zarf-dev · AustinAbro321 · Dec 19, 2024 · Dec 19, 2024 · Dec 19, 2024 · Dec 19, 2024
@@ -31,9 +31,10 @@ $ zarf package pull oci://ghcr.io/defenseunicorns/packages/dos-games:1.0.0 -a sk
 ### Options
 
 ```
-  -h, --help                      help for pull
-  -o, --output-directory string   Specify the output directory for the pulled Zarf package
-      --shasum string             Shasum of the package to pull. Required if pulling a https package. A shasum can be retrieved using 'zarf dev sha256sum <url>'
+  -h, --help                        help for pull
+  -o, --output-directory string     Specify the output directory for the pulled Zarf package
+      --shasum string               Shasum of the package to pull. Required if pulling a https package. A shasum can be retrieved using 'zarf dev sha256sum <url>'
+      --skip-signature-validation   Skip validating the signature of the Zarf package
 ```
 
 ### Options inherited from parent commands

@@ -615,6 +615,7 @@ func NewPackagePullCommand(v *viper.Viper) *cobra.Command {
 
 	cmd.Flags().StringVar(&pkgConfig.PkgOpts.Shasum, "shasum", "", lang.CmdPackagePullFlagShasum)
 	cmd.Flags().StringVarP(&pkgConfig.PullOpts.OutputDirectory, "output-directory", "o", v.GetString(common.VPkgPullOutputDir), lang.CmdPackagePullFlagOutputDirectory)
+	cmd.Flags().BoolVar(&pkgConfig.PkgOpts.SkipSignatureValidation, "skip-signature-validation", false, lang.CmdPackageFlagSkipSignatureValidation)
 
 	return cmd
 }
@@ -629,7 +630,7 @@ func (o *PackagePullOptions) Run(cmd *cobra.Command, args []string) error {
 		}
 		outputDir = wd
 	}
-	err := packager2.Pull(cmd.Context(), args[0], outputDir, pkgConfig.PkgOpts.Shasum, filters.Empty(), pkgConfig.PkgOpts.PublicKeyPath)
+	err := packager2.Pull(cmd.Context(), args[0], outputDir, pkgConfig.PkgOpts.Shasum, filters.Empty(), pkgConfig.PkgOpts.PublicKeyPath, pkgConfig.PkgOpts.SkipSignatureValidation)
 	if err != nil {
 		return err
 	}

@@ -29,7 +29,7 @@ import (
 )
 
 // Pull fetches the Zarf package from the given sources.
-func Pull(ctx context.Context, src, dir, shasum string, filter filters.ComponentFilterStrategy, publicKeyPath string) error {
+func Pull(ctx context.Context, src, dir, shasum string, filter filters.ComponentFilterStrategy, publicKeyPath string, skipSignatureValidation bool) error {
 	u, err := url.Parse(src)
 	if err != nil {
 		return err
@@ -48,9 +48,10 @@ func Pull(ctx context.Context, src, dir, shasum string, filter filters.Component
 	defer os.Remove(tmpDir)
 	tmpPath := filepath.Join(tmpDir, "data.tar.zst")
 
+	isPartial := false
 	switch u.Scheme {
 	case "oci":
-		_, err := pullOCI(ctx, src, tmpPath, shasum, filter)
+		isPartial, err = pullOCI(ctx, src, tmpPath, shasum, filter)
 		if err != nil {
 			return err
 		}
@@ -66,8 +67,8 @@ func Pull(ctx context.Context, src, dir, shasum string, filter filters.Component
 	// This loadFromTar is done so that validatePackageIntegrtiy and validatePackageSignature are called
 	layoutOpt := layout.PackageLayoutOptions{
 		PublicKeyPath:           publicKeyPath,
-		SkipSignatureValidation: false,
-		IsPartial:               false,
+		SkipSignatureValidation: skipSignatureValidation,
+		IsPartial:               isPartial,
 	}
 	_, err = layout.LoadFromTar(ctx, tmpPath, layoutOpt)
 	if err != nil {

@@ -39,7 +39,7 @@ func TestPull(t *testing.T) {
 
 	dir := t.TempDir()
 	shasum := "bef73d652f004d214d5cf9e00195293f7ae8390b8ff6ed45e39c2c9eb622b873"
-	err := Pull(ctx, srv.URL, dir, shasum, filters.Empty(), "")
+	err := Pull(ctx, srv.URL, dir, shasum, filters.Empty(), "", false)
 	require.NoError(t, err)
 
 	packageData, err := os.ReadFile(packagePath)

@@ -52,7 +52,10 @@ func (suite *PullInspectTestSuite) Test_0_Pull() {
 	stdOut, stdErr, err = e2e.Zarf(suite.T(), "package", "pull", simplePackageRef, "--plain-http")
 	suite.Error(err, stdOut, stdErr)
 
-	stdOut, stdErr, err = e2e.Zarf(suite.T(), "package", "pull", simplePackageRef, "--plain-http", publicKeyFlag)
+	stdOut, stdErr, err = e2e.Zarf(suite.T(), "package", "pull", simplePackageRef, "--plain-http", publicKeyFlag, "-o", outputPath)
+	suite.NoError(err, stdOut, stdErr)
+
+	stdOut, stdErr, err = e2e.Zarf(suite.T(), "package", "pull", simplePackageRef, "--plain-http", "--skip-signature-validation", "-o", outputPath)
 	suite.NoError(err, stdOut, stdErr)
 
 	stdOut, stdErr, err = e2e.Zarf(suite.T(), "package", "inspect", simplePackageRef, "--plain-http")

@@ -63,16 +63,15 @@ func TestECRPublishing(t *testing.T) {
 	require.NoError(t, err, stdOut, stdErr)
 
 	// Validate that we can pull the package down from ECR
-	stdOut, stdErr, err = e2e.Zarf(t, "package", "pull", upstreamPackageURL)
+	pullTempDir := t.TempDir()
+	stdOut, stdErr, err = e2e.Zarf(t, "package", "pull", upstreamPackageURL, keyFlag, fmt.Sprintf("-o=%s", pullTempDir))
 	require.NoError(t, err, stdOut, stdErr)
-	defer e2e.CleanFiles(t, testPackageFileName)
 
-	// Ensure we get a warning when trying to inspect the package without providing the public key
-	// and the insecure flag
-	stdOut, stdErr, err = e2e.Zarf(t, "package", "inspect", testPackageFileName, "--skip-signature-validation")
+	pulledPackagePath := filepath.Join(pullTempDir, testPackageFileName)
+
+	stdOut, stdErr, err = e2e.Zarf(t, "package", "inspect", pulledPackagePath, "--skip-signature-validation")
 	require.NoError(t, err, stdOut, stdErr)
 
-	// Validate that we get no warnings when inspecting the package while providing the public key
-	stdOut, stdErr, err = e2e.Zarf(t, "package", "inspect", testPackageFileName, keyFlag)
+	stdOut, stdErr, err = e2e.Zarf(t, "package", "inspect", pulledPackagePath, keyFlag)
 	require.NoError(t, err, stdOut, stdErr)
 }