Skip to content

Add PutSignaturesWithFormat/GetSignaturesWithFormat to OCI layout #312

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 22 commits into
base: main
Choose a base branch
from
Open

Add PutSignaturesWithFormat/GetSignaturesWithFormat to OCI layout #312

wants to merge 22 commits into from

Conversation

bitoku
Copy link

@bitoku bitoku commented Sep 3, 2025
edited
Loading

This PR is copied from containers/image#2934 .

This PR adds PutSignaturesWithFormat/GetSignaturesWithFormat support to OCI layout.
The general idea is tag-based discovery, same as sigstore signature discovery.

It stores the signature with annotation org.opencontainers.image.ref.name: "sha256-<hash>.sig", which can be used as a tag. https://specs.opencontainers.org/image-spec/image-layout/#IMAGE-SPEC-IMAGE-LAYOUT-19

Fixes #186

@github-actions github-actions bot added the image Related to "image" package label Sep 3, 2025
@packit-as-a-service Packit-as-a-Service
Copy link

Packit jobs failed. @containers/packit-build please check.

mtrmac
mtrmac reviewed Sep 3, 2025
View reviewed changes
Copy link
Contributor

@mtrmac mtrmac left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Note to self: previously containers/image#2934 (review) .

@mtrmac
Copy link
Contributor

mtrmac commented Sep 3, 2025

The common/pkg/manifests/manifests_test.go tests might be fixed by #314.

The “Skopeo test” failures here look relevant, I’m not immediately sure (I’m afraid I didn’t yet read the updated version of this PR) whether they are bugs to be fixed here, or whether the tests will need to be adjusted.

@bitoku
Copy link
Author

bitoku commented Sep 5, 2025

This is the commit ffcc126 to fix the CI

@bitoku bitoku requested a review from mtrmac September 5, 2025 12:41
@bitoku
Copy link
Author

bitoku commented Sep 16, 2025

@mtrmac PTAL when you have a moment. thanks!

mtrmac
mtrmac reviewed Sep 17, 2025
View reviewed changes
Copy link
Contributor

@mtrmac mtrmac left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks, and I apologize for the delay.

image/oci/layout/oci_transport.go

import (
"context"
"encoding/json"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I’m afraid this is not documented anywhere, but the *_transport.go files primarily deal with image references and naming; and because image identity is critical for preserving the users’ intent when verifying signatures, we want as good unit test coverage as possible for *_transport.go.

That’s, in principle, an option, but it might be easier to move some of the helper functions to oci_src.go or oci_dest.go, where the unit test coverage requirements are much more pragmatic. E.g. getOCIDescriptorContents seems to have a single caller outside of this file, so it can be moved closer to the caller; probably similarly for getBlob and others.

Also, getManifestDescriptor should have unit test coverage for the new code paths.

Copy link
Author

@bitoku bitoku Sep 24, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I wanted to do that, but some functions are used in oci_src.go and oci_dest.go. To avoid cyclic dependency, I did this way.
getOCIDescriptorContents is used in both src and dest after addressing #312 (comment)
getBlob is used in getSigstoreAttachmentManifest and getOCIDescriptorContents, which are used in both src and dest.

I don't like putting everything in transport either. If we have any idea to fix this complexity, I'm happy to change that.

Also, getManifestDescriptor should have unit test coverage for the new code paths.

👍

podmanbot pushed a commit to podmanbot/buildah that referenced this pull request Sep 24, 2025
@github-actions
dnm: Vendor changes from containers/container-libs#312
ce9e2bf
@podmanbot
Copy link

✅ A new PR has been created in buildah to vendor these changes: containers/buildah#6394

@podmanbot podmanbot mentioned this pull request Sep 24, 2025
Draft
podmanbot pushed a commit to podmanbot/buildah that referenced this pull request Sep 24, 2025
@github-actions
dnm: Vendor changes from containers/container-libs#312
1df8976
podmanbot pushed a commit to podmanbot/buildah that referenced this pull request Sep 24, 2025
@github-actions
dnm: Vendor changes from containers/container-libs#312
6ce4112
podmanbot pushed a commit to podmanbot/buildah that referenced this pull request Sep 24, 2025
@github-actions
dnm: Vendor changes from containers/container-libs#312
2c3431e
podmanbot pushed a commit to podmanbot/buildah that referenced this pull request Sep 24, 2025
@github-actions
dnm: Vendor changes from containers/container-libs#312
82cca77
@bitoku bitoku force-pushed the layout-signature branch 2 times, most recently from 811a527 to e61dbb7 Compare September 30, 2025 16:19
podmanbot pushed a commit to podmanbot/buildah that referenced this pull request Sep 30, 2025
@github-actions
dnm: Vendor changes from containers/container-libs#312
d29c74b
podmanbot pushed a commit to podmanbot/buildah that referenced this pull request Sep 30, 2025
@github-actions
dnm: Vendor changes from containers/container-libs#312
90f0875
podmanbot pushed a commit to podmanbot/buildah that referenced this pull request Sep 30, 2025
@github-actions
dnm: Vendor changes from containers/container-libs#312
578c04a
bitoku added 16 commits September 30, 2025 17:04
@bitoku
Delete old signature manifest config
cfefbe3 
Signed-off-by: Ayato Tokubi <[email protected]>
@bitoku
Fix oci delete test
590fda6 
Signed-off-by: Ayato Tokubi <[email protected]>
@bitoku
Fix oci dest test
9b3cca2 
Signed-off-by: Ayato Tokubi <[email protected]>
@bitoku
Don't store old signature manifest
c365899 
Signed-off-by: Ayato Tokubi <[email protected]>
@bitoku
Fix lint error
5e92317 
Signed-off-by: Ayato Tokubi <[email protected]>
@bitoku
Ignore signature when getManifestDescriptor
ef902ef 
Signed-off-by: Ayato Tokubi <[email protected]>
@bitoku
Improve sigstore tag validation with strings.CutSuffix
75c616d 
Refactor `digestPart` validation by replacing `Validate` with `Parse` for clarity and correctness

Use signDesc MediaType to validate signature MIMEType.

Signed-off-by: Ayato Tokubi <[email protected]>
@bitoku
Refactor getOCIDescriptorContents to use digest.Digest parameter
506fbd4 
Signed-off-by: Ayato Tokubi <[email protected]>
@bitoku
Simplify signature retrieval by refactoring to use getOCIDescriptorCo…
6f6cd38 
…ntents

Signed-off-by: Ayato Tokubi <[email protected]>
@bitoku
Refactor blob deletion logic by renaming blobsToDelete to `blobDele…
04bb65f 
…teCandidates` and improving unused blob handling

Remove redundant implementation in `ociImageDestination`

Simplify error handling in putSignaturesToSigstoreAttachment logic

Normalize error message for sigstore signature support in OCI layout

Add comment clarifying manifest digest requirement in PutSignaturesWithFormat

Clarify comment for `manifestDigest` field in `ociImageDestination`

Signed-off-by: Ayato Tokubi <[email protected]>
@bitoku
Add the same comment as appendSignaturesFromSigstoreAttachments in Ge…
41a6028 
…tSignaturesWithFormat

Remove unused `impl.NoSignatures` from `ociImageSource` structure

Simplify `GetSignaturesWithFormat` by removing redundant nil check for `instanceDigest`

Signed-off-by: Ayato Tokubi <[email protected]>
@bitoku
Add getManifestDescriptor tests for the new code path.
391ab6c 
Signed-off-by: Ayato Tokubi <[email protected]>
@bitoku
Move manifestDigest assignment in ociImageDestination
a30076b 
Signed-off-by: Ayato Tokubi <[email protected]>
@bitoku
Remove pointer usage for digest in getDescriptor.
6f9b1c0 
Signed-off-by: Ayato Tokubi <[email protected]>
@bitoku
Refactor TestPutSignaturesWithFormat to use table-driven tests for …
e555fef 
…improved readability and maintainability.

Signed-off-by: Ayato Tokubi <[email protected]>
@bitoku
Refactor signature handling in putSignaturesToSigstoreAttachment an…
278c5db 
…d `getSigstoreAttachmentManifest`

Signed-off-by: Ayato Tokubi <[email protected]>
podmanbot pushed a commit to podmanbot/buildah that referenced this pull request Sep 30, 2025
@github-actions
dnm: Vendor changes from containers/container-libs#312
c0406c4
@bitoku
Refactor blob deletion logic
f74ad30 
Signed-off-by: Ayato Tokubi <[email protected]>
podmanbot pushed a commit to podmanbot/buildah that referenced this pull request Oct 1, 2025
@github-actions
dnm: Vendor changes from containers/container-libs#312
e9b5d37
@bitoku
Copy link
Author

bitoku commented Oct 1, 2025

@mtrmac I'd appreciate if you could give another round of review.
I'll fix validate / git-validate (pull_request) when everything is sorted out.

@mtrmac mtrmac added the enhancement New feature or request label Oct 3, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@mtrmac mtrmac mtrmac left review comments

Assignees

No one assigned

Labels

enhancement New feature or request image Related to "image" package

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Support OCI layout signature storage

3 participants

@bitoku @mtrmac @podmanbot