skopeo fails to copy with signature COSIGN_DOCKER_MEDIA_TYPES=1 #2599

Open
mesaglio opened this issue May 10, 2025 · 3 comments
Labels
kind/feature A request for, or a PR adding, new functionality

Comments

@mesaglio

Description

When attempting to copy a Docker image along with its signature between registries using skopeo, the operation fails if the signature was created with cosign while the COSIGN_DOCKER_MEDIA_TYPES=1 environment variable was set.

Steps to Reproduce

echo "FROM alpine" > Dockerfile
docker build -t ttl.sh/juani/skope-issue:latest .
docker push ttl.sh/juani/skope-issue:latest
cosign generate-key-pair
COSIGN_DOCKER_MEDIA_TYPES=1 cosign sign --key cosign.key --tlog-upload=false ttl.sh/juani/skope-issue:latest
mkdir -p /etc/containers/registries.d
echo "docker:
    ttl.sh:
        use-sigstore-attachments: true" > /etc/containers/registries.d/ttl.yaml
skopeo --insecure-policy copy "docker://ttl.sh/juani/skope-issue:latest" "docker://ttl.sh/juani/skope-issue-2:latest"

Error Message

reading signatures: unexpected MIME type for sigstore attachment manifest 
ttl.sh/juani-test:sha256-334de4f644f4ee219359f27ca2989a78434d75711790215294839b1c71e720d0.sig: 
"application/vnd.docker.distribution.manifest.v2+json

Expected Behavior

Skopeo should successfully copy both the image and its signature to the target registry.

Actual Behavior

Skopeo fails with an error about unexpected MIME type for the signature manifest.

Environment

  • Cosign version: v2.5.0
  • Skopeo version: 1.18.0
  • OS: linux

Additional Information

The COSIGN_DOCKER_MEDIA_TYPES=1 environment variable causes Cosign to use application/vnd.docker.distribution.manifest.v2+json as the mediaType for the signature manifest, which Skopeo apparently doesn't expect or can't handle.

Proposed Fix

In docker_client.go, around line 1024, modify the condition to accept both manifest types:

if mimeType != imgspecv1.MediaTypeImageManifest && mimeType != manifest.DockerV2Schema2MediaType

If you agree with this, I can collaborate with the PR to image.

@mtrmac
Contributor

mtrmac commented May 12, 2025

Thanks for your report.

This is tracked in containers/image#2058, and doing it correctly would be rather more work — if it is even possible to do this “correctly”, when Docker schema2 outright does not have the annotation field (to the extent past practice and https://distribution.github.io/distribution/spec/manifest-v2-2/ is authoritative). Compare containers/image#2734.

@mtrmac mtrmac added the kind/feature A request for, or a PR adding, new functionality label May 12, 2025
@mesaglio
Author

Do you know if containers/image#2734 is still in development? If not, could I resume it?

@mtrmac
Contributor

mtrmac commented May 13, 2025

I haven’t seen anything about that work, other than that PR.
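
A pre-flight check for the condition discussed in this thread, as an added example that is not part of the issue and is not skopeo or containers/image code: it classifies a raw `.sig` manifest by the `mediaType` field in its body and counts layers carrying cosign's `dev.cosignproject.cosign/signature` annotation. The manifests are constructed samples; that a Docker-typed signature manifest still carries the annotation is an assumption of the sample, and the type, function and verdict names are hypothetical.

```go
package main

import (
	"encoding/json"
	"fmt"
)

const (
	ociManifestType = "application/vnd.oci.image.manifest.v1+json"
	dockerV2S2Type  = "application/vnd.docker.distribution.manifest.v2+json"
	cosignSigKey    = "dev.cosignproject.cosign/signature" // cosign's per-layer signature annotation
	// Constructed sample manifests; the signature value is a placeholder.
	sampleLayers = `"layers":[{"mediaType":"application/vnd.dev.cosign.simplesigning.v1+json","annotations":{"` + cosignSigKey + `":"PLACEHOLDER-SIGNATURE"}}]`
	sampleOCI    = `{"schemaVersion":2,"mediaType":"` + ociManifestType + `",` + sampleLayers + `}`
	sampleDocker = `{"schemaVersion":2,"mediaType":"` + dockerV2S2Type + `",` + sampleLayers + `}`
)

// sigManifest holds only the fields this check needs (hypothetical type).
type sigManifest struct {
	MediaType string `json:"mediaType"`
	Layers    []struct {
		Annotations map[string]string `json:"annotations"`
	} `json:"layers"`
}

// classifySigManifest (hypothetical helper) returns a verdict for the manifest's
// media type and the number of layers that carry a cosign signature annotation.
func classifySigManifest(raw []byte) (verdict string, signed int, err error) {
	var m sigManifest
	if err = json.Unmarshal(raw, &m); err != nil {
		return "", 0, fmt.Errorf("parsing manifest: %w", err)
	}
	for _, l := range m.Layers {
		if l.Annotations[cosignSigKey] != "" {
			signed++
		}
	}
	switch {
	case m.MediaType == dockerV2S2Type: // the type named in the error message above
		return "docker-schema2-rejected", signed, nil
	case m.MediaType != ociManifestType:
		return "unknown-media-type", signed, nil
	}
	return "oci-ok", signed, nil
}

func main() {
	for _, s := range []string{sampleOCI, sampleDocker} {
		fmt.Println(classifySigManifest([]byte(s)))
	}
}
```
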
