fix(registry): return raw bytes from manifest cache for policy evaluation #58

Merged
jmgilman merged 1 commit into master from fix/manifest-cache-raw-bytes
Jan 25, 2026

@jmgilman
Contributor

Summary

  • Fix bug where manifest cache returned nil raw bytes, causing policy verification to fail
  • Modify ManifestCache.GetManifest() interface to return both parsed manifest and raw bytes
  • Add regression test to verify cache hits provide raw bytes for policy evaluation

Problem

When manifests were retrieved from the disk cache, the raw bytes were not returned. This caused subject.Size to be set to 0 in policy evaluation, leading to sigstore verification failures due to Content-Length mismatch.

The bug was intermittent because it only triggered when the manifest cache was populated (e.g., inspect followed by verify in the same workflow).

Changes

File | Change
registry/cache/cache.go | Updated ManifestCache interface to return (manifest, raw, ok)
registry/cache/disk/cache.go | Updated implementation to return raw bytes
registry/fetch.go | Use cached raw bytes for policy evaluation
registry/fetch_test.go | Added regression test + updated mocks
registry/bench_oci_flow_test.go | Updated mock
registry/cache/disk/cache_test.go | Updated tests to verify raw bytes

Test plan

  • All existing tests pass
  • New regression test TestClient_Fetch_CacheHitReturnsRawBytes verifies fix
  • CI passes (just ci)

🤖 Generated with Claude Code

…tion

When manifests were retrieved from the disk cache, the raw bytes were
not returned, causing policy verification to fail. The subject.Size
was set to 0 because raw was nil, and sigstore verification detected
a Content-Length mismatch.

This fix modifies the ManifestCache interface to return both the parsed
manifest and raw bytes from GetManifest(). The raw bytes are needed for
policy evaluation which requires exact original bytes for size
calculations.

The bug was intermittent because it only triggered when the manifest
cache was populated (e.g., inspect followed by verify in the same
workflow).

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
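
The failure mode described in the PR summary and commit message, as an added example that is not the project's code: a cache whose `GetManifest` returns `(manifest, raw, ok)`, and a guard that refuses to build a policy subject from missing bytes. `Manifest`, `Subject`, `memCache`, `DigestOf` and `SubjectFor` are hypothetical names, and the digest re-check is an assumption added here.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// Manifest, Subject and memCache are simplified stand-ins (hypothetical).
type Manifest struct{ MediaType string `json:"mediaType"` }
type Subject struct {
	Digest string
	Size   int64
}
type memCache struct{ raw map[string][]byte } // exact fetched bytes by digest

func DigestOf(raw []byte) string {
	sum := sha256.Sum256(raw)
	return "sha256:" + hex.EncodeToString(sum[:])
}

// GetManifest returns (manifest, raw, ok), the shape the PR describes.
func (c *memCache) GetManifest(digest string) (*Manifest, []byte, bool) {
	raw, ok := c.raw[digest]
	var m Manifest
	if !ok || json.Unmarshal(raw, &m) != nil {
		return nil, nil, false // corrupt entries count as a miss
	}
	return &m, raw, true
}

// SubjectFor rejects missing bytes (the Size == 0 case) and digest mismatches.
func SubjectFor(digest string, raw []byte) (Subject, error) {
	if len(raw) == 0 {
		return Subject{}, fmt.Errorf("no raw bytes for %s", digest)
	}
	if got := DigestOf(raw); got != digest {
		return Subject{}, fmt.Errorf("digest mismatch: got %s", got)
	}
	return Subject{Digest: digest, Size: int64(len(raw))}, nil
}

func main() {
	raw := []byte(`{"mediaType":"application/vnd.oci.image.manifest.v1+json"}`) // constructed
	d := DigestOf(raw)
	_, cached, _ := (&memCache{raw: map[string][]byte{d: raw}}).GetManifest(d)
	fmt.Println(SubjectFor(d, cached))
	fmt.Println(SubjectFor(d, nil)) // the input a cache hit produced before the fix
}
```

Failing closed on empty bytes turns the intermittent verification failure into an immediate, named error at the cache boundary.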
@cloudflare-workers-and-pages

Deploying with Cloudflare Workers

The latest updates on your project. Learn more about integrating Git with Workers.

Status | Name | Latest Commit | Preview URL | Updated (UTC)
✅ Deployment successful! (View logs) | blob | 564f0f2 | Commit Preview URL, Branch Preview URL | Jan 25 2026, 02:10 AM

@jmgilman jmgilman merged commit fcf8c0a into master Jan 25, 2026
10 checks passed
@jmgilman jmgilman deleted the fix/manifest-cache-raw-bytes branch January 25, 2026 02:13