skopeo fails to copy with signature `COSIGN_DOCKER_MEDIA_TYPES=1`

Open mesaglio opened this issue 9 months ago • 4 comments

Description

When attempting to copy a Docker image along with its signature between registries using skopeo, the operation fails if the signature was created with cosign while the COSIGN_DOCKER_MEDIA_TYPES=1 environment variable was set.

Steps to Reproduce

echo "FROM alpine" > Dockerfile
docker build -t ttl.sh/juani/skope-issue:latest .
docker push ttl.sh/juani/skope-issue:latest
cosign generate-key-pair
COSIGN_DOCKER_MEDIA_TYPES=1 cosign sign --key cosign.key --tlog-upload=false ttl.sh/juani/skope-issue:latest
mkdir -p /etc/containers/registries.d
echo "docker:
    ttl.sh:
        use-sigstore-attachments: true" > /etc/containers/registries.d/ttl.yaml
skopeo --insecure-policy copy "docker://ttl.sh/juani/skope-issue:latest" "docker://ttl.sh/juani/skope-issue-2:latest"

Error Message

reading signatures: unexpected MIME type for sigstore attachment manifest 
ttl.sh/juani-test:sha256-334de4f644f4ee219359f27ca2989a78434d75711790215294839b1c71e720d0.sig: 
"application/vnd.docker.distribution.manifest.v2+json

Expected Behavior

Skopeo should successfully copy both the image and its signature to the target registry.

Actual Behavior

Skopeo fails with an error about unexpected MIME type for the signature manifest.

Environment

  • Cosign version: v2.5.0
  • Skopeo version: 1.18.0
  • OS: linux

Additional Information

The COSIGN_DOCKER_MEDIA_TYPES=1 environment variable causes Cosign to use application/vnd.docker.distribution.manifest.v2+json as the mediaType for the signature manifest, which Skopeo apparently doesn't expect or can't handle.

Proposed Fix

In docker_client.go, around line 1024, modify the condition to accept both manifest types:

if mimeType != imgspecv1.MediaTypeImageManifest && mimeType != manifest.DockerV2Schema2MediaType

If you agree with this, I can collaborate with the PR.

mesaglio, May 10 '25 12:05

Thanks for your report.

This is tracked in https://github.com/containers/container-libs/issues/212 , and doing it correctly would be rather more work — if it is even possible to do this “correctly”, when Docker schema2 outright does not have the annotation field (to the extent past practice and https://distribution.github.io/distribution/spec/manifest-v2-2/ is authoritative). Compare https://github.com/containers/image/pull/2734 .

mtrmac, May 12 '25 17:05
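
Added example, not part of the thread and not skopeo or containers/image code: a small Go check showing that accepting the schema2 MIME type is separate from still being able to read the signature, which cosign stores in a layer annotation. The sample manifest is constructed, and `inspect` with its `specOnly` flag is a hypothetical model of a parser that keeps only fields the schema2 spec defines.

```go
package main

import (
	"encoding/json"
	"fmt"
)

const (
	ociManifest   = "application/vnd.oci.image.manifest.v1+json"
	dockerSchema2 = "application/vnd.docker.distribution.manifest.v2+json"
	sigAnnotation = "dev.cosignproject.cosign/signature" // cosign's per-layer signature annotation
)

// manifest keeps only what this check needs; annotations are an OCI descriptor field.
type manifest struct {
	MediaType string `json:"mediaType"`
	Layers    []struct {
		Annotations map[string]string `json:"annotations"`
	} `json:"layers"`
}

// Constructed sample: signature manifest labelled as Docker schema2; digest and signature are placeholders.
const sample = `{"schemaVersion":2,"mediaType":"application/vnd.docker.distribution.manifest.v2+json",
 "layers":[{"mediaType":"application/vnd.dev.cosign.simplesigning.v1+json","size":233,
 "digest":"sha256:PLACEHOLDER","annotations":{"dev.cosignproject.cosign/signature":"PLACEHOLDER"}}]}`

// inspect reports whether the strict (OCI only) and relaxed (OCI or schema2) MIME checks accept
// the manifest and how many layers carry a signature. specOnly=true is the assumed spec-literal parser.
func inspect(raw []byte, specOnly bool) (strict, relaxed bool, sigs int, err error) {
	var m manifest
	if err = json.Unmarshal(raw, &m); err != nil {
		return
	}
	strict = m.MediaType == ociManifest
	relaxed = strict || m.MediaType == dockerSchema2
	for _, l := range m.Layers {
		if specOnly && m.MediaType == dockerSchema2 {
			l.Annotations = nil // schema2 descriptors have no annotations field
		}
		if _, ok := l.Annotations[sigAnnotation]; ok {
			sigs++
		}
	}
	return
}

func main() {
	fmt.Println(inspect([]byte(sample), false)) // annotations kept
	fmt.Println(inspect([]byte(sample), true))  // schema2 fields only
}
```

With annotations kept, the relaxed check accepts the manifest and one signature is found; with schema2 fields only, the manifest is still accepted but no signature remains to copy or verify.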

Do you know if https://github.com/containers/image/pull/2734 is still in development? If not, could I resume it?

mesaglio, May 13 '25 13:05

I haven’t seen anything about that work, other than that PR.

mtrmac, May 13 '25 13:05

A friendly reminder that this issue had no activity for 30 days.

github-actions[bot], Jun 15 '25 00:06