Store signatures in c/i/docker/daemon/signatures

Whether or not we are verifying signatures, download them and store them
in docker/daemon/signatures.

Note that this means that containers/image/docker is now involved on
_every_ pull; failures of the c/i/docker client, or inability to
download (possibly incorrectly configured but unused) signatures are now
fatal.

Alternatively, we could make the storing of signatures to c/i/d/d/s silently
fail in such cases.

WARNING: This DOES NOT BUILD because it references sirupsen/logrus, not
Sirupsen/logrus.

Author: mtrmac

distribution/pull_v2.go

@@ -14,6 +14,7 @@ import (
 	"github.com/Sirupsen/logrus"
 	cimagedocker "github.com/containers/image/docker"
 	"github.com/containers/image/signature"
+	"github.com/containers/image/types"
 	"github.com/docker/distribution"
 	"github.com/docker/distribution/digest"
 	"github.com/docker/distribution/manifest/manifestlist"
@@ -99,8 +100,12 @@ func (p *v2Puller) pullV2Repository(ctx context.Context, ref reference.Named) (e
 	var layersDownloaded bool
 	if !reference.IsNameOnly(ref) {
 		var err error
+		ciImage, err := p.ciImage(ctx, ref)
+		if err != nil {
+			return err
+		}
 		if p.config.SignatureCheck {
-			ref, err = p.checkTrusted(ctx, ref)
+			ref, err = p.checkTrusted(ref, ciImage)
 			if err != nil {
 				if err == cimagedocker.ErrV1NotSupported {
 					return fmt.Errorf("unable to pull from V1 Docker registries with image signature verification enabled. If you need to accept this risk and disable signature verification (for ALL images), run the docker daemon with --signature-enabled=false")
@@ -109,7 +114,7 @@ func (p *v2Puller) pullV2Repository(ctx context.Context, ref reference.Named) (e
 				return err
 			}
 		}
-		layersDownloaded, err = p.pullV2Tag(ctx, ref)
+		layersDownloaded, err = p.pullV2Tag(ctx, ref, ciImage)
 		if err != nil {
 			return err
 		}
@@ -135,8 +140,12 @@ func (p *v2Puller) pullV2Repository(ctx context.Context, ref reference.Named) (e
 			}
 			var ref reference.Named
 			ref = tagRef
+			ciImage, err := p.ciImage(ctx, ref)
+			if err != nil {
+				return err
+			}
 			if p.config.SignatureCheck {
-				trustedRef, err := p.checkTrusted(ctx, tagRef)
+				trustedRef, err := p.checkTrusted(tagRef, ciImage)
 				if err != nil {
 					p.originalRef = nil
 					if err == cimagedocker.ErrV1NotSupported {
@@ -146,7 +155,7 @@ func (p *v2Puller) pullV2Repository(ctx context.Context, ref reference.Named) (e
 				}
 				ref = trustedRef
 			}
-			pulledNew, err := p.pullV2Tag(ctx, ref)
+			pulledNew, err := p.pullV2Tag(ctx, ref, ciImage)
 			if err != nil {
 				// Since this is the pull-all-tags case, don't
 				// allow an error pulling a particular tag to
@@ -366,7 +375,7 @@ func (ld *v2LayerDescriptor) Registered(diffID layer.DiffID) {
 	ld.V2MetadataService.Add(diffID, metadata.V2Metadata{Digest: ld.digest, SourceRepository: ld.repoInfo.FullName()})
 }
 
-func (p *v2Puller) pullV2Tag(ctx context.Context, ref reference.Named) (tagUpdated bool, err error) {
+func (p *v2Puller) pullV2Tag(ctx context.Context, ref reference.Named, ciImage types.Image) (tagUpdated bool, err error) {
 	manSvc, err := p.repo.Manifests(ctx)
 	if err != nil {
 		return false, err
@@ -443,6 +452,10 @@ func (p *v2Puller) pullV2Tag(ctx context.Context, ref reference.Named) (tagUpdat
 
 	progress.Message(p.config.ProgressOutput, "", "Digest: "+manifestDigest.String())
 
+	if err = p.storeSignatures(ctx, ciImage); err != nil {
+		return false, err
+	}
+
 	oldTagImageID, err := p.config.ReferenceStore.Get(ref)
 	if err == nil {
 		if oldTagImageID == imageID {

distribution/pull_v2_unix.go

@@ -7,6 +7,7 @@ import (
 	"path/filepath"
 
 	"github.com/containers/image/docker"
+	"github.com/containers/image/docker/daemon/signatures"
 	containersImageRef "github.com/containers/image/docker/reference"
 	"github.com/containers/image/manifest"
 	"github.com/containers/image/signature"
@@ -43,8 +44,8 @@ func configurePolicyContext() (*signature.PolicyContext, error) {
 	return pc, nil
 }
 
-func (p *v2Puller) checkTrusted(c gctx.Context, ref reference.Named) (reference.Named, error) {
-	p.originalRef = ref
+// ciImage returns a containers/image/types.Image for ref.
+func (p *v2Puller) ciImage(c gctx.Context, ref reference.Named) (types.Image, error) {
 	// we can't use upstream docker/docker/reference since in projectatomic/docker
 	// we modified docker/docker/reference and it's not doing any normalization.
 	// we instead forked docker/docker/reference in containers/image and we need
@@ -76,7 +77,12 @@ func (p *v2Puller) checkTrusted(c gctx.Context, ref reference.Named) (reference.
 	if err != nil {
 		return nil, err
 	}
-	allowed, err := p.policyContext.IsRunningImageAllowed(img)
+	return img, nil
+}
+
+func (p *v2Puller) checkTrusted(ref reference.Named, ciImage types.Image) (reference.Named, error) {
+	p.originalRef = ref
+	allowed, err := p.policyContext.IsRunningImageAllowed(ciImage)
 	if !allowed {
 		if err != nil {
 			return nil, fmt.Errorf("%s isn't allowed: %v", ref.String(), err)
@@ -86,7 +92,7 @@ func (p *v2Puller) checkTrusted(c gctx.Context, ref reference.Named) (reference.
 	if err != nil {
 		return nil, err
 	}
-	mfst, _, err := img.Manifest()
+	mfst, _, err := ciImage.Manifest()
 	if err != nil {
 		return nil, err
 	}
@@ -100,3 +106,9 @@ func (p *v2Puller) checkTrusted(c gctx.Context, ref reference.Named) (reference.
 	}
 	return ref, nil
 }
+
+// storeSignature stores the signatures of ciImage and updates the tag in ciImage.Reference() if necessary.
+func (p *v2Puller) storeSignatures(c gctx.Context, ciImage types.Image) error {
+	store := signatures.NewStore(nil)
+	return store.RecordImage(c, ciImage)
+}

distribution/pull_v2_windows.go

@@ -9,6 +9,7 @@ import (
 	"os"
 
 	"github.com/containers/image/signature"
+	"github.com/containers/image/types"
 	"github.com/docker/distribution"
 	"github.com/docker/distribution/context"
 	"github.com/docker/distribution/manifest/schema1"
@@ -75,6 +76,14 @@ func configurePolicyContext() (*signature.PolicyContext, error) {
 	return nil, nil
 }
 
-func (p *v2Puller) checkTrusted(c gctx.Context, ref reference.Named) (reference.Named, error) {
+func (p *v2Puller) ciImage(c gctx.Context, ref reference.Named) (types.Image, error) {
+	return nil, nil
+}
+
+func (p *v2Puller) checkTrusted(ref reference.Named, ciImage types.Image) (reference.Named, error) {
 	return ref, nil
 }
+
+func (p *v2Puller) storeSignatures(c gctx.Context, ciImage types.Image) error {
+	return nil
+}

vendor/src/github.com/containers/image/docker/daemon/signatures/data.go

@@ -0,0 +1,128 @@
+package signatures
+
+// dataBucket stores the original manifests and signatures for an image.
+
+// dataBucket keys are (config digest, manifest digest), and contains a sub-bucket for each key.
+// This sub-bucket stores a manifest in manifestKey, and individual signatures in
+// (signatureKeyPrefix + zero-based index.)
+
+// Safety WRT concurrent access to data in a dataBucket sub-bucket:
+// The bucket is identified by the manifest digest, so no substantial updates to the
+// manifest are ever expected.
+// Readers expect signatures stored within a sub-bucket to be replaced/updated atomically
+// to ensure the bucket contents are consistent.
+
+import (
+	"bytes"
+	"fmt"
+	"strconv"
+
+	"github.com/boltdb/bolt"
+	digest "github.com/opencontainers/go-digest"
+)
+
+var (
+	dataBucket         = []byte("config+manifest->bucket")
+	manifestKey        = []byte("manifest")
+	signatureKeyPrefix = []byte("sig")
+)
+
+// dataBucketKey returns a key for use in dataBucket.
+func dataBucketKey(configDigest, manifestDigest digest.Digest) ([]byte, error) {
+	configBytes, err := stringToNonNULBytes(configDigest.String())
+	if err != nil {
+		return nil, err
+	}
+	manifestBytes, err := stringToNonNULBytes(manifestDigest.String())
+	if err != nil {
+		return nil, err
+	}
+	return bytes.Join([][]byte{configBytes, manifestBytes}, []byte{0}), nil
+}
+
+// copyBytes returns a freshly allocated clone of input.
+// This is needed because the data pointers returned by boltdb are invalid after the end of the transaction.
+func copyBytes(input []byte) []byte {
+	res := make([]byte, len(input))
+	copy(res, input)
+	return res
+}
+
+// readManifest returns the original manifest stored in b, or nil if not available.
+func readManifest(b *bolt.Bucket) []byte {
+	m := b.Get(manifestKey)
+	if m == nil {
+		return nil
+	}
+	return copyBytes(m)
+}
+
+// writeManifest stores the original manifest to b.
+func writeManifest(b *bolt.Bucket, manifest []byte) error {
+	return b.Put(manifestKey, manifest)
+}
+
+// readSignatures returns the original signatures stored in bucket, which is dataKey.
+func readSignatures(bucket *bolt.Bucket, dataKey []byte) ([][]byte, error) {
+	// Iterate through all keys in the sub-bucket; we need all of the except for manifestKey, so it seems fastest to read them in the database order and then reorder in memory.
+	signatureMap := map[int][]byte{}
+	if err := bucket.ForEach(func(k, v []byte) error {
+		if !bytes.HasPrefix(k, signatureKeyPrefix) {
+			return nil
+		}
+		i, err := strconv.Atoi(string(bytes.TrimPrefix(k, signatureKeyPrefix)))
+		if err != nil {
+			return err
+		}
+		if _, ok := signatureMap[i]; ok {
+			return fmt.Errorf("Internal error: Duplicate key %q in dataBucket key %q", k, dataKey)
+		}
+		signatureMap[i] = copyBytes(v)
+		return nil
+	}); err != nil {
+		return nil, err
+	}
+
+	signatures := [][]byte{}
+	for i := 0; ; i++ {
+		signature, ok := signatureMap[i]
+		if !ok {
+			break
+		}
+		signatures = append(signatures, signature)
+	}
+	if len(signatures) != len(signatureMap) {
+		// The use of transactions to update signatures should prevent this from happening
+		return nil, fmt.Errorf("Internal error: Non-consecutive signatures in dataBucket key %q", dataKey)
+	}
+	return signatures, nil
+}
+
+// writeSignatures stores the original signatures to b, which is dataKey.
+func writeSignatures(b *bolt.Bucket, dataKey []byte, signatures [][]byte) error {
+	if len(signatures) == 0 {
+		return nil // Don't bother reading the old ones.
+	}
+
+	existingSigs, err := readSignatures(b, dataKey)
+	if err != nil {
+		return err
+	}
+
+	nextIndex := len(existingSigs)
+sigExists:
+	for _, sig := range signatures {
+		for _, existingSig := range existingSigs {
+			if bytes.Equal(sig, existingSig) {
+				continue sigExists
+			}
+		}
+
+		key := bytes.Join([][]byte{signatureKeyPrefix, []byte(strconv.Itoa(nextIndex))}, []byte{})
+		if err := b.Put(key, sig); err != nil {
+			return err
+		}
+		nextIndex++
+	}
+	return nil
+}