Don't decrypt images by default

A non-nil but empty decryption configuration seems to be valid enough to trigger decryption in some configurations, per containers/podman#18196 . Like in Skopeo and Podman, only decrypt when the user explicitly instructs us to (e.g. not triggering decryption based on environment variables). Signed-off-by: Miloslav Trmač <[email protected]>
mtrmac · Apr 19, 2023 · 2e92317 · 2e92317
1 parent 216d6be
commit 2e92317
Show file tree

Hide file tree

Showing 5 changed files with 21 additions and 7 deletions.
diff --git a/internal/util/util.go b/internal/util/util.go
@@ -109,7 +109,7 @@ func ExportFromReader(input io.Reader, opts define.BuildOutputOption) error {
 
 // DecryptConfig translates decryptionKeys into a DescriptionConfig structure
 func DecryptConfig(decryptionKeys []string) (*encconfig.DecryptConfig, error) {
-	decryptConfig := &encconfig.DecryptConfig{}
+	var decryptConfig *encconfig.DecryptConfig
 	if len(decryptionKeys) > 0 {
 		// decryption
 		dcc, err := enchelpers.CreateCryptoConfig([]string{}, decryptionKeys)

diff --git a/internal/util/util_test.go b/internal/util/util_test.go
@@ -7,6 +7,20 @@ import (
 	"github.com/stretchr/testify/assert"
 )
 
+func TestDecryptConfig(t *testing.T) {
+	// Just a smoke test for the default path.
+	res, err := DecryptConfig(nil)
+	assert.NoError(t, err)
+	assert.Nil(t, res)
+}
+
+func TestEncryptConfig(t *testing.T) {
+	// Just a smoke test for the default path.
+	cfg, layers, err := EncryptConfig(nil, nil)
+	assert.NoError(t, err)
+	assert.Nil(t, cfg)
+	assert.Nil(t, layers)
+}
 func TestGetFormat(t *testing.T) {
 	_, err := GetFormat("bogus")
 	assert.NotNil(t, err)

diff --git a/tests/bud.bats b/tests/bud.bats
@@ -3998,7 +3998,7 @@ EOM
 
   # Try to build from encrypted image without key
   run_buildah 125 build $WITH_POLICY_JSON --tls-verify=false  --creds testuser:testpassword -t ${target} -f $contextdir/Dockerfile
-  assert "$output" =~ "missing private key needed for decryption"
+  assert "$output" =~ "archive/tar: invalid tar header"
 
   # Try to build from encrypted image with wrong key
   run_buildah 125 build $WITH_POLICY_JSON --tls-verify=false  --creds testuser:testpassword --decryption-key $contextdir/mykey2.pem -t ${target} -f $contextdir/Dockerfile

diff --git a/tests/from.bats b/tests/from.bats
@@ -428,7 +428,7 @@ load helpers
 
   # Try encrypted image without key should fail
   run_buildah 125 from oci:${TEST_SCRATCH_DIR}/tmp/busybox_enc
-  expect_output --substring "decrypting layer .* missing private key needed for decryption"
+  expect_output --substring "archive/tar: invalid tar header"
 
   # Try encrypted image with wrong key should fail
   run_buildah 125 from --decryption-key ${TEST_SCRATCH_DIR}/tmp/mykey2.pem oci:${TEST_SCRATCH_DIR}/tmp/busybox_enc
@@ -451,7 +451,7 @@ load helpers
 
   # Try encrypted image without key should fail
   run_buildah 125 from --tls-verify=false --creds testuser:testpassword docker://localhost:${REGISTRY_PORT}/buildah/busybox_encrypted:latest
-  expect_output --substring "decrypting layer .* missing private key needed for decryption"
+  expect_output --substring "archive/tar: invalid tar header"
 
   # Try encrypted image with wrong key should fail
   run_buildah 125 from --tls-verify=false --creds testuser:testpassword --decryption-key ${TEST_SCRATCH_DIR}/tmp/mykey2.pem docker://localhost:${REGISTRY_PORT}/buildah/busybox_encrypted:latest

diff --git a/tests/pull.bats b/tests/pull.bats
@@ -191,7 +191,7 @@ load helpers
 
   # Try to pull encrypted image without key should fail
   run_buildah 125 pull $WITH_POLICY_JSON oci:${TEST_SCRATCH_DIR}/tmp/busybox_enc
-  expect_output --substring "decrypting layer .* missing private key needed for decryption"
+  expect_output --substring "archive/tar: invalid tar header"
 
   # Try to pull encrypted image with wrong key should fail
   run_buildah 125 pull $WITH_POLICY_JSON --decryption-key ${TEST_SCRATCH_DIR}/tmp/mykey2.pem oci:${TEST_SCRATCH_DIR}/tmp/busybox_enc
@@ -214,7 +214,7 @@ load helpers
 
   # Try to pull encrypted image without key should fail
   run_buildah 125 pull $WITH_POLICY_JSON --tls-verify=false --creds testuser:testpassword docker://localhost:${REGISTRY_PORT}/buildah/busybox_encrypted:latest
-  expect_output --substring "decrypting layer .* missing private key needed for decryption"
+  expect_output --substring "archive/tar: invalid tar header"
 
   # Try to pull encrypted image with wrong key should fail, with diff. msg
   run_buildah 125 pull $WITH_POLICY_JSON --tls-verify=false --creds testuser:testpassword --decryption-key ${TEST_SCRATCH_DIR}/tmp/mykey2.pem docker://localhost:${REGISTRY_PORT}/buildah/busybox_encrypted:latest
@@ -241,7 +241,7 @@ load helpers
 
   # Try to pull encrypted image without key should fail
   run_buildah 125 pull $WITH_POLICY_JSON --tls-verify=false --creds testuser:testpassword docker://localhost:${REGISTRY_PORT}/buildah/busybox_encrypted:latest
-  expect_output --substring "decrypting layer .* missing private key needed for decryption"
+  expect_output --substring "archive/tar: invalid tar header"
 
   # Try to pull encrypted image with wrong key should fail
   run_buildah 125 pull $WITH_POLICY_JSON --tls-verify=false --creds testuser:testpassword --decryption-key ${TEST_SCRATCH_DIR}/tmp/mykey2.pem docker://localhost:${REGISTRY_PORT}/buildah/busybox_encrypted:latest