fix: add --oci-layout flag for ocm download resource

<!-- markdownlint-disable MD041 -->
This change adds an optional --oci-layout flag to the
`ocm download artifacts` command to store blobs at
blobs/<algorithm>/<encoded> per OCI Image Layout Specification
instead of the default blobs/<algorithm>.<encoded> format.

This enables compatibility with tools that expect OCI-compliant
blob paths.

<!--
Usage: `Fixes #<issue number>`, or `Fixes (paste link of issue)`.
-->
Fixes #1668

Signed-off-by: Piotr Janik <piotr.janik@sap.com>

Author: piotrjanik

api/oci/extensions/repositories/artifactset/ctf_roundtrip_test.go

@@ -0,0 +1,192 @@
+//go:build integration
+
+package artifactset_test
+
+import (
+	"bytes"
+	"context"
+	"fmt"
+	"os"
+	"path/filepath"
+
+	. "github.com/onsi/ginkgo/v2"
+	. "github.com/onsi/gomega"
+
+	"github.com/mandelsoft/vfs/pkg/osfs"
+	"oras.land/oras-go/v2/content/oci"
+
+	envhelper "ocm.software/ocm/api/helper/env"
+	. "ocm.software/ocm/cmds/ocm/testhelper"
+)
+
+const (
+	componentName    = "example.com/hello"
+	componentVersion = "1.0.0"
+	resourceName     = "hello-image"
+	resourceVersion  = "1.0.0"
+	imageReference   = "hello-world:linux"
+)
+
+// This test verifies the CTF-based workflow with --oci-layout flag:
+//  1. Create a CTF archive with an OCI image resource
+//  2. Transfer CTF to new CTF with --copy-resources
+//  3. Verify components and resources in target CTF
+//  4. Download resource with --oci-layout flag:
+//     - Creates OCI Image Layout directory (index.json, oci-layout, blobs/sha256/...)
+//     - Verifies layout structure is OCI-compliant
+//     - Resolves artifact by resource version using ORAS
+//  5. Download resource without --oci-layout:
+//     - Creates OCM artifact set format (not OCI-compliant)
+//     - Verifies layout structure check fails
+var _ = Describe("CTF to CTF-with-resource to OCI roundtrip", Ordered, func() {
+	var (
+		tempDir         string
+		sourceCTF       string
+		targetCTF       string
+		resourcesOciDir string
+		resourcesOcmDir string
+		env             *TestEnv
+	)
+
+	BeforeAll(func() {
+
+		var err error
+		tempDir, err = os.MkdirTemp("", "ocm-ctf-oci-layout-*")
+		Expect(err).To(Succeed())
+
+		env = NewTestEnv(envhelper.FileSystem(osfs.New()))
+	})
+
+	AfterAll(func() {
+		if env != nil {
+			env.Cleanup()
+		}
+	})
+
+	It("creates CTF using stable OCM release", func() {
+		sourceCTF = filepath.Join(tempDir, "ctf-source")
+		constructorFile := filepath.Join(tempDir, "component-constructor.yaml")
+		constructorContent := `components:
+  - name: ` + componentName + `
+    version: ` + componentVersion + `
+    provider:
+      name: example.com
+    resources:
+      - name: ` + resourceName + `
+        type: ociImage
+        version: ` + resourceVersion + `
+        relation: external
+        access:
+          type: ociArtifact
+          imageReference: ` + imageReference + `
+`
+		err := os.WriteFile(constructorFile, []byte(constructorContent), 0644)
+		Expect(err).To(Succeed(), "MUST create constructor file")
+
+		// Create CTF directory
+		err = os.MkdirAll(sourceCTF, 0755)
+		Expect(err).To(Succeed(), "MUST create CTF directory")
+
+		// Use the current OCM version to create the CTF
+		GinkgoWriter.Printf("Creating CTF using current OCM version\n")
+
+		buf := bytes.NewBuffer(nil)
+		err = env.CatchOutput(buf).Execute(
+			"add", "componentversions",
+			"--create",
+			"--file", sourceCTF,
+			constructorFile,
+		)
+		GinkgoWriter.Printf("OCM output: %s\n", buf.String())
+		Expect(err).To(Succeed(), "OCM MUST create CTF: %s", buf.String())
+	})
+
+	It("transfers CTF to new CTF with --copy-resources", func() {
+		targetCTF = filepath.Join(tempDir, "ctf-target")
+		buf := bytes.NewBuffer(nil)
+		GinkgoWriter.Printf(" #### transfer componentversions " + sourceCTF + " " + targetCTF + "--copy-resources")
+		Expect(env.CatchOutput(buf).Execute(
+			"transfer", "componentversions", sourceCTF, targetCTF, "--copy-resources")).To(Succeed())
+		GinkgoWriter.Printf("Transfer output: %s\n", buf.String())
+	})
+
+	It("verifies components and resources in target CTF", func() {
+		buf := bytes.NewBuffer(nil)
+		Expect(env.CatchOutput(buf).Execute("get", "componentversions", targetCTF)).To(Succeed())
+		GinkgoWriter.Printf("Components: %s\n", buf.String())
+		Expect(buf.String()).To(ContainSubstring(componentName))
+
+		// List resources
+		buf.Reset()
+		Expect(env.CatchOutput(buf).Execute(
+			"get", "resources",
+			targetCTF+"//"+componentName+":"+componentVersion,
+		)).To(Succeed())
+		GinkgoWriter.Printf("Resources: %s\n", buf.String())
+		Expect(buf.String()).To(ContainSubstring(resourceName))
+	})
+
+	It("downloads resource from target CTF with --oci-layout", func() {
+		resourcesOciDir = filepath.Join(tempDir, "resource-oci-layout")
+
+		buf := bytes.NewBuffer(nil)
+		Expect(env.CatchOutput(buf).Execute(
+			"download", "resources",
+			"--oci-layout",
+			"-O", resourcesOciDir,
+			targetCTF+"//"+componentName+":"+componentVersion,
+			resourceName,
+		)).To(Succeed())
+		Expect(verifyOCILayoutStructure(resourcesOciDir)).To(Succeed())
+		store, err := oci.New(resourcesOciDir)
+		Expect(err).To(Succeed(), "ORAS failed to open OCI layout: %w", err)
+
+		srcDesc, err := store.Resolve(context.Background(), resourceVersion)
+		Expect(err).To(Succeed(), "resource MUST be OCI compliant")
+		GinkgoWriter.Printf("Successfully verified OCI layout with ORAS: digest=%s\n", srcDesc.Digest)
+
+	})
+
+	It("downloads resource from target CTF without --oci-layout", func() {
+		resourcesOcmDir = filepath.Join(tempDir, "resource-ocm-layout")
+
+		buf := bytes.NewBuffer(nil)
+		Expect(env.CatchOutput(buf).Execute(
+			"download", "resources",
+			"-O", resourcesOcmDir,
+			targetCTF+"//"+componentName+":"+componentVersion,
+			resourceName,
+		)).To(Succeed())
+		Expect(verifyOCILayoutStructure(resourcesOcmDir)).ToNot(Succeed())
+		GinkgoWriter.Printf("Resource download output: %s\n", buf.String())
+	})
+})
+
+// verifyOCILayoutStructure checks that the OCI layout has the expected structure.
+// Returns an error if any required file or directory is missing.
+func verifyOCILayoutStructure(ociDir string) error {
+	// Check oci-layout file exists
+	ociLayoutPath := filepath.Join(ociDir, "oci-layout")
+	if _, err := os.Stat(ociLayoutPath); err != nil {
+		return fmt.Errorf("oci-layout file MUST exist: %w", err)
+	}
+
+	// Check index.json exists
+	indexPath := filepath.Join(ociDir, "index.json")
+	if _, err := os.Stat(indexPath); err != nil {
+		return fmt.Errorf("index.json MUST exist: %w", err)
+	}
+
+	// Check blobs directory exists
+	blobsDir := filepath.Join(ociDir, "blobs")
+	info, err := os.Stat(blobsDir)
+	if err != nil {
+		return fmt.Errorf("blobs directory MUST exist: %w", err)
+	}
+	if !info.IsDir() {
+		return fmt.Errorf("blobs MUST be a directory, got file")
+	}
+
+	GinkgoWriter.Printf("OCI layout structure verified: oci-layout, index.json, blobs/\n")
+	return nil
+}

api/ocm/extensions/download/handlers/init.go

@@ -6,5 +6,6 @@ import (
 	_ "ocm.software/ocm/api/ocm/extensions/download/handlers/dirtree"
 	_ "ocm.software/ocm/api/ocm/extensions/download/handlers/executable"
 	_ "ocm.software/ocm/api/ocm/extensions/download/handlers/helm"
+	_ "ocm.software/ocm/api/ocm/extensions/download/handlers/ocilayout"
 	_ "ocm.software/ocm/api/ocm/extensions/download/handlers/ocirepo"
 )

api/ocm/extensions/download/handlers/ocilayout/handler.go

@@ -0,0 +1,131 @@
+package ocilayout
+
+import (
+	"path/filepath"
+	"strings"
+
+	"github.com/mandelsoft/goutils/errors"
+	"github.com/mandelsoft/goutils/finalizer"
+	"github.com/mandelsoft/vfs/pkg/vfs"
+
+	"ocm.software/ocm/api/oci/artdesc"
+	"ocm.software/ocm/api/oci/extensions/repositories/artifactset"
+	"ocm.software/ocm/api/ocm/cpi"
+	"ocm.software/ocm/api/ocm/extensions/download"
+	"ocm.software/ocm/api/utils/accessio"
+	"ocm.software/ocm/api/utils/accessobj"
+	"ocm.software/ocm/api/utils/logging"
+	common "ocm.software/ocm/api/utils/misc"
+)
+
+const PRIORITY = 200
+
+type Handler struct{}
+
+func New() download.Handler {
+	return &Handler{}
+}
+
+func (h *Handler) Download(p common.Printer, racc cpi.ResourceAccess, path string, fs vfs.FileSystem) (ok bool, _ string, err error) {
+	var finalize finalizer.Finalizer
+	defer finalize.FinalizeWithErrorPropagation(&err)
+
+	// Step 1: Get access method to read resource content
+	m, err := racc.AccessMethod()
+	if err != nil {
+		return false, "", err
+	}
+	finalize.Close(m)
+
+	// Step 2: Check MIME type - only handle OCI artifacts (tar/tar+gzip)
+	if !isOCIArtifact(m.MimeType()) {
+		logging.Logger().Debug("skipping non-OCI artifact", "mime", m.MimeType())
+		return false, "", nil
+	}
+
+	if path == "" {
+		path = racc.Meta().GetName()
+	}
+
+	// Step 3: Open resource blob as artifact set (contains OCI image)
+	src, err := artifactset.OpenFromDataAccess(accessobj.ACC_READONLY, m.MimeType(), m)
+	if err != nil {
+		return true, "", errors.Wrapf(err, "open artifact set")
+	}
+	finalize.Close(src)
+
+	// Step 4: Get the main artifact from the set
+	art, err := src.GetArtifact(src.GetMain().String())
+	if err != nil {
+		return true, "", errors.Wrapf(err, "get artifact")
+	}
+	finalize.Close(art)
+
+	// Step 5: Create target directory with OCI format (index.json + oci-layout)
+	target, err := artifactset.Create(accessobj.ACC_CREATE, path, 0o755,
+		accessio.PathFileSystem(fs),
+		accessobj.FormatDirectory,
+		artifactset.StructureFormat(artifactset.FORMAT_OCI),
+	)
+	if err != nil {
+		return true, "", errors.Wrapf(err, "create OCI layout")
+	}
+
+	// Step 6: Transfer all manifests and blobs to target with resource version as tag
+	version := racc.Meta().GetVersion()
+	if err := artifactset.TransferArtifact(art, target, version); err != nil {
+		target.Close()
+		return true, "", errors.Wrapf(err, "transfer artifact")
+	}
+
+	if err := target.Close(); err != nil {
+		return true, "", errors.Wrapf(err, "close target")
+	}
+
+	// Step 7: Convert blob paths from sha256.DIGEST to sha256/DIGEST
+	if err := convertBlobPaths(fs, path); err != nil {
+		return true, "", err
+	}
+
+	p.Printf("%s: downloaded to OCI layout\n", path)
+	return true, path, nil
+}
+
+func isOCIArtifact(mime string) bool {
+	return artdesc.IsOCIMediaType(mime) &&
+		(strings.HasSuffix(mime, "+tar") || strings.HasSuffix(mime, "+tar+gzip"))
+}
+
+// convertBlobPaths converts blob paths from artifactset format (sha256.DIGEST)
+// to OCI Image Layout format (sha256/DIGEST).
+//
+// This is needed because artifactset uses DigestToFileName which always produces
+// "sha256.DIGEST" format. The FORMAT_OCI option only controls the descriptor file
+// (index.json) and oci-layout file creation, not the blob path structure.
+//
+// Call trace where DigestToFileName is invoked:
+//
+//	TransferArtifact() -> TransferManifest() -> set.AddBlob()
+//	  -> accessobj.FileSystemBlobAccess.AddBlob()
+//	    -> path := a.DigestPath(blob.Digest())
+//	      -> common.DigestToFileName(digest)  // returns "sha256.DIGEST"
+func convertBlobPaths(fs vfs.FileSystem, dir string) error {
+	blobsDir := filepath.Join(dir, "blobs")
+	entries, err := vfs.ReadDir(fs, blobsDir)
+	if err != nil {
+		return err
+	}
+
+	for _, e := range entries {
+		if e.IsDir() {
+			continue
+		}
+		name := e.Name()
+		if algo, dig, ok := strings.Cut(name, "."); ok {
+			algoDir := filepath.Join(blobsDir, algo)
+			fs.MkdirAll(algoDir, 0o755)
+			fs.Rename(filepath.Join(blobsDir, name), filepath.Join(algoDir, dig))
+		}
+	}
+	return nil
+}

cmds/ocm/commands/ocmcmds/resources/download/action.go

@@ -12,6 +12,7 @@ import (
 	"ocm.software/ocm/api/ocm"
 	v1 "ocm.software/ocm/api/ocm/compdesc/meta/v1"
 	"ocm.software/ocm/api/ocm/extensions/download"
+	ocilayouthdlr "ocm.software/ocm/api/ocm/extensions/download/handlers/ocilayout"
 	"ocm.software/ocm/api/ocm/tools/signing"
 	"ocm.software/ocm/api/utils/blobaccess"
 	common2 "ocm.software/ocm/api/utils/misc"
@@ -33,7 +34,14 @@ type Action struct {
 }
 
 func NewAction(ctx ocm.ContextProvider, opts *output.Options) *Action {
-	return &Action{downloaders: download.For(ctx), opts: opts}
+	downloaders := download.For(ctx).Copy()
+
+	local := From(opts)
+	if local.OCILayout {
+		downloaders.Register(ocilayouthdlr.New(), download.ForArtifactType(download.ALL), download.WithPrio(ocilayouthdlr.PRIORITY))
+	}
+
+	return &Action{downloaders: downloaders, opts: opts}
 }
 
 func (d *Action) AddOptions(opts ...options.Options) {

cmds/ocm/commands/ocmcmds/resources/download/options.go

@@ -21,6 +21,7 @@ type Option struct {
 	SilentOption bool
 	UseHandlers  bool
 	Verify       bool
+	OCILayout    bool
 }
 
 func (o *Option) SetUseHandlers(ok ...bool) *Option {
@@ -33,6 +34,7 @@ func (o *Option) AddFlags(fs *pflag.FlagSet) {
 		fs.BoolVarP(&o.UseHandlers, "download-handlers", "d", false, "use download handler if possible")
 	}
 	fs.BoolVarP(&o.Verify, "verify", "", false, "verify downloads")
+	fs.BoolVarP(&o.OCILayout, "oci-layout", "", false, "download OCI artifacts in OCI Image Layout format (blobs/<algorithm>/<encoded>)")
 }
 
 func (o *Option) Usage() string {