From 38ad84bfbd97bbf8afb05a546df606ba8d4d1f48 Mon Sep 17 00:00:00 2001
From: Riyaz Faizullabhoy
Date: Wed, 26 Apr 2017 14:06:25 -0700
Subject: [PATCH] pull base images with content trust for binfmt, rngd, tini, toybox-media

Signed-off-by: Riyaz Faizullabhoy
---
 Makefile                    | 4 +++-
 pkg/binfmt/Makefile         | 4 +++-
 pkg/init/Makefile           | 1 +
 pkg/rngd/Makefile           | 5 ++++-
 tools/tini/Makefile         | 2 ++
 tools/toybox-media/Makefile | 2 ++
 6 files changed, 15 insertions(+), 3 deletions(-)

diff --git a/Makefile b/Makefile
index aff90238d..fcdc6005a 100644
--- a/Makefile
+++ b/Makefile
@@ -18,6 +18,7 @@ endif
 PREFIX?=/usr/local/
 
 bin/moby: | bin
+	DOCKER_CONTENT_TRUST=1 docker pull $(GO_COMPILE)
 	DOCKER_CONTENT_TRUST=1 docker run --rm --log-driver=none $(CROSS) $(GO_COMPILE) --clone-path github.com/moby/tool --clone https://github.com/moby/tool.git --package github.com/moby/tool/cmd/moby --ldflags "-X main.GitCommit=$(GIT_COMMIT) -X main.Version=$(VERSION)" -o $@ > tmp_moby_bin.tar
 	tar xf tmp_moby_bin.tar > $@
 	rm tmp_moby_bin.tar
@@ -25,7 +26,8 @@ bin/moby: | bin
 LINUXKIT_DEPS=$(wildcard src/cmd/linuxkit/*.go) Makefile vendor.conf
 
 bin/linuxkit: $(LINUXKIT_DEPS) | bin
-	tar cf - vendor -C src/cmd/linuxkit . | DOCKER_CONTENT_TRUST=1 docker run --rm --net=none --log-driver=none -i $(CROSS) $(GO_COMPILE) --package github.com/linuxkit/linuxkit --ldflags "-X main.GitCommit=$(GIT_COMMIT) -X main.Version=$(VERSION)" -o $@ > tmp_linuxkit_bin.tar
+	DOCKER_CONTENT_TRUST=1 docker pull $(GO_COMPILE)
+	tar cf - vendor -C src/cmd/linuxkit . | docker run --rm --net=none --log-driver=none -i $(CROSS) $(GO_COMPILE) --package github.com/linuxkit/linuxkit --ldflags "-X main.GitCommit=$(GIT_COMMIT) -X main.Version=$(VERSION)" -o $@ > tmp_linuxkit_bin.tar
 	tar xf tmp_linuxkit_bin.tar > $@
 	rm tmp_linuxkit_bin.tar
 	touch $@
diff --git a/pkg/binfmt/Makefile b/pkg/binfmt/Makefile
index c9ce6d9ab..4d40a4371 100644
--- a/pkg/binfmt/Makefile
+++ b/pkg/binfmt/Makefile
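Review bot: The new `bin/linuxkit` recipe drops `DOCKER_CONTENT_TRUST=1` from the `docker run` line, while `bin/moby` in the hunk above keeps it on both the pull and the run. A trusted pull followed by an untrusted run means the run uses whatever image the local tag `$(GO_COMPILE)` points to at that moment, so the verification only holds if nothing retags it between the two lines; with content trust on `docker run` the tag is resolved to the signed digest at run time as well, which closes that gap at no cost. Unless the piped `-i` invocation has a known problem with content trust, keep the two recipes consistent: `tar cf - vendor -C src/cmd/linuxkit . | DOCKER_CONTENT_TRUST=1 docker run --rm --net=none --log-driver=none -i $(CROSS) $(GO_COMPILE) …`. If the separate pull is meant to be the single trust point, say so in a comment on the pull line so a later edit does not quietly drop it.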
@@ -2,6 +2,7 @@ default: push
 
 
 IMAGE=binfmt
+BASE=alpine:edge
 SHA_IMAGE=alpine:3.5@sha256:dfbd4a3a8ebca874ebd2474f044a0b33600d4523d03b0df76e5c5986cb02d7e8
 DEPS=Dockerfile Makefile main.go $(wildcard etc/binmft.d/*)
 
@@ -14,7 +15,8 @@ hash: $(DEPS)
 
 tag: hash
 	docker pull linuxkit/$(IMAGE):$(shell cat hash) || \
-	(docker build --no-cache -t $(IMAGE):build . && \
+	(DOCKER_CONTENT_TRUST=1 docker pull $(BASE) && \
+	docker build --no-cache -t $(IMAGE):build . && \
 	docker tag $(IMAGE):build linuxkit/$(IMAGE):$(shell cat hash))
 
 push: tag
diff --git a/pkg/init/Makefile b/pkg/init/Makefile
index a57dde9bf..912ae1817 100644
--- a/pkg/init/Makefile
+++ b/pkg/init/Makefile
@@ -5,6 +5,7 @@ default: push
 
 $(START_STOP_DAEMON): start-stop-daemon.c
 	mkdir -p $(dir $@)
+	DOCKER_CONTENT_TRUST=1 docker pull $(C_COMPILE)
 	tar cf - $^ | DOCKER_CONTENT_TRUST=1 docker run --rm --net=none --log-driver=none -i $(C_COMPILE) -o $@ | tar xf -
 
 .PHONY: tag push
diff --git a/pkg/rngd/Makefile b/pkg/rngd/Makefile
index 9f703133b..b5f47d6d3 100644
--- a/pkg/rngd/Makefile
+++ b/pkg/rngd/Makefile
@@ -2,6 +2,7 @@ default: push
 
 
 IMAGE=rngd
+BASE=linuxkit/c-compile:f52f485825c890d581e82a62af6906c1d33d8e5d
 SHA_IMAGE=alpine:3.5@sha256:dfbd4a3a8ebca874ebd2474f044a0b33600d4523d03b0df76e5c5986cb02d7e8
 DEPS=Dockerfile Makefile
 
@@ -9,8 +10,10 @@ hash: $(DEPS)
 	find $^ -type f | xargs cat | docker run --rm -i $(SHA_IMAGE) sha1sum - | sed 's/ .*//' > hash
 
 tag: hash
+	DOCKER_CONTENT_TRUST=1 docker pull $(BASE)
 	docker pull linuxkit/$(IMAGE):$(shell cat hash) || \
-	(docker build --no-cache -t $(IMAGE):build . && \
+	(DOCKER_CONTENT_TRUST=1 docker pull $(BASE) && \
+	docker build --no-cache -t $(IMAGE):build . && \
 	docker tag $(IMAGE):build linuxkit/$(IMAGE):$(shell cat hash))
 
 push: tag
diff --git a/tools/tini/Makefile b/tools/tini/Makefile
index ea5059185..fbf91530e 100644
--- a/tools/tini/Makefile
+++ b/tools/tini/Makefile
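Review bot: `BASE=alpine:edge` duplicates the base image that the `docker build` in the `tag:` recipe actually consumes — the `FROM` in the Dockerfile — and nothing ties the two together, so if they differ, or the Dockerfile is later changed, the content-trust pull verifies an image the build never uses (the Dockerfile is not in this patch; presumably its `FROM` is `alpine:edge`). Either record the coupling next to the variable, `BASE=alpine:edge # must match FROM in Dockerfile`, or derive it from the single source, `BASE:=$(shell awk '/^FROM/ {print $$2; exit}' Dockerfile)`. Note also that `edge` is a rolling tag: content trust confirms each pull is signed, but the `hash` that gates the rebuild is computed only over `$(DEPS)`, so a newer signed `alpine:edge` does not by itself cause a rebuild.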
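Review bot: The added `DOCKER_CONTENT_TRUST=1 docker pull $(C_COMPILE)` line in `pkg/init/Makefile` does more than warm the cache and deserves a comment saying so: on the next line `docker run` sits in the middle of a pipeline whose exit status, under make's default `/bin/sh`, is that of the trailing `tar xf -`, so a failed trust check on the piped run may be masked (tar reading an empty stream), whereas a failure of the standalone pull stops the recipe. Suggest `# pull separately: a failed trust check here fails the recipe; the piped run below has its status masked by tar`. `C_COMPILE` is defined outside this hunk.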
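Review bot: In `pkg/rngd/Makefile` `DOCKER_CONTENT_TRUST=1 docker pull $(BASE)` now runs twice in the `tag:` recipe — once unconditionally on the first added line and again inside the `|| ( … )` fallback. The unconditional one also pulls the c-compile image even when the prebuilt `linuxkit/$(IMAGE):<hash>` exists and no build happens, so it is both redundant and extra registry traffic on every `make tag`. Drop the first added line and keep the one in the fallback, which matches the `pkg/binfmt/Makefile` change in this same patch.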
@@ -2,10 +2,12 @@ default: push
 
 
 IMAGE=tini
+BASE=linuxkit/c-compile:f52f485825c890d581e82a62af6906c1d33d8e5d
 SHA_IMAGE=alpine:3.5@sha256:dfbd4a3a8ebca874ebd2474f044a0b33600d4523d03b0df76e5c5986cb02d7e8
 DEPS=Dockerfile Makefile
 
 hash: $(DEPS)
+	DOCKER_CONTENT_TRUST=1 docker pull $(BASE)
 	find $^ -type f | xargs cat | docker run --rm -i $(SHA_IMAGE) sha1sum - | sed 's/ .*//' > hash
 
 tag: hash
diff --git a/tools/toybox-media/Makefile b/tools/toybox-media/Makefile
index d79af0ac8..07f8bfa7c 100644
--- a/tools/toybox-media/Makefile
+++ b/tools/toybox-media/Makefile
@@ -2,10 +2,12 @@ default: push
 
 
 IMAGE=toybox-media
+BASE=linuxkit/c-compile:f52f485825c890d581e82a62af6906c1d33d8e5d
 SHA_IMAGE=alpine:3.5@sha256:dfbd4a3a8ebca874ebd2474f044a0b33600d4523d03b0df76e5c5986cb02d7e8
 DEPS=Dockerfile Makefile
 
 hash: $(DEPS)
+	DOCKER_CONTENT_TRUST=1 docker pull $(BASE)
 	find $^ -type f | xargs cat | docker run --rm -i $(SHA_IMAGE) sha1sum - | sed 's/ .*//' > hash
 
 tag: hash
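Review bot: In `tools/tini/Makefile` (and identically in `tools/toybox-media/Makefile` below) the trusted pull of `$(BASE)` is attached to the `hash:` recipe rather than to `tag:`, where `docker build` consumes the base image — unlike the binfmt and rngd changes in this same patch. Because `hash` is a real file target (the recipe ends in `> hash`), a tree whose `hash` is already up to date skips that recipe entirely, and `make tag`/`make push` then builds against whatever local image is tagged `$(BASE)` without ever verifying it; conversely `make hash` now needs registry access just to checksum local files. Move the line into the `tag:` fallback, `(DOCKER_CONTENT_TRUST=1 docker pull $(BASE) && \` immediately before `docker build`; the `tag:` recipe itself lies outside this hunk.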