feat(cosign): add support for cosign bundle (#4023)

Signed-off-by: Ramkumar Chinchani <rchincha.dev@gmail.com>
2026-06-17 12:58:02 +08:00 · 2026-05-01 00:21:06 -07:00
parent 993a17f5d0
commit 0b2eaa0f9a
15 changed files with 135 additions and 47 deletions
@@ -439,7 +439,7 @@ func isSignature(reference string, manifestContent ispec.Manifest) (bool, string
 	}

 	// check cosign signature
-	if manifestArtifactType == zcommon.ArtifactTypeCosign && manifestContent.Subject != nil {
+	if zcommon.IsArtifactTypeCosign(manifestArtifactType) && manifestContent.Subject != nil {
 		return true, CosignType, manifestContent.Subject.Digest
 	}

@@ -556,6 +556,35 @@ func RunParseStorageTests(rootDir string, metaDB mTypes.MetaDB, log log.Logger)
 		So(repos[0].Signatures, ShouldContainKey, missingImageDigest.String())
 	})

+	Convey("Detect cosign bundle signatures by artifact type and subject", func() {
+		imageStore := local.NewImageStore(rootDir, false, false,
+			log, monitoring.NewMetricsServer(false, log), nil, nil, nil, nil)
+
+		storeController := storage.StoreController{DefaultStore: imageStore}
+
+		signedImage := CreateRandomImage()
+		err := WriteImageToFileSystem(signedImage, repo, "signed", storeController)
+		So(err, ShouldBeNil)
+
+		bundleSig := CreateMockCosignBundleSignature(signedImage.DescriptorRef())
+		err = WriteImageToFileSystem(bundleSig, repo, "bundle-sig", storeController)
+		So(err, ShouldBeNil)
+
+		err = meta.ParseStorage(metaDB, storeController, log) //nolint: contextcheck
+		So(err, ShouldBeNil)
+
+		repos, err := metaDB.GetMultipleRepoMeta(ctx,
+			func(repoMeta mTypes.RepoMeta) bool { return true })
+		So(err, ShouldBeNil)
+		So(repos, ShouldNotBeEmpty)
+
+		repoMeta := repos[0]
+		subjectDigest := signedImage.DigestStr()
+		So(repoMeta.Signatures, ShouldContainKey, subjectDigest)
+		So(repoMeta.Signatures[subjectDigest], ShouldContainKey, zcommon.CosignSignature)
+		So(len(repoMeta.Signatures[subjectDigest][zcommon.CosignSignature]), ShouldBeGreaterThan, 0)
+	})
+
 	Convey("Check statistics after load", func() {
 		imageStore := local.NewImageStore(rootDir, false, false,
 			log, monitoring.NewMetricsServer(false, log), nil, nil, nil, nil)