// VerifyDockerManifestSignature checks that unverifiedSignature uses expectedKeyIdentity to sign unverifiedManifest as expectedDockerReference, // using mech. func VerifyDockerManifestSignature(unverifiedSignature, unverifiedManifest []byte, expectedDockerReference string, mech SigningMechanism, expectedKeyIdentity string) (*Signature, error) { sig, err := verifyAndExtractSignature(mech, unverifiedSignature, signatureAcceptanceRules{ validateKeyIdentity: func(keyIdentity string) error { if keyIdentity != expectedKeyIdentity { return InvalidSignatureError{msg: fmt.Sprintf("Signature by %s does not match expected fingerprint %s", keyIdentity, expectedKeyIdentity)} } return nil }, validateSignedDockerReference: func(signedDockerReference string) error { if signedDockerReference != expectedDockerReference { return InvalidSignatureError{msg: fmt.Sprintf("Docker reference %s does not match %s", signedDockerReference, expectedDockerReference)} } return nil }, validateSignedDockerManifestDigest: func(signedDockerManifestDigest string) error { matches, err := manifest.MatchesDigest(unverifiedManifest, signedDockerManifestDigest) if err != nil { return err } if !matches { return InvalidSignatureError{msg: fmt.Sprintf("Signature for docker digest %q does not match", signedDockerManifestDigest)} } return nil }, }) if err != nil { return nil, err } return sig, nil }
func (pr *prSignedBy) isSignatureAuthorAccepted(image types.Image, sig []byte) (signatureAcceptanceResult, *Signature, error) { switch pr.KeyType { case SBKeyTypeGPGKeys: case SBKeyTypeSignedByGPGKeys, SBKeyTypeX509Certificates, SBKeyTypeSignedByX509CAs: // FIXME? Reject this at policy parsing time already? return sarRejected, nil, fmt.Errorf(`"Unimplemented "keyType" value "%s"`, string(pr.KeyType)) default: // This should never happen, newPRSignedBy ensures KeyType.IsValid() return sarRejected, nil, fmt.Errorf(`"Unknown "keyType" value "%s"`, string(pr.KeyType)) } if pr.KeyPath != "" && pr.KeyData != nil { return sarRejected, nil, errors.New(`Internal inconsistency: both "keyPath" and "keyData" specified`) } // FIXME: move this to per-context initialization var data []byte if pr.KeyData != nil { data = pr.KeyData } else { d, err := ioutil.ReadFile(pr.KeyPath) if err != nil { return sarRejected, nil, err } data = d } // FIXME: move this to per-context initialization dir, err := ioutil.TempDir("", "skopeo-signedBy-") if err != nil { return sarRejected, nil, err } defer os.RemoveAll(dir) mech, err := newGPGSigningMechanismInDirectory(dir) if err != nil { return sarRejected, nil, err } trustedIdentities, err := mech.ImportKeysFromBytes(data) if err != nil { return sarRejected, nil, err } if len(trustedIdentities) == 0 { return sarRejected, nil, PolicyRequirementError("No public keys imported") } signature, err := verifyAndExtractSignature(mech, sig, signatureAcceptanceRules{ validateKeyIdentity: func(keyIdentity string) error { for _, trustedIdentity := range trustedIdentities { if keyIdentity == trustedIdentity { return nil } } // Coverage: We use a private GPG home directory and only import trusted keys, so this should // not be reachable. return PolicyRequirementError(fmt.Sprintf("Signature by key %s is not accepted", keyIdentity)) }, validateSignedDockerReference: func(ref string) error { if !pr.SignedIdentity.matchesDockerReference(image, ref) { return PolicyRequirementError(fmt.Sprintf("Signature for identity %s is not accepted", ref)) } return nil }, validateSignedDockerManifestDigest: func(digest string) error { m, _, err := image.Manifest() if err != nil { return err } digestMatches, err := manifest.MatchesDigest(m, digest) if err != nil { return err } if !digestMatches { return PolicyRequirementError(fmt.Sprintf("Signature for digest %s does not match", digest)) } return nil }, }) if err != nil { return sarRejected, nil, err } return sarAccepted, signature, nil }