chainguard-images / images

Public Chainguard Images
https://chainguard.dev/chainguard-images
Apache License 2.0

Multi-platform image signature & artifacts look incorrect #195

Closed stevehipwell closed 1 year ago

stevehipwell commented 1 year ago

Great work sneaking out ARM64 support but I think it might have led to the image signature & artifacts for multi-platform images being incorrect.

I expected to see both the index and manifests signed but currently only the index is. I expected to see SBOMs on the manifests but there aren't any. I also expected to see artifacts added to the manifests but there aren't any.

dlorenc commented 1 year ago

Can you share the commands you're running to look for them?

stevehipwell commented 1 year ago

@dlorenc I was double-checking on the CLI, which works correctly, and it looks like it's the web UI. I'd be happy to close this and open another issue elsewhere for the UI if it's expected to work.

https://registry-ui.chainguard.app/?image=cgr.dev/chainguard/ruby:latest-3.2@sha256:c54af537a214e6c0dcd1afecdd213b34096c58cbd40ee4df390c5d05782f7107

Index

cosign tree cgr.dev/chainguard/ruby:latest-3.2@sha256:975d7882432c4dbb6f860d8d43a68a41810450b906bb68894d28a01f23b45a82
📦 Supply Chain Security Related artifacts for an image: cgr.dev/chainguard/ruby:latest-3.2@sha256:975d7882432c4dbb6f860d8d43a68a41810450b906bb68894d28a01f23b45a82
└── 💾 Attestations for an image tag: cgr.dev/chainguard/ruby:sha256-975d7882432c4dbb6f860d8d43a68a41810450b906bb68894d28a01f23b45a82.att
   ├── 🍒 sha256:04ab72a81b6a164587447eaa4cdebc2a2c46ed61723e9d29170ac0f33ebb98c3
   └── 🍒 sha256:54668c8a411e1a7b06654c1df7d8bccdaaff932e334a58a1e7c7d10c04134eed
└── 🔐 Signatures for an image tag: cgr.dev/chainguard/ruby:sha256-975d7882432c4dbb6f860d8d43a68a41810450b906bb68894d28a01f23b45a82.sig
   └── 🍒 sha256:8ee77f17af0fabc43f7ec19cd54ce44cdbfae1341356afcb2e7bb2db79fd91a9
└── 📦 SBOMs for an image tag: cgr.dev/chainguard/ruby:sha256-975d7882432c4dbb6f860d8d43a68a41810450b906bb68894d28a01f23b45a82.sbom
   └── 🍒 sha256:e7179bda31a03aab5847a7b8aea30b6528247fb949f735910c564fc377061309

Manifest

cosign tree cgr.dev/chainguard/ruby:latest-3.2@sha256:c54af537a214e6c0dcd1afecdd213b34096c58cbd40ee4df390c5d05782f7107
📦 Supply Chain Security Related artifacts for an image: cgr.dev/chainguard/ruby:latest-3.2@sha256:c54af537a214e6c0dcd1afecdd213b34096c58cbd40ee4df390c5d05782f7107
└── 💾 Attestations for an image tag: cgr.dev/chainguard/ruby:sha256-c54af537a214e6c0dcd1afecdd213b34096c58cbd40ee4df390c5d05782f7107.att
   ├── 🍒 sha256:53d4f2e81cf7460bcf77dd140ef159f31e69c7eb13fe34658b5eb400920bbada
   └── 🍒 sha256:5f15a93988d350e84e9d778fb57827924148e5b4abef54daabebea8975544793
└── 🔐 Signatures for an image tag: cgr.dev/chainguard/ruby:sha256-c54af537a214e6c0dcd1afecdd213b34096c58cbd40ee4df390c5d05782f7107.sig
   └── 🍒 sha256:58e2bfb14855cf56abfce18dcbcaf4fb3e9c4f7d1679dce36ab26ebe7f0c6182
└── 📦 SBOMs for an image tag: cgr.dev/chainguard/ruby:sha256-c54af537a214e6c0dcd1afecdd213b34096c58cbd40ee4df390c5d05782f7107.sbom
   └── 🍒 sha256:29e1d839cfcd15477d1f503d59f9f2586070c3474f91932fb3b5126c9a41e2fa
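The two `cosign tree` listings above show the convention cosign uses for tag-based discovery: the artifacts for a subject with digest `sha256:<hex>` are published under `<repo>:sha256-<hex>.sig`, `.att` and `.sbom`. The expectation in the report, that a multi-platform image carries these for the index and for every platform manifest, can be checked mechanically. The script below is an added example, not code from this issue thread or from the chainguard-images project. It builds a constructed OCI image index with two platform manifests (digests computed from the constructed bytes, not taken from any registry), derives the artifact tags each subject should have, reports which are missing against a constructed set of published tags, and emits the per-digest `cosign tree` commands a reviewer would run. The repository name is the one from the thread; everything else is constructed.

```python
"""Check that a multi-platform image's cosign artifacts cover the index and every platform manifest.

Added example for this issue thread; not part of the chainguard-images project.
"""
import hashlib
import json

# Constructed sample data (not from any registry). Digests are computed from
# these bytes, so they are well-formed but do not identify real images.
REPO = "cgr.dev/chainguard/ruby"
ARTIFACT_SUFFIXES = ("sig", "att", "sbom")
MANIFEST_TYPE = "application/vnd.oci.image.manifest.v1+json"
INDEX_TYPE = "application/vnd.oci.image.index.v1+json"


def digest_of(blob: bytes) -> str:
    """OCI content digest of a blob: 'sha256:<hex>'."""
    return "sha256:" + hashlib.sha256(blob).hexdigest()


def constructed_manifest(arch: str) -> bytes:
    """Minimal platform manifest; the config digest is derived from arch so the two differ."""
    config = {"mediaType": "application/vnd.oci.image.config.v1+json",
              "digest": digest_of(f"config-{arch}".encode()), "size": 1}
    doc = {"schemaVersion": 2, "mediaType": MANIFEST_TYPE, "config": config, "layers": []}
    return json.dumps(doc, sort_keys=True).encode()


AMD64_MANIFEST = constructed_manifest("amd64")
ARM64_MANIFEST = constructed_manifest("arm64")
INDEX_BYTES = json.dumps({
    "schemaVersion": 2,
    "mediaType": INDEX_TYPE,
    "manifests": [
        {"mediaType": MANIFEST_TYPE, "digest": digest_of(AMD64_MANIFEST), "size": len(AMD64_MANIFEST),
         "platform": {"os": "linux", "architecture": "amd64"}},
        {"mediaType": MANIFEST_TYPE, "digest": digest_of(ARM64_MANIFEST), "size": len(ARM64_MANIFEST),
         "platform": {"os": "linux", "architecture": "arm64"}},
    ],
}, sort_keys=True).encode()


def artifact_tag(repo: str, digest: str, suffix: str) -> str:
    """cosign tag-based discovery: sha256:<hex> -> <repo>:sha256-<hex>.<suffix>,
    the same '.sig' / '.att' / '.sbom' tags listed by `cosign tree`."""
    algo, hexval = digest.split(":", 1)
    return f"{repo}:{algo}-{hexval}.{suffix}"


def expected_artifacts(repo: str, index_bytes: bytes) -> dict:
    """Map each subject (the index itself plus every platform manifest) to the artifact
    tags it should carry. Returns {label: {suffix: tag}}, label being 'index' or 'linux/amd64' etc."""
    index = json.loads(index_bytes)
    subjects = {"index": digest_of(index_bytes)}
    for entry in index.get("manifests", []):
        plat = entry.get("platform", {})
        label = f"{plat.get('os', 'unknown')}/{plat.get('architecture', 'unknown')}"
        subjects[label] = entry["digest"]
    return {label: {s: artifact_tag(repo, d, s) for s in ARTIFACT_SUFFIXES}
            for label, d in subjects.items()}


def missing_artifacts(repo: str, index_bytes: bytes, published_tags: set) -> list:
    """Return (label, suffix, tag) for every expected artifact absent from published_tags.

    published_tags stands in for the registry's tag listing; in practice it comes from
    the registry's tag list API or from the `cosign tree` output for each digest."""
    return [(label, suffix, tag)
            for label, tags in expected_artifacts(repo, index_bytes).items()
            for suffix, tag in tags.items()
            if tag not in published_tags]


def verification_commands(repo: str, index_bytes: bytes) -> list:
    """One digest-pinned `cosign tree` per subject, so each platform manifest is inspected
    on its own instead of trusting the index-level listing alone."""
    index = json.loads(index_bytes)
    digests = [digest_of(index_bytes)] + [m["digest"] for m in index.get("manifests", [])]
    return [f"cosign tree {repo}@{d}" for d in digests]


if __name__ == "__main__":
    # Constructed registry state: index fully covered, amd64 signed but no SBOM/attestation, arm64 bare.
    expected = expected_artifacts(REPO, INDEX_BYTES)
    published = set(expected["index"].values()) | {expected["linux/amd64"]["sig"]}
    for label, suffix, tag in missing_artifacts(REPO, INDEX_BYTES, published):
        print(f"MISSING {suffix:<4} for {label}: {tag}")
    for cmd in verification_commands(REPO, INDEX_BYTES):
        print(cmd)
```

The point of listing per-digest subjects is that a consumer pulling with a platform selector resolves to the platform manifest, not the index, so a signature or SBOM attached only to the index digest does not cover what that consumer actually runs. Feeding the registry's real tag listing into `missing_artifacts` turns the expectation from the report into a repeatable check, and cosign's `sign --recursive` option is the publisher-side way to produce per-manifest signatures for a multi-arch index.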

imjasonh commented 1 year ago

I'll look into why the web UI isn't showing these... 🤔

edit: I see the platform-specific signatures for, e.g., static: https://registry-ui.chainguard.app/?image=cgr.dev/chainguard/static@sha256:760a07de02dc5f766120e2bfa4911783098b46469af7d001785c554eb6401c44

[Screenshot 2023-01-05 at 12:39:17 PM]

stevehipwell commented 1 year ago

Happy to close this as not an issue, I jumped the gun and created the issue before the tree command had finished.

imjasonh commented 1 year ago

I think this might be an unfortunate lag/timing bug in the web UI. The first time an image is loaded it takes a bit longer to cache it, and the web UI might lose the race. Reloading seems to fix it.

Sorry for the bug, and thanks for bringing this to our attention!

stevehipwell commented 1 year ago

@imjasonh I can't get the link I shared above to show the artifacts by reloading?

stevehipwell commented 1 year ago

Could it be down to the manifest size as I can't get any manifest other than static to show the artifacts?

imjasonh commented 1 year ago

Larger manifests and larger images would definitely slow things down and make the race easier for the browser to "win" (and show bad data 💥 ).

I managed to refresh enough to get it to load. And now that it's loaded it should load consistently, for all users.

[Screenshot 2023-01-05 at 12:48:46 PM]

Sorry this isn't the best experience. The web UI currently relies on mirror.kontain.me to be able to fetch manifests and blobs from the browser using CORS, which unfortunately adds a somewhat flaky dependency. Ideally it would go straight to the registry to get this (not possible due to cross-site XHR), or have a server-side component to serve this (today it's just client-side). We have some plans in the works that should make this more reliable.