When a multi-arch index descriptor is provided to imgcrypt's CheckAuthorization func (e.g. via image.Target()), the library iterates over the manifests it refers to with the cryptoOpUnwrapOnly option set to true, to perform a check only. This causes the loop to stop on the first manifest in the collection, because the condition here always evaluates to true regardless of any error. Additionally, if reading any of the referred manifest's children returns an error for which errdefs.IsNotFound(err) is true, the loop exits with a nil error, so the authorization check passes incorrectly.
For example, consider the case where the loop checks the first manifest in the collection (e.g. for amd64) on an arm/arm64 machine: the children of this manifest are not found, since this is not the target platform and they are not pulled, so the authorization check passes incorrectly. This issue is rarely reproducible on an amd64 machine, because the amd64 manifest is usually the first one in the index descriptor.
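The failure mode described above, reduced to a self-contained Go model (an added example, not imgcrypt's code). The names manifest, checkManifest, flawedCheck and strictCheck are hypothetical, and strictCheck is one assumed fail-closed variant, not the project's actual fix.

```go
package main

import "errors"
import "fmt"

// Constructed stand-ins for this example, not imgcrypt or containerd identifiers.
var errNotFound = errors.New("content not found") // role of errdefs.IsNotFound
var errNoKey = errors.New("no key unwraps the layer keys")
type manifest struct {
	platform          string
	pulled, canUnwrap bool // children in local store; key unwraps layer keys
}

// checkManifest models the unwrap-only check of one manifest's children.
func checkManifest(m manifest) error {
	if !m.pulled {
		return errNotFound
	}
	if !m.canUnwrap {
		return errNoKey
	}
	return nil
}

// flawedCheck models the loop described above.
func flawedCheck(index []manifest) error {
	for _, m := range index {
		err := checkManifest(m)
		if errors.Is(err, errNotFound) {
			return nil // missing children are treated as success
		}
		return err // unwrap-only: returns after the first manifest
	}
	return nil
}

// strictCheck checks the host platform's manifest and fails closed.
func strictCheck(index []manifest, host string) error {
	for _, m := range index {
		if m.platform == host {
			return checkManifest(m) // not-found is a denial, not a pass
		}
	}
	return fmt.Errorf("no manifest for platform %q", host)
}
func main() {
	idx := []manifest{{"amd64", false, false}, {"arm64", true, false}} // constructed index
	fmt.Println("flawed:", flawedCheck(idx), "| strict:", strictCheck(idx, "arm64"))
}
```

On the constructed arm64 case, the flawed loop returns nil even though the caller holds no usable key, while the strict variant returns the key error.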