From e0e9e8a106e6f6914a6b36e1572af4e655d0947e Mon Sep 17 00:00:00 2001
From: Laurent Goderre
Date: Thu, 12 Sep 2024 14:46:25 -0400
Subject: [PATCH] Add OCI functions fort signing
---
 oci.jq | 49 +++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 49 insertions(+)
diff --git a/oci.jq b/oci.jq
index e991975..cd79095 100644
--- a/oci.jq
+++ b/oci.jq
@@ -87,3 +87,52 @@ def sort_manifests:
 sort_by(.platform | sort_split_platform)
 | sort_attestations
 ;
+
+def index_type:
+ if .mediaType != "application/vnd.oci.image.index.v1+json" and .mediaType then # TODO drop the second half of this validation: https://github.com/moby/buildkit/issues/4595
+ error("unsupported index mediaType: " + .mediaType)
+ else . end
+;
+
+def validate_index_type:
+ if .schemaVersion != 2 then
+ error("unsupported schemaVersion: " + .schemaVersion)
+ else . end
+ | index_type
+;
+
+# jq -s 'include "oci"; validate_oci_basic' dir/oci-layout dir/index.json
+def validate_oci_basic:
+ if length != 2 then
+ error("Unexpected oci-layout. Expecting 'oci-layout' and 'index.json'")
+ else . end
+ | .[0] |= (
+ if .imageLayoutVersion != "1.0.0" then
+ error("unsupported imageLayoutVersion: " + .imageLayoutVersion)
+ else . end
+ )
+ | .[1] |= (
+ . | validate_index_type
+ | if .manifests | length != 1 then
+ error("expected only one manifests entry, not " + (.manifests | length | tostring))
+ else . end
+
+ | .manifests[0] |= (
+ index_type
+ # TODO validate .digest somehow (`crane validate`?) - would also be good to validate all descriptors recursively
+ | if .size < 0 then
+ error("invalid descriptor size: " + .size)
+ else . end
+ )
+ )
+;
+
+def imageDigest($os; $arch):
+ if length != 1 then
+ error("unexpected image index document count: " + (length | tostring))
+ else .[0] end
+ | validate_index_type
+ | .manifests[]
+ | select(.platform.os == $os and .platform.architecture == $arch)
+ | .digest
+;
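Review bot: The `.size < 0` check in `validate_oci_basic` only rejects values that jq orders below 0, so a descriptor whose `size` is a string, array or object passes, because jq sorts those types after numbers; testing the type as well closes that, `if (.size | type) != "number" or .size < 0 then`. The error branches in `validate_index_type` and on `.size` concatenate a string with a number (`"unsupported schemaVersion: " + .schemaVersion`), so jq raises its own type error instead of the intended message; `(.schemaVersion | tostring)` and `(.size | tostring)` would match the `tostring` already used for the manifests count. `imageDigest` emits every `.digest` whose platform matches, so zero matches produce no output and several matches produce several digests, neither with an error. Since the subject says these helpers are for signing, it seems worth asserting exactly one match there and checking that the digest is a well-formed string before it is handed on.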