Update verification message logic
Only show the verification message if all the tarsum checks pass and the image manifest is verified. No longer return an error when a tarsum verification fails, just reset the verification flag. Tarsum verification is less meaningful without a verified manifest and therefore it should not cause an error. Updated the verified image test to pull an image which expected to have a verified manifest and contents. Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
This commit is contained in:
parent
a271eaeba2
commit
6088df20c3
3 changed files with 27 additions and 28 deletions
|
@ -431,9 +431,8 @@ func (s *TagStore) pullV2Tag(eng *engine.Engine, r *registry.Session, out io.Wri
|
|||
|
||||
if verified {
|
||||
log.Printf("Image manifest for %s:%s has been verified", repoInfo.CanonicalName, tag)
|
||||
} else {
|
||||
out.Write(sf.FormatStatus(tag, "Pulling from %s", repoInfo.CanonicalName))
|
||||
}
|
||||
out.Write(sf.FormatStatus(tag, "Pulling from %s", repoInfo.CanonicalName))
|
||||
|
||||
downloads := make([]downloadInfo, len(manifest.FSLayers))
|
||||
|
||||
|
@ -497,7 +496,8 @@ func (s *TagStore) pullV2Tag(eng *engine.Engine, r *registry.Session, out io.Wri
|
|||
out.Write(sf.FormatProgress(utils.TruncateID(img.ID), "Verifying Checksum", nil))
|
||||
|
||||
if finalChecksum := tarSumReader.Sum(nil); !strings.EqualFold(finalChecksum, sumStr) {
|
||||
return fmt.Errorf("image verification failed: checksum mismatch - expected %q but got %q", sumStr, finalChecksum)
|
||||
log.Infof("Image verification failed: checksum mismatch - expected %q but got %q", sumStr, finalChecksum)
|
||||
verified = false
|
||||
}
|
||||
|
||||
out.Write(sf.FormatProgress(utils.TruncateID(img.ID), "Download complete", nil))
|
||||
|
@ -556,7 +556,9 @@ func (s *TagStore) pullV2Tag(eng *engine.Engine, r *registry.Session, out io.Wri
|
|||
|
||||
}
|
||||
|
||||
if verified && layersDownloaded {
|
||||
out.Write(sf.FormatStatus(repoInfo.CanonicalName+":"+tag, "The image you are pulling has been verified. Important: image verification is a tech preview feature and should not be relied on to provide security."))
|
||||
}
|
||||
|
||||
if err = s.Set(repoInfo.LocalName, tag, downloads[0].img.ID, true); err != nil {
|
||||
return false, err
|
||||
|
|
|
@ -180,6 +180,9 @@ func TestEventsImageUntagDelete(t *testing.T) {
|
|||
|
||||
func TestEventsImagePull(t *testing.T) {
|
||||
since := time.Now().Unix()
|
||||
|
||||
defer deleteImages("hello-world")
|
||||
|
||||
pullCmd := exec.Command(dockerBinary, "pull", "hello-world")
|
||||
if out, _, err := runCommandWithOutput(pullCmd); err != nil {
|
||||
t.Fatalf("pulling the hello-world image from has failed: %s, %v", out, err)
|
||||
|
|
|
@ -53,39 +53,31 @@ func TestPullImageWithAliases(t *testing.T) {
|
|||
logDone("pull - image with aliases")
|
||||
}
|
||||
|
||||
// pulling busybox should show verified message
|
||||
// pulling library/hello-world should show verified message
|
||||
func TestPullVerified(t *testing.T) {
|
||||
defer setupRegistry(t)()
|
||||
// Image must be pulled from central repository to get verified message
|
||||
// unless keychain is manually updated to contain the daemon's sign key.
|
||||
|
||||
repo := fmt.Sprintf("%v/dockercli/busybox:verified", privateRegistryURL)
|
||||
defer deleteImages(repo)
|
||||
|
||||
// tag the image
|
||||
if out, _, err := runCommandWithOutput(exec.Command(dockerBinary, "tag", "busybox", repo)); err != nil {
|
||||
t.Fatalf("Failed to tag image verifiedTest: error %v, output %q", err, out)
|
||||
}
|
||||
|
||||
// push it
|
||||
if out, err := exec.Command(dockerBinary, "push", repo).CombinedOutput(); err != nil {
|
||||
t.Fatalf("Failed to push image %v: error %v, output %q", repo, err, string(out))
|
||||
}
|
||||
|
||||
// remove it locally
|
||||
if out, err := exec.Command(dockerBinary, "rmi", repo).CombinedOutput(); err != nil {
|
||||
t.Fatalf("Failed to clean images: error %v, output %q", err, string(out))
|
||||
}
|
||||
verifiedName := "hello-world"
|
||||
defer deleteImages(verifiedName)
|
||||
|
||||
// pull it
|
||||
expected := "The image you are pulling has been verified"
|
||||
pullCmd := exec.Command(dockerBinary, "pull", repo)
|
||||
if out, _, err := runCommandWithOutput(pullCmd); err != nil || !strings.Contains(out, expected) {
|
||||
pullCmd := exec.Command(dockerBinary, "pull", verifiedName)
|
||||
if out, exitCode, err := runCommandWithOutput(pullCmd); err != nil || !strings.Contains(out, expected) {
|
||||
if err != nil || exitCode != 0 {
|
||||
t.Skipf("pulling the '%s' image from the registry has failed: %s", verifiedName, err)
|
||||
}
|
||||
t.Fatalf("pulling a verified image failed. expected: %s\ngot: %s, %v", expected, out, err)
|
||||
}
|
||||
|
||||
// pull it again
|
||||
pullCmd = exec.Command(dockerBinary, "pull", repo)
|
||||
if out, _, err := runCommandWithOutput(pullCmd); err != nil || !strings.Contains(out, expected) {
|
||||
t.Fatalf("pulling a verified image failed. expected: %s\ngot: %s, %v", expected, out, err)
|
||||
pullCmd = exec.Command(dockerBinary, "pull", verifiedName)
|
||||
if out, exitCode, err := runCommandWithOutput(pullCmd); err != nil || strings.Contains(out, expected) {
|
||||
if err != nil || exitCode != 0 {
|
||||
t.Skipf("pulling the '%s' image from the registry has failed: %s", verifiedName, err)
|
||||
}
|
||||
t.Fatalf("pulling a verified image failed. unexpected verify message\ngot: %s, %v", out, err)
|
||||
}
|
||||
|
||||
logDone("pull - pull verified")
|
||||
|
@ -93,6 +85,8 @@ func TestPullVerified(t *testing.T) {
|
|||
|
||||
// pulling an image from the central registry should work
|
||||
func TestPullImageFromCentralRegistry(t *testing.T) {
|
||||
defer deleteImages("hello-world")
|
||||
|
||||
pullCmd := exec.Command(dockerBinary, "pull", "hello-world")
|
||||
if out, _, err := runCommandWithOutput(pullCmd); err != nil {
|
||||
t.Fatalf("pulling the hello-world image from the registry has failed: %s, %v", out, err)
|
||||
|
|
Loading…
Reference in a new issue