
Unable to read manifest with provenance enabled image #28

Open
toras9000 opened this issue Mar 21, 2023 · 2 comments

Comments

@toras9000

I noticed that recently docker (buildkit) pushed image manifests are sometimes not readable by Docker.Registry.DotNet.
Specifically, the call to IManifestOperations.GetManifestAsync() fails.

I don't know much about API specs, but I did a little research, so here's the information.

This seems to be related to the provenance option when building with docker buildx (buildkit).
Recent versions seem to default to the equivalent of --provenance true.
Getting the manifest of an image built with it results in an error.
Even with the same version of docker buildx, the manifest of an image built with --provenance false can be retrieved normally.

When built with --provenance true, the MediaType in the manifest seems to be application/vnd.oci.*****.
I think it's relevant here. (But I don't fully understand what this means.)
https://docs.docker.com/build/attestations/slsa-provenance/

Failure to retrieve the manifest appears to be due to the fact that the current (v1.2.1) GetManifestAsync() does not support this MediaType.
Specifically, the server seems to be returning a 404 Not Found because the Accept header of the request does not contain application/vnd.oci.*****.

For reference, here are the materials I used when I tried it.
https://github.com/toras9000/test-docker-registry

You may have already figured it out, but I've included it for reference.

I rely on translation tools. I'm sorry if there is a strange sentence.
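As an added illustration (not code from the issue or from Docker.Registry.DotNet), the Python below shows the two halves of the problem described above: an Accept header that lists the OCI media types alongside the Docker v2 ones, which is what prevents the 404, and a response parser that distinguishes real platform manifests from the attestation manifests that BuildKit adds to the index when provenance is on. The media-type strings are the standard OCI/Docker values (the issue only shows them as application/vnd.oci.*****); the sample index and digests are constructed.

```python
import json

# Media types a client must advertise in Accept to receive both the classic
# Docker v2 manifests and the OCI manifest/index that BuildKit pushes when
# provenance is enabled (standard OCI/Docker values, not from the issue text).
DOCKER_MANIFEST = "application/vnd.docker.distribution.manifest.v2+json"
DOCKER_LIST = "application/vnd.docker.distribution.manifest.list.v2+json"
OCI_MANIFEST = "application/vnd.oci.image.manifest.v1+json"
OCI_INDEX = "application/vnd.oci.image.index.v1+json"


def accept_header(include_oci: bool = True) -> str:
    """Accept value for GET /v2/<name>/manifests/<ref>; without the OCI
    types the registry has no acceptable representation and answers 404."""
    types = [DOCKER_MANIFEST, DOCKER_LIST]
    if include_oci:
        types += [OCI_MANIFEST, OCI_INDEX]
    return ", ".join(types)


def image_manifests(content_type: str, body: bytes) -> list[dict]:
    """Return the platform image descriptors from a manifest response.

    An index pushed with --provenance true also lists attestation manifests
    (platform unknown/unknown, annotation vnd.docker.reference.type =
    attestation-manifest); they are not images and are skipped. Any other
    media type is rejected instead of being parsed blindly.
    """
    media = content_type.split(";")[0].strip().lower()
    doc = json.loads(body)
    if media in (DOCKER_MANIFEST, OCI_MANIFEST):
        return [doc]
    if media in (DOCKER_LIST, OCI_INDEX):
        return [m for m in doc.get("manifests", [])
                if m.get("annotations", {}).get("vnd.docker.reference.type")
                != "attestation-manifest"]
    raise ValueError(f"unsupported manifest media type: {media}")


# Constructed sample resembling the index BuildKit pushes with provenance on
# (digests are placeholders).
SAMPLE_INDEX = json.dumps({
    "schemaVersion": 2,
    "mediaType": OCI_INDEX,
    "manifests": [
        {"mediaType": OCI_MANIFEST, "digest": "sha256:aaaa", "size": 1,
         "platform": {"architecture": "amd64", "os": "linux"}},
        {"mediaType": OCI_MANIFEST, "digest": "sha256:bbbb", "size": 1,
         "platform": {"architecture": "unknown", "os": "unknown"},
         "annotations": {"vnd.docker.reference.type": "attestation-manifest",
                         "vnd.docker.reference.digest": "sha256:aaaa"}},
    ],
}).encode()
```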

@Jaben (Member)

Jaben commented Aug 11, 2024

Do you know of any public images that have this feature enabled so I can see what the response looks like?

Thanks.

@toras9000 (Author)

I have never encountered a subject in a public repository that falls under this category.
However, I think it is possible to create one intentionally.

For testing purposes, the following two repositories were created.
The only difference is the value of provenance in docker-publish.yml.

I have not checked in as much detail as in my first post, but I have tested with the following code and can confirm that it succeeds with false and fails with true.

var config = new RegistryClientConfiguration("ghcr.io");
var authenticator = new AnonymousOAuthAuthenticationProvider();
using var client = config.CreateClient(authenticator);

// Image pushed with provenance=false: manifest is retrieved normally.
var manifest1 = await client.Manifest.GetManifestAsync("toras9000/test-provenance-false", "latest");
// Image pushed with provenance=true: this call fails.
var manifest2 = await client.Manifest.GetManifestAsync("toras9000/test-provenance-true", "latest");
