GoogleContainerTools / kaniko

Build Container Images In Kubernetes
Apache License 2.0

Kaniko can't repeat the same image tag when Cosign is enabled in Harbor config #2852

Open cumtzhangqijie opened 11 months ago

cumtzhangqijie commented 11 months ago

Actual behavior

When the Harbor project's Deployment Security is enabled with Cosign, Kaniko faces an issue. If a tag of an existing image has been cosigned, Kaniko can reuse the same tag for a new push. However, if the tag hasn't been cosigned, Kaniko fails to push, and an error message is received: "unexpected status code 412 Precondition Failed (HEAD responses have no body, use GET for details)."

Expected behavior

Optimize the RetrieveRemoteImage function in remote.go to enable the retrieval of the manifest for images that are not cosigned, while still operating under the prerequisite of Cosign being enabled (like docker push).

To Reproduce

Steps to reproduce the behavior:

  1. Enable Cosign under Deployment Security in the Harbor project config
  2. Push the same tagged image multiple times using Kaniko, ensuring that Cosign is not applied to the image.

Additional Information

JeromeJu commented 11 months ago

Thanks @cumtzhangqijie for the issue. Could you provide more details on how cosign in Harbor alters the image manifest? It sounds like this is proposing that we use the new image SHA to differentiate the images to be pushed.

cumtzhangqijie commented 11 months ago

Hello @JeromeJu ,

I apologize for the delayed response.

I have verified that the manifest of the image remains unchanged whether or not Cosign is enabled.

Here are the details:

Before Cosign:

```
curl -u USER:PASSWD -X GET https://harbor/v2/repository/test/manifests/1
{"errors":[{"code":"PROJECTPOLICYVIOLATION","message":"The image is not signed in Cosign."}]}
```

When comparing the manifest obtained with Cosign disabled and the manifest obtained after enabling Cosign and cosigning the image, the results are consistent.

```
curl -u USER:PASSWD -X GET https://harbor/v2/repository/test/manifests/1
{
  "schemaVersion": 2,
  "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
  "config": {
    "mediaType": "application/vnd.docker.container.image.v1+json",
    "size": 7675,
    "digest": "sha256:bed84e7ff3904f0a075c3a75c72189ff1c0c0e76fe12d9b7d55091e7914b095f"
  },
  "layers": [
    { "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip", "size": 49582225, "digest": "sha256:90e5e7d8b87a34877f61c2b86d053db1c4f440b9054cf49573e3be5d6a674a47" },
    { "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip", "size": 24049172, "digest": "sha256:27e1a8ca91d35598fbae8dee7f1c211f0f93cec529f6804a60e9301c53a604d0" },
    { "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip", "size": 64130771, "digest": "sha256:d3a767d1d12e57724b9f254794e359f3b04d4d5ad966006e5b5cda78cc382762" },
    { "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip", "size": 211066535, "digest": "sha256:711be5dc50448ab08ccab0b44d65962f36574d341749ab30651b78ec0d4bfd1c" },
    { "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip", "size": 3367, "digest": "sha256:22956530cc64ef2361591684e23e3b8e5bb5910da23197635a2b5b96a34b488d" },
    { "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip", "size": 45891522, "digest": "sha256:d38ebdae17cda1f8ba10ea57ccee2f4a1c483224fbc9048e81fd93e78acd5bd8" },
    { "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip", "size": 2208512, "digest": "sha256:bfacda23df76b92a2cb237825d66985ef4dfb53579bac39df67d310ea291cb3f" },
    { "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip", "size": 453, "digest": "sha256:4b9302a8baa0f3a1305644dbdf41e307a6297a04ac7e65c9b5a763b909f4a457" },
    { "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip", "size": 207, "digest": "sha256:6c891103e84e5f3b9ed705d3ba41cfcffc26fb40772f7f55923b1bfbea3ef73a" }
  ]
}
```
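The 412 body in this thread, with its PROJECTPOLICYVIOLATION code, is what a client has to inspect to tell "the tag exists but the deployment policy refuses to serve it unsigned" apart from "no such tag" and a genuine failure. As an added example, not Kaniko's code and not part of the issue, the Go below does that classification against a constructed in-process stand-in for Harbor; the probeManifest and newFakeHarbor names, the Outcome values and the /v2/repository/test/manifests/... paths are assumptions (the repository path follows the curl commands above).

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
)
type Outcome string // what the registry reports about the tag that is about to be pushed
const (
	Found         Outcome = "found"          // 2xx: an existing manifest came back
	Absent        Outcome = "absent"         // 404: nothing is stored at this tag
	PolicyBlocked Outcome = "policy-blocked" // 412 PROJECTPOLICYVIOLATION: stored but unsigned
)
// probeManifest classifies a GET of the tag's manifest (a HEAD reply carries no body, so the
// registry's error code would be lost). A 412 with code PROJECTPOLICYVIOLATION is Harbor's
// deployment policy refusing to serve an unsigned tag, not a reason to abort the push.
func probeManifest(c *http.Client, manifestURL string) (Outcome, error) {
	resp, err := c.Get(manifestURL)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	var re struct{ Errors []struct{ Code, Message string } `json:"errors"` }
	switch {
	case resp.StatusCode/100 == 2:
		return Found, nil
	case resp.StatusCode == http.StatusNotFound:
		return Absent, nil
	case resp.StatusCode == http.StatusPreconditionFailed &&
		json.NewDecoder(resp.Body).Decode(&re) == nil &&
		len(re.Errors) > 0 && re.Errors[0].Code == "PROJECTPOLICYVIOLATION":
		return PolicyBlocked, nil
	}
	return "", fmt.Errorf("unexpected status %d from %s", resp.StatusCode, manifestURL)
}

// newFakeHarbor is a constructed stand-in for a Harbor project with Cosign deployment security on.
func newFakeHarbor() *httptest.Server {
	mux := http.NewServeMux() // any tag not registered below gets a 404, the normal "new tag" answer
	mux.HandleFunc("/v2/repository/test/manifests/signed", func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, `{"schemaVersion":2}`) // cosigned tag: the pull is allowed
	})
	mux.HandleFunc("/v2/repository/test/manifests/1", func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusPreconditionFailed) // tag exists but was never cosigned
		fmt.Fprint(w, `{"errors":[{"code":"PROJECTPOLICYVIOLATION","message":"The image is not signed in Cosign."}]}`)
	})
	return httptest.NewServer(mux)
}
```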