grafeas / voucher

🎟 Voucher creates attestations for Binary Authorization
Apache License 2.0

Multi-arch image vouching fails: failed to load manifest with status 404 Not Found #47

Open kimbilida opened 2 years ago

kimbilida commented 2 years ago

I'm trying to vouch for a multi-arch image and getting this response:

```
failed to load manifest with status 404 Not Found:
"{"errors":[{"code":"MANIFEST_UNKNOWN","message":"Manifest with digest 'sha256:XXX' has media type 'application/vnd.docker.distribution.manifest.list.v2+json', but client accepts 'application/vnd.docker.distribution.manifest.v2+json,application/vnd.docker.distribution.manifest.v1+json,application/vnd.docker.distribution.manifest.v1+prettyjws'."}]}"
```

the request is:

```ruby
http.post(
  'https://voucher.acme.com/diy',
  headers: {
    'Authorization' => "Basic #{basic_authentication}",
    'Content-Type' => 'application/json',
  },
  max_attempts: 4,
  body: {
    image_url: canonical_image_url,
  }.to_json
)
```

and the manifest is:

```json
{
   "mediaType": "application/vnd.docker.distribution.manifest.list.v2+json",
   "schemaVersion": 2,
   "manifests": [
      {
         "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
         "digest": "sha256:1512682275109406d73565ec11b8bd3aeaf53bfac83e8e12202a3effd0ae8ea4",
         "size": 528,
         "platform": {
            "architecture": "arm",
            "os": "linux",
            "variant": "v7"
         }
      },
      {
         "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
         "digest": "sha256:f587207cab008ab273d77a3b1c9f9c983888fa659a46e1284c1984272e4dc208",
         "size": 528,
         "platform": {
            "architecture": "arm64",
            "os": "linux"
         }
      },
      {
         "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
         "digest": "sha256:fbb75455e35366f89fe310e88420a1a35a15ee54bc86aeef36fd561de68ce5ae",
         "size": 528,
         "platform": {
            "architecture": "amd64",
            "os": "linux"
         }
      }
   ]
}
```

thepwagner commented 2 years ago

In https://github.com/Shopify/voucher/pull/4, I'm proposing a quick and naive solution: only vouch the linux/amd64 platform image. This shouldn't be a surprise to users: image registries do the same thing when clients don't `Accept: application/vnd.docker.distribution.manifest.list.v2+json`.

This issue should be closed by adding a foreach: iterate every manifest in the list and attest individually. As such, I won't send the above PR to this repo - but it's there if anyone else wants it.
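
The per-platform iteration described in the last comment, as an added example (not code from Voucher or from the linked PR): it expands the manifest list posted in the issue into one digest-pinned reference per platform, so each image can be checked and attested on its own digest. The function name `PlatformRefs` and the repository `registry.example/app` are assumptions made for the illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
)

const listType = "application/vnd.docker.distribution.manifest.list.v2+json"

// sampleList is the manifest list from the issue, compacted (size and per-entry mediaType dropped).
const sampleList = `{"mediaType":"application/vnd.docker.distribution.manifest.list.v2+json","schemaVersion":2,"manifests":[
 {"digest":"sha256:1512682275109406d73565ec11b8bd3aeaf53bfac83e8e12202a3effd0ae8ea4","platform":{"architecture":"arm","os":"linux","variant":"v7"}},
 {"digest":"sha256:f587207cab008ab273d77a3b1c9f9c983888fa659a46e1284c1984272e4dc208","platform":{"architecture":"arm64","os":"linux"}},
 {"digest":"sha256:fbb75455e35366f89fe310e88420a1a35a15ee54bc86aeef36fd561de68ce5ae","platform":{"architecture":"amd64","os":"linux"}}]}`

type manifestList struct {
	MediaType string `json:"mediaType"`
	Manifests []struct {
		Digest   string                                    `json:"digest"`
		Platform struct{ Architecture, OS, Variant string } `json:"platform"`
	} `json:"manifests"`
}

// PlatformRefs maps "os/arch[/variant]" to "repo@digest" for every entry of a
// manifest list, and rejects anything that is not a manifest list.
func PlatformRefs(repo string, raw []byte) (map[string]string, error) {
	var ml manifestList
	if err := json.Unmarshal(raw, &ml); err != nil {
		return nil, err
	}
	if ml.MediaType != listType {
		return nil, fmt.Errorf("not a manifest list: %q", ml.MediaType)
	}
	refs := make(map[string]string, len(ml.Manifests))
	for _, m := range ml.Manifests {
		key := m.Platform.OS + "/" + m.Platform.Architecture
		if m.Platform.Variant != "" {
			key += "/" + m.Platform.Variant
		}
		refs[key] = repo + "@" + m.Digest
	}
	return refs, nil
}

func main() {
	// registry.example/app is a placeholder repository, not taken from the issue.
	refs, err := PlatformRefs("registry.example/app", []byte(sampleList))
	fmt.Println(refs, err)
}
```

Attesting only the list digest or only `linux/amd64` leaves the other platform digests without an attestation, which matters when the admission policy evaluates the digest that a given node actually pulls.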