Skip to content

Keep manifest list digest in meta.json and use in cosa sign #4306

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Sep 10, 2025
Merged

Keep manifest list digest in meta.json and use in cosa sign #4306

merged 2 commits into from
Sep 10, 2025

Conversation

jlebon
Copy link
Member

@jlebon jlebon commented Sep 10, 2025

schema: also keep the manifest list digest in meta.json

Add a new manifest-list-digest to the OCI image objects we publish
in meta.json for our pushed images containing a backreference to
the digest of the manifest list. Otherwise, that digest is not really
captured anywhere in our metadata.

This could be used down the line to also add the manifest list digest
to release metadata, which would be more appropriate as the aggregation
point of metadata across all the arches. But the more immediate want for
it is for use in cosa sign.

cmd-sign: use manifest-list-digest in meta.json if available

Now that we put the manifest list digest in meta.json, we can just use
that and not have to pass it through awkwardly via another switch.

gemini-code-assist[bot]
gemini-code-assist bot reviewed Sep 10, 2025
View reviewed changes
Copy link
Contributor

@gemini-code-assist gemini-code-assist bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request introduces a good improvement by storing the manifest list digest in meta.json and using it in cosa sign. This simplifies the signing process by removing the need for an explicit command-line argument. The changes to the Go schema and Python scripts are logical and follow the stated goal.

I've found a few issues in src/cosalib/container_manifest.py related to temporary file handling and type hinting. Specifically, there's a resource leak where temporary files are not being cleaned up, and an invalid type hint is used. I've provided suggestions to fix these issues for improved robustness and correctness.

dustymabe
dustymabe reviewed Sep 10, 2025
View reviewed changes
src/cmd-sign
# For the manifest list digest, reuse the tags from the x86_64 build. As
# mentioned above, it's the same tags on all arches.
if args.manifest_list_digest:
if manifest_list_digest:
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm trying to come up with a situation where manifest_list_digest would ever be a false value here. Is the if condition needed or should this block just be unconditional?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is to be nice to older metadata that one wants to cosa sign.

dustymabe
dustymabe previously approved these changes Sep 10, 2025
View reviewed changes
@jlebon jlebon mentioned this pull request Sep 10, 2025
Merged
@jlebon
schema: also keep the manifest list digest in meta.json
fe430e2 
Add a new `manifest-list-digest` to the OCI image objects we publish
in `meta.json` for our pushed images containing a backreference to
the digest of the manifest list. Otherwise, that digest is not really
captured anywhere in our metadata.

This could be used down the line to also add the manifest list digest
to release metadata, which would be more appropriate as the aggregation
point of metadata across all the arches. But the more immediate want for
it is for use in `cosa sign`.
@jlebon
cmd-sign: use manifest-list-digest in meta.json if available
b88d821 
Now that we put the manifest list digest in `meta.json`, we can just use
that and not have to pass it through awkwardly via another switch.
@jlebon jlebon force-pushed the pr/manifest-list-digest branch from 0157ba9 to b88d821 Compare September 10, 2025 13:34
@jlebon
Copy link
Member Author

jlebon commented Sep 10, 2025

Updated for comments!

@dustymabe
Copy link
Member

Updated for comments!

wow. the new code looks much easier to follow!

dustymabe
dustymabe approved these changes Sep 10, 2025
View reviewed changes
Copy link
Member

@dustymabe dustymabe left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@jlebon jlebon merged commit c0d3310 into coreos:main Sep 10, 2025
3 of 6 checks passed
@jlebon jlebon deleted the pr/manifest-list-digest branch September 10, 2025 14:39
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@dustymabe dustymabe dustymabe approved these changes

+1 more reviewer

@gemini-code-assist gemini-code-assist[bot] gemini-code-assist[bot] left review comments

Reviewers whose approvals may not affect merge requirements
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@jlebon @dustymabe