pull by digest of encrypted images fails trying to edit the manifest

containers / image

Work with containers' images

Apache License 2.0

866 stars 377 forks source link

pull by digest of encrypted images fails trying to edit the manifest #1768

Open vans163 opened 1 year ago

vans163 commented 1 year ago

ERROR: copy needs an updated manifest but that was known to be forbidden. "Destination specifies a digest"

podman build --squash-all --format oci --omit-history --layers -t me/image .
podman push -f oci --compression-format=zstd:chunked --encryption-key=jwe:/me/key me/image

podman pull --decryption-key=/me/keyp me/image@sha256:abc123
# error here

mtrmac commented 1 year ago

Thanks for your report.

I’m afraid that doesn’t work now; the pull must use a tag. Transferring to c/image where this would be fixed.

(Note to self: it would be … easy enough … to allow writing modified manifests to c/storage digested references, but that could quite likely break consumers that assume the digests to match. Compare https://github.com/containers/image/issues/1049 .)

mtrmac commented 1 year ago

Note: https://github.com/containers/image/pull/1930#discussion_r1177040737