trust: clean up logic for digests and orgs

Signed-off-by: Riyaz Faizullabhoy <riyaz.faizullabhoy@docker.com>
2025-10-31 01:37:42 +00:00 · 2017-04-08 17:25:18 -07:00
parent f9c4c30142
commit 7f79de1b6f
1 changed files with 8 additions and 3 deletions
--- a/src/cmd/moby/build.go
+++ b/src/cmd/moby/build.go
@@ -52,20 +52,25 @@ func initrdAppend(iw *initrd.Writer, r io.Reader) {

 func enforceContentTrust(fullImageName string, config *TrustConfig) bool {
 	for _, img := range config.Image {
-		// First check for an exact tag match
+		// First check for an exact name match
 		if img == fullImageName {
 			return true
 		}
-		// Also check for an image name only match:
+		// Also check for an image name only match
+		// by removing a possible tag (with possibly added digest):
 		if img == strings.TrimSuffix(fullImageName, ":") {
 			return true
 		}
+		// and by removing a possible digest:
+		if img == strings.TrimSuffix(fullImageName, "@sha256:") {
+			return true
+		}
 	}

 	for _, org := range config.Org {
 		if strings.HasPrefix(fullImageName, org+"/") {
+			return true
 		}
-		return true
 	}
 	return false
 }