[Fallback Support]Notation uses OCI image manifest to store the signature in the repository. #444
This fallback is not defined in OCI spec. The only fallback defined in OCI spec is based on referrers API. Do we want to devise fallback based on failure to push artifact manifest? If yes, why?
You are right. This fallback is not defined in OCI spec. OCI artifact manifest is introduced in OCI image spec v1.1. Not all the registries are OCI image spec v1.1 compatible. If notation pushes signatures using OCI artifact manifest, the push fails. So the question is really about "Does Notation support sign container images/artifacts in registries not OCI image v1.1 compatible?".
I'd suggest we should be checking for support before attempting to push either manifest. Having to create the manifest and depend on PUT errors is a lot of code to write and make calls just to find out it won't work. OCI Artifact manifest fallback is defined here: Backwards Compatibility However, @shizhMSFT pointed out that the Question: what if we checked the root of the registry for the existence of the
Add the link for related discussion at OCI: opencontainers/distribution-spec#365
While I was investigating unrelated issues in using OCI Artifacts and the oras-project, I opened:
Notation fallback mechanism SFD on HackMD Note that this is not going to work on ECR until it allows unknown fields (
But I'm not sure if (being under In any case, I'm looking at what changes need to be made in ECR in advance of 1/30/2023 that would allow this field, and thus make it possible for notary to utilize the fallback mechanism if the move to
I've briefly reviewed the HackMD doc. The described behavior is similar to ORAS except the tag scheme (the fallback method of the Referrers API). Major differences:
@nima Question on the flow of "Attempt artifact manifest upload via oci-v1.1 spec", why do we need to check and upload
Hi @yizha1, sorry for the delay, in response to your question in #444:
My understanding is that when we revert to a fallback (to use an image manifest, instead of an artifact manifest), then we need to construct an image manifest in its stead. And since an image spec mandates the manifest contain a It's quite possible that I've missed something—in either your question or in my understanding in general—because I think you know all that I've explained better than I do. Let me know what I may have missed here, and I'll update the SFD.
Hi @shizhMSFT, thank you for the review; that is indeed very important, I will update the SFD to reflect this for completeness.
Thanks Nima. Your understanding is correct. The spec PR also described this notaryproject/specifications#217. My question is about the wording
Oh! I'm so sorry I misunderstood that—I will update that immediately, and thank you for pointing it out.
Closed as released in rc.2
What are the areas you would like to add the new feature to?
Notation CLI
Is your feature request related to a problem?
OCI artifact manifest was introduced in OCI image spec 1.1.0. It takes time for registries to be compliant with the 1.1.0 spec. There could be cases where registries decide not to uplift to the 1.1.0 spec. For registries not compliant with the 1.1.0 spec, it will fail if notation CLI uses OCI artifact manifest to push the signatures.
What solution do you propose?
This feature is to request notation to support using OCI image manifest to store the signature in a registry that doesn't support OCI artifact manifest.
OCI image manifest
config property required by OCI image manifest
What alternatives have you considered?
No other alternative.
Notation can claim that only OCI artifact manifest is supported to store the signatures, but this will cause notation not to be broadly adopted.
Any additional context?
No response
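As an added example (not code from Notation or from this thread), the two manifest shapes the request contrasts, built in Python for a constructed signature envelope: the artifact manifest form and the image-manifest fallback carrying the config descriptor the image spec requires. The media types used for the signature artifact and envelope are assumptions for illustration.

```python
import hashlib

# Manifest media types from the OCI image spec (1.1 adds the artifact manifest).
ARTIFACT_MANIFEST = "application/vnd.oci.artifact.manifest.v1+json"
IMAGE_MANIFEST = "application/vnd.oci.image.manifest.v1+json"
# Assumed for this example: artifact type and envelope media type of a signature.
SIGNATURE_TYPE = "application/vnd.cncf.notary.signature"
ENVELOPE_TYPE = "application/jose+json"
EMPTY_CONFIG = b"{}"  # stand-in config blob; an image manifest must reference one


def descriptor(content: bytes, media_type: str) -> dict:
    """OCI content descriptor for a blob: mediaType, sha256 digest and size."""
    return {"mediaType": media_type,
            "digest": "sha256:" + hashlib.sha256(content).hexdigest(),
            "size": len(content)}


def artifact_manifest(signature: bytes, subject: dict) -> dict:
    """Preferred on a 1.1 registry: no config, the envelope sits in 'blobs'."""
    return {"mediaType": ARTIFACT_MANIFEST, "artifactType": SIGNATURE_TYPE,
            "blobs": [descriptor(signature, ENVELOPE_TYPE)], "subject": subject}


def image_manifest_fallback(signature: bytes, subject: dict) -> dict:
    """Fallback for a registry that rejects artifact manifests: the image manifest
    schema requires a 'config' descriptor, so one is synthesised from EMPTY_CONFIG."""
    return {"schemaVersion": 2, "mediaType": IMAGE_MANIFEST,
            "config": descriptor(EMPTY_CONFIG, SIGNATURE_TYPE),
            "layers": [descriptor(signature, ENVELOPE_TYPE)], "subject": subject}


def signature_manifest(signature: bytes, subject: dict, artifact_ok: bool) -> dict:
    """Pick the manifest form the target registry accepts."""
    build = artifact_manifest if artifact_ok else image_manifest_fallback
    return build(signature, subject)


def blobs_to_push(signature: bytes, artifact_ok: bool) -> list:
    """Every blob a manifest references must exist in the repo before the manifest
    PUT, so the fallback also has to upload the config blob it points at."""
    return [signature] if artifact_ok else [signature, EMPTY_CONFIG]


# Constructed sample input: a fake signed image manifest and a fake signature envelope.
SAMPLE_IMAGE = b'{"schemaVersion":2,"mediaType":"%s","layers":[]}' % IMAGE_MANIFEST.encode()
SAMPLE_SUBJECT = descriptor(SAMPLE_IMAGE, IMAGE_MANIFEST)
SAMPLE_SIGNATURE = b'{"protected":"e30","signature":"c2lnbmF0dXJl"}'
```

The subject field is still present in the fallback, so a registry that rejects unknown manifest fields (the ECR situation mentioned in the thread) will refuse it regardless of the config descriptor.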