Implement signature-lint cleanup and fix lint formatting

pkg/storage/imagestore/imagestore.go

@@ -638,6 +638,8 @@ func (is *ImageStore) PutImageManifest(repo, reference, mediaType string, //noli
 	manifestPath := path.Join(dir, mDigest.Encoded())
 
 	binfo, err := is.storeDriver.Stat(manifestPath)
+	manifestUploaded := false
+
 	if err != nil || binfo.Size() != desc.Size {
 		// The blob isn't already there, or it is corrupted, and needs a correction
 		if _, err = is.storeDriver.WriteFile(manifestPath, body); err != nil {
@@ -645,6 +647,8 @@ func (is *ImageStore) PutImageManifest(repo, reference, mediaType string, //noli
 
 			return "", "", err
 		}
+
+		manifestUploaded = true
 	}
 
 	var (
@@ -761,6 +765,13 @@ func (is *ImageStore) PutImageManifest(repo, reference, mediaType string, //noli
 		is.log.Error().Err(err).Str("repository", repo).Str("reference", reference).
 			Msg("linter didn't pass")
 
+		if manifestUploaded && zerr.GetDetails(err)["missingSignatures"] != "" {
+			if deleteErr := is.storeDriver.Delete(manifestPath); deleteErr != nil {
+				is.log.Error().Err(deleteErr).Str("repository", repo).Str("reference", reference).
+					Str("digest", mDigest.String()).Msg("failed to delete untrusted manifest")
+			}
+		}
+
 		if is.events != nil {
 			is.events.ImageLintFailed(repo, reference, mDigest.String(), mediaType, string(body))
 		}

pkg/storage/storage_test.go

@@ -1492,12 +1492,50 @@ func TestMandatoryAnnotations(t *testing.T) {
 				manifest.SchemaVersion = 2
 				manifestBuf, err := json.Marshal(manifest)
 				So(err, ShouldBeNil)
+				manifestDigest := godigest.FromBytes(manifestBuf)
 
 				Convey("Missing mandatory annotations", func() {
 					_, _, err = imgStore.PutImageManifest("test", "1.0.0", ispec.MediaTypeImageManifest, manifestBuf, nil)
 					So(err, ShouldNotBeNil)
 				})
 
+				Convey("Signature lint failure deletes uploaded manifest blob and does not update index", func() {
+					if testcase.storageType == storageConstants.S3StorageDriverName {
+						imgStore = imagestore.NewImageStore(testDir, cacheDir, false, false, log, metrics,
+							&mocks.MockedLint{
+								LintFn: func(repo string, manifestDigest godigest.Digest,
+									imageStore storageTypes.ImageStore,
+								) (bool, error) {
+									return false, zerr.NewError(zerr.ErrImageLintAnnotations).
+										AddDetail("missingSignatures", "missing trusted signature")
+								},
+							}, store, nil, nil, nil)
+					} else {
+						var cacheDriver storageTypes.Cache
+						store, _, cacheDriver, err := createObjectsStore(opts)
+						So(err, ShouldBeNil)
+						imgStore = imagestore.NewImageStore(cacheDir, cacheDir, true, true, log, metrics,
+							&mocks.MockedLint{
+								LintFn: func(repo string, manifestDigest godigest.Digest,
+									imageStore storageTypes.ImageStore,
+								) (bool, error) {
+									return false, zerr.NewError(zerr.ErrImageLintAnnotations).
+										AddDetail("missingSignatures", "missing trusted signature")
+								},
+							}, store, cacheDriver, nil, nil)
+					}
+
+					_, _, err = imgStore.PutImageManifest("test", "1.0.0", ispec.MediaTypeImageManifest, manifestBuf, nil)
+					So(err, ShouldNotBeNil)
+
+					_, err = imgStore.GetBlobContent("test", manifestDigest)
+					So(err, ShouldEqual, zerr.ErrBlobNotFound)
+
+					index, err := storageCommon.GetIndex(imgStore, "test", log)
+					So(err, ShouldBeNil)
+					So(len(index.Manifests), ShouldEqual, 0)
+				})
+
 				Convey("Error on mandatory annotations", func() {
 					if testcase.storageType == storageConstants.S3StorageDriverName {
 						imgStore = imagestore.NewImageStore(testDir, cacheDir, false, false, log, metrics,