diff --git a/graph/pull.go b/graph/pull.go index 6129ea39a1..d8d045e7a8 100644 --- a/graph/pull.go +++ b/graph/pull.go @@ -428,10 +428,11 @@ func (s *TagStore) pullV2Tag(eng *engine.Engine, r *registry.Session, out io.Wri } if verified { - out.Write(sf.FormatStatus(repoInfo.CanonicalName+":"+tag, "The image you are pulling has been verified")) + log.Printf("Image manifest for %s:%s has been verified", repoInfo.CanonicalName, tag) } else { out.Write(sf.FormatStatus(tag, "Pulling from %s", repoInfo.CanonicalName)) } + downloads := make([]downloadInfo, len(manifest.FSLayers)) for i := len(manifest.FSLayers) - 1; i >= 0; i-- { @@ -553,6 +554,8 @@ func (s *TagStore) pullV2Tag(eng *engine.Engine, r *registry.Session, out io.Wri } + out.Write(sf.FormatStatus(repoInfo.CanonicalName+":"+tag, "The image you are pulling has been verified - This is a tech preview, don't rely on it for security yet.")) + if err = s.Set(repoInfo.LocalName, tag, downloads[0].img.ID, true); err != nil { return false, err } diff --git a/integration-cli/docker_cli_pull_test.go b/integration-cli/docker_cli_pull_test.go index 7649688583..29471954ac 100644 --- a/integration-cli/docker_cli_pull_test.go +++ b/integration-cli/docker_cli_pull_test.go @@ -53,6 +53,44 @@ func TestPullImageWithAliases(t *testing.T) { logDone("pull - image with aliases") } +// pulling busybox should show verified message +func TestPullVerified(t *testing.T) { + defer setupRegistry(t)() + + repo := fmt.Sprintf("%v/dockercli/busybox:verified", privateRegistryURL) + defer deleteImages(repo) + + // tag the image + if out, _, err := runCommandWithOutput(exec.Command(dockerBinary, "tag", "busybox", repo)); err != nil { + t.Fatalf("Failed to tag image verifiedTest: error %v, output %q", err, out) + } + + // push it + if out, err := exec.Command(dockerBinary, "push", repo).CombinedOutput(); err != nil { + t.Fatalf("Failed to push image %v: error %v, output %q", err, string(out)) + } + + // remove it locally + if out, err := exec.Command(dockerBinary, "rmi", repo).CombinedOutput(); err != nil { + t.Fatalf("Failed to clean images: error %v, output %q", err, string(out)) + } + + // pull it + expected := "The image you are pulling has been verified" + pullCmd := exec.Command(dockerBinary, "pull", repo) + if out, _, err := runCommandWithOutput(pullCmd); err != nil || !strings.Contains(out, expected) { + t.Fatalf("pulling a verified image failed. expected: %s\ngot: %s, %v", expected, out, err) + } + + // pull it again + pullCmd = exec.Command(dockerBinary, "pull", repo) + if out, _, err := runCommandWithOutput(pullCmd); err != nil || !strings.Contains(out, expected) { + t.Fatalf("pulling a verified image failed. expected: %s\ngot: %s, %v", expected, out, err) + } + + logDone("pull - pull verified") +} + // pulling an image from the central registry should work func TestPullImageFromCentralRegistry(t *testing.T) { pullCmd := exec.Command(dockerBinary, "pull", "hello-world")