Merge pull request #1552 from riyazdf/trust-yaml-docs

Content Trust yaml docs and code improvements
2025-07-21 01:59:07 +00:00 · 2017-04-09 09:53:55 +01:00 · 2017-04-09 09:53:55 +01:00 · f45e7c898f
commit f45e7c898f
parent df22e868c3 b1475d33bc
2 changed files with 20 additions and 3 deletions
--- a/docs/yaml.md
+++ b/docs/yaml.md
@ -35,6 +35,18 @@ These containers are started with `containerd` and are expected to remain runnin
 is not guaranteed, so containers should wait on any resources, such as networking, that they need.
 For details of the config for each container, see below.

+## `trust`
+
+This section specifies which build components are to be cryptographically verified with
+[Docker Content Trust](https://docs.docker.com/engine/security/trust/content_trust/) prior to pulling.
+Trust is a central concern in any build system, and Moby's is no exception: Docker Content Trust provides authenticity,
+integrity, and freshness guarantees for the components it verifies.  The Moby maintainers are responsible for signing
+`mobylinux` components, though collaborators can sign their own images with Docker Content Trust or [Notary](https://github.com/docker/notary).
+
+- `image` lists which individual images to enforce pulling with Docker Content Trust.
+The image name may include tag or digest, but the matching also succeeds if the base image name is the same.
+- `org` lists which organizations for which Docker Content Trust is to be enforced across all images (ex: `mobylinux` is the org for `mobylinux/kernel`)
+
 ## `output`

 This section specifies the output formats that are created. Files are created with the base name of
--- a/src/cmd/moby/build.go
+++ b/src/cmd/moby/build.go
@ -52,20 +52,25 @@ func initrdAppend(iw *initrd.Writer, r io.Reader) {

 func enforceContentTrust(fullImageName string, config *TrustConfig) bool {
 	for _, img := range config.Image {
-		// First check for an exact tag match
+		// First check for an exact name match
 		if img == fullImageName {
 			return true
 		}
-		// Also check for an image name only match:
+		// Also check for an image name only match
+		// by removing a possible tag (with possibly added digest):
 		if img == strings.TrimSuffix(fullImageName, ":") {
 			return true
 		}
+		// and by removing a possible digest:
+		if img == strings.TrimSuffix(fullImageName, "@sha256:") {
+			return true
+		}
 	}

 	for _, org := range config.Org {
 		if strings.HasPrefix(fullImageName, org+"/") {
+			return true
 		}
-		return true
 	}
 	return false
 }