fix: added digest check on verify (#313)
This PR adds a digest check on verify.

Signed-off-by: patrick <zongjunzheng@hotmail.com>
Two-Hearts authored May 23, 2023
1 parent 7de640b commit 39c8ed0
Showing 3 changed files with 29 additions and 0 deletions.
10 changes: 10 additions & 0 deletions internal/mock/mocks.go
Expand Up @@ -65,6 +65,7 @@ var MockCaCompatiblePluginVerSigEnv_1_0_0 []byte
var (
SampleArtifactUri = "registry.acme-rockets.io/software/net-monitor@sha256:60043cf45eaebc4c0867fea485a039b598f52fd09fd5b07b0b2d2f88fad9d74e"
SampleDigest = digest.Digest("sha256:60043cf45eaebc4c0867fea485a039b598f52fd09fd5b07b0b2d2f88fad9d74e")
ZeroDigest = digest.Digest("sha256:0000000000000000000000000000000000000000000000000000000000000000")
Annotations = map[string]string{"key": "value"}
ImageDescriptor = ocispec.Descriptor{
MediaType: "application/vnd.docker.distribution.manifest.v2+json",
Expand Down Expand Up @@ -110,6 +111,7 @@ type Repository struct {
ListSignaturesError error
FetchSignatureBlobResponse []byte
FetchSignatureBlobError error
MissMatchDigest bool
}

func NewRepository() Repository {
Expand All @@ -121,6 +123,14 @@ func NewRepository() Repository {
}

func (t Repository) Resolve(ctx context.Context, reference string) (ocispec.Descriptor, error) {
if t.MissMatchDigest {
return ocispec.Descriptor{
MediaType: "application/vnd.docker.distribution.manifest.v2+json",
Digest: ZeroDigest,
Size: 528,
Annotations: Annotations,
}, nil
}
return t.ResolveResponse, t.ResolveError
}

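Review bot: The new `MissMatchDigest` field on Repository is misspelled and undocumented; exported mock knobs are read by every test that uses them, so it should be `MismatchDigest` with a comment such as `// MismatchDigest makes Resolve return a descriptor whose digest (ZeroDigest) differs from the requested reference, ignoring ResolveResponse and ResolveError.` In Resolve the flag takes priority over ResolveError, so a test that sets both silently gets the mismatch path, which is worth stating in that comment. The literal Size of 528 and media type appear to duplicate ImageDescriptor, whose definition starts in this hunk but continues past it; returning a copy of that descriptor with only Digest overridden would keep the two in sync, though I could not confirm its remaining fields from here.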
2 changes: 2 additions & 0 deletions notation.go
Expand Up @@ -324,6 +324,8 @@ func Verify(ctx context.Context, verifier Verifier, repo registry.Repository, ve
// artifactRef is not a digest reference
logger.Infof("Resolved artifact tag `%s` to digest `%s` before verification", ref.Reference, artifactDescriptor.Digest.String())
logger.Warn("The resolved digest may not point to the same signed artifact, since tags are mutable")
} else if ref.Reference != artifactDescriptor.Digest.String() {
return ocispec.Descriptor{}, nil, ErrorSignatureRetrievalFailed{Msg: fmt.Sprintf("user input digest %s does not match the resolved digest %s", ref.Reference, artifactDescriptor.Digest.String())}
}

var verificationOutcomes []*VerificationOutcome
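Review bot: The comparison on the added `else if` line is a plain string equality between the caller's reference and the resolved digest, so it fails closed on any textual difference, which is the right default when a registry hands back a descriptor for something other than what was requested — but the intent should be stated, since a reader may read a mismatch here as a typo rather than as a tampering signal. I would add `// Fail closed: a digest reference must resolve to exactly that digest; anything else means the registry returned a different artifact.` above the branch. The error is reported as ErrorSignatureRetrievalFailed although no signature has been fetched yet; if the package has a more specific error for verification-setup failures it would fit better, otherwise the message should at least say that verification was aborted before any signature was retrieved. The `if` this `else if` extends, and the enclosing Verify, begin above the hunk, so I could not confirm how ref.Reference is validated before the comparison.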
17 changes: 17 additions & 0 deletions notation_test.go
Expand Up @@ -148,6 +148,23 @@ func TestVerifyTagReferenceFailed(t *testing.T) {
}
}

func TestVerifyDigestNotMatchResolve(t *testing.T) {
policyDocument := dummyPolicyDocument()
repo := mock.NewRepository()
repo.MissMatchDigest = true
verifier := dummyVerifier{&policyDocument, mock.PluginManager{}, false, *trustpolicy.LevelStrict}

errorMessage := fmt.Sprintf("user input digest %s does not match the resolved digest %s", mock.SampleDigest, mock.ZeroDigest)
expectedErr := ErrorSignatureRetrievalFailed{Msg: errorMessage}

// mock the repository
opts := VerifyOptions{ArtifactReference: mock.SampleArtifactUri, MaxSignatureAttempts: 50}
_, _, err := Verify(context.Background(), &verifier, repo, opts)
if err == nil || err.Error() != errorMessage {
t.Fatalf("VerifyTagReference expected: %v got: %v", expectedErr, err)
}
}

func TestSkippedSignatureVerification(t *testing.T) {
policyDocument := dummyPolicyDocument()
repo := mock.NewRepository()
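Review bot: The failure message on the `t.Fatalf` line says `VerifyTagReference`, copied from the preceding test, while this test is TestVerifyDigestNotMatchResolve; it should read `t.Fatalf("Verify with mismatched digest expected: %v got: %v", expectedErr, err)`. The assertion compares only `err.Error()` against the message, so `expectedErr` is constructed but its type is never checked; a type assertion such as `if _, ok := err.(ErrorSignatureRetrievalFailed); !ok {` (or errors.As, if the file imports errors) would pin the error type callers are expected to match on. The `// mock the repository` comment sits above the VerifyOptions line rather than the repo setup a few lines earlier; move it up or drop it.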

0 comments on commit 39c8ed0

Please sign in to comment.