at-container-registry/examples/verification/verify-and-pull.sh

#!/bin/bash
# Verify and Pull Script
#
# This script verifies ATProto signatures before pulling images with Docker.
# It acts as a wrapper around `docker pull` to enforce signature verification.
#
# Usage: ./verify-and-pull.sh IMAGE [DOCKER_PULL_OPTIONS]
# Example: ./verify-and-pull.sh atcr.io/alice/myapp:latest
# Example: ./verify-and-pull.sh atcr.io/alice/myapp:latest --platform linux/amd64
#
# To use this as a replacement for docker pull, create an alias:
#   alias docker-pull-secure='/path/to/verify-and-pull.sh'

set -e

# Configuration
VERIFY_SCRIPT="${VERIFY_SCRIPT:-$(dirname $0)/atcr-verify.sh}"
TRUST_POLICY="${TRUST_POLICY:-$(dirname $0)/trust-policy.yaml}"
REQUIRE_VERIFICATION="${REQUIRE_VERIFICATION:-true}"
SKIP_ATCR_IMAGES="${SKIP_ATCR_IMAGES:-false}"  # Skip verification for non-ATCR images

# Colors
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
BLUE='\033[0;34m'
NC='\033[0m'

print_header() {
    echo ""
    echo -e "${BLUE}═══════════════════════════════════════════════════${NC}"
    echo -e "${BLUE} Secure Image Pull with Signature Verification${NC}"
    echo -e "${BLUE}═══════════════════════════════════════════════════${NC}"
    echo ""
}

print_success() {
    echo -e "${GREEN}✓${NC} $1"
}

print_error() {
    echo -e "${RED}✗${NC} $1"
}

print_warning() {
    echo -e "${YELLOW}⚠${NC} $1"
}

# Check if image is from ATCR
is_atcr_image() {
    local image="$1"
    if [[ "$image" =~ ^atcr\.io/ ]]; then
        return 0
    else
        return 1
    fi
}

# Main function
main() {
    if [ $# -eq 0 ]; then
        echo "Usage: $0 IMAGE [DOCKER_PULL_OPTIONS]"
        echo ""
        echo "Examples:"
        echo "  $0 atcr.io/alice/myapp:latest"
        echo "  $0 atcr.io/alice/myapp:latest --platform linux/amd64"
        echo ""
        echo "Environment variables:"
        echo "  VERIFY_SCRIPT      - Path to verification script (default: ./atcr-verify.sh)"
        echo "  TRUST_POLICY       - Path to trust policy (default: ./trust-policy.yaml)"
        echo "  REQUIRE_VERIFICATION - Require verification for ATCR images (default: true)"
        echo "  SKIP_ATCR_IMAGES   - Skip verification for non-ATCR images (default: false)"
        exit 1
    fi

    local image="$1"
    shift
    local docker_args="$@"

    print_header

    echo -e "${BLUE}Image:${NC} $image"
    if [ -n "$docker_args" ]; then
        echo -e "${BLUE}Docker options:${NC} $docker_args"
    fi
    echo ""

    # Check if this is an ATCR image
    if ! is_atcr_image "$image"; then
        if [ "$SKIP_ATCR_IMAGES" = "true" ]; then
            print_warning "Not an ATCR image - skipping signature verification"
            echo ""
            docker pull $docker_args "$image"
            exit $?
        else
            print_warning "Not an ATCR image"
            if [ "$REQUIRE_VERIFICATION" = "true" ]; then
                print_error "Verification required but image is not from ATCR"
                exit 1
            else
                print_warning "Proceeding without verification"
                echo ""
                docker pull $docker_args "$image"
                exit $?
            fi
        fi
    fi

    # Step 1: Verify signature
    echo -e "${BLUE}Step 1: Verifying ATProto signature${NC}"
    echo ""

    if [ ! -f "$VERIFY_SCRIPT" ]; then
        print_error "Verification script not found: $VERIFY_SCRIPT"
        exit 1
    fi

    # Run verification
    if bash "$VERIFY_SCRIPT" "$image"; then
        print_success "Signature verification passed"
        echo ""
    else
        print_error "Signature verification failed"
        echo ""

        if [ "$REQUIRE_VERIFICATION" = "true" ]; then
            echo -e "${RED}Image pull blocked due to failed signature verification${NC}"
            echo ""
            echo "To proceed anyway (NOT RECOMMENDED), run:"
            echo "  REQUIRE_VERIFICATION=false $0 $image $docker_args"
            exit 1
        else
            print_warning "Verification failed but REQUIRE_VERIFICATION=false"
            print_warning "Proceeding with pull (NOT RECOMMENDED)"
            echo ""
        fi
    fi

    # Step 2: Pull image
    echo -e "${BLUE}Step 2: Pulling image${NC}"
    echo ""

    if docker pull $docker_args "$image"; then
        print_success "Image pulled successfully"
    else
        print_error "Failed to pull image"
        exit 1
    fi

    # Summary
    echo ""
    echo -e "${GREEN}═══════════════════════════════════════════════════${NC}"
    echo -e "${GREEN} ✓ Secure pull completed successfully${NC}"
    echo -e "${GREEN}═══════════════════════════════════════════════════${NC}"
    echo ""
    echo -e "${BLUE}Image:${NC} $image"
    echo -e "${BLUE}Status:${NC} Verified and pulled"
    echo ""
}

# Run main function
main "$@"