A container registry that uses the AT Protocol for manifest storage and S3 for blob storage.
1#!/bin/bash
2# Verify and Pull Script
3#
4# This script verifies ATProto signatures before pulling images with Docker.
5# It acts as a wrapper around `docker pull` to enforce signature verification.
6#
7# Usage: ./verify-and-pull.sh IMAGE [DOCKER_PULL_OPTIONS]
8# Example: ./verify-and-pull.sh atcr.io/alice/myapp:latest
9# Example: ./verify-and-pull.sh atcr.io/alice/myapp:latest --platform linux/amd64
10#
11# To use this as a replacement for docker pull, create an alias:
12# alias docker-pull-secure='/path/to/verify-and-pull.sh'
13
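set -e

# Configuration — every value may be overridden from the environment.
# "$0" is quoted so a script path containing whitespace still resolves;
# the resulting directory stays relative to the caller's cwd, as before.
SCRIPT_DIR="$(dirname "$0")"
VERIFY_SCRIPT="${VERIFY_SCRIPT:-${SCRIPT_DIR}/atcr-verify.sh}"
TRUST_POLICY="${TRUST_POLICY:-${SCRIPT_DIR}/trust-policy.yaml}"
# "true": refuse to pull when verification fails or the image is not from ATCR
REQUIRE_VERIFICATION="${REQUIRE_VERIFICATION:-true}"
# "true": pull non-ATCR images without any verification attempt
SKIP_ATCR_IMAGES="${SKIP_ATCR_IMAGES:-false}"

# ANSI colour escapes used by the print_* helpers; they are stored as literal
# backslash sequences and only interpreted when printed with echo -e / printf '%b'.
readonly RED='\033[0;31m'
readonly GREEN='\033[0;32m'
readonly YELLOW='\033[1;33m'
readonly BLUE='\033[0;34m'
readonly NC='\033[0m'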
28
# Print the blue banner shown at the start of every run (blank line, rule,
# title, rule, blank line). Uses BLUE/NC from the file's colour table.
print_header() {
  local rule='═══════════════════════════════════════════════════'
  printf '\n'
  printf '%b\n' "${BLUE}${rule}${NC}"
  printf '%b\n' "${BLUE} Secure Image Pull with Signature Verification${NC}"
  printf '%b\n' "${BLUE}${rule}${NC}"
  printf '\n'
}
36
# Print a green check mark followed by the message given in $1.
# Arguments: $1 - message text
# Outputs:   one line on stdout
print_success() {
  local msg=$1
  printf '%b\n' "${GREEN}✓${NC} ${msg}"
}
40
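# Print a red cross followed by the message given in $1.
# Arguments: $1 - message text
# Outputs:   one line on stderr — diagnostics must not land on stdout, where a
#            caller wrapping this script could mistake them for data.
print_error() {
  printf '%b\n' "${RED}✗${NC} $1" >&2
}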
44
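# Print a yellow warning sign followed by the message given in $1.
# Arguments: $1 - message text
# Outputs:   one line on stderr, so warnings stay out of any captured stdout.
print_warning() {
  printf '%b\n' "${YELLOW}⚠${NC} $1" >&2
}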
48
49# Check if image is from ATCR
# Return 0 when the image reference begins with the ATCR registry host
# ("atcr.io/"), 1 otherwise. This is a plain textual prefix test on the
# reference: a host written with an explicit port (atcr.io:443/...) is not
# treated as ATCR, and nothing is resolved or normalised.
# Arguments: $1 - image reference as given on the command line
is_atcr_image() {
  local ref=$1
  # glob match: '.' is literal inside [[ ]] patterns, '*' is the rest of the ref
  [[ "$ref" == atcr.io/* ]]
}
58
59# Main function
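# Print the command-line usage text to stderr.
usage() {
  cat >&2 <<EOF
Usage: $0 IMAGE [DOCKER_PULL_OPTIONS]

Examples:
 $0 atcr.io/alice/myapp:latest
 $0 atcr.io/alice/myapp:latest --platform linux/amd64

Environment variables:
 VERIFY_SCRIPT - Path to verification script (default: ./atcr-verify.sh)
 TRUST_POLICY - Path to trust policy (default: ./trust-policy.yaml)
 REQUIRE_VERIFICATION - Require verification for ATCR images (default: true)
 SKIP_ATCR_IMAGES - Skip verification for non-ATCR images (default: false)
EOF
}

# Main entry point: verify the image's ATProto signature, then docker pull it.
# Arguments: $1 - image reference; any further arguments are passed verbatim
#            to `docker pull` ahead of the image
# Globals:   VERIFY_SCRIPT, REQUIRE_VERIFICATION, SKIP_ATCR_IMAGES (read)
# Returns:   exits 0 after a successful pull; 1 on usage error, missing
#            docker or verifier, blocked verification, or failed pull
main() {
  if [ $# -eq 0 ]; then
    usage
    exit 1
  fi

  local image="$1"
  shift
  # Keep the pass-through options as an array so an option value containing
  # whitespace or glob characters reaches docker as one argument instead of
  # being re-split (the previous "$@"-into-a-string form broke such values).
  local -a docker_args=("$@")
  # Flipped to "false" only when a failed verification is overridden; the
  # summary must not claim "Verified" in that case.
  local verified=true
  local rule='═══════════════════════════════════════════════════'

  print_header

  # The image reference is caller-supplied, so print it with %s rather than
  # through echo -e, which would interpret backslash escapes inside it.
  printf '%b %s\n' "${BLUE}Image:${NC}" "$image"
  if [ "${#docker_args[@]}" -gt 0 ]; then
    printf '%b %s\n' "${BLUE}Docker options:${NC}" "${docker_args[*]}"
  fi
  echo ""

  if ! command -v docker >/dev/null 2>&1; then
    print_error "docker is not installed or not on PATH"
    exit 1
  fi

  # Images from other registries are never verified by this script: either
  # refuse them (default) or hand straight over to docker pull.
  if ! is_atcr_image "$image"; then
    if [ "$SKIP_ATCR_IMAGES" = "true" ]; then
      print_warning "Not an ATCR image - skipping signature verification"
      echo ""
      # exec: the script's exit status becomes docker's, as `exit $?` did.
      exec docker pull "${docker_args[@]}" "$image"
    fi
    print_warning "Not an ATCR image"
    if [ "$REQUIRE_VERIFICATION" = "true" ]; then
      print_error "Verification required but image is not from ATCR"
      exit 1
    fi
    print_warning "Proceeding without verification"
    echo ""
    exec docker pull "${docker_args[@]}" "$image"
  fi

  # Step 1: Verify signature
  echo -e "${BLUE}Step 1: Verifying ATProto signature${NC}"
  echo ""

  if [ ! -f "$VERIFY_SCRIPT" ]; then
    print_error "Verification script not found: $VERIFY_SCRIPT"
    exit 1
  fi

  # NOTE(review): TRUST_POLICY is configured at the top of this file but is
  # neither passed to the verifier as an argument nor exported here — confirm
  # how atcr-verify.sh locates its policy before relying on that variable.
  if bash "$VERIFY_SCRIPT" "$image"; then
    print_success "Signature verification passed"
    echo ""
  else
    print_error "Signature verification failed"
    echo ""

    if [ "$REQUIRE_VERIFICATION" = "true" ]; then
      echo -e "${RED}Image pull blocked due to failed signature verification${NC}"
      echo ""
      echo "To proceed anyway (NOT RECOMMENDED), run:"
      # %q shell-quotes each word so the hint is safe to paste even when the
      # reference or an option contains shell metacharacters.
      printf ' REQUIRE_VERIFICATION=false'
      printf ' %q' "$0" "$image" "${docker_args[@]}"
      printf '\n'
      exit 1
    fi
    print_warning "Verification failed but REQUIRE_VERIFICATION=false"
    print_warning "Proceeding with pull (NOT RECOMMENDED)"
    echo ""
    verified=false
  fi

  # Step 2: Pull image
  echo -e "${BLUE}Step 2: Pulling image${NC}"
  echo ""

  if ! docker pull "${docker_args[@]}" "$image"; then
    print_error "Failed to pull image"
    exit 1
  fi
  print_success "Image pulled successfully"

  # Summary — reflects what actually happened rather than always reporting
  # "Verified", so an overridden verification is visible in logs.
  echo ""
  if [ "$verified" = "true" ]; then
    echo -e "${GREEN}${rule}${NC}"
    echo -e "${GREEN} ✓ Secure pull completed successfully${NC}"
    echo -e "${GREEN}${rule}${NC}"
    echo ""
    printf '%b %s\n' "${BLUE}Image:${NC}" "$image"
    echo -e "${BLUE}Status:${NC} Verified and pulled"
  else
    echo -e "${YELLOW}${rule}${NC}"
    echo -e "${YELLOW} ⚠ Pull completed WITHOUT signature verification${NC}"
    echo -e "${YELLOW}${rule}${NC}"
    echo ""
    printf '%b %s\n' "${BLUE}Image:${NC}" "$image"
    echo -e "${BLUE}Status:${NC} Pulled, signature NOT verified"
  fi
  echo ""
}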
160
# Entry point: hand every command-line argument to main unchanged ("$@" keeps
# each argument as a separate word).
main "$@"