set artifactType correctly for referrers fallback (#94)

* set artifactType correctly for referrers fallback
2024-07-19 16:39:35 +01:00
parent 10d4f129b5
commit 5e68d94ad4
3 changed files with 49 additions and 3 deletions
--- a/go.mod
+++ b/go.mod
@@ -31,7 +31,7 @@ require (
 )

 // fork of a fork (in case it goes away) with changes to support ArtifactType (https://github.com/google/go-containerregistry/pull/1931)
-replace github.com/google/go-containerregistry v0.20.0 => github.com/kipz/go-containerregistry v0.0.0-20240423201245-bf57eace21f2
+replace github.com/google/go-containerregistry v0.20.0 => github.com/kipz/go-containerregistry v0.0.0-20240719153227-9edd0a0441c8

 require (
 	cloud.google.com/go v0.115.0 // indirect
--- a/go.sum
+++ b/go.sum
@@ -415,8 +415,8 @@ github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8Hm
 github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y=
 github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM=
 github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo=
-github.com/kipz/go-containerregistry v0.0.0-20240423201245-bf57eace21f2 h1:Q8a+lW1mDc5ta1kelfIVqXl/DC+KQg6PG/F33kCC9TA=
-github.com/kipz/go-containerregistry v0.0.0-20240423201245-bf57eace21f2/go.mod h1:YCMFNQeeXeLF+dnhhWkqDItx/JSkH01j1Kis4PsjzFI=
+github.com/kipz/go-containerregistry v0.0.0-20240719153227-9edd0a0441c8 h1:jxznpXHtDmo7x90Fc26H1FEmcdQ0K6PF13OgXcrkcSc=
+github.com/kipz/go-containerregistry v0.0.0-20240719153227-9edd0a0441c8/go.mod h1:YCMFNQeeXeLF+dnhhWkqDItx/JSkH01j1Kis4PsjzFI=
 github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=
 github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
 github.com/klauspost/compress v1.17.8 h1:YcnTYrq7MikUT7k0Yb5eceMmALQPYBW/Xltxn0NAMnU=
--- a/pkg/attestation/referrers_test.go
+++ b/pkg/attestation/referrers_test.go
@@ -294,3 +294,49 @@ func TestReferencesInDifferentRepo(t *testing.T) {
 		}
 	}
 }
+
+func TestCorrectArtifactTypeInTagFallback(t *testing.T) {
+	ctx, signer := test.Setup(t)
+	server := httptest.NewServer(registry.New())
+
+	defer server.Close()
+	serverUrl, err := url.Parse(server.URL)
+	require.NoError(t, err)
+
+	repoName := "repo"
+
+	opts := &attestation.SigningOptions{
+		SkipTL: true,
+	}
+	attIdx, err := oci.IndexFromPath(UnsignedTestImage)
+	require.NoError(t, err)
+
+	indexName := fmt.Sprintf("%s/%s:latest", serverUrl.Host, repoName)
+	err = mirror.PushIndexToRegistry(attIdx.Index, indexName)
+	require.NoError(t, err)
+
+	signedManifests, err := attest.SignStatements(ctx, attIdx.Index, signer, opts)
+	require.NoError(t, err)
+
+	// this should create and maintain an index of referrers
+	for _, mf := range signedManifests {
+		imgs, err := mf.BuildReferringArtifacts()
+		require.NoError(t, err)
+		for _, img := range imgs {
+			err = mirror.PushImageToRegistry(img, fmt.Sprintf("%s/%s:tag-does-not-matter", serverUrl.Host, repoName))
+			require.NoError(t, err)
+			mf, err := img.Manifest()
+			require.NoError(t, err)
+			subject := mf.Subject
+			subjectRef, err := name.ParseReference(fmt.Sprintf("%s/%s:sha256-%s", serverUrl.Host, repoName, subject.Digest.Hex))
+			require.NoError(t, err)
+			idx, err := remote.Index(subjectRef)
+			require.NoError(t, err)
+			imf, err := idx.IndexManifest()
+			require.NoError(t, err)
+			for _, m := range imf.Manifests {
+				assert.Equal(t, "application/vnd.in-toto+json", m.ArtifactType)
+			}
+		}
+	}
+}