verify the critical.image.identity against image stream tag

mfojtik · mfojtik · commit b73ce5602b39 · 2017-01-25T15:16:21.000+01:00
diff --git a/pkg/cmd/admin/image/verify-signature.go b/pkg/cmd/admin/image/verify-signature.go
@@ -128,25 +128,50 @@ func (o *VerifyImageSignatureOptions) verifySignature(signature []byte) (string,
 
 // verifySignatureContent verifies that the signature content matches the given image.
 // TODO: This should be done by calling the 'containers/image' library in future.
-func (o *VerifyImageSignatureOptions) verifySignatureContent(content []byte) error {
+func (o *VerifyImageSignatureOptions) verifySignatureContent(content []byte) (string, string, error) {
 	// TODO: The types here are just to decompose the JSON. The fields should not change but
 	// we need to use containers/image library here to guarantee compatibility in future.
 	type criticalImage struct {
 		Digest string `json:"docker-manifest-digest"`
 	}
+	type criticalIdentity struct {
+		DockerReference string `json:"docker-reference"`
+	}
 	type critical struct {
-		Image criticalImage `json:"image"`
+		Image    criticalImage    `json:"image"`
+		Identity criticalIdentity `json:"identity"`
 	}
 	type message struct {
 		Critical critical `json:"critical"`
 	}
 	m := message{}
 	if err := json.Unmarshal(content, &m); err != nil {
-		return err
+		return "", "", err
 	}
 	if o.InputImage != m.Critical.Image.Digest {
-		return fmt.Errorf("signature is valid for digest %q not for %q", m.Critical.Image.Digest, o.InputImage)
+		return "", "", fmt.Errorf("signature is valid for digest %q not for %q", m.Critical.Image.Digest, o.InputImage)
+	}
+	fmt.Printf("critical=%#+v\n", m.Critical)
+	return m.Critical.Image.Digest, m.Critical.Identity.DockerReference, nil
+}
+
+// verifyImageIdentity verifies the source of the image specified in the signature is
+// valid.
+func (o *VerifyImageSignatureOptions) verifyImageIdentity(reference, digest string) error {
+	ref, err := imageapi.ParseDockerImageReference(reference)
+	if err != nil {
+		return err
 	}
+	// Verify the tag exists
+	tag, err := o.Client.ImageStreamTags(ref.Namespace).Get(ref.Name, ref.Tag)
+	if err != nil {
+		return err
+	}
+
+	if tag.Image.Name != digest {
+		return fmt.Errorf("signature identity %q does not match image %q", reference, tag.Image.Name)
+	}
+
 	return nil
 }
 
@@ -183,14 +208,19 @@ func (o *VerifyImageSignatureOptions) Run() error {
 		}
 
 		// Verify the signed message content matches with the provided image id
-		var signatureContentErr error
-		if signatureContentErr = o.verifySignatureContent(content); signatureContentErr != nil {
+		digest, identity, signatureContentErr := o.verifySignatureContent(content)
+		if signatureContentErr != nil {
 			fmt.Fprintf(o.ErrOut, "%s signature content cannot be verified: %v\n", o.InputImage, signatureContentErr)
 		}
 
+		identityError := o.verifyImageIdentity(identity, digest)
+		if identityError != nil {
+			fmt.Fprintf(o.ErrOut, "%s identity cannot be verified: %v\n", o.InputImage, identityError)
+		}
+
 		// If we have error and --confirm then remove the signature from the image which
 		// changes the image to "unverified" state.
-		if signatureErr != nil || signatureContentErr != nil {
+		if signatureErr != nil || signatureContentErr != nil || identityError != nil {
 			o.removeImageSignature(&img.Signatures[i])
 			continue
 		}
