From b1ebe98bb47c7fb49b695f83b917c742f9a696f0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jos=C3=A9=20Guilherme=20Vanz?=
Date: Wed, 10 Apr 2024 23:32:43 -0300
Subject: [PATCH] fix: do not use image url to get registry auth data.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Updates the function used to verify container image signature to use only the registry name to get the auth data from docker config.json file. The current implementation uses the whole container image URL. Which failed to find the relevant auth data falling back to a anonymous authentication. This is a problem with private registries where access credentials must be used. To fix this problem, this commit extract the registry name from the container image URL and use it to get the auth data from the config.json file.
Signed-off-by: José Guilherme Vanz
---
 src/verify/mod.rs | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/verify/mod.rs b/src/verify/mod.rs
index 8367a4c..caf1391 100644
--- a/src/verify/mod.rs
+++ b/src/verify/mod.rs
@@ -1,3 +1,4 @@
+use crate::registry::build_fully_resolved_reference;
 use crate::sources::Sources;
 use crate::{errors::FailedToParseYamlDataError, policy::Policy};
@@ -336,7 +337,8 @@ pub async fn fetch_sigstore_remote_data(
 }
 // obtain registry auth:
- let auth = Registry::auth(image_url);
+ let reference = build_fully_resolved_reference(image_url)?;
+ let auth = Registry::auth(reference.registry());
 let sigstore_auth = match auth {
 RegistryAuth::Anonymous => sigstore::registry::Auth::Anonymous,
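Review bot: In the second hunk, `Registry::auth(reference.registry())` still falls through to the `RegistryAuth::Anonymous` arm without any signal when no credentials match, which is the same silent downgrade that hid the original bug against private registries. Whether `reference.registry()` returns the host in the same form as the keys in the docker config.json (port suffix, default-registry aliases) is not visible from this hunk, so a key mismatch would again fetch signature data anonymously. I would log on that arm, assuming the crate's tracing macros are in scope here, e.g. `debug!(registry = reference.registry(), "no registry credentials found, using anonymous auth");`, and add a unit test that an entry keyed by registry host is selected for a full image reference, since the diffstat shows no test change. The new `?` on `build_fully_resolved_reference(image_url)` also makes an unparsable reference an early return, so it is worth confirming that the converted error names the image. The body of `fetch_sigstore_remote_data` starts and ends outside the hunk.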