
Commit dded690

committed
Improve sigstore tag validation with strings.CutSuffix
Refactor `digestPart` validation by replacing `Validate` with `Parse` for clarity and correctness. Use signDesc MediaType to validate the signature MIME type. Signed-off-by: Ayato Tokubi <[email protected]>
1 parent ffcc126 commit dded690


1 file changed

+9
-8
lines changed


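--- a/image/oci/layout/oci_transport.go
+++ b/image/oci/layout/oci_transport.go
@@ -354,6 +354,10 @@ func (ref ociReference) getSigstoreAttachmentManifest(d digest.Digest, idx *imgs
 // No signature found
 return nil, nil
 }
+if signDesc.MediaType != imgspecv1.MediaTypeImageManifest {
+return nil, fmt.Errorf("unexpected MIME type for sigstore attachment manifest %s: %q",
+signTag, signDesc.MediaType)
+}
 blobReader, _, err := ref.getBlob(signDesc.Digest, sharedBlobDir)
 if err != nil {
 return nil, fmt.Errorf("failed to get Blob %s: %w", signTag, err)
@@ -363,11 +367,6 @@ func (ref ociReference) getSigstoreAttachmentManifest(d digest.Digest, idx *imgs
 if err != nil {
 return nil, fmt.Errorf("failed to read blob: %w", err)
 }
-mimeType := manifest.GuessMIMEType(signBlob)
-if mimeType != imgspecv1.MediaTypeImageManifest {
-return nil, fmt.Errorf("unexpected MIME type for sigstore attachment manifest %s: %q",
-signTag, mimeType)
-}
 res, err := manifest.OCI1FromManifest(signBlob)
 if err != nil {
 return nil, fmt.Errorf("parsing manifest %s: %w", signDesc.Digest, err)
@@ -387,6 +386,7 @@ func (ref ociReference) getBlob(d digest.Digest, sharedBlobDir string) (io.ReadC
 }
 fi, err := r.Stat()
 if err != nil {
+_ = r.Close() // Avoid leak r.
 return nil, 0, err
 }
 return r, fi.Size(), nil
@@ -419,10 +419,11 @@ func (ref ociReference) getOCIDescriptorContents(desc imgspecv1.Descriptor, maxS
 
 // isSigstoreTag returns true if the tag is sigstore signature tag.
 func isSigstoreTag(tag string) bool {
-if !strings.HasSuffix(tag, ".sig") {
+digestPart, found := strings.CutSuffix(tag, ".sig")
+if !found {
 return false
 }
-digestPart := strings.TrimSuffix(tag, ".sig")
 digestPart = strings.Replace(digestPart, "-", ":", 1)
-return digest.Digest(digestPart).Validate() == nil
+_, err := digest.Parse(digestPart)
+return err == nil
 }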
