containers / skopeo

Work with remote images registries - retrieving information, images, signing content

Implement OCI artifacts and revert #1672 #1673

Closed mtrmac closed 2 years ago

mtrmac commented 2 years ago

#1672 changes a repo we use for testing skopeo sync, because that repo has added a Cosign signature, and the code now fails (the immediate cause is that it’s trying to compress the image and we don’t have a mapping for the signature blob’s MIME type).

(Note that the signature is not quite an OCI artifact: it uses an ordinary image’s config MIME type, just an invalid layer MIME type. Still, OCI artifact support is basically a superset of handling this signature.)

We should teach skopeo sync to handle this image, and then revert #1672.

Independent parts necessary for this:

github-actions[bot] commented 2 years ago

A friendly reminder that this issue had no activity for 30 days.

mtrmac commented 2 years ago

This was done by #1680.

  • (Eventually we should think more about skopeo sync’s behavior in repos with Cosign signatures. It can copy signatures along with the individual signed images, or it can ignore the signature relationships and copy each OCI tag completely independently. It would be weird and inefficient (although not quite broken) if it ended up doing both.)

We will end up in the weird situation after #1701, for users that opt into use-sigstore-attachments.
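The failure mode described at the top of this issue, as an added example (not code from skopeo or containers/image): a manifest with an ordinary image config type but a layer type that has no compression mapping, which a copy tool has to pass through byte-for-byte instead of trying to recompress. The function and variable names, the sample manifest, and the use of Cosign's `simplesigning` layer MIME type are assumptions of this example.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Constructed sample shaped like the manifest the issue describes:
// ordinary image config type, non-image layer type. Digests are placeholders.
const sampleManifest = `{
  "schemaVersion": 2,
  "config": {"mediaType": "application/vnd.oci.image.config.v1+json", "digest": "sha256:PLACEHOLDER", "size": 233},
  "layers": [{"mediaType": "application/vnd.dev.cosign.simplesigning.v1+json", "digest": "sha256:PLACEHOLDER", "size": 250}]
}`

type descriptor struct {
	MediaType string `json:"mediaType"`
}

type manifest struct {
	Config descriptor   `json:"config"`
	Layers []descriptor `json:"layers"`
}

// OCI layer types that have compressed/uncompressed variants to map between.
var imageLayerTypes = map[string]bool{
	"application/vnd.oci.image.layer.v1.tar":      true,
	"application/vnd.oci.image.layer.v1.tar+gzip": true,
	"application/vnd.oci.image.layer.v1.tar+zstd": true,
}

const ociImageConfig = "application/vnd.oci.image.config.v1+json"

// classify (hypothetical helper) reports whether the config is an ordinary image
// config, and lists layer MIME types that must be copied unmodified.
func classify(raw []byte) (imageConfig bool, opaque []string, err error) {
	var m manifest
	if err = json.Unmarshal(raw, &m); err != nil {
		return false, nil, err
	}
	for _, l := range m.Layers {
		if !imageLayerTypes[l.MediaType] {
			opaque = append(opaque, l.MediaType)
		}
	}
	return m.Config.MediaType == ociImageConfig, opaque, nil
}

func main() { fmt.Println(classify([]byte(sampleManifest))) }
```

A non-empty `opaque` list alongside `imageConfig == true` is the "not quite an OCI artifact" case: the blob bytes and digest must be preserved exactly, or the signature payload no longer matches what was signed.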