diff --git a/pkg/attest/example_sign_test.go b/pkg/attest/example_sign_test.go
index 2d006b2..6fa0411 100644
--- a/pkg/attest/example_sign_test.go
+++ b/pkg/attest/example_sign_test.go
@@ -49,7 +49,7 @@ func ExampleSign_remote() {
 panic(err)
 }
 signedIndex := attIdx.Index
- signedIndex, err = attestation.AddImagesToIndex(signedIndex, signedManifests)
+ signedIndex, err = attestation.UpdateIndexImages(signedIndex, signedManifests)
 if err != nil {
 panic(err)
 }
diff --git a/pkg/attest/sign_test.go b/pkg/attest/sign_test.go
index 89e0dc7..047792a 100644
--- a/pkg/attest/sign_test.go
+++ b/pkg/attest/sign_test.go
@@ -64,7 +64,7 @@ func TestSignVerifyOCILayout(t *testing.T) {
 signedManifests, err := SignStatements(ctx, attIdx.Index, signer, opts)
 require.NoError(t, err)
 signedIndex := attIdx.Index
- signedIndex, err = attestation.AddImagesToIndex(signedIndex, signedManifests, attestation.WithReplacedLayers(tc.replace))
+ signedIndex, err = attestation.UpdateIndexImages(signedIndex, signedManifests, attestation.WithReplacedLayers(tc.replace))
 require.NoError(t, err)
 // output signed attestations
 idx := v1.ImageIndex(empty.Index)
diff --git a/pkg/attest/verify_test.go b/pkg/attest/verify_test.go
index b2ed630..fcbd734 100644
--- a/pkg/attest/verify_test.go
+++ b/pkg/attest/verify_test.go
@@ -83,7 +83,7 @@ func TestVSA(t *testing.T) {
 signedManifests, err := SignStatements(ctx, attIdx.Index, signer, opts)
 require.NoError(t, err)
 signedIndex := attIdx.Index
- signedIndex, err = attestation.AddImagesToIndex(signedIndex, signedManifests)
+ signedIndex, err = attestation.UpdateIndexImages(signedIndex, signedManifests)
 require.NoError(t, err)
 // output signed attestations
@@ -140,7 +140,7 @@ func TestVerificationFailure(t *testing.T) {
 signedManifests, err := SignStatements(ctx, attIdx.Index, signer, opts)
 require.NoError(t, err)
 signedIndex := attIdx.Index
- signedIndex, err = attestation.AddImagesToIndex(signedIndex, signedManifests, attestation.WithReplacedLayers(true))
+ signedIndex, err = attestation.UpdateIndexImages(signedIndex, signedManifests, attestation.WithReplacedLayers(true))
 require.NoError(t, err)
 // output signed attestations
@@ -217,7 +217,7 @@ func TestSignVerify(t *testing.T) {
 signedManifests, err := SignStatements(ctx, attIdx.Index, signer, opts)
 require.NoError(t, err)
 signedIndex := attIdx.Index
- signedIndex, err = attestation.AddImagesToIndex(signedIndex, signedManifests, attestation.WithReplacedLayers(true))
+ signedIndex, err = attestation.UpdateIndexImages(signedIndex, signedManifests, attestation.WithReplacedLayers(true))
 require.NoError(t, err)
 imageName := tc.imageName
diff --git a/pkg/attestation/attestation.go b/pkg/attestation/attestation.go
index 5447c99..425ac85 100644
--- a/pkg/attestation/attestation.go
+++ b/pkg/attestation/attestation.go
@@ -136,7 +136,7 @@ func SignInTotoStatement(ctx context.Context, statement *intoto.Statement, signe
 return env, nil
 }
 
-func AddImageToIndex(
+func UpdateIndexImage(
 idx v1.ImageIndex,
 manifest *AttestationManifest,
 options ...func(*AttestationManifestImageOptions) error) (v1.ImageIndex, error) {
@@ -163,10 +163,10 @@ func AddImageToIndex(
 return idx, nil
 }
 
-func AddImagesToIndex(idx v1.ImageIndex, manifest []*AttestationManifest, options ...func(*AttestationManifestImageOptions) error) (v1.ImageIndex, error) {
+func UpdateIndexImages(idx v1.ImageIndex, manifest []*AttestationManifest, options ...func(*AttestationManifestImageOptions) error) (v1.ImageIndex, error) {
 var err error
 for _, m := range manifest {
- idx, err = AddImageToIndex(idx, m, options...)
+ idx, err = UpdateIndexImage(idx, m, options...)
 if err != nil {
 return nil, fmt.Errorf("failed to add image to index: %w", err)
 }
@@ -223,7 +223,8 @@ func (manifest *AttestationManifest) BuildAttestationImage(options ...func(*Atte
 resultLayers = append(resultLayers, existingLayer)
 }
 }
-
+ // so taht we attach all attestations to a single attestations image - as per current buildkit
+ opts.laxReferrers = true
 newImg, err := buildImage(resultLayers, manifest.OriginalDescriptor, manifest.SubjectDescriptor, opts)
 if err != nil {
 return nil, fmt.Errorf("failed to build image: %w", err)
@@ -235,9 +236,7 @@ func (manifest *AttestationManifest) BuildAttestationImage(options ...func(*Atte
 func (manifest *AttestationManifest) BuildReferringArtifacts() ([]v1.Image, error) {
 var images []v1.Image
 for _, layer := range manifest.SignedLayers {
- opts := &AttestationManifestImageOptions{
- strictReferrers: true,
- }
+ opts := &AttestationManifestImageOptions{}
 newImg, err := buildImage([]*AttestationLayer{layer}, manifest.OriginalDescriptor, manifest.SubjectDescriptor, opts)
 if err != nil {
 return nil, fmt.Errorf("failed to build image: %w", err)
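Review bot: `opts.laxReferrers = true` in BuildAttestationImage unconditionally overrides whatever the caller's option functions set, and the comment above it has a typo (`taht`). If the override is deliberate, make the comment say so: `// always build the in-index attestations image in the lax (image-config) form so that all attestations land in a single image, as current buildkit expects; this overrides any caller option`. If it is not deliberate, the assignment belongs in the default-options construction instead, which is outside the hunk. BuildAttestationImage starts and ends outside the hunk, so whether opts here is freshly built or caller-owned is not visible.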
@@ -265,12 +264,12 @@ func buildImage(layers []*AttestationLayer, manifest *v1.Descriptor, subject *v1
 }
 }
 
- if opts.strictReferrers {
+ // this is for attaching attestations to an attestation image in the index
+ if opts.laxReferrers {
+ newImg = mutate.ConfigMediaType(newImg, "application/vnd.oci.image.config.v1+json")
+ } else {
 newImg = mutate.ArtifactType(newImg, intoto.PayloadType)
 newImg = mutate.ConfigMediaType(newImg, "application/vnd.oci.empty.v1+json")
-
- } else {
- newImg = mutate.ConfigMediaType(newImg, "application/vnd.oci.image.config.v1+json")
 }
 // we need to set this even when we set the artifact type otherwise things break (even the go-container-registry client)
 // even though it's allowed to be empty by spec when setting artifact type
@@ -280,7 +279,7 @@ func buildImage(layers []*AttestationLayer, manifest *v1.Descriptor, subject *v1
 if !opts.skipSubject {
 newImg = mutate.Subject(newImg, *subject).(v1.Image)
 }
- if opts.strictReferrers {
+ if !opts.laxReferrers {
 // as per https://github.com/opencontainers/image-spec/blob/main/manifest.md#guidance-for-an-empty-descriptor
 newImg = &EmptyConfigImage{newImg}
 }
diff --git a/pkg/attestation/referrers_test.go b/pkg/attestation/referrers_test.go
index 61b8aef..e606d67 100644
--- a/pkg/attestation/referrers_test.go
+++ b/pkg/attestation/referrers_test.go
@@ -129,7 +129,7 @@ func TestAttestationReferenceTypes(t *testing.T) {
 signedManifests, err := attest.SignStatements(ctx, attIdx.Index, signer, opts)
 require.NoError(t, err)
 signedIndex := attIdx.Index
- signedIndex, err = attestation.AddImagesToIndex(signedIndex, signedManifests, attestation.WithReplacedLayers(true), attestation.WithoutSubject(tc.skipSubject))
+ signedIndex, err = attestation.UpdateIndexImages(signedIndex, signedManifests, attestation.WithReplacedLayers(true), attestation.WithoutSubject(tc.skipSubject))
 require.NoError(t, err)
 err = mirror.PushIndexToRegistry(signedIndex, indexName)
 require.NoError(t, err)
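Review bot: Renaming strictReferrers to laxReferrers inverts what a zero-valued AttestationManifestImageOptions means in buildImage: an options struct that sets neither field now takes the OCI 1.1 referrer form (artifactType intoto.PayloadType, empty config media type, and the EmptyConfigImage wrapper in the second hunk), where it previously took the plain image-config form. That is consistent with the two callers changed in this commit, but any other place that constructs the options struct, including the option-function defaults outside this diff, changes its output without a visible code change, so the field deserves a doc comment in types.go, for example `// laxReferrers selects a plain image-config manifest with no artifactType (the attestation image held in the index); when false the manifest is built as an OCI 1.1 referrer with an empty config descriptor`. The new comment `// this is for attaching attestations to an attestation image in the index` sits above the if and reads as describing both branches; moving it inside the laxReferrers branch makes it precise. buildImage starts and ends outside the hunk.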
diff --git a/pkg/attestation/types.go b/pkg/attestation/types.go index f6848cc..de55fe8 100644 --- a/pkg/attestation/types.go +++ b/pkg/attestation/types.go @@ -43,9 +43,9 @@ type AttestationManifest struct { type AttestationManifestImageOptions struct { // how to output the image - skipSubject bool - replaceLayers bool - strictReferrers bool + skipSubject bool + replaceLayers bool + laxReferrers bool } // the following types are needed until https://github.com/secure-systems-lab/dsse/pull/61 is merged diff --git a/pkg/mirror/mirror_test.go b/pkg/mirror/mirror_test.go index c3dc3cc..8fdce52 100644 --- a/pkg/mirror/mirror_test.go +++ b/pkg/mirror/mirror_test.go @@ -20,7 +20,7 @@ func TestSavingIndex(t *testing.T) { attIdx, err := oci.IndexFromPath(UnsignedTestImage) require.NoError(t, err) - server := httptest.NewServer(registry.New(registry.WithReferrersSupport(true))) + server := httptest.NewServer(registry.New()) defer server.Close() u, err := url.Parse(server.URL) @@ -43,7 +43,7 @@ func TestSavingImage(t *testing.T) { img := empty.Image - server := httptest.NewServer(registry.New(registry.WithReferrersSupport(true))) + server := httptest.NewServer(registry.New()) defer server.Close() u, err := url.Parse(server.URL) diff --git a/pkg/oci/registry_test.go b/pkg/oci/registry_test.go index cb56f76..d6b1edf 100644 --- a/pkg/oci/registry_test.go +++ b/pkg/oci/registry_test.go @@ -31,7 +31,7 @@ func TestRegistry(t *testing.T) { signedManifests, err := attest.SignStatements(ctx, attIdx.Index, signer, opts) require.NoError(t, err) signedIndex := attIdx.Index - signedIndex, err = attestation.AddImagesToIndex(signedIndex, signedManifests) + signedIndex, err = attestation.UpdateIndexImages(signedIndex, signedManifests) require.NoError(t, err) indexName := fmt.Sprintf("%s/repo:root", u.Host)
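Review bot: The mirror tests lose their only coverage of a referrers-aware registry: with `registry.WithReferrersSupport(true)` removed from both TestSavingIndex and TestSavingImage in mirror_test.go, whatever these tests push is now exercised solely against the fallback behaviour of a registry without the OCI 1.1 referrers API, while BuildReferringArtifacts elsewhere in this commit now emits the referrer form by default. If the fallback path is what should be covered, keep one case with referrers support alongside it, e.g. a table-driven loop over `[]bool{false, true}` feeding `registry.WithReferrersSupport(v)`, or record the reason above the server setup with `// plain registry: exercises the pre-referrers-API fallback`. Whether these two tests push referrer artifacts at all is not visible in the hunks.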