sigstore / cosign

Code signing and transparency for containers and binaries


Registry Support

dlorenc opened this issue · comments

Our primary goal is broad registry support. Right now we're unsure of where we are:

  • GCR (tested, mostly works)
  • Google Artifact Registry (works)
  • Quay - works in latest version, not in hosted service yet
  • Dockerhub?
  • Azure Container Registry?
  • Amazon Container Registry?
  • Others?

We have some options we can try to increase support, but they're kind of ugly. I'd first like to understand how much support we have vs. how much we would gain by doing terrible things with media types.

cc @jonjohnsonjr @font
(slack here: https://github.com/google/go-containerregistry/blob/93228a70849651ba98cdee6f0654f623d7cdcbdb/pkg/v1/manifest.go#L27)

I just tested on DockerHub and things appear to work.

Azure support here: #61

Would be interested in any support for Harbor

@fubarhouse is there an easy way for me to try it out? It probably will "just work", but I'd need to check to be sure.

@dlorenc I might give it a try later - would be great if it would already be supported. I don't really know of any public registries I could test on...

should you do so, please open a separate issue so we can track, cheers

Any technical reasons why cosign would not work with JFrog's container registry?

Nope! The only registry we've tried that it hasn't worked on so far is Quay. It works on the newest versions, but not the one running in the hosted service so far.

BTW, if anyone has access to these repos and can provide test credentials I'd love to get some CI setup...

Feel free to email me privately and we can figure out a way to handle the credentials.

hey! I just tested JFrog's Artifactory registry with cosign (signing and signature verification) and it works without any issues! Thought you'd like to know :)

Just tested AWS Elastic Container Registry (ECR) and all seems fine there.

@rosstimson amazing! Do you want to send a PR to add it to the list here: https://github.com/sigstore/cosign#registry-support?

I'm happy to take it if you don't have the time :)

@dlorenc could you specify in since which quay version cosign is supported? Tried with a v3.3.0 installation and got this error:

MANIFEST_INVALID: manifest invalid; map[message:failed to parse manifest: manifest data does not match schema: u'application/vnd.dev.cosign.simplesigning.v1+json' is not one of ['application/vnd.docker.image.rootfs.diff.tar.gzip', 'application/vnd.docker.image.rootfs.foreign.diff.tar.gzip']
Failed validating 'enum' in schema['properties']['layers']['items']['properties']['mediaType']:
    {'description': 'The MIME type of the referenced object. This should generally be application/vnd.docker.image.rootfs.diff.tar.gzip. Layers of type application/vnd.docker.image.rootfs.foreign.diff.tar.gzip may be pulled from a remote location but they should never be pushed.',
     'enum': ['application/vnd.docker.image.rootfs.diff.tar.gzip',
              'application/vnd.docker.image.rootfs.foreign.diff.tar.gzip'],
     'type': 'string'}
On instance['layers'][0]['mediaType']:
    u'application/vnd.dev.cosign.simplesigning.v1+json']

cc @font who did the checking - I think he said 3.4 works?

Hm, we've upgraded a test environment to Quay 3.4.3 but still get this error:

MANIFEST_INVALID: manifest invalid; map[message:failed to parse manifest: manifest data does not match schema: 'application/vnd.dev.cosign.simplesigning.v1+json' is not one of ['application/vnd.docker.image.rootfs.diff.tar.gzip', 'application/vnd.docker.image.rootfs.foreign.diff.tar.gzip']

Failed validating 'enum' in schema['properties']['layers']['items']['properties']['mediaType']:
    {'description': 'The MIME type of the referenced object. This should '
                    'generally be '
                    'application/vnd.docker.image.rootfs.diff.tar.gzip. '
                    'Layers of type '
                    'application/vnd.docker.image.rootfs.foreign.diff.tar.gzip '
                    'may be pulled from a remote location but they should '
                    'never be pushed.',
     'enum': ['application/vnd.docker.image.rootfs.diff.tar.gzip',
              'application/vnd.docker.image.rootfs.foreign.diff.tar.gzip'],
     'type': 'string'}

On instance['layers'][0]['mediaType']:
    'application/vnd.dev.cosign.simplesigning.v1+json']

Could this be related to another issue? Will try to upgrade Quay 3.5.1 later.

EDIT: updated to 3.5.1, but we're still facing this issue
Quay Issue: https://issues.redhat.com/browse/PROJQUAY-1933

Probably need some adjustments here: https://github.com/quay/quay/tree/master/image/docker/schema2

Or I've missed a feature flag.

@spielkind @dlorenc Apologies for the delay! While Quay 3.4 added support for OCI Artifacts, it's only for pre-defined mime types. Quay will actually not support custom mime types until 3.6. Once 3.6 is available, quay.io support will follow. See https://issues.redhat.com/browse/PROJQUAY-1032 for more details.
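As an added illustration (not code from cosign or from the Quay project), the script below builds the signature image cosign pushes next to a signed image (tag sha256-<hex>.sig in the same repo, one layer of media type application/vnd.dev.cosign.simplesigning.v1+json, with the base64 signature in the dev.cosignproject.cosign/signature annotation) and then runs the same layer media-type allowlist check the pasted Quay error shows. That makes it concrete which part of a cosign push trips a registry that only validates layers against the Docker schema2 enum. The probe_registry helper, the '{}' config blob and the byte layout of the payload JSON are assumptions and simplifications; the probe needs a reachable registry with push credentials, everything else runs offline.

```python
import hashlib
import json
import urllib.error
import urllib.request

# Media type and annotation cosign uses for image signatures (the media type
# is the one named in the Quay error above).
COSIGN_SIG_MEDIA_TYPE = "application/vnd.dev.cosign.simplesigning.v1+json"
COSIGN_SIG_ANNOTATION = "dev.cosignproject.cosign/signature"
OCI_MANIFEST = "application/vnd.oci.image.manifest.v1+json"
OCI_CONFIG = "application/vnd.oci.image.config.v1+json"

# The layer allowlist from the pasted Quay error (Docker schema2 enum).
DOCKER_SCHEMA2_LAYER_TYPES = frozenset({
    "application/vnd.docker.image.rootfs.diff.tar.gzip",
    "application/vnd.docker.image.rootfs.foreign.diff.tar.gzip",
})


def sha256_digest(data: bytes) -> str:
    return "sha256:" + hashlib.sha256(data).hexdigest()


def signature_tag(image_digest: str) -> str:
    """cosign stores the signature at <repo>:<algo>-<hex>.sig in the same repo."""
    algo, hexdigest = image_digest.split(":", 1)
    return f"{algo}-{hexdigest}.sig"


def simple_signing_payload(image_ref: str, image_digest: str) -> bytes:
    """The simple-signing document cosign signs and stores as the layer blob.
    Key order and whitespace are our choice (assumption), not byte-identical to
    cosign's encoder; only self-consistency (digest == sha256 of what we push)
    matters for the registry probe."""
    payload = {
        "critical": {
            "identity": {"docker-reference": image_ref},
            "image": {"docker-manifest-digest": image_digest},
            "type": "cosign container image signature",
        },
        "optional": None,
    }
    return json.dumps(payload, separators=(",", ":"), sort_keys=True).encode()


def build_signature_manifest(image_ref: str, image_digest: str, signature_b64: str):
    """Return (tag, manifest, blobs) for a cosign-style signature image.
    The '{}' config is a simplification; cosign writes a fuller config file."""
    payload = simple_signing_payload(image_ref, image_digest)
    config = b"{}"
    manifest = {
        "schemaVersion": 2,
        "mediaType": OCI_MANIFEST,
        "config": {"mediaType": OCI_CONFIG, "size": len(config),
                   "digest": sha256_digest(config)},
        "layers": [{
            "mediaType": COSIGN_SIG_MEDIA_TYPE,  # the value Quay < 3.6 rejects
            "size": len(payload),
            "digest": sha256_digest(payload),
            "annotations": {COSIGN_SIG_ANNOTATION: signature_b64},
        }],
    }
    blobs = {sha256_digest(config): config, sha256_digest(payload): payload}
    return signature_tag(image_digest), manifest, blobs


def check_layer_media_types(manifest: dict, allowed):
    """Local stand-in for the registry-side enum check in the pasted error.
    Returns None when every layer media type is allowed, else a message."""
    for i, layer in enumerate(manifest["layers"]):
        mt = layer["mediaType"]
        if mt not in allowed:
            return f"MANIFEST_INVALID: layers[{i}].mediaType {mt!r} not in {sorted(allowed)}"
    return None


def probe_registry(base_url: str, repo: str, tag: str, manifest: dict, blobs: dict,
                   token=None):
    """Push the blobs (two-step upload) and then the manifest via the Distribution
    API. Returns (status, body) of the manifest PUT: 201 means the registry accepts
    cosign's layer media type; MANIFEST_INVALID in the body means it does not.
    Hypothetical helper, needs network access and push rights."""
    auth = {"Authorization": f"Bearer {token}"} if token else {}

    def send(req):
        try:
            with urllib.request.urlopen(req) as resp:
                return resp.status, resp.headers, resp.read()
        except urllib.error.HTTPError as e:
            return e.code, e.headers, e.read()

    for digest, data in blobs.items():
        status, hdrs, _ = send(urllib.request.Request(
            f"{base_url}/v2/{repo}/blobs/uploads/", data=b"", method="POST", headers=auth))
        if status != 202:
            return status, f"could not start upload for {digest}"
        loc = hdrs["Location"]
        if loc.startswith("/"):
            loc = base_url + loc
        loc += ("&" if "?" in loc else "?") + "digest=" + digest
        status, _, body = send(urllib.request.Request(
            loc, data=data, method="PUT",
            headers={**auth, "Content-Type": "application/octet-stream"}))
        if status != 201:
            return status, body.decode(errors="replace")
    status, _, body = send(urllib.request.Request(
        f"{base_url}/v2/{repo}/manifests/{tag}", data=json.dumps(manifest).encode(),
        method="PUT", headers={**auth, "Content-Type": OCI_MANIFEST}))
    return status, body.decode(errors="replace")
```

Run check_layer_media_types against the allowlist you expect a registry to enforce before touching it: with only the two Docker rootfs types allowed, cosign's signature manifest fails exactly as in the Quay 3.3/3.4.3/3.5.1 paste, and it passes once the cosign media type is added, which is the configuration change Quay 3.6 exposes. Against a live registry, a 201 on the manifest PUT means signatures will store; a 400 carrying MANIFEST_INVALID reproduces the failure from this thread.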

Hi, small correction here: Quay will support custom mime types in 3.6, not 4.6. We are also updating our default configurations in the documentation and the config-app to include the required mime type for cosign to work as of the 3.6 release.

@dmesser Thanks for the update!

Quay will support custom mime types in 3.6

This has been shipped as per https://cloud.redhat.com/blog/red-hat-quay-3.6-is-generally-available

Though, updates to quay.io would be pending for a while I guess.

I think GitHub Package registry should be included as well.

Given that the doc says it supports Docker Manifest V2 and OCI specs I would expect it to work.

That's already listed as "GitHub Container Registry"

I think that confusingly, GitHub Packages Container Registry might not be the same as GitHub Container Registry. We could list both. The docs seem to indicate there are two systems:

@sabre1041 - you know the roadmap here? Is there any way to introspect what version quay.io is?

I'm going to close this one - we have pretty good support now :)