harbor icon indicating copy to clipboard operation
harbor copied to clipboard

Published 20 hours ago verified publisher icon goharbor

Replication doesn't not replicate signatures along with artifac

Open brackend opened this issue 2 years ago • 6 comments

Local replication did not replicate the cosign signatures from another local repository

Created a pull replication from one repo to another repo on the same Harbor registry. The source had several cosign signatures. Replication worked fine for replicating the image into the new repository. Problem is the destination repo doesn't see the signatures. That is the new repo replicates the images but not the signatures

For replication I used "ALL" and also "image". But same result. Flatten and not flattened - not that it would matter but you never know.

Version

Version v2.5.0-98e1b82f

Documentation: A key feature of using Cosign with Harbor is the ability use Harbor’s replication capabilities to replicate signatures with their associated signed artifact. This means that if a replication rule applies to a signed artifact, Harbor will apply the replication rule to the signature in the same way it applies it to the signed artifact.

When replicating between Harbor instances, the target Harbor instance will maintain the link between the signed artifact and its associated signatures. You will be able to see the relationship between the two artifacts in the target Harbor interface, in the same way that you do in the source registry.

When replicating from Harbor to another target registry type, the target registry will not manage the link between the signed artifact and any associated signatures. You will see the subject manifest and signatures as coordinating artifacts under the same repository.

brackend avatar Jun 30 '22 15:06 brackend

Hi Can anyone help with this. I realize that it's looping back to the same registry - my current environment doesn't let me reach out to other registries right now. But it should still work.

brackend avatar Jul 02 '22 11:07 brackend

can you share the screen shot of you replication rule?

wy65701436 avatar Jul 03 '22 19:07 wy65701436

image

brackend avatar Jul 20 '22 12:07 brackend

Sorry for slow response got sidetracked onto something else. I've just tired it with wild card in place of "latest" and it works. But how do I just say pull "latest" image along with sig. I don't necessarily want to pull all tags. For this test it was pulled from another deployment of harbor.

brackend avatar Jul 20 '22 15:07 brackend

Hi @wy65701436, would you mind taking a look? Is it right to assume that it should pull the sig along with the image without specifying the sig? Particular in the case of one harbor instance to another.

brackend avatar Jul 21 '22 20:07 brackend

This issue is being marked stale due to a period of inactivity. If this issue is still relevant, please comment or remove the stale label. Otherwise, this issue will close in 30 days.

github-actions[bot] avatar Sep 20 '22 09:09 github-actions[bot]

This issue was closed because it has been stalled for 30 days with no activity. If this issue is still relevant, please re-open a new issue.

github-actions[bot] avatar Oct 20 '22 09:10 github-actions[bot]

For people having the same issue, the following tag filter works as expected with cosign signature: {latest,*.sig}.

ctrlaltdel avatar Jan 10 '23 14:01 ctrlaltdel