Check the tag in isArtifactSigned func

This commit ensures that when CLI is pulling a tag, the content trust middleware check the data in notary to ensure the particular tag is signed, not only the digest. Signed-off-by: Daniel Jiang <jiangd@vmware.com>

Check the tag in isArtifactSigned func
This commit ensures that when CLI is pulling a tag, the content trust middleware check the data in notary to ensure the particular tag is signed, not only the digest. Signed-off-by: Daniel Jiang <jiangd@vmware.com>
2f7c8c2a · Daniel Jiang · 316f0349 · 2f7c8c2a
Commit 2f7c8c2a authored Sep 03, 2020 by Daniel Jiang
Show whitespace changes
Inline Side-by-side

Showing with 3 additions and 0 deletions

src/server/middleware/contenttrust/contenttrust.go src/server/middleware/contenttrust/contenttrust.go +3 -0

No files found.
--- a/src/server/middleware/contenttrust/contenttrust.go
+++ b/src/server/middleware/contenttrust/contenttrust.go
@@ -21,6 +21,9 @@ var (
 		if err != nil {
 			return false, err
 		}
+		if len(art.Tag) > 0 {
+			return checker.IsTagSigned(art.Tag, art.Digest), nil
+		}
 		return checker.IsArtifactSigned(art.Digest), nil
 	}
 )