From 6088df20c33afafa523b9dd9b0acdd3b987c4534 Mon Sep 17 00:00:00 2001 From: Derek McGowan Date: Thu, 5 Feb 2015 17:46:55 -0800 Subject: [PATCH] Update verification message logic Only show the verification message if all the tarsum checks pass and the image manifest is verified. No longer return an error when a tarsum verification fails, just reset the verification flag. Tarsum verification is less meaningful without a verified manifest and therefore it should not cause an error. Updated the verified image test to pull an image which expected to have a verified manifest and contents. Signed-off-by: Derek McGowan (github: dmcgowan)
---
 graph/pull.go | 10 +++--- integration-cli/docker_cli_events_test.go | 3 ++ integration-cli/docker_cli_pull_test.go | 42 ++++++++++------------- 3 files changed, 27 insertions(+), 28 deletions(-)
diff --git a/graph/pull.go b/graph/pull.go
index fd6170b571..e80f116f1d 100644
--- a/graph/pull.go
+++ b/graph/pull.go
@@ -431,9 +431,8 @@ func (s *TagStore) pullV2Tag(eng *engine.Engine, r *registry.Session, out io.Wri
 if verified {
 log.Printf("Image manifest for %s:%s has been verified", repoInfo.CanonicalName, tag)
- } else {
- out.Write(sf.FormatStatus(tag, "Pulling from %s", repoInfo.CanonicalName))
 }
+ out.Write(sf.FormatStatus(tag, "Pulling from %s", repoInfo.CanonicalName))
 downloads := make([]downloadInfo, len(manifest.FSLayers))
@@ -497,7 +496,8 @@ func (s *TagStore) pullV2Tag(eng *engine.Engine, r *registry.Session, out io.Wri
 out.Write(sf.FormatProgress(utils.TruncateID(img.ID), "Verifying Checksum", nil))
 if finalChecksum := tarSumReader.Sum(nil); !strings.EqualFold(finalChecksum, sumStr) {
- return fmt.Errorf("image verification failed: checksum mismatch - expected %q but got %q", sumStr, finalChecksum)
+ log.Infof("Image verification failed: checksum mismatch - expected %q but got %q", sumStr, finalChecksum)
+ verified = false
 }
 out.Write(sf.FormatProgress(utils.TruncateID(img.ID), "Download complete", nil))
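Review bot: In the `@@ -497` hunk, a layer whose tarsum does not match `sumStr` is now only logged at info level and the pull continues to "Download complete", so content that differs from what the manifest names is still kept and later tagged by the `s.Set` call visible in the `@@ -556` hunk. When the manifest itself was verified, a mismatch means the layer is not the one the manifest describes and the pull should still fail closed; keep the manifest result in its own variable (the name here is only a suggestion) and use `if manifestVerified { return fmt.Errorf("image verification failed: checksum mismatch - expected %q but got %q", sumStr, finalChecksum) }` ahead of the log-and-reset path. For the unverified case, log above info level and include `img.ID` so the event can be found and alerted on. The enclosing function body lies outside the hunk; if this comparison runs in a per-layer goroutine, the plain `verified = false` write also needs synchronisation.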
@@ -556,7 +556,9 @@ func (s *TagStore) pullV2Tag(eng *engine.Engine, r *registry.Session, out io.Wri
 }
- out.Write(sf.FormatStatus(repoInfo.CanonicalName+":"+tag, "The image you are pulling has been verified. Important: image verification is a tech preview feature and should not be relied on to provide security."))
+ if verified && layersDownloaded {
+ out.Write(sf.FormatStatus(repoInfo.CanonicalName+":"+tag, "The image you are pulling has been verified. Important: image verification is a tech preview feature and should not be relied on to provide security."))
+ }
 if err = s.Set(repoInfo.LocalName, tag, downloads[0].img.ID, true); err != nil {
 return false, err
diff --git a/integration-cli/docker_cli_events_test.go b/integration-cli/docker_cli_events_test.go
index 322d622b55..ce824a600e 100644
--- a/integration-cli/docker_cli_events_test.go
+++ b/integration-cli/docker_cli_events_test.go
@@ -180,6 +180,9 @@ func TestEventsImageUntagDelete(t *testing.T) {
 func TestEventsImagePull(t *testing.T) {
 since := time.Now().Unix()
+
+ defer deleteImages("hello-world")
+
 pullCmd := exec.Command(dockerBinary, "pull", "hello-world")
 if out, _, err := runCommandWithOutput(pullCmd); err != nil {
 t.Fatalf("pulling the hello-world image from has failed: %s, %v", out, err)
diff --git a/integration-cli/docker_cli_pull_test.go b/integration-cli/docker_cli_pull_test.go
index 041a914d9e..926e763434 100644
--- a/integration-cli/docker_cli_pull_test.go
+++ b/integration-cli/docker_cli_pull_test.go
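Review bot: The `if verified && layersDownloaded` guard in the `@@ -556` hunk is undocumented, and when it is false the client sees nothing, so a pull that hit a checksum mismatch looks the same as a pull of an image that was already present. A comment above the condition would help, for example `// Only announce verification when the manifest verified and layers were fetched and checksummed in this pull.`; `layersDownloaded` is set outside the hunk, so confirm that wording against its assignment. Since `s.Set` on the following line tags the image whatever `verified` holds, consider also writing a status line on `out` when a checksum mismatch cleared the flag, so the condition is visible to the person pulling and not only in the daemon log.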
@@ -53,39 +53,31 @@ func TestPullImageWithAliases(t *testing.T) {
 logDone("pull - image with aliases")
 }
-// pulling busybox should show verified message
+// pulling library/hello-world should show verified message
 func TestPullVerified(t *testing.T) {
- defer setupRegistry(t)()
+ // Image must be pulled from central repository to get verified message
+ // unless keychain is manually updated to contain the daemon's sign key.
- repo := fmt.Sprintf("%v/dockercli/busybox:verified", privateRegistryURL)
- defer deleteImages(repo)
-
- // tag the image
- if out, _, err := runCommandWithOutput(exec.Command(dockerBinary, "tag", "busybox", repo)); err != nil {
- t.Fatalf("Failed to tag image verifiedTest: error %v, output %q", err, out)
- }
-
- // push it
- if out, err := exec.Command(dockerBinary, "push", repo).CombinedOutput(); err != nil {
- t.Fatalf("Failed to push image %v: error %v, output %q", repo, err, string(out))
- }
-
- // remove it locally
- if out, err := exec.Command(dockerBinary, "rmi", repo).CombinedOutput(); err != nil {
- t.Fatalf("Failed to clean images: error %v, output %q", err, string(out))
- }
+ verifiedName := "hello-world"
+ defer deleteImages(verifiedName)
 // pull it
 expected := "The image you are pulling has been verified"
- pullCmd := exec.Command(dockerBinary, "pull", repo)
- if out, _, err := runCommandWithOutput(pullCmd); err != nil || !strings.Contains(out, expected) {
+ pullCmd := exec.Command(dockerBinary, "pull", verifiedName)
+ if out, exitCode, err := runCommandWithOutput(pullCmd); err != nil || !strings.Contains(out, expected) {
+ if err != nil || exitCode != 0 {
+ t.Skipf("pulling the '%s' image from the registry has failed: %s", verifiedName, err)
+ }
 t.Fatalf("pulling a verified image failed. expected: %s\ngot: %s, %v", expected, out, err)
 }
 // pull it again
- pullCmd = exec.Command(dockerBinary, "pull", repo)
- if out, _, err := runCommandWithOutput(pullCmd); err != nil || !strings.Contains(out, expected) {
- t.Fatalf("pulling a verified image failed. expected: %s\ngot: %s, %v", expected, out, err)
+ pullCmd = exec.Command(dockerBinary, "pull", verifiedName)
+ if out, exitCode, err := runCommandWithOutput(pullCmd); err != nil || strings.Contains(out, expected) {
+ if err != nil || exitCode != 0 {
+ t.Skipf("pulling the '%s' image from the registry has failed: %s", verifiedName, err)
+ }
+ t.Fatalf("pulling a verified image failed. unexpected verify message\ngot: %s, %v", out, err)
 }
 logDone("pull - pull verified")
@@ -93,6 +85,8 @@ func TestPullVerified(t *testing.T) {
 // pulling an image from the central registry should work
 func TestPullImageFromCentralRegistry(t *testing.T) {
+ defer deleteImages("hello-world")
+
 pullCmd := exec.Command(dockerBinary, "pull", "hello-world")
 if out, _, err := runCommandWithOutput(pullCmd); err != nil {
 t.Fatalf("pulling the hello-world image from the registry has failed: %s, %v", out, err)
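Review bot: Both new `t.Skipf` branches in `TestPullVerified` fire on any `err != nil || exitCode != 0`, so a pull that fails because of a regression in the verification path is reported as a skip, not a failure, and the only test covering the verified banner can go quiet unnoticed. Skip only when the registry is known to be unreachable, and put the command output in the message so the cause is visible: `t.Skipf("pulling the '%s' image from the registry has failed: %s, %v", verifiedName, out, err)`. Nothing in this hunk exercises a layer whose checksum does not match, which is the behaviour the graph/pull.go change alters, so that path lands untested. The second pull's assertion that the banner is absent would benefit from a one-line comment explaining that no layers are downloaded the second time.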