feat: add support for oci1.1 cosign signatures(using referrers) (#1963)

- Cosign supports 2 types of signature formats: 1. Using tag -> each new signature of the same manifest is added as a new layer of the signature manifest having that specific tag("{alghoritm}-{digest_of_signed_manifest}.sig") 2. Using referrers -> each new signature of the same manifest is added as a new manifest - For adding these cosign signature to metadb, we reserved index 0 of the list of cosign signatures for tag-based signatures. When a new tag-based signature is added for the same manifest, the element on first position in its list of cosign signatures(in metadb) will be updated/overwritten. When a new cosign signature(using referrers) will be added for the same manifest this new signature will be appended to the list of cosign signatures. Signed-off-by: Andreea-Lupu <andreealupu1470@yahoo.com>
2026-06-16 20:38:08 +08:00 · 2023-11-07 00:09:39 +02:00
parent 6a66a9b9b4
commit d5065513f5
21 changed files with 511 additions and 85 deletions
@@ -289,6 +289,7 @@ func SetImageMetaFromInput(ctx context.Context, repo, reference, mediaType strin
 				mTypes.SignatureMetadata{
 					SignatureType:   sigType,
 					SignatureDigest: digest.String(),
+					SignatureTag:    reference,
 					LayersInfo:      layers,
 				})
 			if err != nil {
@@ -342,6 +343,11 @@ func isSignature(reference string, manifestContent ispec.Manifest) (bool, string
 		return true, NotationType, manifestContent.Subject.Digest
 	}

+	// check cosign signature
+	if manifestArtifactType == zcommon.ArtifactTypeCosign && manifestContent.Subject != nil {
+		return true, CosignType, manifestContent.Subject.Digest
+	}
+
 	if tag := reference; zcommon.IsCosignTag(reference) {
 		prefixLen := len("sha256-")
 		digestLen := 64