From 7739f247b4f01f0f2f920a0a8046a6c8139f2026 Mon Sep 17 00:00:00 2001
From: Jamie Magee
Date: Fri, 26 Apr 2024 08:44:20 -0700
Subject: [PATCH] Enable Docker content trust
---
 script/_common | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/script/_common b/script/_common
index ae2e13f8263..25c73a634fd 100755
--- a/script/_common
+++ b/script/_common
@@ -41,6 +41,10 @@ function docker_build() {
 export DEPENDABOT_USER_GID=1000
 fi

+ # Only check Docker Content Trust for the updater-core image
+ # shellcheck disable=SC2034 # Used implicitly in docker build
+ DOCKER_CONTENT_TRUST=1
+
 # shellcheck disable=SC2086 # as $DOCKER_BUILD_ARGS relies on word-splitting
 docker build \
 $DOCKER_BUILD_ARGS \
@@ -53,6 +57,9 @@ function docker_build() {
 -f Dockerfile.updater-core \
 .

+ # We don't sign the updater image with Notary, so disable Docker Content Trust for remaining builds
+ unset DOCKER_CONTENT_TRUST
+
 export UPDATER_IMAGE_NAME="$UPDATER_IMAGE$TAG"

 # shellcheck disable=SC2086 # as $DOCKER_BUILD_ARGS relies on word-splitting
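Review bot: `DOCKER_CONTENT_TRUST=1` in the first hunk is a plain shell assignment, not an export, so `docker build` only sees it if the caller already exported the variable or `allexport` is on. The SC2034 suppression suggests nothing visible here exports it, in which case the updater-core build would still pull its base image without signature verification. Put the setting in the command's own environment instead, `DOCKER_CONTENT_TRUST=1 docker build \`, which makes the shellcheck disable unnecessary and leaves nothing to clean up afterwards. The body of docker_build starts and ends outside the hunk, so an export elsewhere in the function cannot be ruled out from here.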
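Review bot: `unset DOCKER_CONTENT_TRUST` in the second hunk also discards any value the caller had exported, so an environment that enforces content trust gets it silently switched off for the remaining builds. If `script/_common` is sourced, which its name suggests but the hunk does not show, that extends to everything the calling shell runs afterwards. If trust must be off for the later builds, save the previous value before the first build and restore it here, or override it only on the builds that need it, e.g. `DOCKER_CONTENT_TRUST=0 docker build \`. The comment should also say whether the remaining builds pull any external base images, since those would then be fetched unverified.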