Verify signatures on pull

Makefile

@@ -5,6 +5,7 @@ export GO15VENDOREXPERIMENT=1
 PREFIX ?= ${DESTDIR}/usr
 INSTALLDIR=${PREFIX}/bin
 MANINSTALLDIR=${PREFIX}/share/man
+CONTAINERSSYSCONFIGDIR=${DESTDIR}/etc/containers
 BASHINSTALLDIR=${PREFIX}/share/bash-completion/completions
 GO_MD2MAN ?= /usr/bin/go-md2man
 
@@ -60,14 +61,13 @@ clean:
 	rm -f skopeo docs/*.1
 
 install: install-binary install-docs install-completions
+	install -D -m 644 default-policy.json ${CONTAINERSSYSCONFIGDIR}/policy.json
 
 install-binary: ./skopeo
-	install -d -m 0755 ${INSTALLDIR}
-	install -m 755 skopeo ${INSTALLDIR}
+	install -D -m 755 skopeo ${INSTALLDIR}/skopeo
 
 install-docs: docs/skopeo.1
-	install -d -m 0755 ${MANINSTALLDIR}/man1
-	install -m 644 docs/skopeo.1 ${MANINSTALLDIR}/man1/
+	install -D -m 644 docs/skopeo.1 ${MANINSTALLDIR}/man1/skopeo.1
 
 install-completions:
 	install -m 644 -T hack/make/bash_autocomplete ${BASHINSTALLDIR}/skopeo

cmd/skopeo/copy.go

@@ -80,6 +80,12 @@ func copyHandler(context *cli.Context) error {
 		return errors.New("Usage: copy source destination")
 	}
 
+	policyContext, err := getPolicyContext(context)
+	if err != nil {
+		return fmt.Errorf("Error loading verification policy: %v", err)
+	}
+	defer policyContext.Destroy()
+
 	dest, err := parseImageDestination(context, context.Args()[1])
 	if err != nil {
 		return fmt.Errorf("Error initializing %s: %v", context.Args()[1], err)
@@ -93,11 +99,21 @@ func copyHandler(context *cli.Context) error {
 
 	signBy := context.String("sign-by")
 
+	// Please keep this policy check BEFORE reading any other information about the image.
+	if allowed, err := policyContext.IsRunningImageAllowed(src); !allowed || err != nil { // Be paranoid and fail if either return value indicates so.
+		return fmt.Errorf("Source image rejected: %v", err)
+	}
+
 	manifest, _, err := src.Manifest()
 	if err != nil {
 		return fmt.Errorf("Error reading manifest: %v", err)
 	}
 
+	sigs, err := src.Signatures()
+	if err != nil {
+		return fmt.Errorf("Error reading signatures: %v", err)
+	}
+
 	blobDigests, err := src.BlobDigests()
 	if err != nil {
 		return fmt.Errorf("Error parsing manifest: %v", err)
@@ -128,11 +144,6 @@ func copyHandler(context *cli.Context) error {
 		}
 	}
 
-	sigs, err := src.Signatures()
-	if err != nil {
-		return fmt.Errorf("Error reading signatures: %v", err)
-	}
-
 	if signBy != "" {
 		mech, err := signature.NewGPGSigningMechanism()
 		if err != nil {

cmd/skopeo/main.go

@@ -5,6 +5,7 @@ import (
 	"os"
 
 	"github.com/Sirupsen/logrus"
+	"github.com/containers/image/signature"
 	"github.com/projectatomic/skopeo/version"
 	"github.com/urfave/cli"
 )
@@ -50,6 +51,11 @@ func createApp() *cli.App {
 			Name:  "tls-verify",
 			Usage: "verify certificates",
 		},
+		cli.StringFlag{
+			Name:  "policy",
+			Value: "",
+			Usage: "Path to a signature verification policy file",
+		},
 	}
 	app.Before = func(c *cli.Context) error {
 		if c.GlobalBool("debug") {
@@ -75,3 +81,19 @@ func main() {
 		logrus.Fatal(err)
 	}
 }
+
+// getPolicyContext handles the global "policy" flag.
+func getPolicyContext(c *cli.Context) (*signature.PolicyContext, error) {
+	policyPath := c.GlobalString("policy")
+	var policy *signature.Policy // This could be cached across calls, if we had an application context.
+	var err error
+	if policyPath == "" {
+		policy, err = signature.DefaultPolicy(nil)
+	} else {
+		policy, err = signature.NewPolicyFromFile(policyPath)
+	}
+	if err != nil {
+		return nil, err
+	}
+	return signature.NewPolicyContext(policy)
+}

default-policy.json

@@ -0,0 +1,7 @@
+{
+    "default": [
+        {
+            "type": "insecureAcceptAnything"
+        }
+    ]
+}

docs/skopeo.1.md

@@ -43,6 +43,9 @@ Most commands refer to container images, using a _transport_`:`_details_ format.
 
   **--cert-path** _path_ Use certificates at _path_ (cert.pem, key.pem) to connect to the registry
 
+  **--policy** _path-to-policy_ Path to a policy.json file to use for verifying signatures and
+  deciding whether an image is accepted, instead of the default policy.
+
   **--tls-verify** _bool-value_ Verify certificates
 
   **--help**|**-h** Show help
@@ -56,6 +59,8 @@ Most commands refer to container images, using a _transport_`:`_details_ format.
 
 Copy an image (manifest, filesystem layers, signatures) from one location to another.
 
+Uses the system's signature verification policy to validate images, refuses to copy images rejected by the policy.
+
   _source-image_ use the "image name" format described above
 
   _destination-image_ use the "image name" format described above
@@ -128,6 +133,11 @@ Verify a signature using local files, digest will be printed on success.
 ## skopeo help
 show help for `skopeo`
 
+# FILES
+  **/etc/containers/policy.json**
+  Default signature verification policy file, if **--policy** is not specified.
+  The policy format is documented in https://github.com/containers/image/blob/master/docs/policy.json.md .
+
 # EXAMPLES
 
 ## skopeo copy

hack/make/test-integration

@@ -9,7 +9,7 @@ bundle_test_integration() {
 # subshell so that we can export PATH without breaking other things
 (
 	make binary-local
-	make install-binary
+	make install
 	export GO15VENDOREXPERIMENT=1
 	bundle_test_integration
 ) 2>&1