diff --git a/site/src/content/docs/commands/zarf_package_pull.md b/site/src/content/docs/commands/zarf_package_pull.md
index 44830762b5..eda39e7ec7 100644
--- a/site/src/content/docs/commands/zarf_package_pull.md
+++ b/site/src/content/docs/commands/zarf_package_pull.md
@@ -31,9 +31,10 @@ $ zarf package pull oci://ghcr.io/defenseunicorns/packages/dos-games:1.0.0 -a sk
 ### Options
 ```
- -h, --help help for pull
- -o, --output-directory string Specify the output directory for the pulled Zarf package
- --shasum string Shasum of the package to pull. Required if pulling a https package. A shasum can be retrieved using 'zarf dev sha256sum '
+ -h, --help help for pull
+ -o, --output-directory string Specify the output directory for the pulled Zarf package
+ --shasum string Shasum of the package to pull. Required if pulling a https package. A shasum can be retrieved using 'zarf dev sha256sum '
+ --skip-signature-validation Skip validating the signature of the Zarf package
 ```
 ### Options inherited from parent commands
diff --git a/src/cmd/package.go b/src/cmd/package.go
index 3d7728a4d0..c659deb9ad 100644
--- a/src/cmd/package.go
+++ b/src/cmd/package.go
@@ -615,6 +615,7 @@ func NewPackagePullCommand(v *viper.Viper) *cobra.Command {
 cmd.Flags().StringVar(&pkgConfig.PkgOpts.Shasum, "shasum", "", lang.CmdPackagePullFlagShasum)
 cmd.Flags().StringVarP(&pkgConfig.PullOpts.OutputDirectory, "output-directory", "o", v.GetString(common.VPkgPullOutputDir), lang.CmdPackagePullFlagOutputDirectory)
+ cmd.Flags().BoolVar(&pkgConfig.PkgOpts.SkipSignatureValidation, "skip-signature-validation", false, lang.CmdPackageFlagSkipSignatureValidation)
 return cmd
 }
@@ -629,7 +630,7 @@ func (o *PackagePullOptions) Run(cmd *cobra.Command, args []string) error {
 }
 outputDir = wd
 }
- err := packager2.Pull(cmd.Context(), args[0], outputDir, pkgConfig.PkgOpts.Shasum, filters.Empty(), pkgConfig.PkgOpts.PublicKeyPath)
+ err := packager2.Pull(cmd.Context(), args[0], outputDir, pkgConfig.PkgOpts.Shasum, filters.Empty(), pkgConfig.PkgOpts.PublicKeyPath, pkgConfig.PkgOpts.SkipSignatureValidation)
 if err != nil {
 return err
 }
diff --git a/src/internal/packager2/pull.go b/src/internal/packager2/pull.go
index a8426857fc..31a57fa8d9 100644
--- a/src/internal/packager2/pull.go
+++ b/src/internal/packager2/pull.go
@@ -29,7 +29,7 @@ import (
 )
 // Pull fetches the Zarf package from the given sources.
-func Pull(ctx context.Context, src, dir, shasum string, filter filters.ComponentFilterStrategy, publicKeyPath string) error {
+func Pull(ctx context.Context, src, dir, shasum string, filter filters.ComponentFilterStrategy, publicKeyPath string, skipSignatureValidation bool) error {
 u, err := url.Parse(src)
 if err != nil {
 return err
@@ -48,9 +48,10 @@ func Pull(ctx context.Context, src, dir, shasum string, filter filters.Component
 defer os.Remove(tmpDir)
 tmpPath := filepath.Join(tmpDir, "data.tar.zst")
+ isPartial := false
 switch u.Scheme {
 case "oci":
- _, err := pullOCI(ctx, src, tmpPath, shasum, filter)
+ isPartial, err = pullOCI(ctx, src, tmpPath, shasum, filter)
 if err != nil {
 return err
 }
@@ -66,8 +67,8 @@ func Pull(ctx context.Context, src, dir, shasum string, filter filters.Component
 // This loadFromTar is done so that validatePackageIntegrtiy and validatePackageSignature are called
 layoutOpt := layout.PackageLayoutOptions{
 PublicKeyPath: publicKeyPath,
- SkipSignatureValidation: false,
- IsPartial: false,
+ SkipSignatureValidation: skipSignatureValidation,
+ IsPartial: isPartial,
 }
 _, err = layout.LoadFromTar(ctx, tmpPath, layoutOpt)
 if err != nil {
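Review bot: The doc comment kept above the new signature, `// Pull fetches the Zarf package from the given sources.`, says nothing about the added skipSignatureValidation parameter, even though it changes a security property of the call. I'd extend it to `// Pull fetches the Zarf package from the given sources. When skipSignatureValidation is true the package signature is not checked during load; callers should only set it for packages they already trust.` Seven positional parameters ending in a bare bool also reads poorly at call sites (`..., "", false` in pull_test.go); a PullOptions struct would be clearer, but that is a larger API change than this commit. Pull's body continues past the end of this hunk.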
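Review bot: `isPartial := false` followed by the reassignment in the `oci` case spells out the zero value by hand; the idiomatic form is `var isPartial bool`, which also makes it obvious that the other schemes leave it unset. Worth noting that `isPartial, err = pullOCI(...)` now assigns to the outer err from `u, err := url.Parse(src)` instead of shadowing it as the old `_, err :=` did, which is the right direction. The switch and the remainder of Pull run past the end of this hunk.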
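Review bot: The context comment `// This loadFromTar is done so that validatePackageIntegrtiy and validatePackageSignature are called` is now only half true, because with `SkipSignatureValidation: skipSignatureValidation` the signature step can be bypassed by the caller; it also misspells validatePackageIntegrity. I'd rewrite it as `// LoadFromTar is called here to validate package integrity and, unless skipSignatureValidation is set, the package signature.` so the one place where the bypass takes effect is documented. Pull continues past this hunk.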
diff --git a/src/internal/packager2/pull_test.go b/src/internal/packager2/pull_test.go
index da649d71e5..e0497871b1 100644
--- a/src/internal/packager2/pull_test.go
+++ b/src/internal/packager2/pull_test.go
@@ -39,7 +39,7 @@ func TestPull(t *testing.T) {
 dir := t.TempDir()
 shasum := "bef73d652f004d214d5cf9e00195293f7ae8390b8ff6ed45e39c2c9eb622b873"
- err := Pull(ctx, srv.URL, dir, shasum, filters.Empty(), "")
+ err := Pull(ctx, srv.URL, dir, shasum, filters.Empty(), "", false)
 require.NoError(t, err)
 packageData, err := os.ReadFile(packagePath)
diff --git a/src/test/e2e/11_oci_pull_inspect_test.go b/src/test/e2e/11_oci_pull_inspect_test.go
index f3525c8109..2ad374d238 100644
--- a/src/test/e2e/11_oci_pull_inspect_test.go
+++ b/src/test/e2e/11_oci_pull_inspect_test.go
@@ -52,7 +52,10 @@ func (suite *PullInspectTestSuite) Test_0_Pull() {
 stdOut, stdErr, err = e2e.Zarf(suite.T(), "package", "pull", simplePackageRef, "--plain-http")
 suite.Error(err, stdOut, stdErr)
- stdOut, stdErr, err = e2e.Zarf(suite.T(), "package", "pull", simplePackageRef, "--plain-http", publicKeyFlag)
+ stdOut, stdErr, err = e2e.Zarf(suite.T(), "package", "pull", simplePackageRef, "--plain-http", publicKeyFlag, "-o", outputPath)
+ suite.NoError(err, stdOut, stdErr)
+
+ stdOut, stdErr, err = e2e.Zarf(suite.T(), "package", "pull", simplePackageRef, "--plain-http", "--skip-signature-validation", "-o", outputPath)
 suite.NoError(err, stdOut, stdErr)
 stdOut, stdErr, err = e2e.Zarf(suite.T(), "package", "inspect", simplePackageRef, "--plain-http")
diff --git a/src/test/nightly/ecr_publish_test.go b/src/test/nightly/ecr_publish_test.go
index 7ada0c5eda..8c35dde0e4 100644
--- a/src/test/nightly/ecr_publish_test.go
+++ b/src/test/nightly/ecr_publish_test.go
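Review bot: TestPull now passes `false` for skipSignatureValidation, but nothing in the unit tests exercises the `true` path, so a regression that ignored the flag would only surface in the e2e suite. A second case calling `Pull(ctx, srv.URL, dir, shasum, filters.Empty(), "", true)` against the same served package, plus one that expects an error when the package is signed and no key is given, would pin the new behavior; whether the fixture behind srv is signed is not visible in this hunk. TestPull starts and ends outside the hunk.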
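Review bot: Both added pulls write into the same `outputPath`, so the second (`--skip-signature-validation`) pull overwrites whatever the keyed pull produced, and neither asserts on the resulting file, meaning each case passes as long as the command exits 0. Pulling into separate directories, or at least checking that the package file exists after each pull, would make the two cases independently meaningful; `outputPath` is declared outside the hunk, so I cannot tell whether it is a fresh TempDir. Test_0_Pull continues past the end of this hunk.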
@@ -63,16 +63,15 @@ func TestECRPublishing(t *testing.T) {
 require.NoError(t, err, stdOut, stdErr)
 // Validate that we can pull the package down from ECR
- stdOut, stdErr, err = e2e.Zarf(t, "package", "pull", upstreamPackageURL)
+ pullTempDir := t.TempDir()
+ stdOut, stdErr, err = e2e.Zarf(t, "package", "pull", upstreamPackageURL, keyFlag, fmt.Sprintf("-o=%s", pullTempDir))
 require.NoError(t, err, stdOut, stdErr)
- defer e2e.CleanFiles(t, testPackageFileName)
- // Ensure we get a warning when trying to inspect the package without providing the public key
- // and the insecure flag
- stdOut, stdErr, err = e2e.Zarf(t, "package", "inspect", testPackageFileName, "--skip-signature-validation")
+ pulledPackagePath := filepath.Join(pullTempDir, testPackageFileName)
+
+ stdOut, stdErr, err = e2e.Zarf(t, "package", "inspect", pulledPackagePath, "--skip-signature-validation")
 require.NoError(t, err, stdOut, stdErr)
- // Validate that we get no warnings when inspecting the package while providing the public key
- stdOut, stdErr, err = e2e.Zarf(t, "package", "inspect", testPackageFileName, keyFlag)
+ stdOut, stdErr, err = e2e.Zarf(t, "package", "inspect", pulledPackagePath, keyFlag)
 require.NoError(t, err, stdOut, stdErr)
 }
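Review bot: `fmt.Sprintf("-o=%s", pullTempDir)` builds a single flag string where the sibling e2e test in this same commit passes `"-o", outputPath` as two arguments; using the same form here, `stdOut, stdErr, err = e2e.Zarf(t, "package", "pull", upstreamPackageURL, keyFlag, "-o", pullTempDir)`, keeps the tests consistent and drops the fmt call. The rewrite also removes the comments that explained why inspect is run once with `--skip-signature-validation` and once with `keyFlag`; a one-line comment on each call would preserve that intent. The import block is not in this hunk, so confirm `fmt` and `path/filepath` are imported in this file.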