Skip to content

ggcr: descriptors in ImageIndex returned by referrers API do not fulfill requirements stated in OCI spec #1997

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
nmiyake opened this issue Aug 13, 2024 · 3 comments
Closed

ggcr: descriptors in ImageIndex returned by referrers API do not fulfill requirements stated in OCI spec #1997

nmiyake opened this issue Aug 13, 2024 · 3 comments
Labels
bug Something isn't working lifecycle/stale

Comments

@nmiyake
Copy link

nmiyake commented Aug 13, 2024

Describe the bug

The OCI 1.1 specification for the "referrers" API states that, for the descriptors in the returned referrers index, The descriptors MUST include an artifactType field that is set to the value of the artifactType in the image manifest or index, if present and The descriptors MUST include annotations from the image manifest or index..

However, the current go-containerregistry library does not fulfill either of these requirements.

To Reproduce

For annotations:

  1. Create a v1.Image with a non-empty annotations field and subject field and use remote.Write to write the image
  2. Call remote.Referrers on the subject and examine the manifest entry
  3. Current behavior is that the descriptor for the image from step 1 does not have an annotations field

For artifactType:

  1. Create a v1.Image that specifies a value for the artifactType field (can be done by including this field in the output of the RawManifest() implementation of v1.Image) and subject field and use remote.Write to write the image
  2. Call remote.Referrers on the subject and examine the manifest entry
  3. Current behavior is that the artifactType field of the descriptor for the image from step 1 is set to the value of Config.MediaType

Expected behavior

For annotations:

  • The descriptor for image should have an annotations field that matches the annotations field of the image

For artifactType:

  • The descriptor for the image should have an artifactType value that matches the aritfactType field of the image

Additional context

Full text of the referrers specification:

Upon success, the response MUST be a JSON body with an image index containing a list of descriptors. The Content-Type header MUST be set to application/vnd.oci.image.index.v1+json. Each descriptor is of an image manifest or index in the same <name> namespace with a subject field that specifies the value of <digest>. The descriptors MUST include an artifactType field that is set to the value of the artifactType in the image manifest or index, if present. If the artifactType is empty or missing in the image manifest, the value of artifactType MUST be set to the config descriptor mediaType value. If the artifactType is empty or missing in an index, the artifactType MUST be omitted. The descriptors MUST include annotations from the image manifest or index. If a query results in no matching referrers, an empty manifest list MUST be returned.

GitHub has implemented an action that uses the referrers API to upload referrers using subjects, and it looks like their implementation properly does this (sets annotations and artifact types for referrer ImageIndex): actions/attest-build-provenance#73 (comment)
@nmiyake nmiyake added the bug Something isn't working label Aug 13, 2024
@nmiyake
Copy link
Author

nmiyake commented Aug 13, 2024

#1931 is an open PR that fixes the artifactType component of this issue

nmiyake added a commit to nmiyake/go-containerregistry that referenced this issue Aug 13, 2024
@nmiyake
Set annotations on descriptors created by referrers API
b091e40 
Implement the behavior described by the OCI 1.1 specification at
https://github.com./opencontainers/distribution-spec/blob/main/spec.md#listing-referrers
for annotations for descriptors in the ImageIndex returned by the referrers API.

Addresses google#1997
@nmiyake nmiyake mentioned this issue Aug 13, 2024
Open
@nmiyake
Copy link
Author

nmiyake commented Aug 13, 2024

#1998 is a PR to fix the annotations component of this issue

@nmiyake nmiyake mentioned this issue Aug 13, 2024
Closed
nmiyake added a commit to nmiyake/go-containerregistry that referenced this issue Aug 13, 2024
@nmiyake
Set annotations on descriptors created by referrers API
96a80cd 
Implement the behavior described by the OCI 1.1 specification at
https://github.com./opencontainers/distribution-spec/blob/main/spec.md#listing-referrers
for annotations for descriptors in the ImageIndex returned by the referrers API.

Addresses google#1997
@github-actions GitHub Actions
Copy link

This issue is stale because it has been open for 90 days with no
activity. It will automatically close after 30 more days of
inactivity. Keep fresh with the 'lifecycle/frozen' label.

@github-actions github-actions bot closed this as not planned Won't fix, can't repro, duplicate, stale Dec 12, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working lifecycle/stale
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@nmiyake