From 35a41c39a4bed2ad4379cfcd49587a7f79e8f8b4 Mon Sep 17 00:00:00 2001
From: Sebastiaan van Stijn
Date: Sun, 24 Aug 2025 13:52:33 +0200
Subject: [PATCH 1/2] cli/trust: check for Digested, Tagged reference instead of Canonical
The [Canonical] interface defines images that are both [Named] and [Digested], but in all places where it was used, we were only interested whether the reference contained a digest. Similarly [NamedTagged] is a superset of [Tagged], so checking for [Tagged] is sufficient if we're already dealing with a [Named] reference. This patch changes those checks to check for [Digested] and [Tagged] references, as that's what's relevant for these checks.
[Named]: https://pkg.go.dev/github.com/distribution/reference#Named
[NamedTagged]: https://pkg.go.dev/github.com/distribution/reference#NamedTagged
[Canonical]: https://pkg.go.dev/github.com/distribution/reference#Canonical
[Digested]: https://pkg.go.dev/github.com/distribution/reference#Digested
Signed-off-by: Sebastiaan van Stijn
---
cli/trust/trust.go | 10 ++++------
cli/trust/trust_push.go | 4 ++--
2 files changed, 6 insertions(+), 8 deletions(-)
diff --git a/cli/trust/trust.go b/cli/trust/trust.go
index 7af2a27350..a70a496669 100644
--- a/cli/trust/trust.go
+++ b/cli/trust/trust.go
@@ -346,9 +346,9 @@ func GetImageReferencesAndAuth(ctx context.Context,
 func getTag(ref reference.Named) string {
 switch x := ref.(type) {
- case reference.Canonical, reference.Digested:
- return ""
- case reference.NamedTagged:
+ case reference.Digested:
+ return "" // TODO(thaJeztah): is it intentional to discard the tag when "Tagged+Digested"?
+ case reference.Tagged:
 return x.Tag()
 default:
 return ""
@@ -357,12 +357,10 @@ func getTag(ref reference.Named) string {
 func getDigest(ref reference.Named) digest.Digest {
 switch x := ref.(type) {
- case reference.Canonical:
- return x.Digest()
 case reference.Digested:
 return x.Digest()
 default:
- return digest.Digest("")
+ return ""
 }
 }
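Review bot: Neither getTag nor getDigest carries a doc comment, and the new case order makes the contract easy to misread: a reference that is both tagged and digested matches `case reference.Digested` first, so getTag returns "" and the tag is dropped, which the added TODO on that line already flags as a possible surprise. Documenting that precedence at the function keeps callers from having to infer it from the switch; for the first hunk, `// getTag returns the tag of ref, or "" when ref has no tag or carries a digest (a digest takes precedence over the tag).` and for the second hunk `// getDigest returns the digest of ref, or "" when ref is not a Digested reference.`. getTag's closing braces lie outside the first hunk.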
diff --git a/cli/trust/trust_push.go b/cli/trust/trust_push.go
index 47057b3f48..ef7f19f1af 100644
--- a/cli/trust/trust_push.go
+++ b/cli/trust/trust_push.go
@@ -63,9 +63,9 @@ func PushTrustedReference(ctx context.Context, ioStreams Streams, repoInfo *Repo
 var tag string
 switch x := ref.(type) {
- case reference.Canonical:
+ case reference.Digested:
 return errors.New("cannot push a digest reference")
- case reference.NamedTagged:
+ case reference.Tagged:
 tag = x.Tag()
 default:
 // We want trust signatures to always take an explicit tag,
From 7cb8147e7716ed2d9e4c626710704a249f2ae0c3 Mon Sep 17 00:00:00 2001
From: Sebastiaan van Stijn
Date: Sun, 24 Aug 2025 15:54:19 +0200
Subject: [PATCH 2/2] cli/trust: GetNotaryRepository: inline variables
Signed-off-by: Sebastiaan van Stijn
---
cli/trust/trust.go | 23 ++++++++++-------------
1 file changed, 10 insertions(+), 13 deletions(-)
diff --git a/cli/trust/trust.go b/cli/trust/trust.go
index a70a496669..06fb2c0710 100644
--- a/cli/trust/trust.go
+++ b/cli/trust/trust.go
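Review bot: The `case reference.Digested` branch rejects every reference that carries a digest, including one that also carries a tag, because it is tested before `case reference.Tagged`; nothing in the hunk says that ordering is deliberate, while the sibling getTag change in the first patch carries a TODO questioning the very same precedence, so the two are likely to drift apart. A one-line comment above the case would pin the intent for both readers and the later TODO resolution, e.g. `// A digest takes precedence over a tag: a tagged+digested reference is rejected rather than signed under its tag.`. The existing default-branch comment about always requiring an explicit tag partly covers this, but it sits after the rejection rather than on it. PushTrustedReference begins and ends outside this hunk.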
@@ -156,26 +156,23 @@ func GetNotaryRepository(in io.Reader, out io.Writer, userAgent string, repoInfo
 }
 }
- scope := auth.RepositoryScope{
- Repository: repoInfo.Name.Name(),
- Actions: actions,
- }
- creds := simpleCredentialStore{auth: *authConfig}
 tokenHandler := auth.NewTokenHandlerWithOptions(auth.TokenHandlerOptions{
 Transport: authTransport,
- Credentials: creds,
- Scopes: []auth.Scope{scope},
- ClientID: registry.AuthClientID,
+ Credentials: simpleCredentialStore{auth: *authConfig},
+ Scopes: []auth.Scope{auth.RepositoryScope{
+ Repository: repoInfo.Name.Name(),
+ Actions: actions,
+ }},
+ ClientID: registry.AuthClientID,
 })
- basicHandler := auth.NewBasicHandler(creds)
+ basicHandler := auth.NewBasicHandler(simpleCredentialStore{auth: *authConfig})
 modifiers = append(modifiers, auth.NewAuthorizer(challengeManager, tokenHandler, basicHandler))
- tr := transport.NewTransport(base, modifiers...)
 return client.NewFileCachedRepository(
 GetTrustDirectory(),
 data.GUN(repoInfo.Name.Name()),
 server,
- tr,
+ transport.NewTransport(base, modifiers...),
 GetPassphraseRetriever(in, out),
 trustpinning.TrustPinConfig{})
 }
@@ -234,9 +231,9 @@ func NotaryError(repoName string, err error) error {
 return fmt.Errorf("error: remote trust data does not exist for %s: %v", repoName, err)
 case signed.ErrInsufficientSignatures:
 return fmt.Errorf("error: could not produce valid signature for %s. If Yubikey was used, was touch input provided?: %v", repoName, err)
+ default:
+ return err
 }
-
- return err
 }
 // AddToAllSignableRoles attempts to add the image target to all the top level
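Review bot: `simpleCredentialStore{auth: *authConfig}` is now spelled out twice in the first hunk, once as the token handler's `Credentials` and once in `auth.NewBasicHandler(...)`, so the auth config is copied into two independent store values where the removed `creds` local expressed that both handlers use the same credentials. Inlining `scope` and `tr` reads fine, but the repeated literal is the kind of duplication that invites the two call sites to diverge later; keeping a single `creds := simpleCredentialStore{auth: *authConfig}` and passing `creds` to both would preserve that intent without undoing the rest of the change. GetNotaryRepository starts before this hunk, so whether `authConfig` is guaranteed non-nil at the `*authConfig` dereference is not visible here.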