in image/verify.go [174:215]
func (img *Image) VerifyManifest(man manifest.Manifest) error {
ver, err := ParseVersion(man.Version)
if err != nil {
return errors.Wrapf(err, "manifest contains invalid `version` field")
}
if ver.Major != img.Header.Vers.Major ||
ver.Minor != img.Header.Vers.Minor ||
ver.Rev != img.Header.Vers.Rev ||
ver.BuildNum != img.Header.Vers.BuildNum {
return errors.Errorf(
"manifest version different from image header: man=%s img=%s",
ver.String(), img.Header.Vers.String())
}
var imgHash string
if hash, err := img.Hash(); err == nil {
imgHash = hex.EncodeToString(hash)
}
// A manifest contains two image hashes: `id` and `image_hash`. Check
// both.
checkHash := func(manHash string) error {
if imgHash != manHash {
return errors.Errorf(
"manifest image hash different from image TLV: man=%s img=%s",
manHash, imgHash)
}
return nil
}
if err := checkHash(man.BuildID); err != nil {
return err
}
if err := checkHash(man.ImageHash); err != nil {
return err
}
return nil
}