Support content trust images and pull with authentication

Contact the notary server if ```--verify``` is specified (or `verify: true` is enabled on the repo config) and verify if the image is signed, use the returned value to pull the verified image.
2025-09-16 07:10:29 +00:00 · 2021-03-11 17:04:26 +01:00
parent caa1cfad5c
commit 0028dd3a92
12 changed files with 237 additions and 23 deletions
--- a/pkg/installer/client/docker.go
+++ b/pkg/installer/client/docker.go
@@ -16,11 +16,13 @@
 package client

 import (
+	"encoding/json"
 	"fmt"
 	"os"
 	"path"
 	"path/filepath"

+	"github.com/docker/docker/api/types"
 	"github.com/docker/go-units"
 	"github.com/pkg/errors"

@@ -32,10 +34,17 @@ import (

 type DockerClient struct {
 	RepoData RepoData
+	auth     *types.AuthConfig
+	verify   bool
 }

 func NewDockerClient(r RepoData) *DockerClient {
-	return &DockerClient{RepoData: r}
+	auth := &types.AuthConfig{}
+
+	dat, _ := json.Marshal(r.Authentication)
+	json.Unmarshal(dat, auth)
+
+	return &DockerClient{RepoData: r, auth: auth}
 }

 func (c *DockerClient) DownloadArtifact(artifact compiler.Artifact) (compiler.Artifact, error) {
@@ -88,7 +97,7 @@ func (c *DockerClient) DownloadArtifact(artifact compiler.Artifact) (compiler.Ar
 			}

 			// imageName := fmt.Sprintf("%s/%s", uri, artifact.GetCompileSpec().GetPackage().GetPackageImageName())
-			info, err := helpers.DownloadAndExtractDockerImage(contentstore, imageName, temp)
+			info, err := helpers.DownloadAndExtractDockerImage(contentstore, imageName, temp, c.auth, c.RepoData.Verify)
 			if err != nil {
 				Debug("Failed download of image", imageName)
 				continue
@@ -151,7 +160,7 @@ func (c *DockerClient) DownloadFile(name string) (string, error) {
 		imageName := fmt.Sprintf("%s:%s", uri, name)
 		Info("Downloading", imageName)

-		info, err := helpers.DownloadAndExtractDockerImage(contentstore, imageName, temp)
+		info, err := helpers.DownloadAndExtractDockerImage(contentstore, imageName, temp, c.auth, c.RepoData.Verify)
 		if err != nil {
 			Debug("Failed download of image", imageName)
 			continue
--- a/pkg/installer/client/interface.go
+++ b/pkg/installer/client/interface.go
@@ -18,4 +18,5 @@ package client
 type RepoData struct {
 	Urls           []string
 	Authentication map[string]string
+	Verify         bool
 }
--- a/pkg/installer/repository.go
+++ b/pkg/installer/repository.go
@@ -81,6 +81,7 @@ type LuetSystemRepositorySerialized struct {
 	TreePath        string                        `json:"treepath"`
 	MetaPath        string                        `json:"metapath"`
 	RepositoryFiles map[string]LuetRepositoryFile `json:"repo_files"`
+	Verify          bool                          `json:"verify"`
 }

 type LuetSystemRepositoryMetadata struct {
@@ -274,19 +275,22 @@ func NewLuetSystemRepositoryFromYaml(data []byte, db pkg.PackageDatabase) (Repos
 	if err != nil {
 		return nil, err
 	}
+	repo := config.NewLuetRepository(
+		p.Name,
+		p.Type,
+		p.Description,
+		p.Urls,
+		p.Priority,
+		true,
+		false,
+	)
+	repo.Verify = p.Verify

 	r := &LuetSystemRepository{
-		LuetRepository: config.NewLuetRepository(
-			p.Name,
-			p.Type,
-			p.Description,
-			p.Urls,
-			p.Priority,
-			true,
-			false,
-		),
+		LuetRepository:  repo,
 		RepositoryFiles: p.RepositoryFiles,
 	}
+
 	if p.Revision > 0 {
 		r.Revision = p.Revision
 	}
@@ -896,6 +900,7 @@ func (r *LuetSystemRepository) Client() Client {
 			client.RepoData{
 				Urls:           r.GetUrls(),
 				Authentication: r.GetAuthentication(),
+				Verify:         r.Verify,
 			})
 	}
 	return nil