
Quay 3.10 auto prune worker should remove image tag and signature together


    • Type: Bug
    • Resolution: Unresolved
    • Priority: Major
    • Affects Version/s: quay-v3.10.0, quay-v3.11.0
    • Component/s: quay

      Description:

      Auto-pruning does not treat Sigstore-style artifacts correctly. This issue can be reproduced in Quay 3.10 when auto-pruning is enabled via "FEATURE_AUTO_PRUNE: true" and the auto-pruning policy is configured to keep 1 image tag. After pushing and signing two image tags with cosign, the auto-pruning worker removes both image signatures and also one tag. The result is that a previously signed image is now unsigned.

      Quay: quay-operator-bundle-container-v3.10.0-142

      Steps:

      1. Push image tag A, and sign this image with Cosign using key1
      2. Push image tag B, and sign this image with Cosign using key2
      3. Configure the auto-pruning policy for the Quay namespace to keep 1 image tag
      4. Wait for the auto-pruning worker to remove the image tags

      Expected Results:

      After the auto-pruning worker has run, the newer image tag B and its signature remain in the repository, whereas the older image tag A and its signature are garbage collected.

      Actual Results:

      Only image tag B remains; its signature has been removed by auto-pruning.

       

      Expected Behavior:

      The auto-pruning worker should treat tags created by sigstore/cosign tooling differently. These tags are created when signing an image or attaching an attestation or SBOM, and follow the naming convention

      • sha256-<sha256-digest>.sig
      • sha256-<sha256-digest>.att
      • sha256-<sha256-digest>.sbom

      See here for an example: https://quay.io/repository/centos-bootc/fedora-bootc?tab=tags

      See the official documentation for more information:

      When the auto-pruning worker encounters these types of tags, it should not prune them on their own. Also, when the auto-pruning worker selects any tag for pruning, it should resolve that tag's digest, look for the associated sha256-<digest>.sig/.att/.sbom tags, and collect them for garbage collection as well, so that an image and its signature are always removed together.
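      The selection logic described above, as an added illustration that is not Quay's own auto-prune worker code: tags whose names match the cosign convention are never counted against the "keep N tags" budget and are never pruned on their own; when an image tag is selected for pruning, its digest is resolved and the matching .sig/.att/.sbom tags are pruned with it. The naive variant that treats every tag alike is included to show how a signature can be dropped while its image survives. The Tag data class, the sample digests and timestamps, and the function names are constructed for this example.

```python
"""Added example (not Quay's code): tag selection for a "keep the newest N tags"
auto-prune policy that keeps cosign artefact tags bound to their subject image."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# cosign/sigstore names attached artefacts after the digest of the subject image:
#   sha256-<64 hex chars>.sig | .att | .sbom
COSIGN_TAG_RE = re.compile(r"^sha256-(?P<digest>[0-9a-f]{64})\.(?P<kind>sig|att|sbom)$")


@dataclass(frozen=True)
class Tag:
    """Minimal tag record (constructed for this example, not Quay's model)."""
    name: str
    digest: str   # manifest digest the tag points to, "sha256:<hex>"
    created: int  # creation time; larger means newer (epoch seconds)


def cosign_subject(tag: Tag) -> Optional[str]:
    """Return the subject digest ("sha256:<hex>") if `tag` is a cosign artefact tag."""
    m = COSIGN_TAG_RE.match(tag.name)
    return f"sha256:{m.group('digest')}" if m else None


def naive_select(tags: List[Tag], keep: int) -> Set[str]:
    """Buggy baseline: every tag competes for the `keep` slots, including
    .sig/.att/.sbom tags, so signatures and images get pruned independently."""
    ordered = sorted(tags, key=lambda t: t.created, reverse=True)
    return {t.name for t in ordered[keep:]}


def select_for_pruning(tags: List[Tag], keep: int) -> Set[str]:
    """Return the names of the tags to prune.

    Only image tags count against `keep`. cosign artefact tags are pruned solely
    together with the image tag whose digest they reference, and only if no
    surviving tag still points at that same manifest."""
    artefacts: Dict[str, List[Tag]] = {}
    images: List[Tag] = []
    for t in tags:
        subject = cosign_subject(t)
        if subject is None:
            images.append(t)
        else:
            artefacts.setdefault(subject, []).append(t)

    images.sort(key=lambda t: t.created, reverse=True)
    kept, pruned = images[:keep], images[keep:]
    kept_digests = {t.digest for t in kept}

    to_prune = {t.name for t in pruned}
    for t in pruned:
        # Another tag (an alias) may still reference the same manifest; in that
        # case the signature/attestation/SBOM must survive with it.
        if t.digest in kept_digests:
            continue
        to_prune.update(a.name for a in artefacts.get(t.digest, []))
    return to_prune


# Constructed repository state mirroring the report: A pushed and signed, then
# B pushed and signed, each signature carrying its own (unrelated) digest.
DIGEST_A = "a" * 64
DIGEST_B = "b" * 64
SAMPLE_TAGS = [
    Tag("A", f"sha256:{DIGEST_A}", 100),
    Tag(f"sha256-{DIGEST_A}.sig", "sha256:" + "1" * 64, 101),
    Tag("B", f"sha256:{DIGEST_B}", 200),
    Tag(f"sha256-{DIGEST_B}.sig", "sha256:" + "2" * 64, 201),
]


def demo(keep: int = 1) -> Set[str]:
    """Run the corrected selection over the constructed state."""
    return select_for_pruning(SAMPLE_TAGS, keep)


if __name__ == "__main__":
    print("naive prunes:    ", sorted(naive_select(SAMPLE_TAGS, 1)))
    print("corrected prunes:", sorted(demo(1)))
```

      With keep=1 the corrected selection prunes exactly A and sha256-<digest A>.sig and leaves B with its signature, which is the expected result from the report; the naive variant prunes a .sig tag on its own. Orphaned artefact tags whose subject image no longer exists are deliberately left alone here, since removing them is a separate garbage-collection decision.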

       

      Quay 3.10 auto prune worker only removed image signature:

              Assignee: Unassigned
              Reporter: lzha1981 luffy zhang