From ae885bd714ff3e9d91b72328a9d9865b65a68f01 Mon Sep 17 00:00:00 2001
From: Justin Cormack
Date: Wed, 30 Nov 2016 09:14:09 +0000
Subject: [PATCH] Use DOCKER_CONTENT_TRUST=1 when pulling library images
When building the base images always test signatures. This will be the default at some point. Add a test that content trust is working.
Signed-off-by: Justin Cormack
---
 alpine/base/alpine-aws/Makefile | 2 +-
 alpine/base/alpine-base/Makefile | 2 +-
 alpine/base/alpine-bios/Makefile | 2 +-
 alpine/base/alpine-build-c/Makefile | 2 +-
 alpine/base/alpine-build-go/Makefile | 2 +-
 alpine/base/alpine-efi/Makefile | 2 +-
 alpine/base/alpine-qemu/Makefile | 2 +-
 alpine/base/check-config/Makefile | 2 +-
 alpine/base/qemu-user-static/Makefile | 2 +-
 alpine/packages/test/usr/bin/mobytest | 2 +-
 10 files changed, 10 insertions(+), 10 deletions(-)
diff --git a/alpine/base/alpine-aws/Makefile b/alpine/base/alpine-aws/Makefile
index 973cbc0bf..024287297 100644
--- a/alpine/base/alpine-aws/Makefile
+++ b/alpine/base/alpine-aws/Makefile
@@ -6,7 +6,7 @@ IMAGE=alpine-aws
 default: push
 hash: Dockerfile
- docker pull $(BASE)
+ DOCKER_CONTENT_TRUST=1 docker pull $(BASE)
 tar cf - $^ | docker build --no-cache -t $(IMAGE):build -
 docker run --rm $(IMAGE):build sh -c '(pip list && cat /lib/apk/db/installed) | sha1sum' | sed 's/ .*//' > hash
diff --git a/alpine/base/alpine-base/Makefile b/alpine/base/alpine-base/Makefile
index 316b04821..0506c4336 100644
--- a/alpine/base/alpine-base/Makefile
+++ b/alpine/base/alpine-base/Makefile
@@ -6,7 +6,7 @@ IMAGE=alpine-base
 default: push
 hash: Dockerfile repositories
- docker pull $(BASE)
+ DOCKER_CONTENT_TRUST=1 docker pull $(BASE)
 tar cf - $^ | docker build --no-cache -t $(IMAGE):build -
 docker run --rm $(IMAGE):build sha1sum /lib/apk/db/installed | sed 's/ .*//' > hash
diff --git a/alpine/base/alpine-bios/Makefile b/alpine/base/alpine-bios/Makefile
index 1eefe51a2..935a26fc8 100644
--- a/alpine/base/alpine-bios/Makefile
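Review bot: In the `hash` recipe of alpine/base/alpine-aws/Makefile only the `docker pull $(BASE)` line runs with `DOCKER_CONTENT_TRUST=1`; the `docker build --no-cache` on the next line runs without it. The build therefore uses whatever the local tag points to at that moment, and if the Dockerfile's FROM (not visible here) names anything other than `$(BASE)`, that image is never verified. Consider covering the build too, `tar cf - $^ | DOCKER_CONTENT_TRUST=1 docker build --no-cache -t $(IMAGE):build -`, provided every FROM in these Dockerfiles is a signed image. The same applies to the `hash` recipes in the other eight Makefiles of this patch (alpine-base, alpine-bios, alpine-build-c, alpine-build-go, alpine-efi, alpine-qemu, check-config, qemu-user-static). `BASE` and the `push` target are defined outside these hunks.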
+++ b/alpine/base/alpine-bios/Makefile
@@ -6,7 +6,7 @@ IMAGE=alpine-bios
 default: push
 hash:
- docker pull $(BASE)
+ DOCKER_CONTENT_TRUST=1 docker pull $(BASE)
 tar cf - Dockerfile make-iso isolinux.cfg | docker build --no-cache -t $(IMAGE):build -
 docker run --rm $(IMAGE):build sha1sum /lib/apk/db/installed | sed 's/ .*//' > hash
diff --git a/alpine/base/alpine-build-c/Makefile b/alpine/base/alpine-build-c/Makefile
index aec15ca21..aea78a152 100644
--- a/alpine/base/alpine-build-c/Makefile
+++ b/alpine/base/alpine-build-c/Makefile
@@ -6,7 +6,7 @@ IMAGE=alpine-build-c
 default: push
 hash:
- docker pull $(BASE)
+ DOCKER_CONTENT_TRUST=1 docker pull $(BASE)
 tar cf - Dockerfile | docker build --no-cache -t $(IMAGE):build -
 docker run --rm $(IMAGE):build sha1sum /lib/apk/db/installed | sed 's/ .*//' > hash
diff --git a/alpine/base/alpine-build-go/Makefile b/alpine/base/alpine-build-go/Makefile
index b2d7495cb..68a3fc878 100644
--- a/alpine/base/alpine-build-go/Makefile
+++ b/alpine/base/alpine-build-go/Makefile
@@ -6,7 +6,7 @@ IMAGE=alpine-build-go
 default: push
 hash:
- docker pull $(BASE)
+ DOCKER_CONTENT_TRUST=1 docker pull $(BASE)
 tar cf - Dockerfile | docker build --no-cache -t $(IMAGE):build -
 docker run $(IMAGE):build sh -c 'cat /usr/local/go/bin/go /lib/apk/db/installed | sha1sum' | sed 's/ .*//' > hash
diff --git a/alpine/base/alpine-efi/Makefile b/alpine/base/alpine-efi/Makefile
index 6e2d06fd0..d67f14e79 100644
--- a/alpine/base/alpine-efi/Makefile
+++ b/alpine/base/alpine-efi/Makefile
@@ -6,7 +6,7 @@ IMAGE=alpine-efi
 default: push
 hash:
- docker pull $(BASE)
+ DOCKER_CONTENT_TRUST=1 docker pull $(BASE)
 tar cf - Dockerfile | docker build --no-cache -t $(IMAGE):build -
 docker run --rm $(IMAGE):build sha1sum /lib/apk/db/installed | sed 's/ .*//' > hash
diff --git a/alpine/base/alpine-qemu/Makefile b/alpine/base/alpine-qemu/Makefile
index b1e58c318..28fb1ac34 100644
--- a/alpine/base/alpine-qemu/Makefile
+++ b/alpine/base/alpine-qemu/Makefile
@@ -6,7 +6,7 @@ IMAGE=alpine-qemu
 default: push
 hash: Dockerfile repositories
- docker pull $(BASE)
+ DOCKER_CONTENT_TRUST=1 docker pull $(BASE)
 tar cf - $^ | docker build --no-cache -t $(IMAGE):build -
 docker run --rm $(IMAGE):build sha1sum /lib/apk/db/installed | sed 's/ .*//' > hash
diff --git a/alpine/base/check-config/Makefile b/alpine/base/check-config/Makefile
index 90bd789ef..d7ffd9c3c 100644
--- a/alpine/base/check-config/Makefile
+++ b/alpine/base/check-config/Makefile
@@ -6,7 +6,7 @@ IMAGE=check-config
 default: push
 hash:
- docker pull $(BASE)
+ DOCKER_CONTENT_TRUST=1 docker pull $(BASE)
 tar cf - Dockerfile | docker build --no-cache -t $(IMAGE):build -
 docker run --entrypoint=/bin/sh $(IMAGE):build -c 'cat /usr/bin/check-config.sh /lib/apk/db/installed | sha1sum' | sed 's/ .*//' > hash
diff --git a/alpine/base/qemu-user-static/Makefile b/alpine/base/qemu-user-static/Makefile
index 17043b7d5..3af40352e 100644
--- a/alpine/base/qemu-user-static/Makefile
+++ b/alpine/base/qemu-user-static/Makefile
@@ -6,7 +6,7 @@ IMAGE=qemu-user-static
 default: push
 hash: Dockerfile
- docker pull $(BASE)
+ DOCKER_CONTENT_TRUST=1 docker pull $(BASE)
 tar cf - $^ | docker build --no-cache -t $(IMAGE):build -
 docker run --rm $(IMAGE):build sh -c 'apt list --installed 2>/dev/null | sha1sum' | sed 's/ .*//' > hash
diff --git a/alpine/packages/test/usr/bin/mobytest b/alpine/packages/test/usr/bin/mobytest
index db0ace2fb..792ef0069 100755
--- a/alpine/packages/test/usr/bin/mobytest
+++ b/alpine/packages/test/usr/bin/mobytest
@@ -7,7 +7,7 @@ diagnostics
 docker version
 docker info
 docker ps
-docker pull alpine
+DOCKER_CONTENT_TRUST=-1 docker pull alpine
 docker run alpine true
 docker pull armhf/alpine
 docker run armhf/alpine uname -a
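Review bot: In alpine/packages/test/usr/bin/mobytest the added line sets `DOCKER_CONTENT_TRUST=-1`, while the commit subject and all nine Makefiles use `1`; this looks like a typo. As far as I know the Docker CLI treats a value it cannot parse as a boolean as "enabled", so trust is probably still on, but the test then depends on that fallback; `DOCKER_CONTENT_TRUST=1 docker pull alpine` states the intent directly. The test also exercises only the success path, so it would be stronger with a second check that a pull of a known-unsigned image is rejected when the variable is set. The script continues outside this hunk, so whether a failing command aborts it cannot be seen from here.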