From 49d0d5430267838befd4fe563afd171e566867c7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Miloslav=20Trma=C4=8D?=
Date: Tue, 18 Apr 2023 21:10:27 +0200
Subject: [PATCH] Don't decrypt images by default
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
A non-nil but empty decryption configuration seems to be valid enough to trigger decryption in some configurations, per https://github.com/containers/podman/issues/18196 . Like in Skopeo and Podman, only decrypt when the user explicitly instructs us to (e.g. not triggering decryption based on environment variables).
Signed-off-by: Miloslav Trmač
---
 internal/util/util.go | 2 +-
 internal/util/util_test.go | 14 ++++++++++++++
 tests/from.bats | 1 +
 3 files changed, 16 insertions(+), 1 deletion(-)
diff --git a/internal/util/util.go b/internal/util/util.go
index c945ca85b8b..e2c1cfb566a 100644
--- a/internal/util/util.go
+++ b/internal/util/util.go
@@ -109,7 +109,7 @@ func ExportFromReader(input io.Reader, opts define.BuildOutputOption) error {
 // DecryptConfig translates decryptionKeys into a DescriptionConfig structure
 func DecryptConfig(decryptionKeys []string) (*encconfig.DecryptConfig, error) {
- decryptConfig := &encconfig.DecryptConfig{}
+ var decryptConfig *encconfig.DecryptConfig
 if len(decryptionKeys) > 0 {
 // decryption
 dcc, err := enchelpers.CreateCryptoConfig([]string{}, decryptionKeys)
diff --git a/internal/util/util_test.go b/internal/util/util_test.go
index c7109eb610e..62c40a3993c 100644
--- a/internal/util/util_test.go
+++ b/internal/util/util_test.go
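Review bot: The doc comment kept above `DecryptConfig` still reads "DescriptionConfig structure" and says nothing about the new contract, namely that the function now returns a nil config when `decryptionKeys` is empty. Since a nil result is what keeps image decryption off unless the user asks for it, the comment should state that, for example `// DecryptConfig translates decryptionKeys into a DecryptConfig structure; it returns nil when no keys are given, so decryption is never enabled implicitly.` Callers are not visible in this hunk; any that dereference the returned pointer without a nil check would now panic and are worth a quick audit. The function body continues past the end of the hunk.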
@@ -7,6 +7,20 @@ import (
 "github.com/stretchr/testify/assert"
 )
+func TestDecryptConfig(t *testing.T) {
+ // Just a smoke test for the default path.
+ res, err := DecryptConfig(nil)
+ assert.NoError(t, err)
+ assert.Nil(t, res)
+}
+
+func TestEncryptConfig(t *testing.T) {
+ // Just a smoke test for the default path.
+ cfg, layers, err := EncryptConfig(nil, nil)
+ assert.NoError(t, err)
+ assert.Nil(t, cfg)
+ assert.Nil(t, layers)
+}
 func TestGetFormat(t *testing.T) {
 _, err := GetFormat("bogus")
 assert.NotNil(t, err)
diff --git a/tests/from.bats b/tests/from.bats
index 118868cbed6..8e6a8bb4c7c 100644
--- a/tests/from.bats
+++ b/tests/from.bats
@@ -427,6 +427,7 @@ load helpers
 run_buildah push $WITH_POLICY_JSON --tls-verify=false --creds testuser:testpassword --encryption-key jwe:${TEST_SCRATCH_DIR}/tmp/mykey.pub busybox oci:${TEST_SCRATCH_DIR}/tmp/busybox_enc
 # Try encrypted image without key should fail
+ # FIXME should be a different error.
 run_buildah 125 from oci:${TEST_SCRATCH_DIR}/tmp/busybox_enc
 expect_output --substring "decrypting layer .* missing private key needed for decryption"
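Review bot: `TestDecryptConfig` exercises only a nil slice, while the guard in `DecryptConfig` is `len(decryptionKeys) > 0`, so the empty but non-nil case is left unpinned. That is the shape an option parser may plausibly hand over when no key flag is set, so the test should add `res, err = DecryptConfig([]string{})` followed by `assert.Nil(t, res)`. With that in place, a later refactor of the guard cannot quietly bring back the implicit-decryption default this commit removes. If a test key fixture is available, a case asserting a non-nil config for a real key would cover the explicit path as well.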
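Review bot: The added `# FIXME should be a different error.` does not say which error is expected or where the follow-up is tracked, and the `expect_output` line after it still pins the "missing private key needed for decryption" text. Read on its own, that assertion suggests the layer decryption path is still entered when no key was supplied, though this is inferred from the message only. If the intent is to fail earlier, the comment should say so, for example `# FIXME: without a decryption key this should fail before decryption is attempted; update the expected message once it does.` That keeps the current assertion from being mistaken for the desired outcome.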