From 2f7c8c2abd81febcae7e3ff9155a97febfec3f19 Mon Sep 17 00:00:00 2001
From: Daniel Jiang
Date: Thu, 3 Sep 2020 16:07:36 +0800
Subject: [PATCH] Check the tag in isArtifactSigned func

This commit ensures that when CLI is pulling a tag, the content trust middleware check the data in notary to ensure the particular tag is signed, not only the digest.

Signed-off-by: Daniel Jiang
---
 src/server/middleware/contenttrust/contenttrust.go | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/src/server/middleware/contenttrust/contenttrust.go b/src/server/middleware/contenttrust/contenttrust.go
index 70792e844..152a89728 100644
--- a/src/server/middleware/contenttrust/contenttrust.go
+++ b/src/server/middleware/contenttrust/contenttrust.go
@@ -21,6 +21,9 @@ var (
 if err != nil {
 return false, err
 }
+ if len(art.Tag) > 0 {
+ return checker.IsTagSigned(art.Tag, art.Digest), nil
+ }
 return checker.IsArtifactSigned(art.Digest), nil
 }
 )
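Review bot: The new `if len(art.Tag) > 0` branch has no comment saying why a signed digest alone is not enough, and the diffstat shows only this file changed, so no test pins the tag path. I would add above the `if`: `// A digest signed under one tag does not make every tag that points at it trusted; for a pull by tag, require that this tag is signed for this digest.` The fallback to `checker.IsArtifactSigned(art.Digest)` still runs whenever `art.Tag` is empty, so the check is only as strong as the code that populates `art.Tag`, which lies outside this hunk along with the start of the enclosing function. A test that pulls by a tag whose digest is signed only under a different tag, and expects `false`, would guard against that regression.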