mirror of
https://github.com/docker/cli.git
synced 2026-01-13 18:22:35 +03:00
d54e9ca21b
The trust code used to parse the console output of `docker push` to extract the digest, tag, and size information and determine what to sign. This is fragile and might give an attacker control over what gets signed if the attacker can find a way to influence what gets printed as part of the push output. This commit sends the push metadata out-of-band. It introduces an `Aux` field in JSONMessage that can carry application-specific data alongside progress updates. Instead of parsing formatted output, the client looks in this field to get the digest, size, and tag from the push. Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com> Upstream-commit: 65370be888d940899593a001024f53d6b83b4bb0 Component: engine