Skip to content

image: move image source resolver away from old interface #6330

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 3 commits into from
Nov 5, 2025
Merged

image: move image source resolver away from old interface #6330

merged 3 commits into from
Nov 5, 2025

Conversation

@tonistiigi
Copy link
Member

@tonistiigi tonistiigi commented Nov 5, 2025
edited
Loading

ResolveImageConfig was changed to ResolveSourceMetadata long time
ago for cross-source implementation but the worker implementation
was still using old method name with conversions.

Additionally, move Platform from main Opt struct to ImageOpt and OCIOpt structures as it is only meaningful for these types and keeping them in main struct would mean whole struct needs to be passed to the underlying source implementation.

@tonistiigi tonistiigi force-pushed the image-source-metadata branch 4 times, most recently from 320bc6b to 15cdfac Compare November 5, 2025 17:52
@tonistiigi tonistiigi added this to the v0.26.0 milestone Nov 5, 2025
@tonistiigi
Copy link
Member Author

tonistiigi commented Nov 5, 2025

Added support for resolving attestationchain into the same PR as it already leaked to the previous commit. In extra commit, I removed reporting the bytes for image manifest. It is a bit inconsistent like this as other blobs report their content, but image manifest data is not really needed to verify the signed attestation chain.

@tonistiigi tonistiigi requested a review from crazy-max November 5, 2025 18:11
@tonistiigi tonistiigi marked this pull request as ready for review November 5, 2025 18:11
crazy-max
crazy-max approved these changes Nov 5, 2025
View reviewed changes
@tonistiigi
image: move image source resolver away from old interface
b1118d8 
ResolveImageConfig was changed to ResolveSourceMetadata long time
ago for cross-source implementation but the worker implementation
was still using old method name with conversions.

Signed-off-by: Tonis Tiigi <[email protected]>
@tonistiigi
image: add attestationchain resolving to resolvesourcemeta
a13afb5 
Attestation chain can be used by the client to verify
signature identity of the image.

Signed-off-by: Tonis Tiigi <[email protected]>
@tonistiigi
image: remove image manifest content from attestation chain
2fc7854 
Image manifest content is not needed for signature verification as
the verification is against the top index root. Still report
image manifest digest for more info about the reported attestation
subject but clients need to re-resolve it from the root manifest
for signature verification.

Signed-off-by: Tonis Tiigi <[email protected]>
@tonistiigi tonistiigi force-pushed the image-source-metadata branch from bb22687 to 2fc7854 Compare November 5, 2025 22:16
@tonistiigi tonistiigi merged commit 4ab3e37 into moby:master Nov 5, 2025
122 of 131 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@crazy-max crazy-max crazy-max approved these changes

Assignees

@tonistiigi tonistiigi

Labels

area/client area/dependencies Pull requests that update a dependency file area/dockerfile area/frontend area/llb area/solver area/source area/testing area/util area/worker

Projects

None yet

Milestone

v0.26.0

Development

Successfully merging this pull request may close these issues.

2 participants

@tonistiigi @crazy-max