Don't decrypt images by default

A non-nil but empty decryption configuration
seems to be valid enough to trigger decryption in some
configurations, per
containers/podman#18196 .

Like in Skopeo and Podman, only decrypt when the user explicitly
instructs us to (e.g. not triggering decryption based on environment
variables).

Signed-off-by: Miloslav Trmač <[email protected]>

internal/util/util.go

@@ -109,7 +109,7 @@ func ExportFromReader(input io.Reader, opts define.BuildOutputOption) error {
 
 // DecryptConfig translates decryptionKeys into a DescriptionConfig structure
 func DecryptConfig(decryptionKeys []string) (*encconfig.DecryptConfig, error) {
-	decryptConfig := &encconfig.DecryptConfig{}
+	var decryptConfig *encconfig.DecryptConfig
 	if len(decryptionKeys) > 0 {
 		// decryption
 		dcc, err := enchelpers.CreateCryptoConfig([]string{}, decryptionKeys)

internal/util/util_test.go

@@ -7,6 +7,20 @@ import (
 	"github.com/stretchr/testify/assert"
 )
 
+func TestDecryptConfig(t *testing.T) {
+	// Just a smoke test for the default path.
+	res, err := DecryptConfig(nil)
+	assert.NoError(t, err)
+	assert.Nil(t, res)
+}
+
+func TestEncryptConfig(t *testing.T) {
+	// Just a smoke test for the default path.
+	cfg, layers, err := EncryptConfig(nil, nil)
+	assert.NoError(t, err)
+	assert.Nil(t, cfg)
+	assert.Nil(t, layers)
+}
 func TestGetFormat(t *testing.T) {
 	_, err := GetFormat("bogus")
 	assert.NotNil(t, err)

tests/from.bats

@@ -427,6 +427,7 @@ load helpers
   run_buildah push $WITH_POLICY_JSON --tls-verify=false --creds testuser:testpassword --encryption-key jwe:${TEST_SCRATCH_DIR}/tmp/mykey.pub busybox oci:${TEST_SCRATCH_DIR}/tmp/busybox_enc
 
   # Try encrypted image without key should fail
+  # FIXME should be a different error.
   run_buildah 125 from oci:${TEST_SCRATCH_DIR}/tmp/busybox_enc
   expect_output --substring "decrypting layer .* missing private key needed for decryption"