[WIP] verify signature for untagged references

docs/policy.json.md

@@ -146,13 +146,25 @@ This requirement requires an image to be signed with an expected identity, or ac
     "keyType": "GPGKeys", /* The only currently supported value */
     "keyPath": "/path/to/local/keyring/file",
     "keyData": "base64-encoded-keyring-data",
-    "signedIdentity": identity_requirement
+    "signedIdentity": identity_requirement,
+    "referencesByDigest": refs_by_digest_requirement
 }
 ```
 <!-- Later: other keyType values -->
 
 Exactly one of `keyPath` and `keyData` must be present, containing a GPG keyring of one or more public keys.  Only signatures made by these keys are accepted.
 
+The `referencesByDigest` field controls whether an reference with a digest should be taken into consideration when checking signatures or be rejected altogheter.
+One of the following alternatives are supported:
+
+- References by digest are allowed (default). In this case, the digest should match the one from the signature for the verification to be successful.
+  ```json
+  {"referencesByDigest: allow"}
+  ```
+- References by digest are rejected and no signature verification is performed.
+  ```json
+  {"referencesByDigest: reject"}
+  ```
 The `signedIdentity` field, a JSON object, specifies what image identity the signature claims about the image.
 One of the following alternatives are supported:
 
@@ -257,27 +269,3 @@ selectively allow individual transports and scopes as desired.
     "default": [{"type": "insecureAcceptAnything"}]
 }
 ```
-
-### A _temporary_ work-around to allow accessing any image by digest
-
-Usually, identities in signatures use the _repository_`:`_tag_ format,
-which is not matched when pulling a specific image using a digest.
-To allow such operations, a policy may set `signedIdentity` to `matchRepository`, similar
-to the following fragment:
-
-```json
-            "hostname:5000/allow/pull/by/tag": [
-                {
-                    "type": "signedBy",
-                    "keyType": "GPGKeys",
-                    "keyPath": "/path/to/some.gpg"
-                    "signedIdentity": {
-                        "type": "matchRepository"
-                    }
-                }
-            ]
-```
-
-*Warning*: This completely turns off tag matching for the signature check in question,
-allowing also pulls by tag to accept signatures for any other tag.
-A more granular solution for this situation will be provided in the future ( https://github.com/containers/image/issues/99 ).

signature/docker.go

@@ -35,7 +35,7 @@ func VerifyDockerManifestSignature(unverifiedSignature, unverifiedManifest []byt
 			}
 			return nil
 		},
-		validateSignedDockerReference: func(signedDockerReference string) error {
+		validateSignedDockerReference: func(signedDockerReference, digest string) error {
 			if signedDockerReference != expectedDockerReference {
 				return InvalidSignatureError{msg: fmt.Sprintf("Docker reference %s does not match %s",
 					signedDockerReference, expectedDockerReference)}

signature/policy_config.go

@@ -313,7 +313,7 @@ func (pr *prReject) UnmarshalJSON(data []byte) error {
 }
 
 // newPRSignedBy returns a new prSignedBy if parameters are valid.
-func newPRSignedBy(keyType sbKeyType, keyPath string, keyData []byte, signedIdentity PolicyReferenceMatch) (*prSignedBy, error) {
+func newPRSignedBy(keyType sbKeyType, keyPath string, keyData []byte, signedIdentity PolicyReferenceMatch, referencesByDigest sbUntaggedReferenceMatch) (*prSignedBy, error) {
 	if !keyType.IsValid() {
 		return nil, InvalidPolicyFormatError(fmt.Sprintf("invalid keyType \"%s\"", keyType))
 	}
@@ -323,33 +323,37 @@ func newPRSignedBy(keyType sbKeyType, keyPath string, keyData []byte, signedIden
 	if signedIdentity == nil {
 		return nil, InvalidPolicyFormatError("signedIdentity not specified")
 	}
+	if referencesByDigest != SBKeyTypeUntaggedReferenceAllow && referencesByDigest != SBKeyTypeUntaggedReferenceReject {
+		return nil, InvalidPolicyFormatError("referencesByDigest accepts either allow or reject")
+	}
 	return &prSignedBy{
-		prCommon:       prCommon{Type: prTypeSignedBy},
-		KeyType:        keyType,
-		KeyPath:        keyPath,
-		KeyData:        keyData,
-		SignedIdentity: signedIdentity,
+		prCommon:           prCommon{Type: prTypeSignedBy},
+		KeyType:            keyType,
+		KeyPath:            keyPath,
+		KeyData:            keyData,
+		SignedIdentity:     signedIdentity,
+		ReferencesByDigest: referencesByDigest,
 	}, nil
 }
 
 // newPRSignedByKeyPath is NewPRSignedByKeyPath, except it returns the private type.
-func newPRSignedByKeyPath(keyType sbKeyType, keyPath string, signedIdentity PolicyReferenceMatch) (*prSignedBy, error) {
-	return newPRSignedBy(keyType, keyPath, nil, signedIdentity)
+func newPRSignedByKeyPath(keyType sbKeyType, keyPath string, signedIdentity PolicyReferenceMatch, referencesByDigest sbUntaggedReferenceMatch) (*prSignedBy, error) {
+	return newPRSignedBy(keyType, keyPath, nil, signedIdentity, referencesByDigest)
 }
 
 // NewPRSignedByKeyPath returns a new "signedBy" PolicyRequirement using a KeyPath
-func NewPRSignedByKeyPath(keyType sbKeyType, keyPath string, signedIdentity PolicyReferenceMatch) (PolicyRequirement, error) {
-	return newPRSignedByKeyPath(keyType, keyPath, signedIdentity)
+func NewPRSignedByKeyPath(keyType sbKeyType, keyPath string, signedIdentity PolicyReferenceMatch, referencesByDigest sbUntaggedReferenceMatch) (PolicyRequirement, error) {
+	return newPRSignedByKeyPath(keyType, keyPath, signedIdentity, referencesByDigest)
 }
 
 // newPRSignedByKeyData is NewPRSignedByKeyData, except it returns the private type.
-func newPRSignedByKeyData(keyType sbKeyType, keyData []byte, signedIdentity PolicyReferenceMatch) (*prSignedBy, error) {
-	return newPRSignedBy(keyType, "", keyData, signedIdentity)
+func newPRSignedByKeyData(keyType sbKeyType, keyData []byte, signedIdentity PolicyReferenceMatch, referencesByDigest sbUntaggedReferenceMatch) (*prSignedBy, error) {
+	return newPRSignedBy(keyType, "", keyData, signedIdentity, referencesByDigest)
 }
 
 // NewPRSignedByKeyData returns a new "signedBy" PolicyRequirement using a KeyData
-func NewPRSignedByKeyData(keyType sbKeyType, keyData []byte, signedIdentity PolicyReferenceMatch) (PolicyRequirement, error) {
-	return newPRSignedByKeyData(keyType, keyData, signedIdentity)
+func NewPRSignedByKeyData(keyType sbKeyType, keyData []byte, signedIdentity PolicyReferenceMatch, referencesByDigest sbUntaggedReferenceMatch) (PolicyRequirement, error) {
+	return newPRSignedByKeyData(keyType, keyData, signedIdentity, referencesByDigest)
 }
 
 // Compile-time check that prSignedBy implements json.Unmarshaler.
@@ -375,6 +379,8 @@ func (pr *prSignedBy) UnmarshalJSON(data []byte) error {
 			return &tmp.KeyData
 		case "signedIdentity":
 			return &signedIdentity
+		case "referencesByDigest":
+			return &tmp.ReferencesByDigest
 		default:
 			return nil
 		}
@@ -395,15 +401,19 @@ func (pr *prSignedBy) UnmarshalJSON(data []byte) error {
 		tmp.SignedIdentity = si
 	}
 
+	if tmp.ReferencesByDigest == "" {
+		tmp.ReferencesByDigest = SBKeyTypeUntaggedReferenceAllow
+	}
+
 	var res *prSignedBy
 	var err error
 	switch {
 	case gotKeyPath && gotKeyData:
 		return InvalidPolicyFormatError("keyPath and keyData cannot be used simultaneously")
 	case gotKeyPath && !gotKeyData:
-		res, err = newPRSignedByKeyPath(tmp.KeyType, tmp.KeyPath, tmp.SignedIdentity)
+		res, err = newPRSignedByKeyPath(tmp.KeyType, tmp.KeyPath, tmp.SignedIdentity, tmp.ReferencesByDigest)
 	case !gotKeyPath && gotKeyData:
-		res, err = newPRSignedByKeyData(tmp.KeyType, tmp.KeyData, tmp.SignedIdentity)
+		res, err = newPRSignedByKeyData(tmp.KeyType, tmp.KeyData, tmp.SignedIdentity, tmp.ReferencesByDigest)
 	case !gotKeyPath && !gotKeyData:
 		return InvalidPolicyFormatError("At least one of keyPath and keyData mus be specified")
 	default: // Coverage: This should never happen
@@ -501,7 +511,7 @@ func (pr *prSignedBaseLayer) UnmarshalJSON(data []byte) error {
 	return nil
 }
 
-// newPolicyRequirementFromJSON parses JSON data into a PolicyReferenceMatch implementation.
+// newPolicyReferenceFromJSON parses JSON data into a PolicyReferenceMatch implementation.
 func newPolicyReferenceMatchFromJSON(data []byte) (PolicyReferenceMatch, error) {
 	var typeField prmCommon
 	if err := json.Unmarshal(data, &typeField); err != nil {

signature/policy_config_test.go

@@ -204,7 +204,7 @@ func tryUnmarshalModifiedPolicy(t *testing.T, p *Policy, validJSON []byte, modif
 
 // xNewPRSignedByKeyPath is like NewPRSignedByKeyPath, except it must not fail.
 func xNewPRSignedByKeyPath(keyType sbKeyType, keyPath string, signedIdentity PolicyReferenceMatch) PolicyRequirement {
-	pr, err := NewPRSignedByKeyPath(keyType, keyPath, signedIdentity)
+	pr, err := NewPRSignedByKeyPath(keyType, keyPath, signedIdentity, SBKeyTypeUntaggedReferenceAllow)
 	if err != nil {
 		panic("xNewPRSignedByKeyPath failed")
 	}
@@ -213,7 +213,7 @@ func xNewPRSignedByKeyPath(keyType sbKeyType, keyPath string, signedIdentity Pol
 
 // xNewPRSignedByKeyData is like NewPRSignedByKeyData, except it must not fail.
 func xNewPRSignedByKeyData(keyType sbKeyType, keyData []byte, signedIdentity PolicyReferenceMatch) PolicyRequirement {
-	pr, err := NewPRSignedByKeyData(keyType, keyData, signedIdentity)
+	pr, err := NewPRSignedByKeyData(keyType, keyData, signedIdentity, SBKeyTypeUntaggedReferenceAllow)
 	if err != nil {
 		panic("xNewPRSignedByKeyData failed")
 	}
@@ -635,7 +635,7 @@ func TestNewPRSignedBy(t *testing.T) {
 	testIdentity := NewPRMMatchExact()
 
 	// Success
-	pr, err := newPRSignedBy(SBKeyTypeGPGKeys, testPath, nil, testIdentity)
+	pr, err := newPRSignedBy(SBKeyTypeGPGKeys, testPath, nil, testIdentity, SBKeyTypeUntaggedReferenceAllow)
 	require.NoError(t, err)
 	assert.Equal(t, &prSignedBy{
 		prCommon:       prCommon{prTypeSignedBy},
@@ -644,7 +644,7 @@ func TestNewPRSignedBy(t *testing.T) {
 		KeyData:        nil,
 		SignedIdentity: testIdentity,
 	}, pr)
-	pr, err = newPRSignedBy(SBKeyTypeGPGKeys, "", testData, testIdentity)
+	pr, err = newPRSignedBy(SBKeyTypeGPGKeys, "", testData, testIdentity, SBKeyTypeUntaggedReferenceAllow)
 	require.NoError(t, err)
 	assert.Equal(t, &prSignedBy{
 		prCommon:       prCommon{prTypeSignedBy},
@@ -655,23 +655,23 @@ func TestNewPRSignedBy(t *testing.T) {
 	}, pr)
 
 	// Invalid keyType
-	pr, err = newPRSignedBy(sbKeyType(""), testPath, nil, testIdentity)
+	pr, err = newPRSignedBy(sbKeyType(""), testPath, nil, testIdentity, SBKeyTypeUntaggedReferenceAllow)
 	assert.Error(t, err)
-	pr, err = newPRSignedBy(sbKeyType("this is invalid"), testPath, nil, testIdentity)
+	pr, err = newPRSignedBy(sbKeyType("this is invalid"), testPath, nil, testIdentity, SBKeyTypeUntaggedReferenceAllow)
 	assert.Error(t, err)
 
 	// Both keyPath and keyData specified
-	pr, err = newPRSignedBy(SBKeyTypeGPGKeys, testPath, testData, testIdentity)
+	pr, err = newPRSignedBy(SBKeyTypeGPGKeys, testPath, testData, testIdentity, SBKeyTypeUntaggedReferenceAllow)
 	assert.Error(t, err)
 
 	// Invalid signedIdentity
-	pr, err = newPRSignedBy(SBKeyTypeGPGKeys, testPath, nil, nil)
+	pr, err = newPRSignedBy(SBKeyTypeGPGKeys, testPath, nil, nil, SBKeyTypeUntaggedReferenceAllow)
 	assert.Error(t, err)
 }
 
 func TestNewPRSignedByKeyPath(t *testing.T) {
 	const testPath = "/foo/bar"
-	_pr, err := NewPRSignedByKeyPath(SBKeyTypeGPGKeys, testPath, NewPRMMatchExact())
+	_pr, err := NewPRSignedByKeyPath(SBKeyTypeGPGKeys, testPath, NewPRMMatchExact(), SBKeyTypeUntaggedReferenceAllow)
 	require.NoError(t, err)
 	pr, ok := _pr.(*prSignedBy)
 	require.True(t, ok)
@@ -681,7 +681,7 @@ func TestNewPRSignedByKeyPath(t *testing.T) {
 
 func TestNewPRSignedByKeyData(t *testing.T) {
 	testData := []byte("abc")
-	_pr, err := NewPRSignedByKeyData(SBKeyTypeGPGKeys, testData, NewPRMMatchExact())
+	_pr, err := NewPRSignedByKeyData(SBKeyTypeGPGKeys, testData, NewPRMMatchExact(), SBKeyTypeUntaggedReferenceAllow)
 	require.NoError(t, err)
 	pr, ok := _pr.(*prSignedBy)
 	require.True(t, ok)
@@ -710,7 +710,7 @@ func TestPRSignedByUnmarshalJSON(t *testing.T) {
 	testInvalidJSONInput(t, &pr)
 
 	// Start with a valid JSON.
-	validPR, err := NewPRSignedByKeyData(SBKeyTypeGPGKeys, []byte("abc"), NewPRMMatchExact())
+	validPR, err := NewPRSignedByKeyData(SBKeyTypeGPGKeys, []byte("abc"), NewPRMMatchExact(), SBKeyTypeUntaggedReferenceAllow)
 	require.NoError(t, err)
 	validJSON, err := json.Marshal(validPR)
 	require.NoError(t, err)
@@ -722,7 +722,7 @@ func TestPRSignedByUnmarshalJSON(t *testing.T) {
 	assert.Equal(t, validPR, &pr)
 
 	// Success with KeyPath
-	kpPR, err := NewPRSignedByKeyPath(SBKeyTypeGPGKeys, "/foo/bar", NewPRMMatchExact())
+	kpPR, err := NewPRSignedByKeyPath(SBKeyTypeGPGKeys, "/foo/bar", NewPRMMatchExact(), SBKeyTypeUntaggedReferenceAllow)
 	require.NoError(t, err)
 	testJSON, err := json.Marshal(kpPR)
 	require.NoError(t, err)
@@ -782,7 +782,7 @@ func TestPRSignedByUnmarshalJSON(t *testing.T) {
 		assert.Error(t, err)
 	}
 	// Handle "keyPath", which is not in validJSON, specially
-	pathPR, err := NewPRSignedByKeyPath(SBKeyTypeGPGKeys, "/foo/bar", NewPRMMatchExact())
+	pathPR, err := NewPRSignedByKeyPath(SBKeyTypeGPGKeys, "/foo/bar", NewPRMMatchExact(), SBKeyTypeUntaggedReferenceAllow)
 	require.NoError(t, err)
 	testJSON, err = json.Marshal(pathPR)
 	require.NoError(t, err)

signature/policy_eval.go

@@ -70,7 +70,10 @@ type PolicyReferenceMatch interface {
 	// matchesDockerReference decides whether a specific image identity is accepted for an image
 	// (or, usually, for the image's Reference().DockerReference()).  Note that
 	// image.Reference().DockerReference() may be nil.
-	matchesDockerReference(image types.UnparsedImage, signatureDockerReference string) bool
+	//
+	// TODO(runcom): document byDigest
+	// TODO(runcom): document digest
+	matchesDockerReference(image types.UnparsedImage, signatureDockerReference, signatureManifstDigest string, byDigest bool) bool
 }
 
 // PolicyContext encapsulates a policy and possible cached state

signature/policy_eval_signedby.go

@@ -69,8 +69,8 @@ func (pr *prSignedBy) isSignatureAuthorAccepted(image types.UnparsedImage, sig [
 			// not be reachable.
 			return PolicyRequirementError(fmt.Sprintf("Signature by key %s is not accepted", keyIdentity))
 		},
-		validateSignedDockerReference: func(ref string) error {
-			if !pr.SignedIdentity.matchesDockerReference(image, ref) {
+		validateSignedDockerReference: func(ref, digest string) error {
+			if !pr.SignedIdentity.matchesDockerReference(image, ref, digest, pr.ReferencesByDigest == SBKeyTypeUntaggedReferenceAllow) {
 				return PolicyRequirementError(fmt.Sprintf("Signature for identity %s is not accepted", ref))
 			}
 			return nil