machine init: fix tls check

Ensure we verify the TLS connection when pulling the OCI image.

Fixes: CVE-2025-6032

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Paul Holzinger
2025-06-10 14:16:46 +02:00
parent 7808625785
commit 726b506acc
2 changed files with 4 additions and 4 deletions


@ -217,7 +217,7 @@ func (o *OCIArtifactDisk) getDestArtifact() (types.ImageReference, digest.Digest
}
fmt.Printf("Looking up Podman Machine image at %s to create VM\n", imgRef.DockerReference())
sysCtx := &types.SystemContext{
DockerInsecureSkipTLSVerify: types.NewOptionalBool(!o.pullOptions.TLSVerify),
DockerInsecureSkipTLSVerify: o.pullOptions.SkipTLSVerify,
}
imgSrc, err := imgRef.NewImageSource(o.ctx, sysCtx)
if err != nil {
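Review bot: The `DockerInsecureSkipTLSVerify: o.pullOptions.SkipTLSVerify` line (which appears to be the new side) now forwards a `types.OptionalBool` whose zero value is "undefined", and nothing in this hunk shows where `SkipTLSVerify` is populated, so the safe fallback deserves an explicit comment; I would add `// Forward the tri-state unchanged: an unset value (undefined) leaves the decision to containers/image, which verifies TLS unless registries.conf marks the registry insecure, so a field nobody set can never disable verification.` The removed form derived the flag from a plain bool, so an unset field yielded `!false` and silently skipped verification; a regression test that builds the SystemContext from a zero-valued PullOptions and asserts `DockerInsecureSkipTLSVerify != types.OptionalTrue` would keep that from recurring. getDestArtifact starts and ends outside the hunk.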


@ -21,8 +21,8 @@ import (
// PullOptions includes data to alter certain knobs when pulling a source
// image.
type PullOptions struct {
// Require HTTPS and verify certificates when accessing the registry.
TLSVerify bool
// Skip TLS verification when accessing the registry.
SkipTLSVerify types.OptionalBool
// [username[:password] to use when connecting to the registry.
Credentials string
// Quiet the progress bars when pushing.
@ -46,7 +46,7 @@ func Pull(ctx context.Context, imageInput types.ImageReference, localDestPath *d
}
sysCtx := &types.SystemContext{
DockerInsecureSkipTLSVerify: types.NewOptionalBool(!options.TLSVerify),
DockerInsecureSkipTLSVerify: options.SkipTLSVerify,
}
if options.Credentials != "" {
authConf, err := parse.AuthConfig(options.Credentials)