Use OCI Image Manifest v1

Signed-off-by: Jake Sanders <jsand@google.com>
sigstore · May 4, 2021 · 254fe7f · 254fe7f
1 parent c6163b7
commit 254fe7f
Show file tree

Hide file tree

Showing 3 changed files with 27 additions and 10 deletions.
diff --git a/SPEC.md b/SPEC.md
@@ -156,11 +156,12 @@ Implementations MAY store signatures objects in the same OCI repository as the t
 This section describes the way the properties from above are embedded into OCI objects that can be stored in a registry.
 Implementations MUST support storing signatures in at least the following object types:
 
-* [Image Manifest V2 Schema 2](https://docs.docker.com/registry/spec/manifest-v2-2/)
+* [OCI Image Manifest V1](#oci-image-manifest-v1)
 
-#### Image Manifest V2 Schema 2
+#### OCI Image Manifest V1
 
-This section describes the way the mandatory and optional signature properties are embedded into an Image Manifest V2 Schema 2 object.
+This section describes the way the mandatory and optional signature properties are embedded into an
+[OCI Image Manifest V1](https://github.com/opencontainers/image-spec/blob/master/manifest.md) object.
 
 Only one image manifest is created for every signed object.
 Multiple signatures can be embedded in one image manifest.
@@ -177,8 +178,8 @@ Example `payload`:
 ```
 {
   "schemaVersion": 2,
-  "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
   "config": {
+    "mediaType": "application/vnd.oci.image.config.v1+json",
     <omitted for brevity>
   },
   "layers": [

diff --git a/pkg/cosign/remote.go b/pkg/cosign/remote.go
@@ -52,15 +52,23 @@ func Descriptors(ref name.Reference) ([]v1.Descriptor, error) {
 	return m.Layers, nil
 }
 
-// SignatureImage
+// SignatureImage returns the existing destination image, or a new, empty one.
 func SignatureImage(dstTag name.Reference, opts ...remote.Option) (v1.Image, error) {
 	base, err := remote.Image(dstTag, opts...)
 	if err != nil {
 		if te, ok := err.(*transport.Error); ok {
 			if te.StatusCode != http.StatusNotFound {
 				return nil, te
 			}
-			base = empty.Image
+			if !LegacyMediaType() {
+				base = mutate.MediaType(empty.Image, types.OCIManifestSchema1)
+				m, err := base.Manifest()
+				if err != nil {
+					// should never happen...?
+					return nil, err
+				}
+				m.Config.MediaType = types.OCIConfigJSON
+			}
 		} else {
 			return nil, err
 		}

diff --git a/pkg/cosign/upload.go b/pkg/cosign/upload.go
@@ -34,10 +34,11 @@ import (
 )
 
 const (
-	ExperimentalEnv = "COSIGN_EXPERIMENTAL"
-	repoEnv         = "COSIGN_REPOSITORY"
-	ServerEnv       = "REKOR_SERVER"
-	rekorServer     = "https://api.rekor.dev"
+	ExperimentalEnv    = "COSIGN_EXPERIMENTAL"
+	repoEnv            = "COSIGN_REPOSITORY"
+	LegacyMediaTypeEnv = "COSIGN_LEGACY_MEDIA_TYPE"
+	ServerEnv          = "REKOR_SERVER"
+	rekorServer        = "https://api.rekor.dev"
 )
 
 func Experimental() bool {
@@ -47,6 +48,13 @@ func Experimental() bool {
 	return false
 }
 
+func LegacyMediaType() bool {
+	if b, err := strconv.ParseBool(os.Getenv(LegacyMediaTypeEnv)); err == nil {
+		return b
+	}
+	return false
+}
+
 func DestinationRef(ref name.Reference, img *remote.Descriptor) (name.Reference, error) {
 	dstTag := ref.Context().Tag(Munge(img.Descriptor))
 	wantRepo := os.Getenv(repoEnv)