diff --git a/go.mod b/go.mod index 2426dcc..9368916 100644 --- a/go.mod +++ b/go.mod @@ -31,7 +31,7 @@ require ( ) // fork of a fork (in case it goes away) with changes to support ArtifactType (https://github.com/google/go-containerregistry/pull/1931) -replace github.com/google/go-containerregistry v0.20.0 => github.com/kipz/go-containerregistry v0.0.0-20240423201245-bf57eace21f2 +replace github.com/google/go-containerregistry v0.20.0 => github.com/kipz/go-containerregistry v0.0.0-20240719153227-9edd0a0441c8 require ( cloud.google.com/go v0.115.0 // indirect diff --git a/go.sum b/go.sum index 2991d2c..277164e 100644 --- a/go.sum +++ b/go.sum @@ -415,8 +415,8 @@ github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8Hm github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y= github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM= github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo= -github.com/kipz/go-containerregistry v0.0.0-20240423201245-bf57eace21f2 h1:Q8a+lW1mDc5ta1kelfIVqXl/DC+KQg6PG/F33kCC9TA= -github.com/kipz/go-containerregistry v0.0.0-20240423201245-bf57eace21f2/go.mod h1:YCMFNQeeXeLF+dnhhWkqDItx/JSkH01j1Kis4PsjzFI= +github.com/kipz/go-containerregistry v0.0.0-20240719153227-9edd0a0441c8 h1:jxznpXHtDmo7x90Fc26H1FEmcdQ0K6PF13OgXcrkcSc= +github.com/kipz/go-containerregistry v0.0.0-20240719153227-9edd0a0441c8/go.mod h1:YCMFNQeeXeLF+dnhhWkqDItx/JSkH01j1Kis4PsjzFI= github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8= github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= github.com/klauspost/compress v1.17.8 h1:YcnTYrq7MikUT7k0Yb5eceMmALQPYBW/Xltxn0NAMnU= diff --git a/pkg/attestation/referrers_test.go b/pkg/attestation/referrers_test.go index bce9ced..c77eaf8 100644 --- a/pkg/attestation/referrers_test.go +++ b/pkg/attestation/referrers_test.go @@ -294,3 +294,49 @@ func TestReferencesInDifferentRepo(t *testing.T) { } } } + +func TestCorrectArtifactTypeInTagFallback(t *testing.T) { + ctx, signer := test.Setup(t) + server := httptest.NewServer(registry.New()) + + defer server.Close() + serverUrl, err := url.Parse(server.URL) + require.NoError(t, err) + + repoName := "repo" + + opts := &attestation.SigningOptions{ + SkipTL: true, + } + attIdx, err := oci.IndexFromPath(UnsignedTestImage) + require.NoError(t, err) + + indexName := fmt.Sprintf("%s/%s:latest", serverUrl.Host, repoName) + err = mirror.PushIndexToRegistry(attIdx.Index, indexName) + require.NoError(t, err) + + signedManifests, err := attest.SignStatements(ctx, attIdx.Index, signer, opts) + require.NoError(t, err) + + // this should create and maintain an index of referrers + for _, mf := range signedManifests { + imgs, err := mf.BuildReferringArtifacts() + require.NoError(t, err) + for _, img := range imgs { + err = mirror.PushImageToRegistry(img, fmt.Sprintf("%s/%s:tag-does-not-matter", serverUrl.Host, repoName)) + require.NoError(t, err) + mf, err := img.Manifest() + require.NoError(t, err) + subject := mf.Subject + subjectRef, err := name.ParseReference(fmt.Sprintf("%s/%s:sha256-%s", serverUrl.Host, repoName, subject.Digest.Hex)) + require.NoError(t, err) + idx, err := remote.Index(subjectRef) + require.NoError(t, err) + imf, err := idx.IndexManifest() + require.NoError(t, err) + for _, m := range imf.Manifests { + assert.Equal(t, "application/vnd.in-toto+json", m.ArtifactType) + } + } + } +}