You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
skopeo copy --all docker://$src@$digest docker://$dest@$digest does not set canModifyManifestList to false, so the copy will try to send a modified manifest to the registry.
This is easiest to reproduce by adding --format {oci,v2s2} (one of the values, to trigger conversion).
Typically, the registry rejects that with digest invalid or something similar, because the manifest list we send does not match the digest reference used for the upload, so, this does not fail silently; still, we should recognize this case and either fail explicitly, or (to be consistent with the single-image copy case) ignore the --format option and preserve the original manifest — probably some combination of both, e.g. with ImageListSelection: CopySpecificImages.
Separately, the code in copyOneImage for enforcing destination digest references handles corner cases badly:
skopeo copy --all docker://$src@$digest docker://$dest@$differentDigest actually fails when copying the first architecture-specific image, because the destination $differentDigest matches neither the architecture-specific image nor the $digest of the manifest list
skopeo copy docker://$src@$digest docker://$dest$digest on a multi-arch image (i.e. writing only the current-architecture image to the destination, not a manifest list, with $digest a digest of the manifest list) is accepted by that check, and only rejected by the registry with digest invalid later.
The text was updated successfully, but these errors were encountered:
skopeo copy --all docker://$src@$digest docker://$dest@$digest does not set canModifyManifestList to false, so the copy will try to send a modified manifest to the registry.
This is easiest to reproduce by adding --format {oci,v2s2} (one of the values, to trigger conversion).
skopeo copy --all docker://$src@$digest docker://$dest@$differentDigest actually fails when copying the first architecture-specific image, because the destination $differentDigest matches neither the architecture-specific image nor the $digest of the manifest list
This was fixed in #1413, $differentDigest must match the source image, or the copies immediately rejected.
skopeo copy docker://$src@$digest docker://$dest$digest on a multi-arch image (i.e. writing only the current-architecture image to the destination, not a manifest list, with $digest a digest of the manifest list) is accepted by that check, and only rejected by the registry with digest invalid later.
This is still outstanding, but directly changing that would probably break digested pulls to c/storage .
skopeo copy --all docker://$src@$digest docker://$dest@$digest
does not setcanModifyManifestList
tofalse
, so the copy will try to send a modified manifest to the registry.This is easiest to reproduce by adding
--format {oci,v2s2}
(one of the values, to trigger conversion).Typically, the registry rejects that with
digest invalid
or something similar, because the manifest list we send does not match the digest reference used for the upload, so, this does not fail silently; still, we should recognize this case and either fail explicitly, or (to be consistent with the single-image copy case) ignore the--format
option and preserve the original manifest — probably some combination of both, e.g. withImageListSelection: CopySpecificImages
.Separately, the code in
copyOneImage
for enforcing destination digest references handles corner cases badly:skopeo copy --all docker://$src@$digest docker://$dest@$differentDigest
actually fails when copying the first architecture-specific image, because the destination $differentDigest matches neither the architecture-specific image nor the $digest of the manifest listskopeo copy docker://$src@$digest docker://$dest$digest
on a multi-arch image (i.e. writing only the current-architecture image to the destination, not a manifest list, with $digest a digest of the manifest list) is accepted by that check, and only rejected by the registry withdigest invalid
later.The text was updated successfully, but these errors were encountered: