Support OCI artifacts

[mtrmac]

This broadly follows the plan from #1408 (comment) :

• Reject image-specific operations (like inspect, image ID) on OCI artifacts
• Don’t change compression of artifact layers
• FIXME: Should we also reject encryption/decryption operations?

See the individual commits for details.

FIXME: At this point I’m rather unhappy about the CanChangeLayerCompression API. It’s good enough for internal use for now, exposing it in c/image/manifest is not great. OTOH I’d rather not spend time investigating the more general which-image-formats-can-support-which-compression-and-what-to-do-if-they-don’t problem space.

At this point absolutely untested apart from unit tests (which don’t cover most of the copy code); this will be the first run against Skopeo’s integration test and a real artifact.

See individual commit messages for details. Quite a lot of the refactoring could be split into a separate PR… if an existing OCI artifact didn’t break CI right now. Something to consider later.

[mtrmac]

Note to self: See whether this resolves all of #1150, #1370, #1408 .

[mtrmac]

Parts of this have now been split into #1576 and #1577.

[vrothberg]

LGTM, nice work

[vrothberg]

Note that it's non-trivial to figure out whether an image is an artifact or not. An artifact may have a custom config and/or custom layers.

[vrothberg]

Maybe we can help callers in figuring that out.

[mtrmac]

https://github.com/opencontainers/artifacts/blob/main/artifact-authors.md#visualizing-artifacts explicitly says that the config.mediaType is how they are supposed to be differentiated.

But then both the primary motivations for this work are not compliant: #1408 wants to use images with custom layers, and the https://github.com/sigstore/cosign/blob/main/specs/SIGNATURE_SPEC.md explicitly defines the signature to use an image MIME type.

In the cases where this PR adds this failure mode, we really care about the thing being an image (e.g. we inspect the config or even convert the config’s format). In cases of abuse of that MIME type, it seems … technically correct… to complain about an “invalid image” more than about an “unexpected artifact”.

But you’re completely right, in practice it might be much more practical to detect the major violators and provide good error messages for them. That’s actually a pretty good reason not to expose the mimeType value of the error (which I was quite on the fence about) until we can provide something useful to callers.

[mtrmac]

• Fixes squashfs: passthrough squashfs compressed layers #1408 : Layers in non-image OCI artifacts, and layers in images with unknown MIME types, are now never compressed or decompressed, and we don’t update their MIME types even if we detect a specific compression format.
• Fixes Generic OCI artifact transport? #1150: (Parts of that report are an artifact-like object with v2s2 schema, which is invalid.) Same as the above, the copy was failing on trying to compress the layers, and that’s now handled correctly.
• Support other OCI artifact types #1370 is unclear. (WRT the conversation in that issue, this PR correctly refuses conversions from OCI artifacts to other non-artifact image types, and fails on attempts to query image data on non-image artifacts.) But the original request was for oci/layout to somehow support directories where the top level is nether an OCI index nor an OCI manifest — those are not OCI artifacts and this PR doesn’t add support.

[mtrmac]

OK, I’m done with this.

One of the intermediate versions (motivating #1579 ) added a SourcedImage method to check whether the current manifest format supports the chosen compression algorithm. That’s incorrect, because we can convert v2s2 to OCI and compress using Zstd (not supported in v2s2) in one step, i.e. that depends on the destination manifest format, not on the source one. Extending the logic for that is certainly possible in principle (ideally already in determineManifestConversion?), but that’s really a different feature from “don’t break when syncing repos with OCI artifacts”, and a rather lower-priority one.

So, this PR does not handle that any more — and now we need only a single new SourcedImage method instead of three in the last prototype, which simpler and less baggage to carry around if we ended up needing a completely different design.

---

This also updates the CI image to a newer registry that can accept OCI artifacts, although we don’t currently test with any.

Then, containers/skopeo#1680 re-enables tests of syncing the repo with a Cosign signature; see that for at least a smoke test of this PR.

[mtrmac]

This also updates the CI image to a newer registry that can accept OCI artifacts, although we don’t currently test with any.

Oh, actually, that requires containers/skopeo#1679 . Dropping that commit again.

So I think the merging order should be:

• This PR, and Use an updated CI image with OCI-capable registry skopeo#1679 , in either order.
• After both are in, the revert part of Add OCI artifact support, test syncing Cosign signatures again skopeo#1680 .

[vrothberg]

LGTM

[mtrmac]

So I think the merging order should be:

• This PR, and Use an updated CI image with OCI-capable registry skopeo#1679 , in either order.

Here, c/image needs to switch to the updated CI image here as well, or c/image CI is going to break: #1581 .

• After both are in, the revert part of DO NOT MERGE: Add OCI artifact support, test syncing Cosign signatures again skopeo#1680 .