From 3d00049e40a764002eb5c10cfb08af613a5aa93c Mon Sep 17 00:00:00 2001
From: "Jose R. Gonzalez"
Date: Fri, 3 Feb 2023 11:04:33 -0600
Subject: [PATCH] configure the insecure flag to allow access to registries with self-signed certificate

Signed-off-by: Jose R. Gonzalez
---
 internal/engine/engine.go | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/internal/engine/engine.go b/internal/engine/engine.go
index ab4ff85a..eefca6e0 100644
--- a/internal/engine/engine.go
+++ b/internal/engine/engine.go
@@ -5,6 +5,7 @@ import (
 "bytes"
 "context"
 "crypto/md5"
+ "crypto/tls"
 "encoding/json"
 "fmt"
 "io"
@@ -102,7 +103,18 @@ func (c *CraneEngine) ExecuteChecks(ctx context.Context) error {
 }
 
 if c.Insecure {
- options = append(options, crane.Insecure)
+ // Adding WithTransport opt is a workaround to allow for access to HTTPS
+ // container registries with self-signed or non-trusted certificates.
+ //
+ // See https://github.com/google/go-containerregistry/issues/1553 for more context. If this issue
+ // is resolved, then this workaround can likely be removed or adjusted to use new features in the
+ // go-containerregistry project.
+ rt := remote.DefaultTransport.(*http.Transport).Clone()
+ rt.TLSClientConfig = &tls.Config{
+ InsecureSkipVerify: true, //nolint: gosec
+ }
+
+ options = append(options, crane.Insecure, crane.WithTransport(rt))
 }
 
 // pull the image and save to fs
@@ -674,6 +686,7 @@ func New(ctx context.Context,
 IsBundle: isBundle,
 IsScratch: isScratch,
 Platform: platform,
+ Insecure: insecure,
 }, nil
 }
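Review bot: The single-value type assertion `remote.DefaultTransport.(*http.Transport)` in the new `if c.Insecure` branch of ExecuteChecks panics if the library's default transport is ever not an `*http.Transport` (it is declared as a RoundTripper interface, so this is not guaranteed at compile time); use the two-value form and return an error instead, e.g. `base, ok := remote.DefaultTransport.(*http.Transport)` / `if !ok { return fmt.Errorf("unexpected default transport %T", remote.DefaultTransport) }` / `rt := base.Clone()`. The `InsecureSkipVerify: true` config also disables chain and hostname verification for every registry contacted while the flag is set, and assigning a fresh `tls.Config` discards whatever settings the cloned transport's own TLSClientConfig carried, which is broader than the "self-signed certificate" wording in the subject line. The safer path for the self-signed case is a caller-supplied CA bundle via `tls.Config.RootCAs`, leaving the verification skip as the explicit last resort. Since the `Insecure` field set in New (third hunk) now triggers two distinct relaxations — plaintext fallback via `crane.Insecure` and TLS verification skip via the transport — its doc comment should state both, e.g. `// Insecure permits plaintext registry connections and disables TLS certificate verification.` ExecuteChecks's body begins and ends outside the hunk.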