@@ -5328,3 +5328,48 @@ func (s *DockerSuite) TestBuildRUNErrMsg(c *check.C) {

 		c.Fatalf("RUN doesn't have the correct output:\nGot:%s\nExpected:%s", out, exp)

 	}

 }

+

+func (s *DockerTrustSuite) TestTrustedBuild(c *check.C) {

+	repoName := s.setupTrustedImage(c, "trusted-build")

+	dockerFile := fmt.Sprintf(`

+  FROM %s

+  RUN []

+    `, repoName)

+

+	name := "testtrustedbuild"

+

+	buildCmd := buildImageCmd(name, dockerFile, true)

+	s.trustedCmd(buildCmd)

+	out, _, err := runCommandWithOutput(buildCmd)

+	if err != nil {

+		c.Fatalf("Error running trusted build: %s\n%s", err, out)

+	}

+

+	if !strings.Contains(out, fmt.Sprintf("FROM %s@sha", repoName[:len(repoName)-7])) {

+		c.Fatalf("Unexpected output on trusted build:\n%s", out)

+	}

+

+	// Build command does not create untrusted tag

+	//dockerCmd(c, "rmi", repoName)

+}

+

+func (s *DockerTrustSuite) TestTrustedBuildUntrustedTag(c *check.C) {

+	repoName := fmt.Sprintf("%v/dockercli/build-untrusted-tag:latest", privateRegistryURL)

+	dockerFile := fmt.Sprintf(`

+  FROM %s

+  RUN []

+    `, repoName)

+

+	name := "testtrustedbuilduntrustedtag"

+

+	buildCmd := buildImageCmd(name, dockerFile, true)

+	s.trustedCmd(buildCmd)

+	out, _, err := runCommandWithOutput(buildCmd)

+	if err == nil {

+		c.Fatalf("Expected error on trusted build with untrusted tag: %s\n%s", err, out)

+	}

+

+	if !strings.Contains(out, fmt.Sprintf("no trust data available")) {

+		c.Fatalf("Unexpected output on trusted build with untrusted tag:\n%s", out)

+	}

+}

@@ -275,26 +275,12 @@ func (s *DockerSuite) TestCreateModeIpcContainer(c *check.C) {

 }

 func (s *DockerTrustSuite) TestTrustedCreate(c *check.C) {

-	repoName := fmt.Sprintf("%v/dockerclicreate/trusted:latest", privateRegistryURL)

-	// tag the image and upload it to the private registry

-	dockerCmd(c, "tag", "busybox", repoName)

-

-	pushCmd := exec.Command(dockerBinary, "push", repoName)

-	s.trustedCmd(pushCmd)

-	out, _, err := runCommandWithOutput(pushCmd)

-	if err != nil {

-		c.Fatalf("Error running trusted push: %s\n%s", err, out)

-	}

-	if !strings.Contains(string(out), "Signing and pushing trust metadata") {

-		c.Fatalf("Missing expected output on trusted push:\n%s", out)

-	}

-

-	dockerCmd(c, "rmi", repoName)

+	repoName := s.setupTrustedImage(c, "trusted-create")

 	// Try create

 	createCmd := exec.Command(dockerBinary, "create", repoName)

 	s.trustedCmd(createCmd)

-	out, _, err = runCommandWithOutput(createCmd)

+	out, _, err := runCommandWithOutput(createCmd)

 	if err != nil {

 		c.Fatalf("Error running trusted create: %s\n%s", err, out)

 	}

@@ -338,22 +324,26 @@ func (s *DockerTrustSuite) TestUntrustedCreate(c *check.C) {

 	}

 }

-func (s *DockerTrustSuite) TestCreateWhenCertExpired(c *check.C) {

-	repoName := fmt.Sprintf("%v/dockercli/trusted:latest", privateRegistryURL)

-	// tag the image and upload it to the private registry

-	dockerCmd(c, "tag", "busybox", repoName)

+func (s *DockerTrustSuite) TestTrustedIsolatedCreate(c *check.C) {

+	repoName := s.setupTrustedImage(c, "trusted-isolated-create")

-	pushCmd := exec.Command(dockerBinary, "push", repoName)

-	s.trustedCmd(pushCmd)

-	out, _, err := runCommandWithOutput(pushCmd)

+	// Try create

+	createCmd := exec.Command(dockerBinary, "--config", "/tmp/docker-isolated-create", "create", repoName)

+	s.trustedCmd(createCmd)

+	out, _, err := runCommandWithOutput(createCmd)

 	if err != nil {

-		c.Fatalf("Error running trusted push: %s\n%s", err, out)

+		c.Fatalf("Error running trusted create: %s\n%s", err, out)

 	}

-	if !strings.Contains(string(out), "Signing and pushing trust metadata") {

+

+	if !strings.Contains(string(out), "Tagging") {

 		c.Fatalf("Missing expected output on trusted push:\n%s", out)

 	}

 	dockerCmd(c, "rmi", repoName)

+}

+

+func (s *DockerTrustSuite) TestCreateWhenCertExpired(c *check.C) {

+	repoName := s.setupTrustedImage(c, "trusted-create-expired")

 	// Certificates have 10 years of expiration

 	elevenYearsFromNow := time.Now().Add(time.Hour * 24 * 365 * 11)

@@ -362,7 +352,7 @@ func (s *DockerTrustSuite) TestCreateWhenCertExpired(c *check.C) {

 		// Try create

 		createCmd := exec.Command(dockerBinary, "create", repoName)

 		s.trustedCmd(createCmd)

-		out, _, err = runCommandWithOutput(createCmd)

+		out, _, err := runCommandWithOutput(createCmd)

 		if err == nil {

 			c.Fatalf("Error running trusted create in the distant future: %s\n%s", err, out)

 		}

@@ -376,7 +366,7 @@ func (s *DockerTrustSuite) TestCreateWhenCertExpired(c *check.C) {

 		// Try create

 		createCmd := exec.Command(dockerBinary, "create", "--untrusted", repoName)

 		s.trustedCmd(createCmd)

-		out, _, err = runCommandWithOutput(createCmd)

+		out, _, err := runCommandWithOutput(createCmd)

 		if err != nil {

 			c.Fatalf("Error running untrusted create in the distant future: %s\n%s", err, out)

 		}

@@ -155,26 +155,12 @@ func (s *DockerSuite) TestPullImageWithAllTagFromCentralRegistry(c *check.C) {

 }

 func (s *DockerTrustSuite) TestTrustedPull(c *check.C) {

-	repoName := fmt.Sprintf("%v/dockerclipull/trusted:latest", privateRegistryURL)

-	// tag the image and upload it to the private registry

-	dockerCmd(c, "tag", "busybox", repoName)

-

-	pushCmd := exec.Command(dockerBinary, "push", repoName)

-	s.trustedCmd(pushCmd)

-	out, _, err := runCommandWithOutput(pushCmd)

-	if err != nil {

-		c.Fatalf("Error running trusted push: %s\n%s", err, out)

-	}

-	if !strings.Contains(string(out), "Signing and pushing trust metadata") {

-		c.Fatalf("Missing expected output on trusted push:\n%s", out)

-	}

-

-	dockerCmd(c, "rmi", repoName)

+	repoName := s.setupTrustedImage(c, "trusted-pull")

 	// Try pull

 	pullCmd := exec.Command(dockerBinary, "pull", repoName)

 	s.trustedCmd(pullCmd)

-	out, _, err = runCommandWithOutput(pullCmd)

+	out, _, err := runCommandWithOutput(pullCmd)

 	if err != nil {

 		c.Fatalf("Error running trusted pull: %s\n%s", err, out)

 	}

@@ -198,6 +184,24 @@ func (s *DockerTrustSuite) TestTrustedPull(c *check.C) {

 	}

 }

+func (s *DockerTrustSuite) TestTrustedIsolatedPull(c *check.C) {

+	repoName := s.setupTrustedImage(c, "trusted-isolatd-pull")

+

+	// Try pull (run from isolated directory without trust information)

+	pullCmd := exec.Command(dockerBinary, "--config", "/tmp/docker-isolated", "pull", repoName)

+	s.trustedCmd(pullCmd)

+	out, _, err := runCommandWithOutput(pullCmd)

+	if err != nil {

+		c.Fatalf("Error running trusted pull: %s\n%s", err, out)

+	}

+

+	if !strings.Contains(string(out), "Tagging") {

+		c.Fatalf("Missing expected output on trusted push:\n%s", out)

+	}

+

+	dockerCmd(c, "rmi", repoName)

+}

+

 func (s *DockerTrustSuite) TestUntrustedPull(c *check.C) {

 	repoName := fmt.Sprintf("%v/dockercli/trusted:latest", privateRegistryURL)

 	// tag the image and upload it to the private registry

@@ -219,21 +223,7 @@ func (s *DockerTrustSuite) TestUntrustedPull(c *check.C) {

 }

 func (s *DockerTrustSuite) TestPullWhenCertExpired(c *check.C) {

-	repoName := fmt.Sprintf("%v/dockercli/trusted:latest", privateRegistryURL)

-	// tag the image and upload it to the private registry

-	dockerCmd(c, "tag", "busybox", repoName)

-

-	pushCmd := exec.Command(dockerBinary, "push", repoName)

-	s.trustedCmd(pushCmd)

-	out, _, err := runCommandWithOutput(pushCmd)

-	if err != nil {

-		c.Fatalf("Error running trusted push: %s\n%s", err, out)

-	}

-	if !strings.Contains(string(out), "Signing and pushing trust metadata") {

-		c.Fatalf("Missing expected output on trusted push:\n%s", out)

-	}

-

-	dockerCmd(c, "rmi", repoName)

+	repoName := s.setupTrustedImage(c, "trusted-cert-expired")

 	// Certificates have 10 years of expiration

 	elevenYearsFromNow := time.Now().Add(time.Hour * 24 * 365 * 11)

@@ -242,7 +232,7 @@ func (s *DockerTrustSuite) TestPullWhenCertExpired(c *check.C) {

 		// Try pull

 		pullCmd := exec.Command(dockerBinary, "pull", repoName)

 		s.trustedCmd(pullCmd)

-		out, _, err = runCommandWithOutput(pullCmd)

+		out, _, err := runCommandWithOutput(pullCmd)

 		if err == nil {

 			c.Fatalf("Error running trusted pull in the distant future: %s\n%s", err, out)

 		}

@@ -256,7 +246,7 @@ func (s *DockerTrustSuite) TestPullWhenCertExpired(c *check.C) {

 		// Try pull

 		pullCmd := exec.Command(dockerBinary, "pull", "--untrusted", repoName)

 		s.trustedCmd(pullCmd)

-		out, _, err = runCommandWithOutput(pullCmd)

+		out, _, err := runCommandWithOutput(pullCmd)

 		if err != nil {

 			c.Fatalf("Error running untrusted pull in the distant future: %s\n%s", err, out)

 		}

@@ -281,7 +281,7 @@ func (s *DockerTrustSuite) TestTrustedPushWithIncorrectPassphraseForNonRoot(c *c

 		c.Fatalf("Error missing from trusted push with short targets passphrase: \n%s", out)

 	}

-	if !strings.Contains(string(out), "Password Invalid, operation has failed") {

+	if !strings.Contains(string(out), "password invalid, operation has failed") {

 		c.Fatalf("Missing expected output on trusted push with short targets/snapsnot passphrase:\n%s", out)

 	}

 }

@@ -2549,26 +2549,12 @@ func (s *DockerSuite) TestRunNetworkFilesBindMount(c *check.C) {

 }

 func (s *DockerTrustSuite) TestTrustedRun(c *check.C) {

-	repoName := fmt.Sprintf("%v/dockerclirun/trusted:latest", privateRegistryURL)

-	// tag the image and upload it to the private registry

-	dockerCmd(c, "tag", "busybox", repoName)

-

-	pushCmd := exec.Command(dockerBinary, "push", repoName)

-	s.trustedCmd(pushCmd)

-	out, _, err := runCommandWithOutput(pushCmd)

-	if err != nil {

-		c.Fatalf("Error running trusted push: %s\n%s", err, out)

-	}

-	if !strings.Contains(string(out), "Signing and pushing trust metadata") {

-		c.Fatalf("Missing expected output on trusted push:\n%s", out)

-	}

-

-	dockerCmd(c, "rmi", repoName)

+	repoName := s.setupTrustedImage(c, "trusted-run")

 	// Try run

 	runCmd := exec.Command(dockerBinary, "run", repoName)

 	s.trustedCmd(runCmd)

-	out, _, err = runCommandWithOutput(runCmd)

+	out, _, err := runCommandWithOutput(runCmd)

 	if err != nil {

 		c.Fatalf("Error running trusted run: %s\n%s\n", err, out)

 	}

@@ -2613,21 +2599,7 @@ func (s *DockerTrustSuite) TestUntrustedRun(c *check.C) {

 }

 func (s *DockerTrustSuite) TestRunWhenCertExpired(c *check.C) {

-	repoName := fmt.Sprintf("%v/dockercli/trusted:latest", privateRegistryURL)

-	// tag the image and upload it to the private registry

-	dockerCmd(c, "tag", "busybox", repoName)

-

-	pushCmd := exec.Command(dockerBinary, "push", repoName)

-	s.trustedCmd(pushCmd)

-	out, _, err := runCommandWithOutput(pushCmd)

-	if err != nil {

-		c.Fatalf("Error running trusted push: %s\n%s", err, out)

-	}

-	if !strings.Contains(string(out), "Signing and pushing trust metadata") {

-		c.Fatalf("Missing expected output on trusted push:\n%s", out)

-	}

-

-	dockerCmd(c, "rmi", repoName)

+	repoName := s.setupTrustedImage(c, "trusted-run-expired")

 	// Certificates have 10 years of expiration

 	elevenYearsFromNow := time.Now().Add(time.Hour * 24 * 365 * 11)

@@ -2636,7 +2608,7 @@ func (s *DockerTrustSuite) TestRunWhenCertExpired(c *check.C) {

 		// Try run

 		runCmd := exec.Command(dockerBinary, "run", repoName)

 		s.trustedCmd(runCmd)

-		out, _, err = runCommandWithOutput(runCmd)

+		out, _, err := runCommandWithOutput(runCmd)

 		if err == nil {

 			c.Fatalf("Error running trusted run in the distant future: %s\n%s", err, out)

 		}

@@ -2650,7 +2622,7 @@ func (s *DockerTrustSuite) TestRunWhenCertExpired(c *check.C) {

 		// Try run

 		runCmd := exec.Command(dockerBinary, "run", "--untrusted", repoName)

 		s.trustedCmd(runCmd)

-		out, _, err = runCommandWithOutput(runCmd)

+		out, _, err := runCommandWithOutput(runCmd)

 		if err != nil {

 			c.Fatalf("Error running untrusted run in the distant future: %s\n%s", err, out)

 		}

@@ -969,14 +969,20 @@ func getContainerState(c *check.C, id string) (int, bool, error) {

 	return exitStatus, running, nil

 }

-func buildImageWithOut(name, dockerfile string, useCache bool) (string, string, error) {

-	args := []string{"build", "-t", name}

+func buildImageCmd(name, dockerfile string, useCache bool) *exec.Cmd {

+	args := []string{"-D", "build", "-t", name}

 	if !useCache {

 		args = append(args, "--no-cache")

 	}

 	args = append(args, "-")

 	buildCmd := exec.Command(dockerBinary, args...)

 	buildCmd.Stdin = strings.NewReader(dockerfile)

+	return buildCmd

+

+}

+

+func buildImageWithOut(name, dockerfile string, useCache bool) (string, string, error) {

+	buildCmd := buildImageCmd(name, dockerfile, useCache)

 	out, exitCode, err := runCommandWithOutput(buildCmd)

 	if err != nil || exitCode != 0 {

 		return "", out, fmt.Errorf("failed to build the image: %s", out)

@@ -989,13 +995,7 @@ func buildImageWithOut(name, dockerfile string, useCache bool) (string, string,

 }

 func buildImageWithStdoutStderr(name, dockerfile string, useCache bool) (string, string, string, error) {

-	args := []string{"build", "-t", name}

-	if !useCache {

-		args = append(args, "--no-cache")

-	}

-	args = append(args, "-")

-	buildCmd := exec.Command(dockerBinary, args...)

-	buildCmd.Stdin = strings.NewReader(dockerfile)

+	buildCmd := buildImageCmd(name, dockerfile, useCache)

 	stdout, stderr, exitCode, err := runCommandWithStdoutStderr(buildCmd)

 	if err != nil || exitCode != 0 {

 		return "", stdout, stderr, fmt.Errorf("failed to build the image: %s", stdout)

@@ -8,6 +8,7 @@ import (

 	"os"

 	"os/exec"

 	"path/filepath"

+	"strings"

 	"time"

 	"github.com/docker/docker/pkg/tlsconfig"

@@ -107,6 +108,7 @@ func (s *DockerTrustSuite) trustedCmdWithServer(cmd *exec.Cmd, server string) {

 	pwd := "12345678"

 	trustCmdEnv(cmd, server, pwd, pwd, pwd)

 }

+

 func (s *DockerTrustSuite) trustedCmdWithPassphrases(cmd *exec.Cmd, rootPwd, snapshotPwd, targetPwd string) {

 	trustCmdEnv(cmd, s.not.address(), rootPwd, snapshotPwd, targetPwd)

 }

@@ -121,3 +123,25 @@ func trustCmdEnv(cmd *exec.Cmd, server, rootPwd, snapshotPwd, targetPwd string)

 	}

 	cmd.Env = append(os.Environ(), env...)

 }

+

+func (s *DockerTrustSuite) setupTrustedImage(c *check.C, name string) string {

+	repoName := fmt.Sprintf("%v/dockercli/%s:latest", privateRegistryURL, name)

+	// tag the image and upload it to the private registry

+	dockerCmd(c, "tag", "busybox", repoName)

+

+	pushCmd := exec.Command(dockerBinary, "push", repoName)

+	s.trustedCmd(pushCmd)

+	out, _, err := runCommandWithOutput(pushCmd)

+	if err != nil {

+		c.Fatalf("Error running trusted push: %s\n%s", err, out)

+	}

+	if !strings.Contains(string(out), "Signing and pushing trust metadata") {

+		c.Fatalf("Missing expected output on trusted push:\n%s", out)

+	}

+

+	if out, status := dockerCmd(c, "rmi", repoName); status != 0 {

+		c.Fatalf("Error removing image %q\n%s", repoName, out)

+	}

+

+	return repoName

+}