Multi-arch image vouching fails: failed to load manifest with status 404 Not Found
kimbilida opened this issue
Kim Bilida commented
I'm trying to vouch for a multi-arch image and getting this response:
failed to load manifest with status 404 Not Found:
"{"errors":[{
"code":"MANIFEST_UNKNOWN",
"message":"Manifest with digest 'sha256:XXX' has media type
'application/vnd.docker.distribution.manifest.list.v2+json',
but client accepts 'application/vnd.docker.distribution.manifest.v2+json,application/vnd.docker.distribution.manifest.v1+json,application/vnd.docker.distribution.manifest.v1+prettyjws'."}]}"
the request is:
http.post(
  'https://voucher.acme.com/diy',
  headers: {
    'Authorization' => "Basic #{basic_authentication}",
    'Content-Type' => 'application/json',
  },
  max_attempts: 4,
  body: {
    image_url: canonical_image_url,
  }.to_json
)
and the manifest is:
{
  "mediaType": "application/vnd.docker.distribution.manifest.list.v2+json",
  "schemaVersion": 2,
  "manifests": [
    {
      "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
      "digest": "sha256:1512682275109406d73565ec11b8bd3aeaf53bfac83e8e12202a3effd0ae8ea4",
      "size": 528,
      "platform": {
        "architecture": "arm",
        "os": "linux",
        "variant": "v7"
      }
    },
    {
      "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
      "digest": "sha256:f587207cab008ab273d77a3b1c9f9c983888fa659a46e1284c1984272e4dc208",
      "size": 528,
      "platform": {
        "architecture": "arm64",
        "os": "linux"
      }
    },
    {
      "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
      "digest": "sha256:fbb75455e35366f89fe310e88420a1a35a15ee54bc86aeef36fd561de68ce5ae",
      "size": 528,
      "platform": {
        "architecture": "amd64",
        "os": "linux"
      }
    }
  ]
}
Pete Wagner commented
In Shopify#4, I'm proposing a quick and naive solution: only vouch the linux/amd64 platform image.
This shouldn't be a surprise to users: image registries do the same thing when clients don't Accept: application/vnd.docker.distribution.manifest.list.v2+json
This issue should be closed by adding a foreach: iterate every manifest in the list and attest individually. As such, I won't send the above PR to this repo - but it's there if anyone else wants it.
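The per-manifest iteration suggested in the last comment, sketched from the client side as an added example (not code from Voucher or from either commenter): it expands a manifest list into one digest-pinned reference per platform, each pointing at a manifest of the `manifest.v2+json` type the error message says the client accepts. The function name, the repository name and the abridged sample list are assumptions made for the illustration.

```ruby
require 'json'

# Media type of the manifest list shown in the issue.
MANIFEST_LIST_TYPE = 'application/vnd.docker.distribution.manifest.list.v2+json'
DIGEST_RE = /\Asha256:[0-9a-f]{64}\z/

# Hypothetical helper: returns one { platform:, image_url: } hash per entry of
# a manifest list, with image_url pinned to that entry's digest.
def per_platform_refs(repository, manifest_json)
  doc = JSON.parse(manifest_json)
  unless doc['mediaType'] == MANIFEST_LIST_TYPE
    raise ArgumentError, "not a manifest list: #{doc['mediaType'].inspect}"
  end

  doc.fetch('manifests').map do |entry|
    digest = entry.fetch('digest')
    # Refuse anything that is not a well-formed sha256 digest, so a malformed
    # list cannot smuggle a tag or a path into the reference.
    raise ArgumentError, "malformed digest: #{digest.inspect}" unless DIGEST_RE.match?(digest)

    plat = entry.fetch('platform', {})
    name = [plat['os'], plat['architecture'], plat['variant']].compact.join('/')
    { platform: name, image_url: "#{repository}@#{digest}" }
  end
end

# Sample input: the manifest list from the issue, abridged to two entries.
SAMPLE_LIST = <<~JSON
  {"mediaType": "application/vnd.docker.distribution.manifest.list.v2+json",
   "schemaVersion": 2,
   "manifests": [
     {"mediaType": "application/vnd.docker.distribution.manifest.v2+json",
      "digest": "sha256:1512682275109406d73565ec11b8bd3aeaf53bfac83e8e12202a3effd0ae8ea4",
      "platform": {"architecture": "arm", "os": "linux", "variant": "v7"}},
     {"mediaType": "application/vnd.docker.distribution.manifest.v2+json",
      "digest": "sha256:fbb75455e35366f89fe310e88420a1a35a15ee54bc86aeef36fd561de68ce5ae",
      "platform": {"architecture": "amd64", "os": "linux"}}
   ]}
JSON

if __FILE__ == $PROGRAM_NAME
  # 'registry.example.com/acme/app' is a constructed repository name.
  per_platform_refs('registry.example.com/acme/app', SAMPLE_LIST).each do |ref|
    puts "#{ref[:platform]}: #{ref[:image_url]}"
  end
end
```

Each returned `image_url` can be sent as the `image_url` of its own request; an attestation made this way covers that platform digest only, not the digest of the list itself.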