DNM: treat 403 as non-fatal when checking for manifests#2972
Closed
dmitris wants to merge 1 commit intosigstore:mainfrom
Closed
DNM: treat 403 as non-fatal when checking for manifests#2972dmitris wants to merge 1 commit intosigstore:mainfrom
dmitris wants to merge 1 commit intosigstore:mainfrom
Conversation
Codecov Report
@@ Coverage Diff @@
## main #2972 +/- ##
=======================================
Coverage 30.26% 30.27%
=======================================
Files 151 151
Lines 9469 9470 +1
=======================================
+ Hits 2866 2867 +1
Misses 6158 6158
Partials 445 445
|
dmitris
force-pushed
the
jfrog-403
branch
3 times, most recently
from
3ec2a44 to
040672d
Compare
Some Docker registries (ex.JFrog Artifactory) return 403 instead of 404 for a non-existent tag if that tag starts with 'sha256' - which results in a fatal error and inability to use `cosign sign`. This change treats 403 the same way as 404 to overcome this. It is similar and related to google/go-containerregistry#1691 "Make 403 non-fatal for manifest existence checks". Closes sigstore#2973. Signed-off-by: Dmitry S <[email protected]>
hectorj2f
approved these changes
May 15, 2023
dmitris
changed the title
Contributor
Author
|
done in #2990 |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Update
NB - please Do Not Merge = PR on-hold, likely will close once google/go-containerregistry#1701 is merged and released.
Summary
As described in #2973, some Docker registries (ex.JFrog Artifactory) return 403 instead of 404 for a non-existent tag if that tag starts with 'sha256' - which results in a fatal error and inability to use
cosign sign. This is a recent change - the breakage started after #2929 ("last known good" commit bdf1c76) and is related to or caused by upgrade of thegithub.com/google/go-containerregistrydependency.Details
This change treats 403 the same way as 404 to overcome this.
It is similar and related to
google/go-containerregistry#1691 "Make 403 non-fatal for manifest existence checks".
Testing
cosign signworks again with the JFrog Artifactory registryTODO / Followup
Release Note
Documentation
no changes