Add option to disable signatures

Add option for specifying trust key for signing schema1 manifests. Since schema1 signature key identifiers are not verified anywhere and deprecated, storing signatures is no longer a requirement. Furthermore in schema2 there is no signature, requiring the registry to already add signatures to generated schema1 manifests. Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
2016-02-10 15:20:39 -08:00 · 2016-02-10 15:20:39 -08:00 · 956ece5c70
commit 956ece5c70
parent c4b79bda8a
4 changed files with 115 additions and 33 deletions
--- a/docs/storage/signedmanifesthandler.go
+++ b/docs/storage/signedmanifesthandler.go
@ -25,10 +25,17 @@ var _ ManifestHandler = &signedManifestHandler{}

 func (ms *signedManifestHandler) Unmarshal(ctx context.Context, dgst digest.Digest, content []byte) (distribution.Manifest, error) {
 	context.GetLogger(ms.ctx).Debug("(*signedManifestHandler).Unmarshal")
-	// Fetch the signatures for the manifest
-	signatures, err := ms.signatures.Get(dgst)
-	if err != nil {
-		return nil, err
+
+	var (
+		signatures [][]byte
+		err        error
+	)
+	if ms.repository.schema1SignaturesEnabled {
+		// Fetch the signatures for the manifest
+		signatures, err = ms.signatures.Get(dgst)
+		if err != nil {
+			return nil, err
+		}
 	}

 	jsig, err := libtrust.NewJSONSignature(content, signatures...)
@ -36,6 +43,14 @@ func (ms *signedManifestHandler) Unmarshal(ctx context.Context, dgst digest.Dige
 		return nil, err
 	}

+	if ms.repository.schema1SigningKey != nil {
+		if err := jsig.Sign(ms.repository.schema1SigningKey); err != nil {
+			return nil, err
+		}
+	} else if !ms.repository.schema1SignaturesEnabled {
+		return nil, fmt.Errorf("missing signing key with signature store disabled")
+	}
+
 	// Extract the pretty JWS
 	raw, err := jsig.PrettySignature("signatures")
 	if err != nil {
@ -75,14 +90,16 @@ func (ms *signedManifestHandler) Put(ctx context.Context, manifest distribution.
 		return "", err
 	}

-	// Grab each json signature and store them.
-	signatures, err := sm.Signatures()
-	if err != nil {
-		return "", err
-	}
+	if ms.repository.schema1SignaturesEnabled {
+		// Grab each json signature and store them.
+		signatures, err := sm.Signatures()
+		if err != nil {
+			return "", err
+		}

-	if err := ms.signatures.Put(revision.Digest, signatures...); err != nil {
-		return "", err
+		if err := ms.signatures.Put(revision.Digest, signatures...); err != nil {
+			return "", err
+		}
 	}

 	return revision.Digest, nil