exporter: force enabling inline attestations for image export

Signed-off-by: Justin Chadwell <me@jedevc.com> (cherry picked from commit e55f8b6)
moby · Jan 6, 2023 · 0901e93 · 0901e93
1 parent dc43f74
commit 0901e93
Show file tree

Hide file tree

Showing 3 changed files with 19 additions and 17 deletions.
diff --git a/exporter/containerimage/export.go b/exporter/containerimage/export.go
@@ -78,7 +78,8 @@ func (e *imageExporter) Resolve(ctx context.Context, opt map[string]string) (exp
 			RefCfg: cacheconfig.RefConfig{
 				Compression: compression.New(compression.Default),
 			},
-			BuildInfo: true,
+			BuildInfo:               true,
+			ForceInlineAttestations: true,
 		},
 		store: true,
 	}

diff --git a/exporter/containerimage/opts.go b/exporter/containerimage/opts.go
@@ -34,6 +34,8 @@ type ImageCommitOpts struct {
 	BuildInfoAttrs bool
 	Annotations    AnnotationsGroup
 	Epoch          *time.Time
+
+	ForceInlineAttestations bool // force inline attestations to be attached
 }
 
 func (c *ImageCommitOpts) Load(opt map[string]string) (map[string]string, error) {

diff --git a/exporter/containerimage/writer.go b/exporter/containerimage/writer.go
@@ -69,22 +69,24 @@ func (ic *ImageWriter) Commit(ctx context.Context, inp *exporter.Source, session
 		return nil, err
 	}
 
-	requiredAttestations := false
-	for _, p := range ps.Platforms {
-		if atts, ok := inp.Attestations[p.ID]; ok {
-			atts = attestation.Filter(atts, nil, map[string][]byte{
-				result.AttestationInlineOnlyKey: []byte(strconv.FormatBool(true)),
-			})
-			if len(atts) > 0 {
-				requiredAttestations = true
-				break
+	if !isMap {
+		// enable index if we need to include attestations
+		for _, p := range ps.Platforms {
+			if atts, ok := inp.Attestations[p.ID]; ok {
+				if !opts.ForceInlineAttestations {
+					// if we don't need force inline attestations (for oci
+					// exporter), filter them out
+					atts = attestation.Filter(atts, nil, map[string][]byte{
+						result.AttestationInlineOnlyKey: []byte(strconv.FormatBool(true)),
+					})
+				}
+				if len(atts) > 0 {
+					isMap = true
+					break
+				}
 			}
 		}
 	}
-	if requiredAttestations {
-		isMap = true
-	}
-
 	if opts.Epoch == nil {
 		if tm, ok, err := epoch.ParseSource(inp); err != nil {
 			return nil, err
@@ -108,9 +110,6 @@ func (ic *ImageWriter) Commit(ctx context.Context, inp *exporter.Source, session
 		if len(ps.Platforms) > 1 {
 			return nil, errors.Errorf("cannot export multiple platforms without multi-platform enabled")
 		}
-		if requiredAttestations {
-			return nil, errors.Errorf("cannot export attestations without multi-platform enabled")
-		}
 
 		var ref cache.ImmutableRef
 		var p exptypes.Platform