fix: add support for uploaded index when signing using notation (#1882)

ci(notation): update to latest notation version fix(sync): add layers info when syncing signatures Signed-off-by: Andreea-Lupu <andreealupu1470@yahoo.com>
2026-06-16 20:38:08 +08:00 · 2023-10-13 04:45:20 +03:00
parent 458d40fb48
commit fc2380b57b
24 changed files with 576 additions and 45 deletions
@@ -3,6 +3,7 @@ package meta
 import (
 	godigest "github.com/opencontainers/go-digest"

+	zcommon "zotregistry.io/zot/pkg/common"
 	"zotregistry.io/zot/pkg/log"
 	"zotregistry.io/zot/pkg/meta/common"
 	mTypes "zotregistry.io/zot/pkg/meta/types"
@@ -15,6 +16,10 @@ import (
 func OnUpdateManifest(repo, reference, mediaType string, digest godigest.Digest, body []byte,
 	storeController storage.StoreController, metaDB mTypes.MetaDB, log log.Logger,
 ) error {
+	if zcommon.IsReferrersTag(reference) {
+		return nil
+	}
+
 	imgStore := storeController.GetImageStore(repo)

 	// check if image is a signature
@@ -87,6 +92,10 @@ func OnUpdateManifest(repo, reference, mediaType string, digest godigest.Digest,
 func OnDeleteManifest(repo, reference, mediaType string, digest godigest.Digest, manifestBlob []byte,
 	storeController storage.StoreController, metaDB mTypes.MetaDB, log log.Logger,
 ) error {
+	if zcommon.IsReferrersTag(reference) {
+		return nil
+	}
+
 	imgStore := storeController.GetImageStore(repo)

 	isSignature, signatureType, signedManifestDigest, err := storage.CheckIsImageSignature(repo, manifestBlob,
@@ -154,7 +163,7 @@ func OnGetManifest(name, reference string, body []byte,
 		return err
 	}

-	if !isSignature {
+	if !isSignature && !zcommon.IsReferrersTag(reference) {
 		err := metaDB.IncrementImageDownloads(name, reference)
 		if err != nil {
 			log.Error().Err(err).Str("repository", name).Str("reference", reference).
@@ -108,6 +108,12 @@ func TestUpdateErrors(t *testing.T) {
 				So(err, ShouldNotBeNil)
 			})

+			Convey("IsReferrersTag true", func() {
+				err := meta.OnUpdateManifest("repo", "sha256-123", "digest", "media", []byte("bad"),
+					storeController, metaDB, log)
+				So(err, ShouldBeNil)
+			})
+
 			Convey("GetSignatureLayersInfo errors", func() {
 				// get notation signature layers info
 				badNotationManifestContent := ispec.Manifest{
@@ -180,6 +186,12 @@ func TestUpdateErrors(t *testing.T) {
 				So(err, ShouldNotBeNil)
 			})

+			Convey("IsReferrersTag true", func() {
+				err := meta.OnDeleteManifest("repo", "sha256-123", "digest", "media", []byte("bad"),
+					storeController, metaDB, log)
+				So(err, ShouldBeNil)
+			})
+
 			Convey("DeleteReferrers errors", func() {
 				metaDB.DeleteReferrerFn = func(repo string, referredDigest, referrerDigest godigest.Digest) error {
 					return ErrTestError
@@ -80,6 +80,10 @@ func ParseRepo(repo string, metaDB mTypes.MetaDB, storeController storage.StoreC
 	for _, descriptor := range indexContent.Manifests {
 		tag := descriptor.Annotations[ispec.AnnotationRefName]

+		if zcommon.IsReferrersTag(tag) {
+			continue
+		}
+
 		descriptorBlob, err := getCachedBlob(repo, descriptor, metaDB, imageStore, log)
 		if err != nil {
 			log.Error().Err(err).Msg("load-repo: error checking manifestMeta in MetaDB")
@@ -299,6 +303,11 @@ func getNotationSignatureLayersInfo(
 		return layers, err
 	}

+	// skip if is a notation index
+	if manifestContent.MediaType == ispec.MediaTypeImageIndex {
+		return []mTypes.LayerInfo{}, nil
+	}
+
 	if len(manifestContent.Layers) != 1 {
 		log.Error().Err(zerr.ErrBadManifest).Str("repository", repo).Str("reference", manifestDigest).
 			Msg("load-repo: notation signature manifest requires exactly one layer but it does not")
@@ -347,6 +347,33 @@ func TestParseStorageErrors(t *testing.T) {
 				err = meta.ParseRepo("repo", metaDB, storeController, log)
 				So(err, ShouldNotBeNil)
 			})
+
+			Convey("IsReferrersTag -> true", func() {
+				indexContent := ispec.Index{
+					Manifests: []ispec.Descriptor{
+						{
+							Digest:    godigest.FromString("indx1"),
+							MediaType: ispec.MediaTypeImageIndex,
+							Annotations: map[string]string{
+								ispec.AnnotationRefName: "sha256-123",
+							},
+						},
+					},
+				}
+				indexBlob, err := json.Marshal(indexContent)
+				So(err, ShouldBeNil)
+
+				imageStore.GetIndexContentFn = func(repo string) ([]byte, error) {
+					return indexBlob, nil
+				}
+
+				metaDB.SetIndexDataFn = func(digest godigest.Digest, indexData mTypes.IndexData) error {
+					return ErrTestError
+				}
+
+				err = meta.ParseRepo("repo", metaDB, storeController, log)
+				So(err, ShouldBeNil)
+			})
 		})
 	})
 }
@@ -605,6 +632,19 @@ func TestGetSignatureLayersInfo(t *testing.T) {
 		So(layers, ShouldBeEmpty)
 	})

+	Convey("notation index", t, func() {
+		notationIndex := ispec.Index{
+			MediaType: ispec.MediaTypeImageIndex,
+		}
+
+		notationIndexBlob, err := json.Marshal(notationIndex)
+		So(err, ShouldBeNil)
+		layers, err := meta.GetSignatureLayersInfo("repo", "tag", "123", zcommon.NotationSignature, notationIndexBlob,
+			nil, log.NewLogger("debug", ""))
+		So(err, ShouldBeNil)
+		So(layers, ShouldBeEmpty)
+	})
+
 	Convey("error while unmarshaling manifest content", t, func() {
 		_, err := meta.GetSignatureLayersInfo("repo", "tag", "123", zcommon.CosignSignature, []byte("bad manifest"),
 			nil, log.NewLogger("debug", ""))