Hey Folks,
I am trying to understand if this library, when asked to grab an image by digest of its manifest/index in the following way:
would, even if the registry answering is malicious, properly check that:
The following piece of code makes me doubt:
go-containerregistry/pkg/v1/remote/fetcher.go
Lines 151 to 155 in 8dadbe7

```go
	// If we can parse the digest from the header, and it's a signed schema 1
	// manifest, let's use that for the digest to appease older registries.
	digest = contentDigest
}
```

It looks like answering a `DockerManifestSchema1Signed` could be abused by the remote repo to bypass the digest verification?
I might be missing something tho
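
The concern raised in this issue, as an added example that is not go-containerregistry code: a simplified, hypothetical check that lets a digest taken from the response header replace the computed one for signed schema 1 responses, beside a strict check that only hashes the bytes received. The function names and sample manifests are constructed for illustration, and the surrounding logic of `headerTrusting` is an assumption modeled on the comment in the snippet above.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Media type string behind types.DockerManifestSchema1Signed.
const schema1Signed = "application/vnd.docker.distribution.manifest.v1+prettyjws"

// bodyDigest returns the sha256 digest of the bytes actually received.
func bodyDigest(body []byte) string {
	sum := sha256.Sum256(body)
	return "sha256:" + hex.EncodeToString(sum[:])
}

// headerTrusting is a hypothetical, simplified model of the pattern in question:
// for signed schema 1, the digest that gets compared comes from the response
// header (Docker-Content-Digest), which the registry controls.
func headerTrusting(pinned, mediaType, headerDigest string, body []byte) error {
	digest := bodyDigest(body)
	if headerDigest != "" && mediaType == schema1Signed {
		digest = headerDigest // server-supplied value replaces the computed one
	}
	if digest != pinned {
		return errors.New("digest mismatch")
	}
	return nil
}

// strict ignores response headers: only the hash of the body counts.
// Trade-off: any manifest whose digest is not the sha256 of the raw body is rejected.
func strict(pinned string, body []byte) error {
	if got := bodyDigest(body); got != pinned {
		return fmt.Errorf("manifest digest mismatch: got %s, want %s", got, pinned)
	}
	return nil
}

func main() {
	good := []byte(`{"schemaVersion":2}`)        // constructed sample manifest
	other := []byte(`{"schemaVersion":1,"x":1}`) // constructed: different content
	pinned := bodyDigest(good)
	fmt.Println("header-trusting:", headerTrusting(pinned, schema1Signed, pinned, other))
	fmt.Println("strict:", strict(pinned, other))
}
```

In this model the header-trusting check accepts content that does not hash to the pinned digest whenever the response claims the signed schema 1 media type, while the strict check rejects it.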