.3 but due to a release script
bug did not appropriately publish the release on GitHub.

v2.0.1 Fix release (FAILED)

Includes the fix mentioned in v2.0.3 but due to a release script
bug did not appropriately publish the release on GitHub.

v2.0.0 Release overview

The v2.0.0 release of manifest-tool represents a significant
change to the architecture and implementation of manifest-tool.
Instead of continuing to use the original implementation
for registry interaction (a similar heritage to what became skopeo), the
reworked v2 codebase of manifest-tool uses the resolver/fetcher/pusher
implementation from containerd as a library. It follows the same model (and
reuses some of the code) from ORAS to use
these distribution API capabilities within containerd as a
library, without the need to run or even have containerd installed.

This greatly simplified the codebase of manifest-tool and allowed for
restructuring the code to itself be usable as a library. For example,
the query tool for manifest-lists (estesp/mquery) can now use
these functions directly without running a copy of manifest-tool
separately and parsing the raw output.

In addition to this major rework of the codebase, new features have
been added. The most significant are:

  • OCIv1 image/index support! (see the --type flag)
  • Color output from inspect
  • On average 75% faster inspect performance
  • Built-in credential helper support

A number of small issues have been resolved and the v2 code has been
tested against most public container registries. However, software
being software, I'm sure there are bugs that have not been discovered
in the testing to date.

v1 -> v2 Update

To handle how Go module version support (e.g. go get) works,
since v2.0.0 the code is now located in a /v2 subdirectory.
Because of this, if you are importing manifest-tool you will
need to add /v2 to your go.mod import of manifest-tool
or when using go get to utilize the v2.x codebase.

Reporting Issues

Please report bugs to the issue tracker at https://github.com/estesp/manifest-tool/issues.