Add support for pulling signed images from a version 2 registry. Only official images within the library namespace will be pulled from the new registry and have their build signature checked. Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
package trust
import (
"fmt"
"time"
"github.com/docker/docker/engine"
"github.com/docker/docker/pkg/log"
"github.com/docker/libtrust"
)
// Install registers the trust store's job handlers with eng.
//
// Two jobs are exposed: "trust_key_check" (CmdCheckKey) and
// "trust_update_base" (CmdUpdateBase). The first registration that fails
// is returned with the job name attached; handlers not yet visited at that
// point are left unregistered.
func (t *TrustStore) Install(eng *engine.Engine) error {
	handlers := map[string]engine.Handler{
		"trust_key_check":   t.CmdCheckKey,
		"trust_update_base": t.CmdUpdateBase,
	}
	for jobName, h := range handlers {
		err := eng.Register(jobName, h)
		if err == nil {
			continue
		}
		return fmt.Errorf("Could not register %q: %v", jobName, err)
	}
	return nil
}
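// CmdCheckKey implements the "trust_key_check" job: it reports whether the
// public key supplied in the job environment is trusted for a namespace.
//
// Usage: trust_key_check NAMESPACE
//
// Job environment:
//
//	PublicKey  - required; a JWK-encoded public key (libtrust format).
//	Permission - optional; the permission bits the key must hold on the
//	             namespace. Defaults to 0x03 when unset or not a usable
//	             uint16 value.
//
// The verdict is written to job.Stdout as exactly one of "no graph",
// "not verified", "expired" or "verified". Only usage and parsing problems
// are reported as job errors; a negative trust decision still returns
// StatusOK with the verdict on stdout, so callers must read the output
// rather than rely on the status alone.
func (t *TrustStore) CmdCheckKey(job *engine.Job) engine.Status {
	if n := len(job.Args); n != 1 {
		return job.Errorf("Usage: %s NAMESPACE", job.Name)
	}
	namespace := job.Args[0]

	keyBytes := job.Getenv("PublicKey")
	if keyBytes == "" {
		return job.Errorf("Missing PublicKey")
	}
	pk, err := libtrust.UnmarshalPublicKeyJWK([]byte(keyBytes))
	if err != nil {
		return job.Errorf("Error unmarshalling public key: %s", err)
	}

	// Permission defaults to 0x03 when the job does not supply a usable value.
	// NOTE(review): engine's integer getters are believed to return -1 when
	// the variable is unset or unparsable; a bare uint16(...) conversion of
	// such a value wraps to 0xFFFF and silently bypasses the default —
	// confirm against engine.Env. Range-checking before converting avoids
	// the wrap either way, and also covers values that do not fit in uint16.
	permission := uint16(0x03)
	if p := job.GetenvInt("Permission"); p > 0 && p <= 0xFFFF {
		permission = uint16(p)
	}

	// The graph and its expiration are read together under the read lock so
	// the verdict reflects one consistent snapshot of the store.
	t.RLock()
	defer t.RUnlock()
	if t.graph == nil {
		job.Stdout.Write([]byte("no graph"))
		return engine.StatusOK
	}

	verified, err := t.graph.Verify(pk, namespace, permission)
	if err != nil {
		// Surface the underlying error: without it the caller cannot tell a
		// malformed grant from any other verification failure.
		return job.Errorf("Error verifying key to namespace %s: %s", namespace, err)
	}
	switch {
	case !verified:
		log.Debugf("Verification failed for %s using key %s", namespace, pk.KeyID())
		job.Stdout.Write([]byte("not verified"))
	case t.expiration.Before(time.Now()):
		// The key verifies against the cached graph, but the graph itself is
		// past its expiration, so the positive verdict is not reported as
		// current.
		job.Stdout.Write([]byte("expired"))
	default:
		job.Stdout.Write([]byte("verified"))
	}

	return engine.StatusOK
}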
// CmdUpdateBase implements the "trust_update_base" job. It refreshes the
// store's base trust graph via fetch and always reports StatusOK; the job's
// arguments and environment are not consulted.
func (t *TrustStore) CmdUpdateBase(job *engine.Job) engine.Status {
	// Whatever fetch reports (if anything) is not surfaced to the caller —
	// presumably a best-effort refresh; confirm against fetch.
	t.fetch()

	return engine.StatusOK
}