mirror of
https://github.com/moby/moby.git
synced 2026-06-24 08:48:23 +00:00
a0b6dbc2fc
Add a new Engine API endpoint that returns the in-toto attestation
statements attached to an image for a given platform. The endpoint
locates the attestation manifest(s) referencing the requested platform's
image manifest, enumerates the statement layers, and returns each
layer's OCI descriptor (including media type, digest, size, and
annotations) together with its in-toto predicate type.
Query parameters:
- platform: JSON-encoded OCI platform; defaults to the daemon's host
platform if omitted.
- type: comma-separated list of in-toto predicate type URIs; if
omitted, all statements are returned.
- statement: boolean, defaults to false. When true, the daemon reads
each matching statement blob and includes the verbatim in-toto JSON
in the response. When false (or omitted), statement blobs are not
read and the Statement field is absent from each entry.
The manifest-chain walk (locating the platform image manifest and its
associated attestation manifest) is delegated to policy-helpers'
image.ResolveSignatureChain so that moby and BuildKit agree on how to
interpret the attestation storage format. The statement-layer iteration
and blob reading is inlined: when statement bodies are requested it
fails fast on the first unreadable blob and reads matching blobs
eagerly into memory; otherwise statement-layer blobs are never read
from the content store.
The endpoint is implemented for the containerd image store. The legacy
graphdriver store returns errdefs.NotImplemented (HTTP 501).
Signed-off-by: Sopho Merkviladze <smerkviladze@mirantis.com>