Merge pull request #6361 from thaJeztah/cli_trust_cleanups

thaJeztah · web-flow · commit a6826de3e2d7 · 2025-08-25T16:20:56.000+02:00
cli/trust: some cleanups
diff --git a/cli/trust/trust.go b/cli/trust/trust.go
@@ -156,26 +156,23 @@ func GetNotaryRepository(in io.Reader, out io.Writer, userAgent string, repoInfo
 		}
 	}
 
-	scope := auth.RepositoryScope{
-		Repository: repoInfo.Name.Name(),
-		Actions:    actions,
-	}
-	creds := simpleCredentialStore{auth: *authConfig}
 	tokenHandler := auth.NewTokenHandlerWithOptions(auth.TokenHandlerOptions{
 		Transport:   authTransport,
-		Credentials: creds,
-		Scopes:      []auth.Scope{scope},
-		ClientID:    registry.AuthClientID,
+		Credentials: simpleCredentialStore{auth: *authConfig},
+		Scopes: []auth.Scope{auth.RepositoryScope{
+			Repository: repoInfo.Name.Name(),
+			Actions:    actions,
+		}},
+		ClientID: registry.AuthClientID,
 	})
-	basicHandler := auth.NewBasicHandler(creds)
+	basicHandler := auth.NewBasicHandler(simpleCredentialStore{auth: *authConfig})
 	modifiers = append(modifiers, auth.NewAuthorizer(challengeManager, tokenHandler, basicHandler))
-	tr := transport.NewTransport(base, modifiers...)
 
 	return client.NewFileCachedRepository(
 		GetTrustDirectory(),
 		data.GUN(repoInfo.Name.Name()),
 		server,
-		tr,
+		transport.NewTransport(base, modifiers...),
 		GetPassphraseRetriever(in, out),
 		trustpinning.TrustPinConfig{})
 }
@@ -234,9 +231,9 @@ func NotaryError(repoName string, err error) error {
 		return fmt.Errorf("error: remote trust data does not exist for %s: %v", repoName, err)
 	case signed.ErrInsufficientSignatures:
 		return fmt.Errorf("error: could not produce valid signature for %s.  If Yubikey was used, was touch input provided?: %v", repoName, err)
+	default:
+		return err
 	}
-
-	return err
 }
 
 // AddToAllSignableRoles attempts to add the image target to all the top level
@@ -346,9 +343,9 @@ func GetImageReferencesAndAuth(ctx context.Context,
 
 func getTag(ref reference.Named) string {
 	switch x := ref.(type) {
-	case reference.Canonical, reference.Digested:
-		return ""
-	case reference.NamedTagged:
+	case reference.Digested:
+		return "" // TODO(thaJeztah): is it intentional to discard the tag when "Tagged+Digested"?
+	case reference.Tagged:
 		return x.Tag()
 	default:
 		return ""
@@ -357,12 +354,10 @@ func getTag(ref reference.Named) string {
 
 func getDigest(ref reference.Named) digest.Digest {
 	switch x := ref.(type) {
-	case reference.Canonical:
-		return x.Digest()
 	case reference.Digested:
 		return x.Digest()
 	default:
-		return digest.Digest("")
+		return ""
 	}
 }
 
diff --git a/cli/trust/trust_push.go b/cli/trust/trust_push.go
@@ -63,9 +63,9 @@ func PushTrustedReference(ctx context.Context, ioStreams Streams, repoInfo *Repo
 
 	var tag string
 	switch x := ref.(type) {
-	case reference.Canonical:
+	case reference.Digested:
 		return errors.New("cannot push a digest reference")
-	case reference.NamedTagged:
+	case reference.Tagged:
 		tag = x.Tag()
 	default:
 		// We want trust signatures to always take an explicit tag,
