diff --git a/command/container/create.go b/command/container/create.go
index 13890d9ef5..787d09b3f6 100644
--- a/command/container/create.go
+++ b/command/container/create.go
@@ -52,7 +52,7 @@ func NewCreateCommand(dockerCli *command.DockerCli) *cobra.Command {
 // with hostname
 flags.Bool("help", false, "Print usage")
- command.AddTrustedFlags(flags, true)
+ command.AddTrustVerificationFlags(flags)
 copts = addFlags(flags)
 return cmd
 }
diff --git a/command/container/run.go b/command/container/run.go
index cbe64548ea..e805ca1a57 100644
--- a/command/container/run.go
+++ b/command/container/run.go
@@ -61,7 +61,7 @@ func NewRunCommand(dockerCli *command.DockerCli) *cobra.Command {
 // with hostname
 flags.Bool("help", false, "Print usage")
- command.AddTrustedFlags(flags, true)
+ command.AddTrustVerificationFlags(flags)
 copts = addFlags(flags)
 return cmd
 }
diff --git a/command/image/build.go b/command/image/build.go
index 5d6e611406..3c92ba20b9 100644
--- a/command/image/build.go
+++ b/command/image/build.go
@@ -108,7 +108,7 @@ func NewBuildCommand(dockerCli *command.DockerCli) *cobra.Command {
 flags.StringSliceVar(&options.securityOpt, "security-opt", []string{}, "Security options")
 flags.StringVar(&options.networkMode, "network", "default", "Set the networking mode for the RUN instructions during build")
- command.AddTrustedFlags(flags, true)
+ command.AddTrustVerificationFlags(flags)
 flags.BoolVar(&options.squash, "squash", false, "Squash newly built layers into a single new layer")
 flags.SetAnnotation("squash", "experimental", nil)
diff --git a/command/image/pull.go b/command/image/pull.go
index 24933fe846..e840671c62 100644
--- a/command/image/pull.go
+++ b/command/image/pull.go
@@ -36,7 +36,7 @@ func NewPullCommand(dockerCli *command.DockerCli) *cobra.Command {
 flags := cmd.Flags()
 flags.BoolVarP(&opts.all, "all-tags", "a", false, "Download all tagged images in the repository")
- command.AddTrustedFlags(flags, true)
+ command.AddTrustVerificationFlags(flags)
 return cmd
 }
diff --git a/command/image/push.go b/command/image/push.go
index a8ce4945ec..a5ba7d794e 100644
--- a/command/image/push.go
+++ b/command/image/push.go
@@ -24,7 +24,7 @@ func NewPushCommand(dockerCli *command.DockerCli) *cobra.Command {
 flags := cmd.Flags()
- command.AddTrustedFlags(flags, true)
+ command.AddTrustSigningFlags(flags)
 return cmd
 }
diff --git a/command/plugin/install.go b/command/plugin/install.go
index a64dc2525a..fd30600370 100644
--- a/command/plugin/install.go
+++ b/command/plugin/install.go
@@ -47,7 +47,7 @@ func newInstallCommand(dockerCli *command.DockerCli) *cobra.Command {
 flags.BoolVar(&options.disable, "disable", false, "Do not enable the plugin on install")
 flags.StringVar(&options.alias, "alias", "", "Local name for plugin")
- command.AddTrustedFlags(flags, true)
+ command.AddTrustVerificationFlags(flags)
 return cmd
 }
diff --git a/command/plugin/push.go b/command/plugin/push.go
index b0766307f3..1a9c592a93 100644
--- a/command/plugin/push.go
+++ b/command/plugin/push.go
@@ -26,7 +26,7 @@ func newPushCommand(dockerCli *command.DockerCli) *cobra.Command {
 flags := cmd.Flags()
- command.AddTrustedFlags(flags, true)
+ command.AddTrustSigningFlags(flags)
 return cmd
 }
diff --git a/command/trust.go b/command/trust.go
index b4c8a84ee5..c0742bc5b2 100644
--- a/command/trust.go
+++ b/command/trust.go
@@ -12,13 +12,20 @@ var (
 untrusted bool
 )
-// AddTrustedFlags adds content trust flags to the current command flagset
-func AddTrustedFlags(fs *pflag.FlagSet, verify bool) {
- trusted, message := setupTrustedFlag(verify)
- fs.BoolVar(&untrusted, "disable-content-trust", !trusted, message)
+// AddTrustVerificationFlags adds content trust flags to the provided flagset
+func AddTrustVerificationFlags(fs *pflag.FlagSet) {
+ trusted := getDefaultTrustState()
+ fs.BoolVar(&untrusted, "disable-content-trust", !trusted, "Skip image verification")
 }
-func setupTrustedFlag(verify bool) (bool, string) {
+// AddTrustSigningFlags adds "signing" flags to the provided flagset
+func AddTrustSigningFlags(fs *pflag.FlagSet) {
+ trusted := getDefaultTrustState()
+ fs.BoolVar(&untrusted, "disable-content-trust", !trusted, "Skip image signing")
+}
+
+// getDefaultTrustState returns true if content trust is enabled through the $DOCKER_CONTENT_TRUST environment variable.
+func getDefaultTrustState() bool {
 var trusted bool
 if e := os.Getenv("DOCKER_CONTENT_TRUST"); e != "" {
 if t, err := strconv.ParseBool(e); t || err != nil {
@@ -26,14 +33,11 @@ func setupTrustedFlag(verify bool) (bool, string) {
 trusted = true
 }
 }
- message := "Skip image signing"
- if verify {
- message = "Skip image verification"
- }
- return trusted, message
+ return trusted
 }
-// IsTrusted returns true if content trust is enabled
+// IsTrusted returns true if content trust is enabled, either through the $DOCKER_CONTENT_TRUST environment variable,
+// or through `--disabled-content-trust=false` on a command.
 func IsTrusted() bool {
 return !untrusted
 }
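Review bot: The new doc comment on `getDefaultTrustState` understates what the function does: because of `t || err != nil`, a non-empty `DOCKER_CONTENT_TRUST` value that fails `strconv.ParseBool` also turns content trust on, not only a true value. That fail-closed default is the security-relevant behaviour and the comment should say so, e.g. `// getDefaultTrustState reports whether $DOCKER_CONTENT_TRUST enables content trust; any non-empty value that does not parse as a bool also counts as enabled.` The function body continues past the end of this hunk. The comments on `AddTrustVerificationFlags` and `AddTrustSigningFlags` could also note that both register the same `disable-content-trust` flag bound to the package-level `untrusted`, so a command should call only one of them.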
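Review bot: The rewritten `IsTrusted` comment names the flag as `--disabled-content-trust=false`, but the flag registered in this file is `disable-content-trust`, so a reader copying the comment would pass a flag that does not exist. In the second comment line, `--disabled-content-trust=false` should be `--disable-content-trust=false`. Since `IsTrusted` just returns `!untrusted`, the comment could also state that the result reflects the command-line override only once the command's flags have been parsed; that ordering is inferred from the `fs.BoolVar(&untrusted, ...)` binding rather than shown here.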