feat: add support for oci1.1 cosign signatures(using referrers) (#1963)

- Cosign supports 2 types of signature formats:

	1. Using tag -> each new signature of the same manifest is
	added as a new layer of the signature manifest having that
	specific tag("{alghoritm}-{digest_of_signed_manifest}.sig")

	2. Using referrers -> each new signature of the same manifest is
	added as a new manifest

- For adding these cosign signatures to metadb, we reserved index 0 of the
list of cosign signatures for tag-based signatures. When a new tag-based
signature is added for the same manifest, the element in first position
of its list of cosign signatures (in metadb) is updated/overwritten.
When a new cosign signature (using referrers) is added for the same
manifest, this new signature is appended to the list of cosign
signatures.

Signed-off-by: Andreea-Lupu <andreealupu1470@yahoo.com>
Andreea Lupu
2023-11-07 00:09:39 +02:00
committed by GitHub
parent 6a66a9b9b4
commit d5065513f5
21 changed files with 511 additions and 85 deletions
+5
@@ -613,6 +613,11 @@ func IsSignature(descriptor ispec.Descriptor) bool {
return true
}
// is cosign signature (OCI 1.1 support)
if descriptor.ArtifactType == zcommon.ArtifactTypeCosign {
return true
}
// is notation signature
if descriptor.ArtifactType == zcommon.ArtifactTypeNotation {
return true
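Review bot: The new cosign branch in IsSignature classifies a descriptor as a signature from ArtifactType alone, while the cosign branch added to CheckIsImageSignature in the last hunk additionally requires `manifestContent.Subject != nil`; the two checks therefore disagree on what counts as a cosign signature, and a reader of IsSignature has no hint that the subject requirement lives elsewhere. If the looser descriptor-level check is intentional (a Descriptor carries no Subject field), say so next to it, e.g. `// artifact type alone identifies a cosign signature here; subject presence is checked in CheckIsImageSignature`. If it is not intentional, callers that use IsSignature to skip or protect artifacts may treat a subject-less cosign-typed manifest as a signature. The IsSignature body begins before this hunk.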
+3 -1
@@ -277,9 +277,11 @@ func (gc GarbageCollect) removeReferrer(repo string, index *ispec.Index, manifes
referenced := isManifestReferencedInIndex(index, subject.Digest)
var signatureType string
// check if its notation signature
// check if its notation or cosign signature
if artifactType == zcommon.ArtifactTypeNotation {
signatureType = storage.NotationType
} else if artifactType == zcommon.ArtifactTypeCosign {
signatureType = storage.CosignType
}
if !referenced {
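Review bot: The new `else if` on artifactType turns the notation check into a two-way dispatch on one value, which in Go reads more clearly as a `switch`; it also makes it obvious at a glance that signatureType is left as the empty string for any other artifact type, which the code after `if !referenced` (outside this hunk) presumably has to tolerate. I would also expand the comment to state that outcome, e.g. `// map the artifact type to the storage signature type; stays empty for non-signature referrers`. removeReferrer's body continues past this hunk.
```go
var signatureType string

// map the artifact type to the storage signature type; stays empty for non-signature referrers
switch artifactType {
case zcommon.ArtifactTypeNotation:
	signatureType = storage.NotationType
case zcommon.ArtifactTypeCosign:
	signatureType = storage.CosignType
}

// … unchanged: if !referenced { … } …
```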
+9
@@ -2154,6 +2154,15 @@ func TestGarbageCollectForImageStore(t *testing.T) {
err = WriteImageToFileSystem(notationSig, repoName, "notation", storeController)
So(err, ShouldBeNil)
// add fake signature for tag1
cosignWithReferrersSig := CreateImageWith().
RandomLayers(1, 10).
ArtifactConfig(common.ArtifactTypeCosign).
Subject(img.DescriptorRef()).Build()
err = WriteImageToFileSystem(cosignWithReferrersSig, repoName, "cosign", storeController)
So(err, ShouldBeNil)
err = gc.CleanRepo(repoName)
So(err, ShouldBeNil)
})
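Review bot: The comment introducing the new cosign block, `// add fake signature for tag1`, is a copy of the one used for the notation signature above it and does not say which signature format is being exercised, which is the whole point of this addition; I would write it as `// add fake cosign signature using referrers (OCI 1.1) for tag1`. Within the visible lines the test writes the referrers-based signature and runs CleanRepo but does not check whether the signature survived collection; if no assertion follows outside this hunk, a check that the cosign referrer is still present after `gc.CleanRepo(repoName)` would pin the behaviour the GC change in removeReferrer is meant to provide.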
+5
@@ -227,6 +227,11 @@ func CheckIsImageSignature(repoName string, manifestBlob []byte, reference strin
return true, NotationType, manifestContent.Subject.Digest, nil
}
// check cosign signature (OCI 1.1 support)
if manifestArtifactType == zcommon.ArtifactTypeCosign && manifestContent.Subject != nil {
return true, CosignType, manifestContent.Subject.Digest, nil
}
if tag := reference; zcommon.IsCosignTag(reference) {
prefixLen := len("sha256-")
digestLen := 64