sigstore / sigstore-js

Code-signing for npm packages
Apache License 2.0

accept docker media types #1162

Closed bdehamer closed 4 months ago

bdehamer commented 4 months ago

When an image is pushed to a registry, the tagged manifest may use any of a number of different content types:

application/vnd.oci.image.index.v1+json
application/vnd.oci.image.manifest.v1+json
application/vnd.docker.distribution.manifest.v2+json
application/vnd.docker.distribution.manifest.list.v2+json

When the OCI client in this package goes to verify the image digest, it needs to explicitly identify the different content types that it will accept. If the content type which was used to push the image is not present in the Accept header of the request, the repository will return a 404 -- making it appear that the image does not exist.

The change here is simply to expand the list of media types sent in the Accept header to encompass ALL of the types we may encounter in the wild -- ensuring that we can resolve the image regardless of its associated media type.

See: https://github.com/actions/attest-build-provenance/issues/73

changeset-bot[bot] commented 4 months ago

🦋 Changeset detected

Latest commit: a7dcff528d1e1fc58994b7f5645fd2f652299340

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 1 package

| Name | Type |
| ------------- | ----- |
| @sigstore/oci | Patch |


bdehamer commented 4 months ago

@ejahnGithub

> gtm! should we also contain these 2
>
>   • application/vnd.docker.image.rootfs.diff.tar.gzip
>   • application/vnd.docker.container.image.v1+json

Those media types may be used when retrieving blobs, but would never appear in response to the /manifests API so are not relevant here.