From f5b63963beca6b735fa5db5dcfdca777d6e3e33a Mon Sep 17 00:00:00 2001 From: Alexei Dodon Date: Wed, 6 Sep 2023 19:58:00 +0300 Subject: [PATCH] refactor: Reduce binary size of zot-minimal; Added CI check for binary size (#1758) Signed-off-by: Alexei Dodon --- .github/workflows/branch-cov.yml | 8 +- .github/workflows/ci-cd.yml | 4 +- .github/workflows/golangci-lint.yaml | 1 - .github/workflows/tls.yaml | 11 +-- .github/workflows/zot-minimal-size.yml | 40 ++++++++++ go.mod | 3 +- go.sum | 2 - pkg/api/config/config.go | 17 +++- pkg/api/config/config_test.go | 16 ++++ pkg/cli/client.go | 3 +- pkg/common/common.go | 3 + pkg/common/common_test.go | 5 ++ pkg/debug/swagger/swagger_disabled.go | 2 - pkg/extensions/search/search_test.go | 84 ++++++++++---------- pkg/extensions/sync/references/references.go | 3 +- pkg/storage/common/common.go | 3 +- pkg/storage/storage.go | 9 +-- pkg/test/oci-layout/oci_layout.go | 3 +- 18 files changed, 134 insertions(+), 83 deletions(-) create mode 100644 .github/workflows/zot-minimal-size.yml diff --git a/.github/workflows/branch-cov.yml b/.github/workflows/branch-cov.yml index 7047578e..6f706e71 100644 --- a/.github/workflows/branch-cov.yml +++ b/.github/workflows/branch-cov.yml @@ -12,10 +12,6 @@ permissions: read-all jobs: branch-cov: runs-on: ubuntu-latest - strategy: - matrix: - os: [linux] - arch: [amd64] name: coverage steps: - uses: actions/checkout@v4 @@ -42,6 +38,4 @@ jobs: gobco -test '-tags=sync,search,scrub,metrics,containers_image_openpgp' $i; gobco -test '-tags=minimal,containers_image_openpgp' $i; done - env: - OS: ${{ matrix.os }} - ARCH: ${{ matrix.arch }} + diff --git a/.github/workflows/ci-cd.yml b/.github/workflows/ci-cd.yml index f48bce17..8f3545c0 100644 --- a/.github/workflows/ci-cd.yml +++ b/.github/workflows/ci-cd.yml 
@@ -113,10 +113,10 @@ jobs: echo "Building for $OS:$ARCH" cd $GITHUB_WORKSPACE if [[ $OS == "linux" && $ARCH == "amd64" ]]; then - make OS=$OS ARCH=$ARCH + make sudo env "PATH=$PATH" make privileged-test else - make OS=$OS ARCH=$ARCH binary binary-minimal binary-debug cli bench exporter-minimal + make binary binary-minimal binary-debug cli bench exporter-minimal fi env: S3MOCK_ENDPOINT: localhost:4566 diff --git a/.github/workflows/golangci-lint.yaml b/.github/workflows/golangci-lint.yaml index 91cf6967..add68051 100644 --- a/.github/workflows/golangci-lint.yaml +++ b/.github/workflows/golangci-lint.yaml @@ -4,7 +4,6 @@ on: tags: - v* branches: - - master - main pull_request: permissions: diff --git a/.github/workflows/tls.yaml b/.github/workflows/tls.yaml index 273dc9f3..478fa036 100644 --- a/.github/workflows/tls.yaml +++ b/.github/workflows/tls.yaml @@ -12,10 +12,6 @@ permissions: read-all jobs: tls-check: runs-on: ubuntu-latest - strategy: - matrix: - os: [linux] - arch: [amd64] name: TLS check steps: - uses: actions/checkout@v4 @@ -36,8 +32,8 @@ jobs: continue-on-error: true run: | cd $GITHUB_WORKSPACE - make OS=$OS ARCH=$ARCH binary - bin/zot-$OS-$ARCH serve examples/config-tls.json & + make binary + bin/zot-linux-amd64 serve examples/config-tls.json & sleep 5 curl -kv --tls-max 1.0 -0 https://localhost:8080/v2/ if [[ "$?" -eq 0 ]]; then echo "TLSv1.0 detected"; exit 1; fi @@ -45,6 +41,3 @@ jobs: if [[ "$?" -eq 0 ]]; then echo "TLSv1.1 detected"; exit 1; fi curl -kv --tls-max 1.2 -0 https://localhost:8080/v2/ if [[ "$?" -ne 0 ]]; then echo "TLSv1.2 missing"; exit 1; fi - env: - OS: ${{ matrix.os }} - ARCH: ${{ matrix.arch }} diff --git a/.github/workflows/zot-minimal-size.yml b/.github/workflows/zot-minimal-size.yml new file mode 100644 index 00000000..0c5ff892 --- /dev/null +++ b/.github/workflows/zot-minimal-size.yml 
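Review bot: In the tls.yaml hunk at `@@ -36,8 +32,8 @@`, the step that runs the three curl probes still carries `continue-on-error: true`, so an `exit 1` from "TLSv1.0 detected" or "TLSv1.2 missing" does not fail the job and a protocol regression would not block a merge. If the step runs under the runner's default `bash -e` shell, the first curl that is correctly refused probably ends the script before the later probes run; this is worth confirming. Testing the command directly, for example `if curl -kv --tls-max 1.0 -0 https://localhost:8080/v2/; then echo "TLSv1.0 detected"; exit 1; fi`, and dropping `continue-on-error` would make the check enforceable. The step's `- name:` line is outside the hunk.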
@@ -0,0 +1,40 @@ +name: "zot minimal binary size" +on: + pull_request: + branches: [main] + +permissions: read-all + +jobs: + zot-minimal-size: + runs-on: ubuntu-latest + name: compare-binary-size + steps: + - uses: actions/checkout@v3 + - uses: actions/setup-go@v4 + with: + cache: false + go-version: 1.20.x + - name: Check if zot-minimal binary increased with more than 1% + run: | + echo "Building zot-minimal and check size" + cd $GITHUB_WORKSPACE + make binary-minimal + BINSIZE=$(stat -c%s "bin/zot-linux-amd64-minimal") + + echo "Building zot-minimal on main branch and check size" + mkdir -p zot_main + git clone https://github.com/project-zot/zot zot_main/ + cd zot_main + make binary-minimal + BINSIZE_MAIN=$(stat -c%s "bin/zot-linux-amd64-minimal") + cd $GITHUB_WORKSPACE && rm -rf zot_main + + [[ $BINSIZE -gt $BINSIZE_MAIN ]] || exit 0 + echo "PR changes increased size of zot-minimal binary" + echo "PR binary size: $BINSIZE Bytes" + echo "main branch binary size: $BINSIZE_MAIN Bytes" + + PERCENTACE=$(echo "scale=2; (($BINSIZE-$BINSIZE_MAIN)*100)/$BINSIZE_MAIN" | bc) + if ((`bc <<< "$PERCENTACE>=1.0"`)); then echo "zot minimal binary increased by $PERCENTACE% comparing with main"; exit 1; fi + diff --git a/go.mod b/go.mod index 976b2da2..294764aa 100644 --- a/go.mod +++ b/go.mod @@ -15,7 +15,6 @@ require ( github.com/docker/distribution v2.8.2+incompatible github.com/dustin/go-humanize v1.0.1 github.com/fsnotify/fsnotify v1.6.0 - github.com/getlantern/deepcopy v0.0.0-20160317154340-7f45deb8130a github.com/go-ldap/ldap/v3 v3.4.5 github.com/gofrs/uuid v4.4.0+incompatible github.com/google/go-containerregistry v0.16.1 @@ -50,7 +49,6 @@ require ( github.com/aquasecurity/trivy v0.44.1 github.com/aws/aws-sdk-go-v2/service/dynamodb v1.21.5 github.com/containers/image/v5 v5.27.0 - github.com/gobwas/glob v0.2.3 github.com/google/go-github/v52 v52.0.0 github.com/gorilla/handlers v1.5.1 github.com/gorilla/securecookie v1.1.1 
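Review bot: The baseline in the new zot-minimal-size.yml workflow is built from a fresh `git clone https://github.com/project-zot/zot`, which is whatever the default branch's head is when the job runs rather than the commit the pull request is based on, so the 1% gate measures drift on main as well as the PR's own change. A second checkout of the base commit (`actions/checkout` with `ref: ${{ github.event.pull_request.base.sha }}` and `path: zot_main`) would pin the comparison and avoid the extra full-history clone. Both `actions/checkout@v3` and `actions/setup-go@v4` are referenced by mutable tag; pinning them to a commit SHA is the usual hardening for a workflow that builds PR code, and the other workflows in this patch already use `actions/checkout@v4`. `PERCENTACE` looks like a typo for `PERCENTAGE`.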
@@ -121,6 +119,7 @@ require ( github.com/go-gorp/gorp/v3 v3.0.5 // indirect github.com/go-jose/go-jose/v3 v3.0.0 // indirect github.com/go-logr/stdr v1.2.2 // indirect + github.com/gobwas/glob v0.2.3 // indirect github.com/google/gnostic v0.5.7-v3refs // indirect github.com/google/go-github/v53 v53.0.0 // indirect github.com/google/licenseclassifier/v2 v2.0.0 // indirect diff --git a/go.sum b/go.sum index deefcde4..191d2fc9 100644 --- a/go.sum +++ b/go.sum @@ -698,8 +698,6 @@ github.com/fsnotify/fsnotify v1.6.0/go.mod h1:sl3t1tCWJFWoRz9R8WJCbQihKKwmorjAbS github.com/fxamacker/cbor/v2 v2.4.0 h1:ri0ArlOR+5XunOP8CRUowT0pSJOwhW098ZCUyskZD88= github.com/gabriel-vasile/mimetype v1.4.2 h1:w5qFW6JKBz9Y393Y4q372O9A7cUSequkh1Q7OhCmWKU= github.com/gabriel-vasile/mimetype v1.4.2/go.mod h1:zApsH/mKG4w07erKIaJPFiX0Tsq9BFQgN3qGY5GnNgA= -github.com/getlantern/deepcopy v0.0.0-20160317154340-7f45deb8130a h1:yU/FENpkHYISWsQrbr3pcZOBj0EuRjPzNc1+dTCLu44= -github.com/getlantern/deepcopy v0.0.0-20160317154340-7f45deb8130a/go.mod h1:AEugkNu3BjBxyz958nJ5holD9PRjta6iprcoUauDbU4= github.com/ghodss/yaml v1.0.0 h1:wQHKEahhL6wmXdzwWG11gIVCkOv05bNOh+Rxn0yngAk= github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04= github.com/glebarez/go-sqlite v1.20.3 h1:89BkqGOXR9oRmG58ZrzgoY/Fhy5x0M+/WV48U5zVrZ4= diff --git a/pkg/api/config/config.go b/pkg/api/config/config.go index 920a2058..e7985884 100644 --- a/pkg/api/config/config.go +++ b/pkg/api/config/config.go @@ -1,10 +1,10 @@ package config import ( + "encoding/json" "os" "time" - "github.com/getlantern/deepcopy" distspec "github.com/opencontainers/distribution-spec/specs-go" extconf "zotregistry.io/zot/pkg/extensions/config" 
@@ -221,17 +221,28 @@ func SameFile(str1, str2 string) (bool, error) { return os.SameFile(sFile, tFile), nil } +func DeepCopy(src, dst interface{}) error { + bytes, err := json.Marshal(src) + if err != nil { + return err + } + err = json.Unmarshal(bytes, dst) + + return err +} + // Sanitize makes a sanitized copy of the config removing any secrets. func (c *Config) Sanitize() *Config { sanitizedConfig := &Config{} - if err := deepcopy.Copy(sanitizedConfig, c); err != nil { + + if err := DeepCopy(c, sanitizedConfig); err != nil { panic(err) } if c.HTTP.Auth != nil && c.HTTP.Auth.LDAP != nil && c.HTTP.Auth.LDAP.BindPassword != "" { sanitizedConfig.HTTP.Auth.LDAP = &LDAPConfig{} - if err := deepcopy.Copy(sanitizedConfig.HTTP.Auth.LDAP, c.HTTP.Auth.LDAP); err != nil { + if err := DeepCopy(c.HTTP.Auth.LDAP, sanitizedConfig.HTTP.Auth.LDAP); err != nil { panic(err) } diff --git a/pkg/api/config/config_test.go b/pkg/api/config/config_test.go index b40d14a2..9d23e0ce 100644 --- a/pkg/api/config/config_test.go +++ b/pkg/api/config/config_test.go @@ -65,4 +65,20 @@ func TestConfig(t *testing.T) { So(err, ShouldBeNil) So(isSame, ShouldBeTrue) }) + Convey("Test DeepCopy() & Sanitize()", t, func() { + conf := config.New() + So(conf, ShouldNotBeNil) + authConfig := &config.AuthConfig{LDAP: &config.LDAPConfig{BindPassword: "oina"}} + conf.HTTP.Auth = authConfig + So(func() { conf.Sanitize() }, ShouldNotPanic) + conf = conf.Sanitize() + So(conf.HTTP.Auth.LDAP.BindPassword, ShouldEqual, "******") + + // negative + obj := make(chan int) + err := config.DeepCopy(conf, obj) + So(err, ShouldNotBeNil) + err = config.DeepCopy(obj, conf) + So(err, ShouldNotBeNil) + }) } diff --git a/pkg/cli/client.go b/pkg/cli/client.go index 3acd546b..969d067a 100644 --- a/pkg/cli/client.go +++ b/pkg/cli/client.go 
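Review bot: The new exported `DeepCopy(src, dst interface{})` in config.go has no doc comment, and its argument order is the reverse of the `deepcopy.Copy(dst, src)` calls it replaces, which is easy to get wrong at future call sites. Because the copy is a JSON round trip, only exported fields that survive `encoding/json` are carried over: unexported fields and anything tagged `json:"-"` are silently left at their zero value in `dst`, and values JSON cannot encode (channels, funcs) return an error that `Sanitize` turns into a panic. I would add `// DeepCopy copies src into dst by marshalling to JSON and back; dst must be a non-nil pointer, and fields that encoding/json skips are not copied.` above the function. `Sanitize` continues past the end of the hunk, so which secrets besides the LDAP bind password are masked cannot be judged from here.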
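Review bot: The new Convey block in config_test.go reassigns `conf = conf.Sanitize()` before asserting, so it never checks that the original config still holds the real bind password; a `Sanitize` that masked the live config through a shared pointer would pass this test. Keeping the result separate, `sanitized := conf.Sanitize()`, and adding `So(conf.HTTP.Auth.LDAP.BindPassword, ShouldEqual, "oina")` next to the `"******"` assertion would pin the deep-copy property this refactor depends on.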
@@ -16,7 +16,6 @@ import ( "sync" "time" - notreg "github.com/notaryproject/notation-go/registry" ispec "github.com/opencontainers/image-spec/specs-go/v1" "github.com/sigstore/cosign/v2/pkg/oci/remote" @@ -482,7 +481,7 @@ func isNotationSigned(ctx context.Context, repo, digestStr string, searchConf se var referrers ispec.Index URL := fmt.Sprintf("%s/v2/%s/referrers/%s?artifactType=%s", - *searchConf.servURL, repo, digestStr, notreg.ArtifactTypeNotation) + *searchConf.servURL, repo, digestStr, common.ArtifactTypeNotation) _, err := makeGETRequest(ctx, URL, username, password, *searchConf.verifyTLS, *searchConf.debug, &referrers, searchConf.resultWriter) diff --git a/pkg/common/common.go b/pkg/common/common.go index 76635a4f..1aa354a4 100644 --- a/pkg/common/common.go +++ b/pkg/common/common.go @@ -23,6 +23,9 @@ const ( CosignSignature = "cosign" CosignSigKey = "dev.cosignproject.cosign/signature" NotationSignature = "notation" + // same value as github.com/notaryproject/notation-go/registry.ArtifactTypeNotation (assert by internal test). + // reason used: to reduce zot minimal binary size (otherwise adds oras.land/oras-go/v2 deps). + ArtifactTypeNotation = "application/vnd.cncf.notary.signature" ) func Contains[T comparable](elems []T, v T) bool { diff --git a/pkg/common/common_test.go b/pkg/common/common_test.go index 1df1dec9..dbe9102f 100644 --- a/pkg/common/common_test.go +++ b/pkg/common/common_test.go @@ -5,6 +5,7 @@ import ( "path" "testing" + notreg "github.com/notaryproject/notation-go/registry" . "github.com/smartystreets/goconvey/convey" "zotregistry.io/zot/pkg/api/config" @@ -56,4 +57,8 @@ func TestCommon(t *testing.T) { So(common.Index([]string{"a", "b"}, "b"), ShouldEqual, 1) So(common.Index([]string{"a", "b"}, "c"), ShouldEqual, -1) }) + + Convey("Test ArtifactTypeNotation const has same value as in notaryproject", t, func() { + So(common.ArtifactTypeNotation, ShouldEqual, notreg.ArtifactTypeNotation) + }) } 
diff --git a/pkg/debug/swagger/swagger_disabled.go b/pkg/debug/swagger/swagger_disabled.go index 36206a96..96612790 100644 --- a/pkg/debug/swagger/swagger_disabled.go +++ b/pkg/debug/swagger/swagger_disabled.go @@ -12,13 +12,11 @@ import ( "zotregistry.io/zot/pkg/api/config" "zotregistry.io/zot/pkg/log" - _ "zotregistry.io/zot/swagger" ) func SetupSwaggerRoutes(conf *config.Config, router *mux.Router, authFunc mux.MiddlewareFunc, log log.Logger, ) { - // swagger "/swagger/v2/index.html" log.Warn().Msg("skipping enabling swagger because given zot binary " + "doesn't include this feature, please build a binary that does so") } diff --git a/pkg/extensions/search/search_test.go b/pkg/extensions/search/search_test.go index f1feec88..2bdf1b3b 100644 --- a/pkg/extensions/search/search_test.go +++ b/pkg/extensions/search/search_test.go @@ -13,13 +13,13 @@ import ( "net/url" "os" "path" + "regexp" "strconv" "strings" "testing" "time" dbTypes "github.com/aquasecurity/trivy-db/pkg/types" - "github.com/gobwas/glob" regTypes "github.com/google/go-containerregistry/pkg/v1/types" notreg "github.com/notaryproject/notation-go/registry" godigest "github.com/opencontainers/go-digest" @@ -1245,9 +1245,9 @@ func TestExpandedRepoInfo(t *testing.T) { ExpandedRepoInfo(repo:"test1"){ Summary { Name LastUpdated Size - Platforms {Os Arch} + Platforms {Os Arch} Vendors - } + } Images { Tag Manifests { @@ -1341,7 +1341,7 @@ func TestExpandedRepoInfo(t *testing.T) { query := `{ ExpandedRepoInfo(repo:"zot-cve-test"){ Summary { - Name LastUpdated Size + Name LastUpdated Size } } }` @@ -1363,7 +1363,7 @@ func TestExpandedRepoInfo(t *testing.T) { Images { Tag Manifests { - Digest + Digest Layers {Size Digest} } IsSigned @@ -1437,7 +1437,7 @@ func TestExpandedRepoInfo(t *testing.T) { ExpandedRepoInfo(repo:"zot-test"){ Images { RepoName - Tag IsSigned + Tag IsSigned Manifests{ Digest Layers {Size Digest} 
@@ -1548,10 +1548,10 @@ func TestExpandedRepoInfo(t *testing.T) { { ExpandedRepoInfo(repo:"repo"){ Images { - RepoName - Tag + RepoName + Tag Manifests { - Digest + Digest Layers {Size Digest} } } @@ -1633,10 +1633,10 @@ func TestExpandedRepoInfo(t *testing.T) { { ExpandedRepoInfo(repo:"test-repo"){ Images { - RepoName - Tag + RepoName + Tag Manifests { - Digest + Digest Layers {Size Digest} } } @@ -1743,10 +1743,10 @@ func TestExpandedRepoInfo(t *testing.T) { { ExpandedRepoInfo(repo:"repo"){ Images { - RepoName - Tag + RepoName + Tag Manifests { - Digest + Digest Layers {Size Digest} } } @@ -3306,7 +3306,7 @@ func TestGlobalSearch(t *testing.T) { Images { RepoName Tag LastUpdated Size Manifests { - LastUpdated Size + LastUpdated Size Platform { Os Arch } History { Layer { Size Digest } @@ -3322,7 +3322,7 @@ func TestGlobalSearch(t *testing.T) { NewestImage { RepoName Tag LastUpdated Size Manifests { - LastUpdated Size + LastUpdated Size Platform { Os Arch } History { Layer { Size Digest } @@ -3535,7 +3535,7 @@ func TestGlobalSearch(t *testing.T) { Images { RepoName Tag LastUpdated Size Manifests { - LastUpdated Size + LastUpdated Size Platform { Os Arch } History { Layer { Size Digest } @@ -3551,7 +3551,7 @@ func TestGlobalSearch(t *testing.T) { NewestImage { RepoName Tag LastUpdated Size Manifests { - LastUpdated Size + LastUpdated Size Platform { Os Arch } History { Layer { Size Digest } @@ -3625,7 +3625,7 @@ func TestGlobalSearch(t *testing.T) { Images { RepoName Tag LastUpdated Size Manifests { - LastUpdated Size + LastUpdated Size Platform { Os Arch } History { Layer { Size Digest } @@ -3641,7 +3641,7 @@ func TestGlobalSearch(t *testing.T) { NewestImage { RepoName Tag LastUpdated Size Manifests { - LastUpdated Size + LastUpdated Size Platform { Os Arch } History { Layer { Size Digest } @@ -4335,7 +4335,7 @@ func TestMetaDBWhenSigningImages(t *testing.T) { Images { RepoName Tag LastUpdated Size IsSigned Manifests{ - LastUpdated Size + LastUpdated Size } } } 
@@ -5349,7 +5349,7 @@ func TestMetaDBWhenDeletingImages(t *testing.T) { RepoName Tag LastUpdated Size IsSigned Manifests{ Platform { Os Arch } - LastUpdated Size + LastUpdated Size } } } @@ -5399,7 +5399,7 @@ func TestMetaDBWhenDeletingImages(t *testing.T) { RepoName Tag LastUpdated Size IsSigned Manifests{ Platform { Os Arch } - LastUpdated Size + LastUpdated Size } } } @@ -5436,9 +5436,9 @@ func TestMetaDBWhenDeletingImages(t *testing.T) { for _, manifest := range indexContent.Manifests { tag := manifest.Annotations[ispec.AnnotationRefName] - cosignTagRule := glob.MustCompile("sha256-*.sig") + cosignTagRule := regexp.MustCompile(`sha256\-.+\.sig`) - if cosignTagRule.Match(tag) { + if cosignTagRule.MatchString(tag) { signatureTag = tag } } @@ -5472,10 +5472,10 @@ func TestMetaDBWhenDeletingImages(t *testing.T) { { GlobalSearch(query:"repo1:1.0.1"){ Images { - RepoName Tag LastUpdated Size IsSigned + RepoName Tag LastUpdated Size IsSigned Manifests{ Platform { Os Arch } - LastUpdated Size + LastUpdated Size } } } @@ -5786,15 +5786,15 @@ func TestSearchSize(t *testing.T) { query := ` { GlobalSearch(query:"testrepo:"){ - Images { + Images { RepoName Tag LastUpdated Size Vendor Manifests{ Platform { Os Arch } - LastUpdated Size + LastUpdated Size } } Repos { - Name LastUpdated Size + Name LastUpdated Size NewestImage { Manifests{ Platform { Os Arch } @@ -5823,15 +5823,15 @@ func TestSearchSize(t *testing.T) { query = ` { GlobalSearch(query:"testrepo"){ - Images { - RepoName Tag LastUpdated Size + Images { + RepoName Tag LastUpdated Size Manifests{ Platform { Os Arch } LastUpdated Size } } Repos { - Name LastUpdated Size + Name LastUpdated Size NewestImage { Manifests{ Platform { Os Arch } 
@@ -5869,19 +5869,19 @@ func TestSearchSize(t *testing.T) { query = ` { GlobalSearch(query:"testrepo:"){ - Images { - RepoName Tag LastUpdated Size + Images { + RepoName Tag LastUpdated Size Manifests{ Platform { Os Arch } - LastUpdated Size + LastUpdated Size } } Repos { - Name LastUpdated Size + Name LastUpdated Size NewestImage { Manifests{ Platform { Os Arch } - LastUpdated Size + LastUpdated Size } } } @@ -5905,14 +5905,14 @@ func TestSearchSize(t *testing.T) { { GlobalSearch(query:"testrepo"){ Images { - RepoName Tag LastUpdated Size + RepoName Tag LastUpdated Size Manifests{ Platform { Os Arch } LastUpdated Size - } + } } Repos { - Name LastUpdated Size + Name LastUpdated Size NewestImage { Manifests{ Platform { Os Arch } diff --git a/pkg/extensions/sync/references/references.go b/pkg/extensions/sync/references/references.go index 7dcee283..cd2b0171 100644 --- a/pkg/extensions/sync/references/references.go +++ b/pkg/extensions/sync/references/references.go @@ -9,7 +9,6 @@ import ( "fmt" "net/http" - notreg "github.com/notaryproject/notation-go/registry" godigest "github.com/opencontainers/go-digest" ispec "github.com/opencontainers/image-spec/specs-go/v1" artifactspec "github.com/oras-project/artifacts-spec/specs-go/v1" @@ -209,7 +208,7 @@ func getNotationManifestsFromOCIRefs(ociRefs ispec.Index) []ispec.Descriptor { notaryManifests := []ispec.Descriptor{} for _, ref := range ociRefs.Manifests { - if ref.ArtifactType == notreg.ArtifactTypeNotation { + if ref.ArtifactType == common.ArtifactTypeNotation { notaryManifests = append(notaryManifests, ref) } } diff --git a/pkg/storage/common/common.go b/pkg/storage/common/common.go index 1f819c63..84dd30b1 100644 --- a/pkg/storage/common/common.go +++ b/pkg/storage/common/common.go 
@@ -12,7 +12,6 @@ import ( "time" "github.com/docker/distribution/registry/storage/driver" - notreg "github.com/notaryproject/notation-go/registry" godigest "github.com/opencontainers/go-digest" "github.com/opencontainers/image-spec/schema" imeta "github.com/opencontainers/image-spec/specs-go" @@ -714,7 +713,7 @@ func IsSignature(descriptor ispec.Descriptor) bool { } // is notation signature - if descriptor.ArtifactType == notreg.ArtifactTypeNotation { + if descriptor.ArtifactType == zcommon.ArtifactTypeNotation { return true } default: diff --git a/pkg/storage/storage.go b/pkg/storage/storage.go index 4ecc7c09..408059da 100644 --- a/pkg/storage/storage.go +++ b/pkg/storage/storage.go @@ -3,11 +3,10 @@ package storage import ( "encoding/json" "fmt" + "regexp" "strings" "github.com/docker/distribution/registry/storage/driver/factory" - "github.com/gobwas/glob" - notreg "github.com/notaryproject/notation-go/registry" godigest "github.com/opencontainers/go-digest" ispec "github.com/opencontainers/image-spec/specs-go/v1" @@ -232,14 +231,14 @@ func CheckIsImageSignature(repoName string, manifestBlob []byte, reference strin manifestArtifactType := zcommon.GetManifestArtifactType(manifestContent) // check notation signature - if manifestArtifactType == notreg.ArtifactTypeNotation && manifestContent.Subject != nil { + if manifestArtifactType == zcommon.ArtifactTypeNotation && manifestContent.Subject != nil { return true, NotationType, manifestContent.Subject.Digest, nil } // check cosign - cosignTagRule := glob.MustCompile("sha256-*.sig") + cosignTagRule := regexp.MustCompile(`sha256\-.+\.sig`) - if tag := reference; cosignTagRule.Match(reference) { + if tag := reference; cosignTagRule.MatchString(reference) { prefixLen := len("sha256-") digestLen := 64 signedImageManifestDigestEncoded := tag[prefixLen : prefixLen+digestLen] diff --git a/pkg/test/oci-layout/oci_layout.go b/pkg/test/oci-layout/oci_layout.go index 31ec17a4..dd2dfcbc 100644 
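Review bot: In the storage.go hunk for `CheckIsImageSignature`, the replacement pattern `sha256\-.+\.sig` is unanchored and `MatchString` accepts a match anywhere in `reference`, whereas the glob it replaces had to match the whole tag, so a reference that merely contains such a substring is now treated as a cosign signature tag. The next line slices `tag[prefixLen : prefixLen+digestLen]` on the assumption that 64 characters follow a leading `sha256-`, which neither the old glob nor the new regex guarantees, so a short or prefixed reference can panic with a slice-bounds error or yield a bogus digest. Anchoring and sizing the pattern as `^sha256-[a-f0-9]{64}\.sig$`, and compiling it once at package scope instead of on every call, closes both gaps. The same unanchored pattern is introduced in the search_test.go hunk at `@@ -5436,9 +5436,9 @@`. The function body continues past the end of the hunk.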
--- a/pkg/test/oci-layout/oci_layout.go +++ b/pkg/test/oci-layout/oci_layout.go @@ -13,7 +13,6 @@ import ( "strings" "time" - notreg "github.com/notaryproject/notation-go/registry" godigest "github.com/opencontainers/go-digest" ispec "github.com/opencontainers/image-spec/specs-go/v1" @@ -233,7 +232,7 @@ func (olu BaseOciLayoutUtils) GetImageTagsWithTimestamp(repo string) ([]cvemodel // check notary signature corresponding to repo name, manifest digest and mediatype. func (olu BaseOciLayoutUtils) checkNotarySignature(name string, digest godigest.Digest) bool { imageStore := olu.StoreController.GetImageStore(name) - mediaType := notreg.ArtifactTypeNotation + mediaType := common.ArtifactTypeNotation referrers, err := imageStore.GetReferrers(name, digest, []string{mediaType}) if err != nil {