From bd2211b645c98b32a26b5c4d63068ff8de9111fd Mon Sep 17 00:00:00 2001
From: Riyaz Faizullabhoy <riyaz.faizullabhoy@docker.com>
Date: Sat, 8 Apr 2017 17:25:18 -0700
Subject: [PATCH] trust: clean up logic for digests and orgs

Signed-off-by: Riyaz Faizullabhoy <riyaz.faizullabhoy@docker.com>
---
 src/cmd/moby/build.go | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/src/cmd/moby/build.go b/src/cmd/moby/build.go
index ed3d887f7..de6f49bf3 100644
--- a/src/cmd/moby/build.go
+++ b/src/cmd/moby/build.go
@@ -52,20 +52,25 @@ func initrdAppend(iw *initrd.Writer, r io.Reader) {
 
 func enforceContentTrust(fullImageName string, config *TrustConfig) bool {
 	for _, img := range config.Image {
-		// First check for an exact tag match
+		// First check for an exact name match
 		if img == fullImageName {
 			return true
 		}
-		// Also check for an image name only match:
+		// Also check for an image name only match
+		// by removing a possible tag (with possibly added digest):
 		if img == strings.TrimSuffix(fullImageName, ":") {
 			return true
 		}
+		// and by removing a possible digest:
+		if img == strings.TrimSuffix(fullImageName, "@sha256:") {
+			return true
+		}
 	}
 
 	for _, org := range config.Org {
 		if strings.HasPrefix(fullImageName, org+"/") {
+			return true
 		}
-		return true
 	}
 	return false
 }