From 6afb2f75c297178c3b8f5262b770b643cf66c25e Mon Sep 17 00:00:00 2001
From: git-hyagi <45576767+git-hyagi@users.noreply.github.com>
Date: Mon, 2 Sep 2024 10:56:05 -0300
Subject: [PATCH] Fix a sync filtered cosign without sigstore issue

fixes: #1759
---
 CHANGES/1759.bugfix | 2 ++
 pulp_container/app/tasks/sync_stages.py | 4 ++--
 2 files changed, 4 insertions(+), 2 deletions(-)
 create mode 100644 CHANGES/1759.bugfix
diff --git a/CHANGES/1759.bugfix b/CHANGES/1759.bugfix
new file mode 100644
index 000000000..33db8854b
--- /dev/null
+++ b/CHANGES/1759.bugfix
@@ -0,0 +1,2 @@
+Fixed an issue where trying to sync a filtered content with cosign signature, from a remote
+without sigstore, and defined as `signed_only: true` could fail sometimes.
diff --git a/pulp_container/app/tasks/sync_stages.py b/pulp_container/app/tasks/sync_stages.py
index 4660fea95..15ade2596 100644
--- a/pulp_container/app/tasks/sync_stages.py
+++ b/pulp_container/app/tasks/sync_stages.py
@@ -147,13 +147,14 @@ async def run(self):
 content_data, raw_text_data, response = await artifact
 digest = calculate_digest(raw_text_data)
+ tag_name = response.url.split("/")[-1]
 # Look for cosign signatures
 # cosign signature has a tag convention 'sha256-1234.sig'
 if self.signed_only and not signature_source:
 if (
 not (tag_name.endswith(".sig") and tag_name.startswith("sha256-"))
- and f"sha256-{digest}.sig" not in tag_list
+ and f"sha256-{digest.removeprefix('sha256:')}.sig" not in tag_list
 ):
 # skip this tag, there is no corresponding signature
 log.info(
@@ -168,7 +169,6 @@ async def run(self):
 media_type = determine_media_type(content_data, response)
 validate_manifest(content_data, media_type, digest)
- tag_name = response.url.split("/")[-1]
 tag_dc = DeclarativeContent(Tag(name=tag_name))
 if media_type in (MEDIA_TYPE.MANIFEST_LIST, MEDIA_TYPE.INDEX_OCI):
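Review bot: The rewritten membership test in the `signed_only` branch of the first `sync_stages.py` hunk hard-codes the algorithm twice, in the literal `sha256-` and in `removeprefix('sha256:')`, so a digest carrying any other prefix yields a name that can never be in `tag_list` and the tag is skipped with only the generic log line. Building the cosign tag name from the digest itself, `and f"{digest.replace(':', '-', 1)}.sig" not in tag_list`, keeps the comparison right for whatever `calculate_digest` returns; its output format is not visible here, so confirm it is always `<alg>:<hex>`. `str.removeprefix` also requires Python 3.9 or later, which should be checked against the plugin's supported versions. As far as the hunk shows, this branch enforces the signed-only policy purely by the presence of a matching `.sig` tag, and the diffstat lists no test, so a regression test for a filtered sync from a remote without sigstore would be worth adding. The body of `run` starts and ends outside the hunk.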