github/zot
1
0
Fork 0
mirror of https://github.com/project-zot/zot.git synced 2026-06-17 21:17:58 +08:00
Code Issues Packages Projects Releases Wiki Activity

feat(cosign): add support for cosign bundle (#4023)

Browse Source 
Signed-off-by: Ramkumar Chinchani <rchincha.dev@gmail.com>
This commit is contained in:
Ramkumar Chinchani
2026-05-01 00:21:06 -07:00
committed by GitHub
parent 993a17f5d0
commit 0b2eaa0f9a
15 changed files with 135 additions and 47 deletions
Download Patch File Download Diff File Expand all files Collapse all files
pkg/common/common.go
+9 -2
View File
@@ -30,8 +30,9 @@ const (
// ArtifactTypeNotation is the same value as github.com/notaryproject/notation-go/registry.ArtifactTypeNotation
// (assert by internal test).
// reason used: to reduce zot minimal binary size (otherwise adds oras.land/oras-go/v2 deps).
ArtifactTypeNotation = "application/vnd.cncf.notary.signature"
ArtifactTypeCosign = "application/vnd.dev.cosign.artifact.sig.v1+json"
ArtifactTypeNotation = "application/vnd.cncf.notary.signature"
ArtifactTypeCosign = "application/vnd.dev.cosign.artifact.sig.v1+json"
ArtifactTypeCosignBundle = "application/vnd.dev.sigstore.bundle.v0.3+json"
// CosignSignatureTagSuffix is the suffix used for cosign signature tags (e.g., "sha256-digest.sig").
// Using constant to avoid pulling in cosign dependency.
CosignSignatureTagSuffix = "sig"
@@ -53,6 +54,12 @@ func IsCosignTag(tag string) bool {
return IsCosignSignature(tag) || IsCosignSBOM(tag)
}
// IsArtifactTypeCosign returns true if the given artifact type corresponds to a cosign signature,
// covering both the legacy type and the newer sigstore bundle type.
func IsArtifactTypeCosign(artifactType string) bool {
return artifactType == ArtifactTypeCosign || artifactType == ArtifactTypeCosignBundle
}
// RemoveFrom removes matches of item in [].
func RemoveFrom(inputSlice []string, item string) []string {
var newSlice []string
pkg/common/common_test.go
+7
View File
@@ -61,6 +61,13 @@ func TestCommon(t *testing.T) {
So(common.ArtifactTypeNotation, ShouldEqual, notreg.ArtifactTypeNotation)
})
Convey("Test IsArtifactTypeCosign", t, func() {
So(common.IsArtifactTypeCosign(common.ArtifactTypeCosign), ShouldBeTrue)
So(common.IsArtifactTypeCosign(common.ArtifactTypeCosignBundle), ShouldBeTrue)
So(common.IsArtifactTypeCosign(common.ArtifactTypeNotation), ShouldBeFalse)
So(common.IsArtifactTypeCosign("application/example"), ShouldBeFalse)
})
Convey("Test GetLocalIPs", t, func() {
localIPs, err := common.GetLocalIPs()
So(err, ShouldBeNil)