Merge branch 'distribution:main' into main

Author: Queenbih87

.github/workflows/build.yml

@@ -33,8 +33,8 @@ jobs:
       fail-fast: false
       matrix:
         go:
-          - 1.22.8
-          - 1.23.4
+          - 1.22.12
+          - 1.23.6
         target:
           - test-coverage
           - test-cloud-storage

Dockerfile

@@ -1,6 +1,6 @@
 # syntax=docker/dockerfile:1
 
-ARG GO_VERSION=1.23.4
+ARG GO_VERSION=1.23.6
 ARG ALPINE_VERSION=3.21
 ARG XX_VERSION=1.6.1
 

dockerfiles/docs.Dockerfile

@@ -1,6 +1,6 @@
 # syntax=docker/dockerfile:1
 
-ARG GO_VERSION=1.23.4
+ARG GO_VERSION=1.23.6
 ARG ALPINE_VERSION=3.21
 
 FROM golang:${GO_VERSION}-alpine${ALPINE_VERSION} AS base

dockerfiles/git.Dockerfile

@@ -1,6 +1,6 @@
 # syntax=docker/dockerfile:1
 
-ARG GO_VERSION=1.23.4
+ARG GO_VERSION=1.23.6
 ARG ALPINE_VERSION=3.21
 
 FROM alpine:${ALPINE_VERSION} AS base

dockerfiles/lint.Dockerfile

@@ -1,6 +1,6 @@
 # syntax=docker/dockerfile:1
 
-ARG GO_VERSION=1.23.4
+ARG GO_VERSION=1.23.6
 ARG ALPINE_VERSION=3.21
 ARG GOLANGCI_LINT_VERSION=v1.61.0
 ARG BUILDTAGS=""

dockerfiles/vendor.Dockerfile

@@ -1,6 +1,6 @@
 # syntax=docker/dockerfile:1
 
-ARG GO_VERSION=1.23.4
+ARG GO_VERSION=1.23.6
 ARG ALPINE_VERSION=3.21
 ARG MODOUTDATED_VERSION=v0.8.0
 

docs/content/about/garbage-collection.md

@@ -90,7 +90,7 @@ This type of garbage collection is known as stop-the-world garbage collection.
 
 Garbage collection can be run as follows
 
-`bin/registry garbage-collect [--dry-run] /path/to/config.yml`
+`bin/registry garbage-collect [--dry-run] [--delete-untagged] [--quiet] /path/to/config.yml`
 
 The garbage-collect command accepts a `--dry-run` parameter, which prints the progress
 of the mark and sweep phases without removing any data. Running with a log level of `info`
@@ -122,3 +122,8 @@ blob eligible for deletion: sha256:87192bdbe00f8f2a62527f36bb4c7c7f4eaf9307e4b87
 blob eligible for deletion: sha256:b549a9959a664038fc35c155a95742cf12297672ca0ae35735ec027d55bf4e97
 blob eligible for deletion: sha256:f251d679a7c61455f06d793e43c06786d7766c88b8c24edf242b2c08e3c3f599
 ```
+
+The `--delete-untagged` option can be used to delete manifests that are not currently referenced by a tag.
+
+The `--quiet` option suppresses any output from being printed.
+

registry/auth/token/token.go

@@ -212,18 +212,18 @@ func verifyCertChain(header jose.Header, roots *x509.CertPool) (signingKey crypt
 	return
 }
 
-func verifyJWK(header jose.Header, verifyOpts VerifyOptions) (signingKey crypto.PublicKey, err error) {
+func verifyJWK(header jose.Header, verifyOpts VerifyOptions) (crypto.PublicKey, error) {
 	jwk := header.JSONWebKey
-	signingKey = jwk.Key
 
 	// Check to see if the key includes a certificate chain.
 	if len(jwk.Certificates) == 0 {
 		// The JWK should be one of the trusted root keys.
-		if _, trusted := verifyOpts.TrustedKeys[jwk.KeyID]; !trusted {
+		key, trusted := verifyOpts.TrustedKeys[jwk.KeyID]
+		if !trusted {
 			return nil, errors.New("untrusted JWK with no certificate chain")
 		}
 		// The JWK is one of the trusted keys.
-		return
+		return key, nil
 	}
 
 	opts := x509.VerifyOptions{
@@ -245,9 +245,8 @@ func verifyJWK(header jose.Header, verifyOpts VerifyOptions) (signingKey crypto.
 	if err != nil {
 		return nil, err
 	}
-	signingKey = getCertPubKey(chains)
 
-	return
+	return getCertPubKey(chains), nil
 }
 
 func getCertPubKey(chains [][]*x509.Certificate) crypto.PublicKey {

registry/auth/token/token_test.go

@@ -646,3 +646,57 @@ func TestNewAccessControllerPemBlock(t *testing.T) {
 		t.Fatal("accessController has the wrong number of certificates")
 	}
 }
+
+// This test makes sure the untrusted key can not be used in token verification.
+func TestVerifyJWKWithTrustedKey(t *testing.T) {
+	// Generate a test key pair
+	privKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+	if err != nil {
+		t.Fatal(err)
+	}
+	pubKey := privKey.Public()
+
+	// Create a JWK with no certificates
+	jwk := &jose.JSONWebKey{
+		Key:       privKey,
+		KeyID:     "test-key-id",
+		Use:       "sig",
+		Algorithm: string(jose.ES256),
+	}
+
+	// Create verify options with our public key as trusted
+	verifyOpts := VerifyOptions{
+		TrustedKeys: map[string]crypto.PublicKey{
+			"test-key-id": pubKey,
+		},
+	}
+
+	// Create test header
+	header := jose.Header{
+		JSONWebKey: jwk,
+	}
+
+	// Test the verifyJWK function
+	returnedKey, err := verifyJWK(header, verifyOpts)
+	if err != nil {
+		t.Fatalf("Expected no error, got: %v", err)
+	}
+
+	// Verify the returned key matches our trusted key
+	if returnedKey != pubKey {
+		t.Error("Returned key does not match the trusted key")
+	}
+
+	// Test with untrusted key
+	verifyOpts.TrustedKeys = map[string]crypto.PublicKey{
+		"different-key-id": pubKey,
+	}
+
+	_, err = verifyJWK(header, verifyOpts)
+	if err == nil {
+		t.Error("Expected error for untrusted key, got none")
+	}
+	if err.Error() != "untrusted JWK with no certificate chain" {
+		t.Errorf("Expected 'untrusted JWK with no certificate chain' error, got: %v", err)
+	}
+}

registry/root.go

@@ -18,6 +18,7 @@ func init() {
 	RootCmd.AddCommand(GCCmd)
 	GCCmd.Flags().BoolVarP(&dryRun, "dry-run", "d", false, "do everything except remove the blobs")
 	GCCmd.Flags().BoolVarP(&removeUntagged, "delete-untagged", "m", false, "delete manifests that are not currently referenced via tag")
+	GCCmd.Flags().BoolVarP(&quiet, "quiet", "q", false, "silence output")
 	RootCmd.Flags().BoolVarP(&showVersion, "version", "v", false, "show the version and exit")
 }
 
@@ -39,6 +40,7 @@ var RootCmd = &cobra.Command{
 var (
 	dryRun         bool
 	removeUntagged bool
+	quiet          bool
 )
 
 // GCCmd is the cobra command that corresponds to the garbage-collect subcommand
@@ -77,6 +79,7 @@ var GCCmd = &cobra.Command{
 		err = storage.MarkAndSweep(ctx, driver, registry, storage.GCOpts{
 			DryRun:         dryRun,
 			RemoveUntagged: removeUntagged,
+			Quiet:          quiet,
 		})
 		if err != nil {
 			fmt.Fprintf(os.Stderr, "failed to garbage collect: %v", err)