
Unable to read manifest with provenance enabled image

toras9000 opened this issue 2 years ago • 2 comments

I noticed that recently docker (buildkit) pushed image manifests are sometimes not readable by Docker.Registry.DotNet. Specifically, the call to IManifestOperations.GetManifestAsync() fails.

I don't know much about API specs, but I did a little research, so here's the information.

This seems to be related to the provenance option when building with docker buildx (buildkit).
Recent versions seem to default to the equivalent of --provenance true. An image built with it will have an error getting the manifest. Even if you use the same version of docker buildx, the image built with --provenance false can get the manifest normally.

When built with --provenance true, the MediaType in the manifest seems to be application/vnd.oci.*****. I think it's relevant here. (But I don't fully understand what this means.) https://docs.docker.com/build/attestations/slsa-provenance/

Failure to retrieve the manifest appears to be due to the fact that the current (v1.2.1) GetManifestAsync() does not support this MediaType. Specifically, the server seems to be returning a 404 Not Found because the Accept header of the request does not contain application/vnd.oci.*****.

For reference, here are the materials I used when I tried it. https://github.com/toras9000/test-docker-registry

You may have already figured it out, but I've included it for reference.

I rely on translation tools. I'm sorry if there is a strange sentence.

toras9000 avatar Mar 21 '23 08:03 toras9000
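The content negotiation the report describes, as an added example that is not part of the issue or of the Docker.Registry.DotNet project: a registry client has to offer the OCI media types in the Accept header of GET /v2/<name>/manifests/<reference>, or the stored OCI index is not served (the issue reports a 404). The example also shows how to tell the buildkit attestation (provenance) entries inside an OCI image index apart from the runnable platform manifests, and how to check the returned body against its content digest. The media type strings come from the OCI image spec and the Docker schema 2 spec; the `vnd.docker.reference.*` annotation keys are the ones buildx documents for attestations; the index JSON is constructed for the example and runs offline.

```python
"""Added example (not from the issue or the library): Accept-header
negotiation for OCI manifests and handling of buildkit attestation
manifests inside an image index. Runs offline on a constructed index."""
import hashlib
import json

# Media types from the OCI image spec and the Docker schema 2 spec.
OCI_INDEX = "application/vnd.oci.image.index.v1+json"
OCI_MANIFEST = "application/vnd.oci.image.manifest.v1+json"
DOCKER_LIST = "application/vnd.docker.distribution.manifest.list.v2+json"
DOCKER_MANIFEST = "application/vnd.docker.distribution.manifest.v2+json"

# Annotation keys buildx places on attestation (provenance/SBOM) manifests.
REF_TYPE = "vnd.docker.reference.type"
REF_DIGEST = "vnd.docker.reference.digest"


def accept_header(include_oci: bool = True) -> str:
    """Build the Accept value for GET /v2/<name>/manifests/<reference>.

    With include_oci=False this mimics a client that only knows the Docker
    schema 2 types, which is the situation the issue describes."""
    types = [DOCKER_LIST, DOCKER_MANIFEST]
    if include_oci:
        types = [OCI_INDEX, OCI_MANIFEST] + types
    return ", ".join(types)


def would_be_accepted(stored_media_type: str, accept: str) -> bool:
    """Model the registry side: the stored manifest's media type must be
    among the offered types, otherwise the client gets no usable manifest."""
    offered = {t.strip() for t in accept.split(",")}
    return stored_media_type in offered


def verify_digest(body: bytes, digest: str) -> bool:
    """Check a Docker-Content-Digest value (sha256:<hex>) against the raw
    response bytes. The digest covers the exact bytes, so never re-serialise
    the JSON before hashing."""
    algo, _, expected = digest.partition(":")
    if algo != "sha256" or len(expected) != 64:
        return False
    return hashlib.sha256(body).hexdigest() == expected


def split_index(index: dict) -> dict:
    """Separate runnable platform manifests from attestation manifests.

    buildx marks attestation entries with platform unknown/unknown and the
    vnd.docker.reference.type=attestation-manifest annotation."""
    if index.get("mediaType") not in (OCI_INDEX, DOCKER_LIST):
        raise ValueError("not an image index: %r" % index.get("mediaType"))
    result = {"platform": [], "attestation": []}
    for desc in index.get("manifests", []):
        ann = desc.get("annotations") or {}
        plat = desc.get("platform") or {}
        is_attestation = ann.get(REF_TYPE) == "attestation-manifest" or (
            plat.get("os") == "unknown" and plat.get("architecture") == "unknown"
        )
        result["attestation" if is_attestation else "platform"].append(desc)
    return result


def attestation_for(index: dict, platform_digest: str):
    """Return the attestation descriptor that references platform_digest,
    or None when the image carries no attestation for that platform."""
    for desc in split_index(index)["attestation"]:
        if (desc.get("annotations") or {}).get(REF_DIGEST) == platform_digest:
            return desc
    return None


# Constructed sample: one linux/amd64 manifest plus its provenance manifest,
# laid out the way buildx writes an OCI index with attestations.
AMD64_DIGEST = "sha256:" + "11" * 32
ATTEST_DIGEST = "sha256:" + "22" * 32
SAMPLE_INDEX_BODY = json.dumps({
    "schemaVersion": 2,
    "mediaType": OCI_INDEX,
    "manifests": [
        {"mediaType": OCI_MANIFEST, "digest": AMD64_DIGEST, "size": 1234,
         "platform": {"os": "linux", "architecture": "amd64"}},
        {"mediaType": OCI_MANIFEST, "digest": ATTEST_DIGEST, "size": 5678,
         "platform": {"os": "unknown", "architecture": "unknown"},
         "annotations": {REF_TYPE: "attestation-manifest",
                         REF_DIGEST: AMD64_DIGEST}},
    ],
}, separators=(",", ":")).encode()
# Constructed Docker-Content-Digest for the sample body above.
SAMPLE_DIGEST = "sha256:" + hashlib.sha256(SAMPLE_INDEX_BODY).hexdigest()


if __name__ == "__main__":
    index = json.loads(SAMPLE_INDEX_BODY)
    print("old Accept serves OCI index:", would_be_accepted(OCI_INDEX, accept_header(False)))
    print("new Accept serves OCI index:", would_be_accepted(OCI_INDEX, accept_header()))
    print("body matches digest:", verify_digest(SAMPLE_INDEX_BODY, SAMPLE_DIGEST))
    print("platform/attestation:", {k: len(v) for k, v in split_index(index).items()})
```

When selecting an image to run, a client should pick from the `platform` list only; the `attestation` entries are not runnable images, and their `vnd.docker.reference.digest` annotation links each one back to the platform manifest it describes.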

Do you know of any public images that have this feature enabled so I can see what the response looks like?

Thanks.

Jaben avatar Aug 11 '24 04:08 Jaben

I have never encountered a subject in a public repository that falls under this category.
However, I think it is possible to make it intentional.

For testing purposes, the following two repositories were created. The only difference is the value of provenance in docker-publish.yml.

  • https://github.com/toras9000/test-provenance-false
  • https://github.com/toras9000/test-provenance-true

I have not checked in as much detail as I did in my first post, but I have checked with the following code and can confirm that it succeeds with false and fails with true.

// Anonymous client against GitHub Container Registry (ghcr.io)
var config = new RegistryClientConfiguration("ghcr.io");
var authenticator = new AnonymousOAuthAuthenticationProvider();
using var client = config.CreateClient(authenticator);

// Image pushed with provenance=false: the manifest is retrieved successfully
var manifest1 = await client.Manifest.GetManifestAsync("toras9000/test-provenance-false", "latest");
// Image pushed with provenance=true: this call fails
var manifest2 = await client.Manifest.GetManifestAsync("toras9000/test-provenance-true", "latest");

toras9000 avatar Aug 11 '24 16:08 toras9000