Send push information to trust code out-of-band

The trust code used to parse the console output of `docker push` to
extract the digest, tag, and size information and determine what to
sign. This is fragile and might give an attacker control over what gets
signed if the attacker can find a way to influence what gets printed as
part of the push output.

This commit sends the push metadata out-of-band. It introduces an `Aux`
field in JSONMessage that can carry application-specific data alongside
progress updates. Instead of parsing formatted output, the client looks
in this field to get the digest, size, and tag from the push.

Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>

1 files changed, 10 insertions, 0 deletions

diff --git a/pkg/progress/progress.go b/pkg/progress/progress.go
index 1f3b34a832..61315cb82c 100644
--- a/pkg/progress/progress.go
+++ b/pkg/progress/progress.go
@@ -16,6 +16,10 @@ type Progress struct {
 	Current int64
 	Total   int64
 
+	// Aux contains extra information not presented to the user, such as
+	// digests for push signing.
+	Aux interface{}
+
 	LastUpdate bool
 }
 
@@ -61,3 +65,9 @@ func Message(out Output, id, message string) {
 func Messagef(out Output, id, format string, a ...interface{}) {
 	Message(out, id, fmt.Sprintf(format, a...))
 }
+
+// Aux sends auxiliary information over a progress interface, which will not be
+// formatted for the UI. This is used for things such as push signing.
+func Aux(out Output, a interface{}) {
+	out.WriteProgress(Progress{Aux: a})
+}