You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
I reported this in skopeo (see containers/skopeo#1051) but the fix might be required in containers/image instead.
When running a skopeo inspect docker-daemon:repo@sha256:digest it fails with a "Manifest does not match provided manifest digest" error.
After some tests, the cause might be that the contents of the manifest are different (testing with skopeo inspect --raw for docker:// source and for docker-daemon: source. My guess in here is that for docker-daemon: source the manifest is automatically generated by Skopeo or the underlying libraries, while for docker:// source, the manifest is downloaded "as is". The docker:// version, when retrieved from the registry, is indented and formatted, so the hash differs with the hash of the locally generated manifest. See my tests:
I would expect that it is possible to do a skopeo inspect docker-daemon:repo@sha256:digest instead of failing. So some proposals would be:
Fix the manifest generation, so it matches the remote manifest format. I am not sure if this is in general a good idea. Is there an standard for manifest formatting?
returnnil, "", errors.Errorf("Manifest does not match provided manifest digest %s", digest)
, as the digest for the manifest generated on the fly won't probably match the real manifest in the remote repository.
The issue also applies for other commands like skopeo copy:
kopeo copy docker-daemon:alpine@sha256:a15790640a6690aa1730c38cf0a440e2aa44aaca9b0e8931a9f2b0d7cc90fd65 oci:test.tar
FATA[0000] Error determining manifest MIME type for docker-daemon:alpine@sha256:a15790640a6690aa1730c38cf0a440e2aa44aaca9b0e8931a9f2b0d7cc90fd65: Manifest does not match provided manifest digest sha256:a15790640a6690aa1730c38cf0a440e2aa44aaca9b0e8931a9f2b0d7cc90fd6
Probably because the locally generated version is using the uncompressed version of the layer (is the mediaType correct?) and the real manifest is using the distribution .tar.gz layer, the digest of the blob in the remote registry.
So, as this is expected, does it make sense to enable the manifest digest verification when using the docker-daemon:// source?
I reported this in skopeo (see containers/skopeo#1051) but the fix might be required in containers/image instead.
When running a
skopeo inspect docker-daemon:repo@sha256:digest
it fails with a "Manifest does not match provided manifest digest" error.After some tests, the cause might be that the contents of the manifest are different (testing with
skopeo inspect --raw
for docker:// source and for docker-daemon: source. My guess in here is that for docker-daemon: source the manifest is automatically generated by Skopeo or the underlying libraries, while for docker:// source, the manifest is downloaded "as is". The docker:// version, when retrieved from the registry, is indented and formatted, so the hash differs with the hash of the locally generated manifest. See my tests:I would expect that it is possible to do a
skopeo inspect docker-daemon:repo@sha256:digest
instead of failing. So some proposals would be:image/image/unparsed.go
Line 59 in 21244c9
The issue also applies for other commands like
skopeo copy
:and anything using FromUnparsedImage (
image/image/sourced.go
Line 68 in 1a0dda7
image/image/unparsed.go
Line 59 in 21244c9
The text was updated successfully, but these errors were encountered: