Proposal: set custom config media type on attestation manifests #3610
Conversation
|
I did a quick test to confirm how well this works across the different registries we test against: https://github.com/docker/build-push-action/actions/runs/4124641031. Looks like the only failure major failure is on GitLab container registry, which is because they validate the config media type against a list of hardcoded types in the database (for example, see here). |
jedevc
force-pushed
the
attestation-config-media-type
branch
from
723216e
to
de1927b
Compare
|
I believe quay.io is also filtering on the config media type. |
|
Ah shoot, I could have sworn we had e2e tests for quay in docker/build-push-action 😢 cc @crazy-max is it feasible to set something like that up? |
jedevc
force-pushed
the
attestation-config-media-type
branch
from
de1927b
to
9afd5a7
Compare
|
Did a test that includes quay as well 👀 https://github.com/docker/build-push-action/actions/runs/4142977994 Yup, as expected this fails, it explicitly fails against a validation check: |
|
Marking as do-not-merge until:
|
This patch sets the media type for attestation manifests to "application/vnd.docker.attestation.config.v1+json" instead of faking a "application/vnd.oci.image.config.v1+json" type. This updates the attestation manifests inline with the OCI artifact type defined at https://github.com/opencontainers/artifacts. Aside from just making us inline with the spec here, we would hopefully be able to see better integrations in registries that just handle config media types and don't inspect the custom buildkit attestations. Additionally, this makes it *firmly* impossible for runtimes to accidentally download and run the attestation manifest, treating it as an image manifest. Signed-off-by: Justin Chadwell <me@jedevc.com>
Signed-off-by: Justin Chadwell <me@jedevc.com>
|
We've added a few more tests to the e2e suite for build-push-action, I'm fairly confident that the list includes most of the registries we're interested in. Out of those, the only ones that break are GitLab and Quay (https://github.com/docker/build-push-action/actions/runs/4321829355/jobs/7543515404), so I think we can try and reach out to them to see about making this change for the next release of BuildKit. |
jedevc
force-pushed
the
attestation-config-media-type
branch
from
9afd5a7
to
1c26b6e
Compare
|
Speaking for the GitLab registry, we don't accept media types we don't recognize. Explicitly adding support for anything new gives us the opportunity to ensure that we can properly validate media types we accept and that they behave with our features, particularly online garbage collection, in expected ways. Essentially, we're choosing to value stability over flexibility and experimentation. Please open an issue if you want us to support this media type: https://gitlab.com/gitlab-org/container-registry/-/issues |
|
With opencontainers/image-spec#1043, this should maybe be updated to use (probably also / separately worth considering setting |
|
If the config is currently empty and there are no plans to add config blob contents in the future, then For registry support, GitLab is the only one I'm aware of that has an approve list for If the subject field is used (which is the OCI way to associate artifacts with an image), then expect issues with Docker Hub and ECR until we release OCI image/distribution 1.1.0. Personally, I'd like to see the |
This patch sets the media type for attestation manifests to
application/vnd.docker.attestation.config.v1+jsoninstead of faking aapplication/vnd.oci.image.config.v1+jsontype.This updates the attestation manifests inline with the OCI artifact type defined at https://github.com/opencontainers/artifacts. Aside from just making us inline with the spec here, we would hopefully be able to see better integrations in registries that just handle config media types and don't inspect the custom buildkit attestations.
Additionally, this makes it firmly impossible for runtimes to accidentally download and run the attestation manifest, treating it as an image manifest.