From 2bb5166c80c6e315646ad77042d5f6637743d165 Mon Sep 17 00:00:00 2001
From: MinerYang
Date: Wed, 10 Apr 2024 13:46:00 +0800
Subject: [PATCH] adopt cosign with oci-spec 1.1 (#20245)
Signed-off-by: yminer
add comment for cosign middlware
---
 src/server/middleware/cosign/cosign.go | 32 ++++++++++++++++++++++++
 src/server/middleware/subject/subject.go | 5 ++++
 2 files changed, 37 insertions(+)
diff --git a/src/server/middleware/cosign/cosign.go b/src/server/middleware/cosign/cosign.go
index 13021cb10..53fcdc7ed 100644
--- a/src/server/middleware/cosign/cosign.go
+++ b/src/server/middleware/cosign/cosign.go
@@ -65,6 +65,38 @@ var (
 }
 ]
 }
+*/
+// cosign adopt oci-spec 1.1 will have request and manifest like below
+// It will skip this middleware since not using cosignRe for subject artifact reference
+// use Subject Middleware indtead
+/*
+PUT /v2/library/goharbor/harbor-db/manifests/sha256:aabea2bdd5a6fb79c13837b88c7b158f4aa57a621194ee21959d0b520eda412f
+{
+ "schemaVersion": 2,
+ "mediaType": "application/vnd.oci.image.manifest.v1+json",
+ "config": {
+ "mediaType": "application/vnd.dev.cosign.artifact.sig.v1+json",
+ "size": 233,
+ "digest": "sha256:c025e9532dbc880534be96dbbb86a6bf63a272faced7f07bb8b4ceb45ca938d1"
+ },
+ "layers": [
+ {
+ "mediaType": "application/vnd.dev.cosign.simplesigning.v1+json",
+ "size": 257,
+ "digest": "sha256:38d07d81bf1d026da6420295113115d999ad6da90073b5e67147f978626423e6",
+ "annotations": {
+ "dev.cosignproject.cosign/signature": "MEUCIDOQc6I4MSd4/s8Bc8S7LXHCOnm4MGimpQdeCInLzM0VAiEAhWWYxmwEmYrFJ8xYNE3ow7PS4zeGe1R4RUbXRIawKJ4=",
+ "dev.sigstore.cosign/bundle": "{\"SignedEntryTimestamp\":\"MEUCIC5DSFQx3nZhPFquF4NAdfetjqLR6qAa9i04cEtAg7VjAiEAzG2DUxqH+MdFSPih/EL/Vvsn3L1xCJUlOmRZeUYZaG0=\",\"Payload\":{\"body\":\"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\",\"integratedTime\":1712651102,\"logIndex\":84313668,\"logID\":\"c0d23d6ad406973f9559f3ba2d1ca01f84147d8ffc5b8445c224f98b9591801d\"}}"
+ }
+ }
+ ],
+ "subject": {
+ "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
+ "size": 2621,
+ "digest": "sha256:e50f88df1b11f94627e35bed9f34214392363508a2b07146d0a94516da97e4c0"
+ }
+}
+ */
 func SignatureMiddleware() func(http.Handler) http.Handler {
 return middleware.AfterResponse(func(w http.ResponseWriter, r *http.Request, statusCode int) error {
diff --git a/src/server/middleware/subject/subject.go b/src/server/middleware/subject/subject.go
index 4c1c47315..7995703e2 100644
--- a/src/server/middleware/subject/subject.go
+++ b/src/server/middleware/subject/subject.go
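Review bot: The new comment in cosign.go has typos and unclear wording (`indtead`, `cosign adopt oci-spec 1.1 will have request`) and does not state why the request bypasses this middleware: the OCI 1.1 push is a PUT by digest that names the signed image in `subject`, so it is not the tag-style reference that cosignRe presumably matches. Suggest replacing the three `//` lines with `// A cosign signature pushed per oci-spec 1.1 looks like the request below: the manifest is PUT by digest and names the signed image in "subject", so it does not match cosignRe and this middleware ignores it; the subject middleware records it instead.` The example could also be trimmed to the `config` and `subject` blocks, which are the parts the explanation relies on; the full Rekor bundle adds nothing for the reader. The body of SignatureMiddleware continues outside the hunk.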
@@ -39,6 +39,9 @@ var (
 // the media type of notation signature
 mediaTypeNotationLayer = "application/vnd.cncf.notary.signature"
+ // cosign media type in config layer, which would support in oci-spec1.1
+ mediaTypeCosignConfig = "application/vnd.dev.cosign.artifact.sig.v1+json"
+ // annotation of nydus image
 layerAnnotationNydusBootstrap = "containerd.io/snapshot/nydus-bootstrap"
@@ -152,6 +155,8 @@ func Middleware() func(http.Handler) http.Handler {
 }
 case mediaTypeNotationLayer:
 accData.Type = model.TypeNotationSignature
+ case mediaTypeCosignConfig:
+ accData.Type = model.TypeCosignSignature
 case mediaTypeHarborSBOM:
 accData.Type = model.TypeHarborSBOM
 }
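Review bot: The comment on the new mediaTypeCosignConfig constant is ungrammatical (`which would support in oci-spec1.1`) and does not say which descriptor of the manifest it is compared against. Suggest `// media type of the config descriptor of a cosign signature manifest pushed per oci-spec 1.1`. The var block continues outside the hunk.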
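Review bot: The new `case mediaTypeCosignConfig` in the Middleware switch classifies the accessory as a cosign signature from one client-declared media type alone, mirroring the notation case above it, and carries no comment saying so; a reader may otherwise look here for a check of the signature layer (`application/vnd.dev.cosign.simplesigning.v1+json` in the cosign.go example) that does not exist. Suggest `// cosign per oci-spec 1.1: identified by the referring manifest's config media type; the signature itself is not inspected here`. The switch expression and the rest of Middleware are outside the hunk, so whether the switch is over the config media type or another descriptor cannot be confirmed from the diff.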