Unable to pull docker images with an SBOM layer #6661

Open
hidde-jan opened this issue Mar 28, 2024 · 3 comments
Labels: kind/bug (Something isn't working)

Comments

@hidde-jan

Actual Behavior

When trying to pull an image with an SBOM layer (for instance rekor-server), the pull command results in an error.

Steps to Reproduce

Run the following:

docker pull ghcr.io/sigstore/rekor/rekor-server:sha256-b3d4c3b930f29a2fafd7274041e13414d68856a070f7d5380ea2a9f083037da3.sbom

Result

The error below is shown:

unsupported media type text/spdx+json

Expected Behavior

Successful pulling of the image.

Additional Information

It seems that the sbom experimental plugin for docker might be needed to install images with an sbom layer. It is unclear how this can be achieved if using the rancher-supplied docker binary.

Rancher Desktop Version

1.13.1

Rancher Desktop K8s Version

No k8s

Which container engine are you using?

moby (docker cli)

What operating system are you using?

Windows

Operating System / Build Version

Windows 10 Enterprise

What CPU architecture are you using?

x64

Linux only: what package format did you use to install Rancher Desktop?

None

Windows User Only

No response

@hidde-jan hidde-jan added the kind/bug Something isn't working label Mar 28, 2024
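The reference in the report is a cosign-style attachment tag (`sha256-<digest>.sbom`), and the manifest behind such a tag carries the SBOM document as a layer whose media type (`text/spdx+json`) an image engine cannot unpack into a filesystem, which is what the pull error reports. The following script is an added example, not code from Rancher Desktop, Docker or sigstore: it parses the attachment tag back to the digest of the image it describes, classifies a manifest by its layer media types, and reproduces the kind of error message a pull of a non-image manifest produces. The two manifests embedded below are constructed samples with placeholder digests, not the real ghcr.io manifests, and the set of SBOM media types is an assumption based on the cosign attachment conventions.

```python
"""Classify OCI manifests: container image vs. attached artifact such as an SBOM."""
import json
import re

# Layer media types an image engine can unpack into a root filesystem.
IMAGE_LAYER_TYPES = {
    "application/vnd.oci.image.layer.v1.tar",
    "application/vnd.oci.image.layer.v1.tar+gzip",
    "application/vnd.oci.image.layer.v1.tar+zstd",
    "application/vnd.docker.image.rootfs.diff.tar.gzip",
}

# Layer media types used for SBOM attachments (assumption: cosign conventions;
# text/spdx+json is the one reported in the issue).
SBOM_LAYER_TYPES = {
    "text/spdx+json",
    "text/spdx",
    "application/vnd.cyclonedx+json",
    "application/vnd.cyclonedx",
}

# Constructed sample shaped like a cosign-attached SPDX SBOM; placeholder digests.
SBOM_MANIFEST = json.dumps({
    "schemaVersion": 2,
    "mediaType": "application/vnd.oci.image.manifest.v1+json",
    "config": {
        "mediaType": "application/vnd.oci.image.config.v1+json",
        "digest": "sha256:" + "11" * 32,
        "size": 233,
    },
    "layers": [
        {"mediaType": "text/spdx+json", "digest": "sha256:" + "22" * 32, "size": 48211}
    ],
})

# Constructed sample of an ordinary single-layer image manifest; placeholder digests.
IMAGE_MANIFEST = json.dumps({
    "schemaVersion": 2,
    "mediaType": "application/vnd.oci.image.manifest.v1+json",
    "config": {
        "mediaType": "application/vnd.oci.image.config.v1+json",
        "digest": "sha256:" + "33" * 32,
        "size": 1469,
    },
    "layers": [
        {"mediaType": "application/vnd.oci.image.layer.v1.tar+gzip",
         "digest": "sha256:" + "44" * 32, "size": 3207873}
    ],
})

# cosign attachment tags: sha256-<hex digest>.<sbom|sig|att>
_COSIGN_TAG = re.compile(r"^sha256-([0-9a-f]{64})\.(sbom|sig|att)$")


def subject_digest(tag: str):
    """Return (image digest, attachment kind) for a cosign-style tag, else None."""
    match = _COSIGN_TAG.match(tag)
    if not match:
        return None
    return ("sha256:" + match.group(1), match.group(2))


def classify_manifest(manifest_json: str) -> dict:
    """Decide whether a manifest is a pullable image, an SBOM, or another artifact."""
    manifest = json.loads(manifest_json)
    layer_types = [layer.get("mediaType", "") for layer in manifest.get("layers", [])]
    unsupported = [t for t in layer_types if t not in IMAGE_LAYER_TYPES]
    if layer_types and not unsupported:
        kind = "image"
    elif unsupported and all(t in SBOM_LAYER_TYPES for t in unsupported):
        kind = "sbom"
    else:
        kind = "other-artifact"
    return {"kind": kind, "layer_types": layer_types, "unsupported": unsupported}


def pull_error(manifest_json: str):
    """Error an image engine reports for a non-image manifest; None for an image.
    The wording mirrors the message quoted in the issue."""
    info = classify_manifest(manifest_json)
    if not info["unsupported"]:
        return None
    return "unsupported media type " + info["unsupported"][0]


if __name__ == "__main__":
    tag = "sha256-b3d4c3b930f29a2fafd7274041e13414d68856a070f7d5380ea2a9f083037da3.sbom"
    print("attachment describes image:", subject_digest(tag))
    print("sbom manifest:", classify_manifest(SBOM_MANIFEST))
    print("pull would fail with:", pull_error(SBOM_MANIFEST))
    print("image manifest:", classify_manifest(IMAGE_MANIFEST))
```

The practical reading: a tag of this shape is not an image to run but a document attached to the image whose digest is encoded in the tag, so the consumer is SBOM tooling (cosign, or whatever reads the registry directly) rather than the image engine's pull path.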
@mook-as
Contributor

mook-as commented Apr 1, 2024

You can install the upstream sbom CLI plugin (drop the executable in ~/.docker/cli-plugins). However, as far as I can tell that doesn't actually do anything with ghcr.io/sigstore/rekor/rekor-server:sha256-b3d4c3b930f29a2fafd7274041e13414d68856a070f7d5380ea2a9f083037da3.sbom; that seems to generate a manifest instead.

I could not get upstream docker to interact with it at all (and docker pull as specified seems to produce the same error).

As far as I can tell, that might be related to cosign (from the same GitHub org as rekor, so that makes sense); however, I could not get it to verify.

@hidde-jan
Author

Thanks for the response. I'll try to have a look if this works with the latest version of docker-cli.

@mook-as
Contributor

mook-as commented Apr 8, 2024

Given the above, I don't see how any version of docker-cli would make a difference — that appears to be something for external tooling.
