Update naming. strictReferers != laxReferrers

James Carnegie
2024-07-10 09:24:59 +01:00
parent 549c89e841
commit 20f4403d44
8 changed files with 23 additions and 24 deletions


@@ -49,7 +49,7 @@ func ExampleSign_remote() {
panic(err)
}
signedIndex := attIdx.Index
signedIndex, err = attestation.AddImagesToIndex(signedIndex, signedManifests)
signedIndex, err = attestation.UpdateIndexImages(signedIndex, signedManifests)
if err != nil {
panic(err)
}


@@ -64,7 +64,7 @@ func TestSignVerifyOCILayout(t *testing.T) {
signedManifests, err := SignStatements(ctx, attIdx.Index, signer, opts)
require.NoError(t, err)
signedIndex := attIdx.Index
signedIndex, err = attestation.AddImagesToIndex(signedIndex, signedManifests, attestation.WithReplacedLayers(tc.replace))
signedIndex, err = attestation.UpdateIndexImages(signedIndex, signedManifests, attestation.WithReplacedLayers(tc.replace))
require.NoError(t, err)
// output signed attestations
idx := v1.ImageIndex(empty.Index)


@@ -83,7 +83,7 @@ func TestVSA(t *testing.T) {
signedManifests, err := SignStatements(ctx, attIdx.Index, signer, opts)
require.NoError(t, err)
signedIndex := attIdx.Index
signedIndex, err = attestation.AddImagesToIndex(signedIndex, signedManifests)
signedIndex, err = attestation.UpdateIndexImages(signedIndex, signedManifests)
require.NoError(t, err)
// output signed attestations
@@ -140,7 +140,7 @@ func TestVerificationFailure(t *testing.T) {
signedManifests, err := SignStatements(ctx, attIdx.Index, signer, opts)
require.NoError(t, err)
signedIndex := attIdx.Index
signedIndex, err = attestation.AddImagesToIndex(signedIndex, signedManifests, attestation.WithReplacedLayers(true))
signedIndex, err = attestation.UpdateIndexImages(signedIndex, signedManifests, attestation.WithReplacedLayers(true))
require.NoError(t, err)
// output signed attestations
@@ -217,7 +217,7 @@ func TestSignVerify(t *testing.T) {
signedManifests, err := SignStatements(ctx, attIdx.Index, signer, opts)
require.NoError(t, err)
signedIndex := attIdx.Index
signedIndex, err = attestation.AddImagesToIndex(signedIndex, signedManifests, attestation.WithReplacedLayers(true))
signedIndex, err = attestation.UpdateIndexImages(signedIndex, signedManifests, attestation.WithReplacedLayers(true))
require.NoError(t, err)
imageName := tc.imageName


@@ -136,7 +136,7 @@ func SignInTotoStatement(ctx context.Context, statement *intoto.Statement, signe
return env, nil
}
func AddImageToIndex(
func UpdateIndexImage(
idx v1.ImageIndex,
manifest *AttestationManifest,
options ...func(*AttestationManifestImageOptions) error) (v1.ImageIndex, error) {
@@ -163,10 +163,10 @@ func AddImageToIndex(
return idx, nil
}
func AddImagesToIndex(idx v1.ImageIndex, manifest []*AttestationManifest, options ...func(*AttestationManifestImageOptions) error) (v1.ImageIndex, error) {
func UpdateIndexImages(idx v1.ImageIndex, manifest []*AttestationManifest, options ...func(*AttestationManifestImageOptions) error) (v1.ImageIndex, error) {
var err error
for _, m := range manifest {
idx, err = AddImageToIndex(idx, m, options...)
idx, err = UpdateIndexImage(idx, m, options...)
if err != nil {
return nil, fmt.Errorf("failed to add image to index: %w", err)
}
@@ -223,7 +223,8 @@ func (manifest *AttestationManifest) BuildAttestationImage(options ...func(*Atte
resultLayers = append(resultLayers, existingLayer)
}
}
// so taht we attach all attestations to a single attestations image - as per current buildkit
opts.laxReferrers = true
newImg, err := buildImage(resultLayers, manifest.OriginalDescriptor, manifest.SubjectDescriptor, opts)
if err != nil {
return nil, fmt.Errorf("failed to build image: %w", err)
@@ -235,9 +236,7 @@ func (manifest *AttestationManifest) BuildAttestationImage(options ...func(*Atte
func (manifest *AttestationManifest) BuildReferringArtifacts() ([]v1.Image, error) {
var images []v1.Image
for _, layer := range manifest.SignedLayers {
opts := &AttestationManifestImageOptions{
strictReferrers: true,
}
opts := &AttestationManifestImageOptions{}
newImg, err := buildImage([]*AttestationLayer{layer}, manifest.OriginalDescriptor, manifest.SubjectDescriptor, opts)
if err != nil {
return nil, fmt.Errorf("failed to build image: %w", err)
@@ -265,12 +264,12 @@ func buildImage(layers []*AttestationLayer, manifest *v1.Descriptor, subject *v1
}
}
if opts.strictReferrers {
// this is for attaching attestations to an attestation image in the index
if opts.laxReferrers {
newImg = mutate.ConfigMediaType(newImg, "application/vnd.oci.image.config.v1+json")
} else {
newImg = mutate.ArtifactType(newImg, intoto.PayloadType)
newImg = mutate.ConfigMediaType(newImg, "application/vnd.oci.empty.v1+json")
} else {
newImg = mutate.ConfigMediaType(newImg, "application/vnd.oci.image.config.v1+json")
}
// we need to set this even when we set the artifact type otherwise things break (even the go-container-registry client)
// even though it's allowed to be empty by spec when setting artifact type
@@ -280,7 +279,7 @@ func buildImage(layers []*AttestationLayer, manifest *v1.Descriptor, subject *v1
if !opts.skipSubject {
newImg = mutate.Subject(newImg, *subject).(v1.Image)
}
if opts.strictReferrers {
if !opts.laxReferrers {
// as per https://github.com/opencontainers/image-spec/blob/main/manifest.md#guidance-for-an-empty-descriptor
newImg = &EmptyConfigImage{newImg}
}
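Review bot: In BuildAttestationImage, `opts.laxReferrers = true` is assigned unconditionally just before buildImage, and because the flag's polarity was inverted, a zero-value `AttestationManifestImageOptions{}` (as BuildReferringArtifacts now passes) silently selects the strict form: artifactType set to intoto.PayloadType, the empty config media type and the EmptyConfigImage wrapper. Nothing documents that default, and the two separate `if` checks on the flag in buildImage have to stay in agreement, so I would add a comment on the field such as `// laxReferrers: use the regular image config media type and set no artifactType; the zero value builds a referrers-style artifact`. The new comment has a typo (`taht`), and the renamed UpdateIndexImages still wraps errors as `"failed to add image to index: %w"`. The exported names AddImageToIndex and AddImagesToIndex are removed with no deprecated alias, which would break callers outside this repository if there are any. These functions begin and end outside the hunks shown.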


@@ -129,7 +129,7 @@ func TestAttestationReferenceTypes(t *testing.T) {
signedManifests, err := attest.SignStatements(ctx, attIdx.Index, signer, opts)
require.NoError(t, err)
signedIndex := attIdx.Index
signedIndex, err = attestation.AddImagesToIndex(signedIndex, signedManifests, attestation.WithReplacedLayers(true), attestation.WithoutSubject(tc.skipSubject))
signedIndex, err = attestation.UpdateIndexImages(signedIndex, signedManifests, attestation.WithReplacedLayers(true), attestation.WithoutSubject(tc.skipSubject))
require.NoError(t, err)
err = mirror.PushIndexToRegistry(signedIndex, indexName)
require.NoError(t, err)


@@ -43,9 +43,9 @@ type AttestationManifest struct {
type AttestationManifestImageOptions struct {
// how to output the image
skipSubject bool
replaceLayers bool
strictReferrers bool
skipSubject bool
replaceLayers bool
laxReferrers bool
}
// the following types are needed until https://github.com/secure-systems-lab/dsse/pull/61 is merged


@@ -20,7 +20,7 @@ func TestSavingIndex(t *testing.T) {
attIdx, err := oci.IndexFromPath(UnsignedTestImage)
require.NoError(t, err)
server := httptest.NewServer(registry.New(registry.WithReferrersSupport(true)))
server := httptest.NewServer(registry.New())
defer server.Close()
u, err := url.Parse(server.URL)
@@ -43,7 +43,7 @@ func TestSavingImage(t *testing.T) {
img := empty.Image
server := httptest.NewServer(registry.New(registry.WithReferrersSupport(true)))
server := httptest.NewServer(registry.New())
defer server.Close()
u, err := url.Parse(server.URL)
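Review bot: Dropping `registry.WithReferrersSupport(true)` from the test registries in TestSavingIndex and TestSavingImage is a behaviour change inside a commit described as a rename, and nothing in the hunks explains it. If these tests never push referring artifacts the option was unnecessary, but that is not visible here; any later assertion that depends on the referrers API would now run against a registry without it. A short comment such as `// referrers API not needed: this test only saves and reads back the index`, or a line in the commit message, would make the intent clear. Both test bodies continue outside the hunks.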


@@ -31,7 +31,7 @@ func TestRegistry(t *testing.T) {
signedManifests, err := attest.SignStatements(ctx, attIdx.Index, signer, opts)
require.NoError(t, err)
signedIndex := attIdx.Index
signedIndex, err = attestation.AddImagesToIndex(signedIndex, signedManifests)
signedIndex, err = attestation.UpdateIndexImages(signedIndex, signedManifests)
require.NoError(t, err)
indexName := fmt.Sprintf("%s/repo:root", u.Host)