Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

image-rs: Panick when pulling image #840

Open
fidencio opened this issue Dec 10, 2024 · 9 comments
Open

image-rs: Panick when pulling image #840

fidencio opened this issue Dec 10, 2024 · 9 comments
Labels
bug Something isn't working

Comments

@fidencio
Copy link
Member

Describe the bug

Dec 10 07:09:08 jorge kata[261242]: time="2024-12-10T07:09:08.725962832Z" level=debug msg="reading guest console" console-protocol=unix console-url=/run/vc/vm/c80f9ac981266288f2163ac4777b9ca1f54cbf2790b197b160cdf1c141c9ec18/console.sock name=containerd-shim-v2 pid=261242 sandbox=c80f9ac981266288f2163ac4777b9ca1f54cbf2790b197b160cdf1c141c9ec18 source=virtcontainers subsystem=sandbox vmconsole="thread 'tokio-runtime-worker' panicked at /opt/cargo/git/checkouts/guest-components-1e54b222ad8d9630/075b9a9/image-rs/src/pull.rs:106:21:"
Dec 10 07:09:08 jorge kata[261242]: time="2024-12-10T07:09:08.726008239Z" level=debug msg="reading guest console" console-protocol=unix console-url=/run/vc/vm/c80f9ac981266288f2163ac4777b9ca1f54cbf2790b197b160cdf1c141c9ec18/console.sock name=containerd-shim-v2 pid=261242 sandbox=c80f9ac981266288f2163ac4777b9ca1f54cbf2790b197b160cdf1c141c9ec18 source=virtcontainers subsystem=sandbox vmconsole="index out of bounds: the len is 25 but the index is 25"

How to reproduce

Pull the following encrypted image: quay.io/fidencio/prueba:encrypted
key: /h0vEDaLozthTZ/R6rQ736g7XE7khFd2lNWT8mzCjPQ=

Check kata-containers logs and you'll notice the panic.

CoCo version information

CoCo v0.11.0

What TEE are you seeing the problem on

None

Failing command and relevant log output

No response

@fidencio fidencio added the bug Something isn't working label Dec 10, 2024
@mkulke
Copy link
Contributor

mkulke commented Dec 10, 2024

quay.io/fidencio/prueba:encrypted

{
    "Name": "quay.io/fidencio/prueba",
    "Digest": "sha256:756b10356eacdadb63b00b96cf4b3a4bb9658c424c2fc07c87ce475d256bd87f",
    "RepoTags": [
        "encrypted"
    ],
    "Created": "2024-11-14T11:42:30.649705443+01:00",
    "DockerVersion": "",
    "Labels": {
        "org.opencontainers.image.ref.name": "ubuntu",
        "org.opencontainers.image.version": "20.04"
    },
    "Architecture": "amd64",
    "Os": "linux",
    "Layers": [
        "sha256:31f22864f95092bf7d4819f38d57fdec09d3c8705338350aca47d4ba9a5bc985",
        "sha256:83a2e1265d925cda2bb15b5879009b27f6a5f992780589d41546ef1b1d05ea9e",
        "sha256:22d2039bb59a734c1c8f798dc5ef2f4a7aba418918a1764c6bc67ada4122d513",
        "sha256:cc4f929eb9fd3c92ce974a3a74c5a20a3e20a802b07dc1c191df02dd6b7c6c2c",
        "sha256:01a220713853c33b441f033f4e1dae9c8b3f97be5b171889f4f097de1b5f89b1",
        "sha256:67d8d9cf64db18141e31dead9fc4cf9081241eb2703f56cdd448fbbe1e194489",
        "sha256:962908c56980c5665cf58a3a3e93678f08ea024720836f103994e72f02ad0b57",
        "sha256:d7dcebe9cd5bb545b3d44c705abdf3bf5c916efa040bcaf205047c84feb01f57",
        "sha256:e3f3035d2a5eda2dd7524b7c0bb70457494cad7719898768e0b7485d08b2925d",
        "sha256:1fef000e6267363edea3d1c6cb849746f3573524db588ff0604cf55912acd025",
        "sha256:319767715710ad47373d7cb782d5b208f466983d041836dc587f4e6fd5e1bfea",
        "sha256:3c480b098bb23cff4562303d59ede70739e616206ac32498db009958460f0f34",
        "sha256:4ffbdda4aee7be34266230ca7fc24dd20b542a20503a6d8076c030fcf61ddf0e",
        "sha256:67425764618b6d0ab8b008d282a2136cba455d105fe00d6114b93b1f3dc85014",
        "sha256:7849bb65fe35169b27e931e2e3f5be2c0bb8399e2ae51f9de0a98c2c3e971220",
        "sha256:827410538f988de684cadfe54fd6fac88e4a66e3537599093d675bf380022fb0",
        "sha256:7be58901c78db3ff1dee6831d4fe9d5e1b869f1254fb7bcf169a00ada0f95b7b",
        "sha256:4affc0c4637d7fd6585e7f0c57377a60c5e76609544f3741e0c2f13ead7a76f9",
        "sha256:6ef8077b32bcb6da5d351eb5a490c36c018d63a77b034b1988577c1ff51005f6",
        "sha256:1366ea2e14166d2d5ab39e7186d0e22ad52606dd0987b9e1afc6278dd43b965e",
        "sha256:4e6cda3756b2df77e2cec4bdace6b0eaafc07901c0b186041e59a4d78e1a0dfb",
        "sha256:052f8098decb5b89be4d7dab935ec4a0143b141b3f89f14b4096d551b876e2ef",
        "sha256:07daf092e3261257df8020ba99cf9f1caff3bbeab4975bc804f046f3800476d6",
        "sha256:8c0320b891b9112027874d36bb380762e01ca17fb040bd5006e21ec095587293",
        "sha256:39acfee127ae132b4b2239a20d8f526b048543c2bd57f3f6c7c0ca5e82ac05ce",
        "sha256:67ee1946707dc3d74e32bff15476e0edc68facaffa762db41a4f68b0ba9212f8"
    ],
    "LayersData": [
        {
            "MIMEType": "application/vnd.oci.image.layer.v1.tar+encrypted",
            "Digest": "sha256:31f22864f95092bf7d4819f38d57fdec09d3c8705338350aca47d4ba9a5bc985",
            "Size": 75190784,
            "Annotations": {
                "org.opencontainers.image.enc.keys.provider.attestation-agent": "eyJraWQiOiJrYnM6Ly8vZGVmYXVsdC9pbWFnZV9rZXkvcHJ1ZWJhIiwid3JhcHBlZF9kYXRhIjoibTIveC9lRHMyZ2VGWmdybE9uVlZEOFZFMW4wdXVuZEE5alcyUk80UEZzZWhwTWMzOEhXcjczUm9qQ2REdW9HQlhqTlNRT2xnbVM3WmljTjFEekhuMExzdlVqQlE5SVhyQm1jNDFuR21ueENLYWF6TnZYSjcvTWdHZW56K1VqeG1WMUlTbGJqc1lobm1hNFRuaWFsTU5vSEtvMUdnT0Y2N3ZzY1Uxa1ZTQ1hNQnJMREk0VXZ2Y2ZBaDRYRmowbWd4dGtNRTRDRHBUTkNsdlZXZGVSMCtSWUMyS0RWNTU2UmFiVzZncU96Z1pIdkliQ0NwdmRySTZaWG1ZZTE5cjhoTzRFV1JOckV2dnh4eXVldmVHdUtVcUNNPSIsIml2IjoiT056aEwyK3MrYlA1bkdPNSIsIndyYXBfdHlwZSI6IkEyNTZHQ00ifQ==",
                "org.opencontainers.image.enc.pubopts": "eyJjaXBoZXIiOiJBRVNfMjU2X0NUUl9ITUFDX1NIQTI1NiIsImhtYWMiOiIxOEZaNmNyejVuMFF5R3htNW1XT3JUc3dXa0xDSldnVms4OEpEQ09PeUEwPSIsImNpcGhlcm9wdGlvbnMiOnt9fQ=="
            }
        },
        {
            "MIMEType": "application/vnd.oci.image.layer.v1.tar+encrypted",
            "Digest": "sha256:83a2e1265d925cda2bb15b5879009b27f6a5f992780589d41546ef1b1d05ea9e",
            "Size": 54750720,
            "Annotations": {
                "org.opencontainers.image.enc.keys.provider.attestation-agent": "eyJraWQiOiJrYnM6Ly8vZGVmYXVsdC9pbWFnZV9rZXkvcHJ1ZWJhIiwid3JhcHBlZF9kYXRhIjoiWGgzSnhlRVRtYm1yb2NDQ1RtdDVtZE5RSDJncEJvMXREM21wOW10VGlJY0w1d1Fxb0p6SEp4T1dOYXltZ2xtYzZpQ0xRRVJNQlBvOWVUMUhmR3VGamxvR0Z3OUNpcVFhTEwyUHRwejduNGFuNHkzcU14N0xCSEZMSktyYVp1cHBRMUFWaGNRQ3dTUTVUSUJmNFRxU3BFMk52cFhUOUlvaEp5U1JzVXFHeHJXZHBTMUVUbXRjWlFjcWZHRmRyWUFqOEdiYVYyWXBOUDkxeUxVeVdYN0JvVDdKWGR2S0N1R00zK1FlcCtuL1kwcVFVa2RZUWlaRldWcFVLY2tTTkN5THNKQTNnWWYxdW5WQWhXQkwxbDVrZWdFPSIsIml2IjoiSWxUTjNMQXA1SjF5dDhuZyIsIndyYXBfdHlwZSI6IkEyNTZHQ00ifQ==",
                "org.opencontainers.image.enc.pubopts": "eyJjaXBoZXIiOiJBRVNfMjU2X0NUUl9ITUFDX1NIQTI1NiIsImhtYWMiOiJNMFVNZU1laE5CMlY5YWNJYkt6SDFrdy9NZXdxa01EZ2g5R0xIRURqUGdVPSIsImNpcGhlcm9wdGlvbnMiOnt9fQ=="
            }
        },
        {
            "MIMEType": "application/vnd.oci.image.layer.v1.tar+encrypted",
            "Digest": "sha256:22d2039bb59a734c1c8f798dc5ef2f4a7aba418918a1764c6bc67ada4122d513",
            "Size": 104470528,
            "Annotations": {
                "org.opencontainers.image.enc.keys.provider.attestation-agent": "eyJraWQiOiJrYnM6Ly8vZGVmYXVsdC9pbWFnZV9rZXkvcHJ1ZWJhIiwid3JhcHBlZF9kYXRhIjoiUUVpMDlvVG1JbjBHajZRRjhGY01HWG84Tnp5Qk82c0ovSG5GRittL3ZOYktMUTNQT1V4N2xYLzlBeGJxcmFBWGMxODVoQ253ZDVNMExqdzk5aGpLU2ZQNC9SZXJzaEY5a2VvKzNFckdCWDRkbVdBQ1Y0SkoyMzJqVXpnNU1XR2RHSFJnaGRUQjZyTHNSbVFtdS9ieGdJVHo1bVBuSUIvN0lObWxDRUlwT1ZXY1RYUjE1Z0ZBQm43M3FsOEQwdWVrczNkYTFFcElqMjd0VURZcDZmMmFGNkdUaGk0RXBhTWoxMllyMC9QQTd5bmUwTnIxS3Nja1kxeVNaMlAvTmlIbUl5LzRaSWpSK1lmWXk4NUpZSGxqdDRNPSIsIml2Ijoid2k0Rm1HR2dwVzRQZWZkdyIsIndyYXBfdHlwZSI6IkEyNTZHQ00ifQ==",
                "org.opencontainers.image.enc.pubopts": "eyJjaXBoZXIiOiJBRVNfMjU2X0NUUl9ITUFDX1NIQTI1NiIsImhtYWMiOiJBd1BNYnhYaXRpS05WVExDenBlMm1LU096ZTIrT2NZZ2pySUFXQ0QvQWJVPSIsImNpcGhlcm9wdGlvbnMiOnt9fQ=="
            }
        },
        {
            "MIMEType": "application/vnd.oci.image.layer.v1.tar+encrypted",
            "Digest": "sha256:cc4f929eb9fd3c92ce974a3a74c5a20a3e20a802b07dc1c191df02dd6b7c6c2c",
            "Size": 1291776,
            "Annotations": {
                "org.opencontainers.image.enc.keys.provider.attestation-agent": "eyJraWQiOiJrYnM6Ly8vZGVmYXVsdC9pbWFnZV9rZXkvcHJ1ZWJhIiwid3JhcHBlZF9kYXRhIjoiTEtzRlVQYXhpdzFqY1VaYVE1RXA1T1BEWFpqZ2oyekFLQXNwdlZUcVIwd3RUcTlTMXJNQ212MCsvSVZGVnU5U1VWOWxIQ3FLejRJL1FURGJHMG8rT3dHaHJSRldVS2d3MVkzYmdzYTZiQnk3bFRXM0tlWS9oRklnaTUxK1Z6NW95d2N1ZzdXMVpNNkFtQnNmYko0RE0ra21kemtYS1AvMjJqVlllOStJK2JBK2M0cU1tUzVnTjVUeEpYZ3Rvak8waTNnMjBraWJ6SFVKNjc3QTIvQjFnUXYrVmNnemlwVGNMcmR6bUE5ZzRnZnRWUUlUcHRsN3MxSWpxYTI2Z281NEVUOGM2Szh4TDZoYUJuQWVvbXhJZ05VPSIsIml2IjoiN1hKcmtZQVVjbjFudnFUMSIsIndyYXBfdHlwZSI6IkEyNTZHQ00ifQ==",
                "org.opencontainers.image.enc.pubopts": "eyJjaXBoZXIiOiJBRVNfMjU2X0NUUl9ITUFDX1NIQTI1NiIsImhtYWMiOiJ2c0ZGMDdqSkRRdXFTS3J3WUtXbkdpOGhZOUovclhDSDdhR1pNQUE0TndnPSIsImNpcGhlcm9wdGlvbnMiOnt9fQ=="
            }
        },
        {
            "MIMEType": "application/vnd.oci.image.layer.v1.tar+encrypted",
            "Digest": "sha256:01a220713853c33b441f033f4e1dae9c8b3f97be5b171889f4f097de1b5f89b1",
            "Size": 4376064,
            "Annotations": {
                "org.opencontainers.image.enc.keys.provider.attestation-agent": "eyJraWQiOiJrYnM6Ly8vZGVmYXVsdC9pbWFnZV9rZXkvcHJ1ZWJhIiwid3JhcHBlZF9kYXRhIjoiWHgrZDNEc3NyTlZGV2lnVXk4RkJmOGpzV1htS0V0M2kxWmtQTkNjTEYrMmJDcTRNbGo2MkdON2x6bjJOMHVqVXdzb0hza3dlazVrSzJGVUtmc1J4ZHpYT0E1NGRCZy92dkZ0eHoxVXFtQXlRWXJYZERjQzBCODVEUE5EWTRuZys5UkY3VkQzUGxJUUcyLzRWRTNMVU5pRW8vem4rVitnR0szSjJsd2F6a1M4QXZjRnE0WFlFeFBtL3VmWitXRXovVnM4eWtMUjR4NHRYQzArV3lpYmk2dWpQeXp6OXphc3RrNVpOWnh4cUVRczBJMGQ1OHZsM1NVSEFEcHl6T1Q1R1BHQjZMRXdiRU9aQld3VktIVzUrci9VPSIsIml2IjoidTg0NnF4OFJoM1VqbHVJZCIsIndyYXBfdHlwZSI6IkEyNTZHQ00ifQ==",
                "org.opencontainers.image.enc.pubopts": "eyJjaXBoZXIiOiJBRVNfMjU2X0NUUl9ITUFDX1NIQTI1NiIsImhtYWMiOiI4RkpOWnNjUjBGbUpwaENUT0g1WHh2dDJyYVhXV2RQU05UdUV5dmp1bVlBPSIsImNpcGhlcm9wdGlvbnMiOnt9fQ=="
            }
        },
        {
            "MIMEType": "application/vnd.oci.image.layer.v1.tar+encrypted",
            "Digest": "sha256:67d8d9cf64db18141e31dead9fc4cf9081241eb2703f56cdd448fbbe1e194489",
            "Size": 429912576,
            "Annotations": {
                "org.opencontainers.image.enc.keys.provider.attestation-agent": "eyJraWQiOiJrYnM6Ly8vZGVmYXVsdC9pbWFnZV9rZXkvcHJ1ZWJhIiwid3JhcHBlZF9kYXRhIjoiblhwb2ROeGl0aU1hc0JUK1RMWElUakdSSjFiUHZ6RVA0WjZqQUxndXNZRUlVMUlUZk5wSnNxeEh4S0l1Q0ZSSTR6bmN4L3RvNE4vY3dRTXpITEdqNjMvdXJGOUdkTDVOUTAzV3hPc2ZoVkVMNzZiN2VvNjVtcTBvWi94UmF4bTVDeEtYUU9mcHNHS0t2Q01PdEMzVDVNa3EyMnFjOS84T1V4Q3liaDJZODhnNUpnMzhiWE9RTVZtdjNtcXNxTjRWQkJ5aGdnK0g1UjQ5RERXeU8ya2xSWmxTbTVUbC84T2VGTlZFSU52ZERiZUF5ZTAvMk1EN3VwTTJ4TFZjT2VYeHllQTBvcGRCeUVhMlk2UFlIMHA2YWpFPSIsIml2IjoiMGk0dFVQbDI1NEpYR1lRWiIsIndyYXBfdHlwZSI6IkEyNTZHQ00ifQ==",
                "org.opencontainers.image.enc.pubopts": "eyJjaXBoZXIiOiJBRVNfMjU2X0NUUl9ITUFDX1NIQTI1NiIsImhtYWMiOiIxNFRxNStISjlXN1ZoY3JwUEx4ZEg1c3Z3VytDOS9lKzFrR3U1UXA5UjZjPSIsImNpcGhlcm9wdGlvbnMiOnt9fQ=="
            }
        },
        {
            "MIMEType": "application/vnd.oci.image.layer.v1.tar+encrypted",
            "Digest": "sha256:962908c56980c5665cf58a3a3e93678f08ea024720836f103994e72f02ad0b57",
            "Size": 350208,
            "Annotations": {
                "org.opencontainers.image.enc.keys.provider.attestation-agent": "eyJraWQiOiJrYnM6Ly8vZGVmYXVsdC9pbWFnZV9rZXkvcHJ1ZWJhIiwid3JhcHBlZF9kYXRhIjoidFRmZDBxN3VoSmNIeHI2Yk9MdmZUWE5QMEJScGsvcytnZ3A3aTdsRHdXak5oY05QYUQ3ZUxlVTVOazExWE9vbDJCbktrOVM5L0syaTE3dkFyclVGZTBPZm1EOGJJMTV5MjFQRkkxKzFkTU5xZ2MzZFdBTXcyQjM5SDAwMjhLNUdwOHRmVnc1cEJjV1YySElUazFpdnNLQTRHaUF4bzdjSGUwZHNBZHNDL2pDaTd6ZldnM1A5cnJ4TGFzRXhjOVZsWncvK1FqU1ZRc3VtRXh5MWNNOG9PbFFhdEk1ZDEzQkU0R2ZwbC9GRlo2anRFSWVWelNVMTFzekFqS251NzlMOXNESnJVY0o3VGRjTzdwTTEvSjdwK2MwPSIsIml2IjoidUhHbDh3MHJwekFiSEhpWiIsIndyYXBfdHlwZSI6IkEyNTZHQ00ifQ==",
                "org.opencontainers.image.enc.pubopts": "eyJjaXBoZXIiOiJBRVNfMjU2X0NUUl9ITUFDX1NIQTI1NiIsImhtYWMiOiJPM1VZVGtBNDBuNnhzNGFPVGd3R2hya3RzaEJxMnlTS3dCcEtMM3NrWWQ4PSIsImNpcGhlcm9wdGlvbnMiOnt9fQ=="
            }
        },
        {
            "MIMEType": "application/vnd.oci.image.layer.v1.tar+encrypted",
            "Digest": "sha256:d7dcebe9cd5bb545b3d44c705abdf3bf5c916efa040bcaf205047c84feb01f57",
            "Size": 3584,
            "Annotations": {
                "org.opencontainers.image.enc.keys.provider.attestation-agent": "eyJraWQiOiJrYnM6Ly8vZGVmYXVsdC9pbWFnZV9rZXkvcHJ1ZWJhIiwid3JhcHBlZF9kYXRhIjoiMmRjdVN3Zjg0LzR4alZyQVJPRGdYVW96cXNUcC82eWR1QmFPOXU0bU13di9zMUxZcm5oRWpHcUs3OGhCOFkvbHJrZVVTSVpWdVFRYmNDU2lwZkZyN0RYZjM1SS92azB6LzAxQ2NRNTd5ZjNzK0w0STFRcnhUVjFVVCtxSjI5eU8vRVBmN1NMbWlLbWM4OXdjSjRFanczSkZIOGs0TC9ZZGhFMmZZL0I1Yk1mSzdkblFVWHVHNW5oZGtlTzZROXU3SkdNd29HaDNtVGVYcW1xdDI3aytJRlNoRmxmdzFKM1U5N1h4VG9uem15TnlmWFZxSVVBMi96clZSc3ltek14RnFLeUVsdnp6ZDBKenI5d3d5bUJ5K3NjPSIsIml2IjoiSWptOVhFYXdmZ3prTm5naSIsIndyYXBfdHlwZSI6IkEyNTZHQ00ifQ==",
                "org.opencontainers.image.enc.pubopts": "eyJjaXBoZXIiOiJBRVNfMjU2X0NUUl9ITUFDX1NIQTI1NiIsImhtYWMiOiJYYU5SMUJpb3FkclRndEdQQk1waUtERGcwVmRMOUdta2JtbHNJaWFCNlVzPSIsImNpcGhlcm9wdGlvbnMiOnt9fQ=="
            }
        },
        {
            "MIMEType": "application/vnd.oci.image.layer.v1.tar+encrypted",
            "Digest": "sha256:e3f3035d2a5eda2dd7524b7c0bb70457494cad7719898768e0b7485d08b2925d",
            "Size": 3072,
            "Annotations": {
                "org.opencontainers.image.enc.keys.provider.attestation-agent": "eyJraWQiOiJrYnM6Ly8vZGVmYXVsdC9pbWFnZV9rZXkvcHJ1ZWJhIiwid3JhcHBlZF9kYXRhIjoib2E5dExOM0NQc24yUzdvM2hvQ3p6d3R5bElhbThVWStUa1FhVUhFYjBQT0tJbjM0Smx5cm1EVGUvVitZOTByNCs1cWp1MUZTQ1A2VkxZdWxncVFYRlhtdHBDb1dQYnpJRnVUZWVyb1JFUFRvVkJOMkVrREtCWk9Bc003Z1JOenU0WWJCL21sSnBpN0g1a0hXRENpbGdvOE5YQzVzc2g1c25sdENPY284dDBML2ZYR0RFT2NIR1JUMUI2UnRBb01zT2RpOTZKZDZXVnFjY2RzUUpRLyt6QnlUQ2phUXlRUmF4ZmJTWGpLVzRoeVAzZjdwRS9wRFJvSG9HaFdhd2xpL0R4R25PVCsvbU9xakNjSnM2dWpZL1l3PSIsIml2IjoieVV6T214V1hoQVZzT2FQZiIsIndyYXBfdHlwZSI6IkEyNTZHQ00ifQ==",
                "org.opencontainers.image.enc.pubopts": "eyJjaXBoZXIiOiJBRVNfMjU2X0NUUl9ITUFDX1NIQTI1NiIsImhtYWMiOiJEN0tIQit1SjJVOHhJVllYY3BpTTJ3SFdacDJ3Tkk4ZnU3aDAzSk9yNXFjPSIsImNpcGhlcm9wdGlvbnMiOnt9fQ=="
            }
        },
        {
            "MIMEType": "application/vnd.oci.image.layer.v1.tar+encrypted",
            "Digest": "sha256:1fef000e6267363edea3d1c6cb849746f3573524db588ff0604cf55912acd025",
            "Size": 6144,
            "Annotations": {
                "org.opencontainers.image.enc.keys.provider.attestation-agent": "eyJraWQiOiJrYnM6Ly8vZGVmYXVsdC9pbWFnZV9rZXkvcHJ1ZWJhIiwid3JhcHBlZF9kYXRhIjoiWWt4V0puOTJnbGUzVC9XVVBIMmdZL3RIS3dXWjk3alQyOStzdDlINGpibzJNRHB0NXF1YitYQzNReDBlaWlmbmVydDVVNEQ2WjRCQXdSbkhraTY3Y1N6akVHL3piZkVzbVpnT1V5bXhCZHdkREZWUjBRWlhFVTZtSzAra3hRWnlTZ0l0TjFhYmdUYURaMUR6VHFMeWRydHdZK1Q4RC9sZG9RU3ZSeDFKRWpXdjMwZFM5Tk85LzdiRmlOVTY4M1hIdHdSUHlzaDdoTGt4WlBaU3ZOMEh1YW8yalJPZXlHTHlwU0RVOUlGaTFLT3hzZW8zeEllY09yTWJ4Q2dNQkZ0TkZKM1JxbXFHNGZlbWNLSkNXSG01T1FvPSIsIml2IjoiZXVvWmJ6aFlhNGFkWFVaaCIsIndyYXBfdHlwZSI6IkEyNTZHQ00ifQ==",
                "org.opencontainers.image.enc.pubopts": "eyJjaXBoZXIiOiJBRVNfMjU2X0NUUl9ITUFDX1NIQTI1NiIsImhtYWMiOiJWdDY0eldQeEJBYlhWVURXei9QMEhaWlN5MWJ6QXNjZmtUdlRYS2Ivd1RBPSIsImNpcGhlcm9wdGlvbnMiOnt9fQ=="
            }
        },
        {
            "MIMEType": "application/vnd.oci.image.layer.v1.tar+encrypted",
            "Digest": "sha256:319767715710ad47373d7cb782d5b208f466983d041836dc587f4e6fd5e1bfea",
            "Size": 1024,
            "Annotations": {
                "org.opencontainers.image.enc.keys.provider.attestation-agent": "eyJraWQiOiJrYnM6Ly8vZGVmYXVsdC9pbWFnZV9rZXkvcHJ1ZWJhIiwid3JhcHBlZF9kYXRhIjoiVVFMSG9yTUcrRnh3TTd6ejdnZW5KT2xkKzdDOWhzcGxjU2VCcC9lOTF2Q29aZWNjR1RQTEx3dGhFYUpMdisyRnFqMURrNit0TzZaamRrcFNGd3F3VG1SVDk2bDlObjZjay8ra1JCTHhjNm9qK0FGRWVValE5QzVCeng1WTErdXd2M2pYOTRSaFB3Z3JUUHMrSXBXMjRjeXpoeFJ1QndvRlAvS3BsSUhqbnZiSlpPako3L2doeFJBTnFhZFIzbE5ta1lGZnNCNDVLWEpqMFNDcVA0VHhZcS9DS01zdFZTSlJlSVZXUkNpOG5tWWphYyt3WnFOd3hGU2FHZVM3R1lvZ25LL2RReGZOa05LTUI5MUNhTXpKTXdZPSIsIml2IjoiNFVnNmRFbkdxTU9tS2huMiIsIndyYXBfdHlwZSI6IkEyNTZHQ00ifQ==",
                "org.opencontainers.image.enc.pubopts": "eyJjaXBoZXIiOiJBRVNfMjU2X0NUUl9ITUFDX1NIQTI1NiIsImhtYWMiOiJ2NGhtb2cyb3U4cjkyT2FPTnk4UWpjanZqVEVOZktuUmVBZTlsOXRWeGIwPSIsImNpcGhlcm9wdGlvbnMiOnt9fQ=="
            }
        },
        {
            "MIMEType": "application/vnd.oci.image.layer.v1.tar+encrypted",
            "Digest": "sha256:3c480b098bb23cff4562303d59ede70739e616206ac32498db009958460f0f34",
            "Size": 285534720,
            "Annotations": {
                "org.opencontainers.image.enc.keys.provider.attestation-agent": "eyJraWQiOiJrYnM6Ly8vZGVmYXVsdC9pbWFnZV9rZXkvcHJ1ZWJhIiwid3JhcHBlZF9kYXRhIjoibFM2VGJ4bHlndmFOSnZ3eDRUMk9WUFJGdk91bE5udndjSzRMNzRsM0pwS25hRDVYaXF4Yjl0SlViL3A4Z1Q5V1B0ckcyUWg0YmtkUGJQL1U0UGRWcVU2YTVGK2dQZUZoMXdsVGcrMHBJSkdwV3hlZElVODlORHdNNWZFVU1VUFBHd0ZIQlpJUVF6S05LUFovZjhOdEFQeXhFNmtHNWhaZVJXTEsvQmVVOVpGNGdWakJxVy85TW9wb2pQdnE0L09qb2oyL0RrWm94SjNsbGxEOWdLd0lmSGlXZ2cvdzFCTEN6aFVLdy81N0kxYjg4a2NDMzBROXlWeWhrZk9IdUNFYkhSUjFBMmlxTy9Ld3Y3UWJ4TGlUQXZnPSIsIml2IjoiLy92WGxjNWhBNk43a0N3MSIsIndyYXBfdHlwZSI6IkEyNTZHQ00ifQ==",
                "org.opencontainers.image.enc.pubopts": "eyJjaXBoZXIiOiJBRVNfMjU2X0NUUl9ITUFDX1NIQTI1NiIsImhtYWMiOiJ6SVVST2ZnSktwTmRrRmFtbmt4ZmVYRnRKT1VBajNnSGVFZWxSVmcxSGtjPSIsImNpcGhlcm9wdGlvbnMiOnt9fQ=="
            }
        },
        {
            "MIMEType": "application/vnd.oci.image.layer.v1.tar+encrypted",
            "Digest": "sha256:4ffbdda4aee7be34266230ca7fc24dd20b542a20503a6d8076c030fcf61ddf0e",
            "Size": 9432064,
            "Annotations": {
                "org.opencontainers.image.enc.keys.provider.attestation-agent": "eyJraWQiOiJrYnM6Ly8vZGVmYXVsdC9pbWFnZV9rZXkvcHJ1ZWJhIiwid3JhcHBlZF9kYXRhIjoiRWRhdnlySkNremZMRHhsRjVOenhMY00zNXlaTFVwUVRuSFZ0NTVBNW8rMVk1VHkydG5IL3d3OXg2UVc2dzdkUENGdDc5VnNzMWoxQlMzTUpKT3NwSUFFUk9PenF4RVVzMzllRjBzdWtsMDRWM3lKU1orKzdSN09IOHRDMmZ5QUpIL0FyY3BrVjZxeHY3dThQdUUyaTVqRFVpc2lSSTREU1VBOW9kZnZWR2hYNHNDMUhCM3Frdm9hVkVlTmZPRytiZ2huWGpYTnA4R2FMQU5LWGVnZUFCQVJneURrZkcyTU92MkJMQWJQSGlydFA3WGNQaWFUVHFhaDUwbjh3U2l1ek1HRlU0eHFLdVF5Wjg1OUpKd28wV0M4PSIsIml2IjoibFR5RWdETVErQ0Y1VXY3NiIsIndyYXBfdHlwZSI6IkEyNTZHQ00ifQ==",
                "org.opencontainers.image.enc.pubopts": "eyJjaXBoZXIiOiJBRVNfMjU2X0NUUl9ITUFDX1NIQTI1NiIsImhtYWMiOiIvNFlnZi90Z1M0RWpMK1lNV0ptalc5cVQyRGFncEZua0hrV1dZOE9nK3NvPSIsImNpcGhlcm9wdGlvbnMiOnt9fQ=="
            }
        },
        {
            "MIMEType": "application/vnd.oci.image.layer.v1.tar+encrypted",
            "Digest": "sha256:67425764618b6d0ab8b008d282a2136cba455d105fe00d6114b93b1f3dc85014",
            "Size": 101047808,
            "Annotations": {
                "org.opencontainers.image.enc.keys.provider.attestation-agent": "eyJraWQiOiJrYnM6Ly8vZGVmYXVsdC9pbWFnZV9rZXkvcHJ1ZWJhIiwid3JhcHBlZF9kYXRhIjoibUIzb0U0YVl6bmNhUGVrQk5WbGZmdXorUkxxSCtrQlRlRXJJNlpnNVN6Zk9JcUNEc09PbVpvREFDa3ptVDdOcGhyU0xyWjdoOXRHZU8xRXBXMmY5Z1FmdE1Fd2dKZ1Rnai9Vb3FlVW8xSU1MTHpoZkloSzRqSHpzN0luZkgvMm82MS9wMXVrMVNUSy9vY3VLL1RBUmlKeXR3bGIvNUIzTlE4YnZ5YnZRekFjTThPRWhpcmFGTHBhM2lveDFpZE5SNVlhSk1YUzZuY2JJQnA5TUhMM3ZYRHBuUlhNNG0zSjU0WDlEUWI5SXlHMmN5cCtqQm8ydCtHSGRTQkEzcjQ2eDdYZ2NyUnlLMmhIb1k3VnU4V3F3bER3PSIsIml2IjoiZzFTcGdHbTdNN1VtVS8xdyIsIndyYXBfdHlwZSI6IkEyNTZHQ00ifQ==",
                "org.opencontainers.image.enc.pubopts": "eyJjaXBoZXIiOiJBRVNfMjU2X0NUUl9ITUFDX1NIQTI1NiIsImhtYWMiOiJxWG9Od3lNMHFqanRBVTJ2eWVTaXQreEtTT0g5dEtXVnFBdG84azZKRjdVPSIsImNpcGhlcm9wdGlvbnMiOnt9fQ=="
            }
        },
        {
            "MIMEType": "application/vnd.oci.image.layer.v1.tar+encrypted",
            "Digest": "sha256:7849bb65fe35169b27e931e2e3f5be2c0bb8399e2ae51f9de0a98c2c3e971220",
            "Size": 84929536,
            "Annotations": {
                "org.opencontainers.image.enc.keys.provider.attestation-agent": "eyJraWQiOiJrYnM6Ly8vZGVmYXVsdC9pbWFnZV9rZXkvcHJ1ZWJhIiwid3JhcHBlZF9kYXRhIjoiSkQyMTNUOVlPbGVRVEpFUER5a1NzZWJmeGtob1Jxei9hM0wzYlAyMEwwYU01M1VKcDF0TXgwUThHQkhYUloyaE42dlR2S04zRzlkOFBLSzFqbk1BZnBNSEZ0TlNNUCtreEd2aGd5YktxajZpdkVYRjNTK0pOV0RSb25GdjduMEhCVmlGbTNOOE0rNHhrdUtNMmdEdGtnRTlYMmlzYmpYZFc5Qk5KSVhtVFlHb0NpVWZQNHlqc204M1dMd3ZDUVk3WGhxSGlCODlDMXZtcVJnSmFWYmk5Q25TWVZWRHR3VWpGYTdWWUJjMW1VUFJwOEZpdHFCeFhSU2s4L1ZsZlpERi8yb0ZZTzZKRTdlamRiVjdmZ09YVmFzPSIsIml2IjoianNkY3JCZ1FickZkQ1VVdyIsIndyYXBfdHlwZSI6IkEyNTZHQ00ifQ==",
                "org.opencontainers.image.enc.pubopts": "eyJjaXBoZXIiOiJBRVNfMjU2X0NUUl9ITUFDX1NIQTI1NiIsImhtYWMiOiJwclFMRWpsRkVyU1Q1M3RQS2M2Sk83WTJiQ0xIWUVpTldTcWY2V2V5UXV3PSIsImNpcGhlcm9wdGlvbnMiOnt9fQ=="
            }
        },
        {
            "MIMEType": "application/vnd.oci.image.layer.v1.tar+encrypted",
            "Digest": "sha256:827410538f988de684cadfe54fd6fac88e4a66e3537599093d675bf380022fb0",
            "Size": 1861769216,
            "Annotations": {
                "org.opencontainers.image.enc.keys.provider.attestation-agent": "eyJraWQiOiJrYnM6Ly8vZGVmYXVsdC9pbWFnZV9rZXkvcHJ1ZWJhIiwid3JhcHBlZF9kYXRhIjoiQkRxdFEzVitzS0lqLy9NQjVidVRyZkhnS013T2pldDJxK29ObTNKbWdLamdLaVE3Y3NsWUpycmlKWHA5blFDVi91ZW5ZK2R3eHNHZUJURWNDZERMZTFUWXQ0ZEpyajZsMzFVeHU2eXF6eDNoR2pYd0h1TVBMZk9UWGhUQmZGTkpvdnRDOGNXWkdlcjBqQVEvNlJwT25ydWlSd2srdUdORjdyUlpnWi9nVTJ5Umd1b1E3UGpwNUpjMGFHb3N4Mi9FVUZkdDBLM0VlRnp5MWhMVngzWDRsSVBPS0J5ZFY0QnZqY01FN0hLaEdqSzFNZFd1QmtCNnMxMmNScUFNTGRwcktYWWNaS2doS3NhNkwvYVJuVVlFMU5BPSIsIml2IjoiWmRFdXJZbGhCc2FDN0s4NiIsIndyYXBfdHlwZSI6IkEyNTZHQ00ifQ==",
                "org.opencontainers.image.enc.pubopts": "eyJjaXBoZXIiOiJBRVNfMjU2X0NUUl9ITUFDX1NIQTI1NiIsImhtYWMiOiJsaktjdXhaY3B1cVA1WU1FNXlycmdENHpMdTlKNHlBaDhNZDNpSjJGNk1vPSIsImNpcGhlcm9wdGlvbnMiOnt9fQ=="
            }
        },
        {
            "MIMEType": "application/vnd.oci.image.layer.v1.tar+encrypted",
            "Digest": "sha256:7be58901c78db3ff1dee6831d4fe9d5e1b869f1254fb7bcf169a00ada0f95b7b",
            "Size": 11919872,
            "Annotations": {
                "org.opencontainers.image.enc.keys.provider.attestation-agent": "eyJraWQiOiJrYnM6Ly8vZGVmYXVsdC9pbWFnZV9rZXkvcHJ1ZWJhIiwid3JhcHBlZF9kYXRhIjoiRUxkcTBVVFJhdW43N0JnWnhoZld3TzhpdXNBYnJrbk5lbVJqZE1OSGp0aVdtd1YxOGJleTIzOXl1SFN2MjFUWHN2clZiQWVISitUd2VZY3RnV21vb3J1K1dKU0YraDc4MmhIWGZmYWVBRENrVVUvUDdCMVczVS9xK3lNYnA2OWRoU1ZRa3ovUlZpd3c0Y202R0Z1QzhCQk5mU2ZxZDA5NUhHdDRrK29ZbVZ4dG9qL3Q1Y3M3RUI1NlpBNU1uTFRqUkE4YkFoeElLZWhuQ09qWjhEYnFKYm1EaksyclFJODNzUzdyVlhqR1BrdFcydTFZbElwRVdMZ1pVUzhtVG9ocGFGU2lvQndXdU9hYlptT1RxOXBmMDk4PSIsIml2IjoiQlZDbEhFWi9xdWtnV0tnVyIsIndyYXBfdHlwZSI6IkEyNTZHQ00ifQ==",
                "org.opencontainers.image.enc.pubopts": "eyJjaXBoZXIiOiJBRVNfMjU2X0NUUl9ITUFDX1NIQTI1NiIsImhtYWMiOiJEeGs5cU5rYWJXTVliREkzZnNRTzk2UzVvWkJ3cThGK1RiYkZmQ2JjS080PSIsImNpcGhlcm9wdGlvbnMiOnt9fQ=="
            }
        },
        {
            "MIMEType": "application/vnd.oci.image.layer.v1.tar+encrypted",
            "Digest": "sha256:4affc0c4637d7fd6585e7f0c57377a60c5e76609544f3741e0c2f13ead7a76f9",
            "Size": 3699200,
            "Annotations": {
                "org.opencontainers.image.enc.keys.provider.attestation-agent": "eyJraWQiOiJrYnM6Ly8vZGVmYXVsdC9pbWFnZV9rZXkvcHJ1ZWJhIiwid3JhcHBlZF9kYXRhIjoiZ2prWTRNL2ZvYWIyMHQ0eGtQMTlrRG5zSFAraXUzVjhpb3hWaFJITW93Snc4N2VMR0J0T0JXQXNmUlJnNDZHU2R2d2FJR0dpTUhTZFRuVmdkMEc4WW1OWExLWnZ1cHVkZytRb1pPa1pYZTljcnNjZ0VIUXhHdmlCMWZ2VlBnQktqY2NKSnhPQTVHaitPTHBqdGE4dVYvUVJtMDUyQTZhdzhQb0l1VVBxOVNocFNMTEJGeUlqQU9QVVhkSWozeXpNcmczanQwUTZzaUtzSEhpWVdZQWZiVWNYQS80dEJmRTR3OUZPUFZaWXNPbVhwTXB2TlFPOGpmN3lUc3prUWtMMUowckRiSVNNOWQzWC9iRDREc3BTZ2hjPSIsIml2IjoibGkyd0NGS21HajZCcVVVWCIsIndyYXBfdHlwZSI6IkEyNTZHQ00ifQ==",
                "org.opencontainers.image.enc.pubopts": "eyJjaXBoZXIiOiJBRVNfMjU2X0NUUl9ITUFDX1NIQTI1NiIsImhtYWMiOiJnR3hZKzhSemFlYjNLT3dJVGNJODJvWi94cG5tSThyNlZQS3FwYnAzTzVVPSIsImNpcGhlcm9wdGlvbnMiOnt9fQ=="
            }
        },
        {
            "MIMEType": "application/vnd.oci.image.layer.v1.tar+encrypted",
            "Digest": "sha256:6ef8077b32bcb6da5d351eb5a490c36c018d63a77b034b1988577c1ff51005f6",
            "Size": 9433600,
            "Annotations": {
                "org.opencontainers.image.enc.keys.provider.attestation-agent": "eyJraWQiOiJrYnM6Ly8vZGVmYXVsdC9pbWFnZV9rZXkvcHJ1ZWJhIiwid3JhcHBlZF9kYXRhIjoic2VsOHVRb2xiNFYyODZXVjAzYjlUN0ZBYURXOVR4WVV4K2dqWDk4Skp0dThna1NUSDhxRWlSbVdCNUdJU28xQmx2dGsvV3dlSWdIbHFqa2NtSmllZ3NnTCtaWHlvZ0M2L2hoSE1zSHhQTjRzSzZqY09zWTVjbFNEOEthdWNGTE51Z1FicE5OS2haRmI5eng0Z0gwUDZVcGU2cjZRZTBXM2pMY0ljekY4b1V4c1BXazZRak4yTTdsV1BKQk9zTzlIeW1CSnlpVWxsRGt0VGxHSjBMNHhMUzUzR0VwQWp1cnhzMXZLTk9SSkdKc0RMUGZRaHpqT09aRFcrVGdjUHRpeHRoUERncTZBRkhDSGZuaDB2QU95MnM4PSIsIml2IjoiMnFxZlRVaVFDVHBvc3VwRSIsIndyYXBfdHlwZSI6IkEyNTZHQ00ifQ==",
                "org.opencontainers.image.enc.pubopts": "eyJjaXBoZXIiOiJBRVNfMjU2X0NUUl9ITUFDX1NIQTI1NiIsImhtYWMiOiIyamlFUlFQZ0NUc096YU9xVC9YZzgyTFNjUnFJWHZSZk9oMGR2LzN5NUcwPSIsImNpcGhlcm9wdGlvbnMiOnt9fQ=="
            }
        },
        {
            "MIMEType": "application/vnd.oci.image.layer.v1.tar+encrypted",
            "Digest": "sha256:1366ea2e14166d2d5ab39e7186d0e22ad52606dd0987b9e1afc6278dd43b965e",
            "Size": 14646784,
            "Annotations": {
                "org.opencontainers.image.enc.keys.provider.attestation-agent": "eyJraWQiOiJrYnM6Ly8vZGVmYXVsdC9pbWFnZV9rZXkvcHJ1ZWJhIiwid3JhcHBlZF9kYXRhIjoid0M4bExmcW5MeldPbFJaanJTMzF5NFkzQUJoRmp2c3ZqcVlHYzBtV2c5K3ZLeUFlYkQ3aFc1bzJsbW5qU1ZCUzhBcHNURXFmdTZUNVBLaVh4clJQa2tja2J6VlZIQ0JQNytTVXlVQWFDZHdlZmdvaHZUTndGUVVCZ0ozcW5WZGswQ0N0dVdncFpHMDJYdHdmc2h0clVnMlhEY0RrZGdDeXJpVHZ5MmRMTlIwcFFpVjhXNXhwZHZOL1JJVlI3TUVUdjVGcVBZS3BqTDFySUlhN1prU0Q0MC8xdVl1V2FzbmJHNGQyWFBSMTgwbDMzQ3ZwbU1CZ1ZzZVgyYTdRdnN3eXR5Qis4bzJZZ3MzV1k1a3Y3aTkySVhZPSIsIml2IjoiajJlSk5IcFZCUFhMdDlNdyIsIndyYXBfdHlwZSI6IkEyNTZHQ00ifQ==",
                "org.opencontainers.image.enc.pubopts": "eyJjaXBoZXIiOiJBRVNfMjU2X0NUUl9ITUFDX1NIQTI1NiIsImhtYWMiOiI4MGVMdEdEdUNiY2NhMm5ZckRrSFZjVW5rNytEQ1pqOWtiTDcxVllUT01vPSIsImNpcGhlcm9wdGlvbnMiOnt9fQ=="
            }
        },
        {
            "MIMEType": "application/vnd.oci.image.layer.v1.tar+encrypted",
            "Digest": "sha256:4e6cda3756b2df77e2cec4bdace6b0eaafc07901c0b186041e59a4d78e1a0dfb",
            "Size": 61829632,
            "Annotations": {
                "org.opencontainers.image.enc.keys.provider.attestation-agent": "eyJraWQiOiJrYnM6Ly8vZGVmYXVsdC9pbWFnZV9rZXkvcHJ1ZWJhIiwid3JhcHBlZF9kYXRhIjoiWnF4andHWGpGOHRINzdxRWdwcS8wQVg1VWV1Z3YrMmtSRmtoUFhwTGMyYXJSZWhiWTg0K0ZaWUZOVytMSTZRN2RwWlcrWkI5Z3dQNkFwMVFRVjJaZ3hnNkdSMEQwVlBId1VlQUkwNHRDRS8rV01NbE53ejg4M0JIZzhOWHpXcjV1L21tN1F4OGhwdG5pRGR6Z0Q4ekkrcVh5d0JSTFcrc0VOWnBBOGN5Z0liUzU3d2g3MFo0enpWVFVlUXowTlNOQVBxL3haY0JWWWpiYjFLMEJmMXVNcWVLZ1A2MWZ6aUdsS3dLam9ob3dPejcvRFUrVTZpL2NGQkptNlZyS2VtSG1EL3ErbG1PQks3K0kxNWI3MkFJZVBBPSIsIml2IjoiVjkwd2M1c0xnQTFqOCtKWiIsIndyYXBfdHlwZSI6IkEyNTZHQ00ifQ==",
                "org.opencontainers.image.enc.pubopts": "eyJjaXBoZXIiOiJBRVNfMjU2X0NUUl9ITUFDX1NIQTI1NiIsImhtYWMiOiJBNEhEd0k3aFJIeXloMlpVVVdpQkkwejZHUjNIdGFYTW4zdTJaczJWN200PSIsImNpcGhlcm9wdGlvbnMiOnt9fQ=="
            }
        },
        {
            "MIMEType": "application/vnd.oci.image.layer.v1.tar+encrypted",
            "Digest": "sha256:052f8098decb5b89be4d7dab935ec4a0143b141b3f89f14b4096d551b876e2ef",
            "Size": 7168,
            "Annotations": {
                "org.opencontainers.image.enc.keys.provider.attestation-agent": "eyJraWQiOiJrYnM6Ly8vZGVmYXVsdC9pbWFnZV9rZXkvcHJ1ZWJhIiwid3JhcHBlZF9kYXRhIjoiTmZXZHFhRjhIaDM3NmN0MTdZU2xxSWkrbnRLUEJBeWs2MWZPZGM1TW1lT2xCMmxLaHNXY0ViSFp0N2lsTHVERmRYWlhPdlhZVVd1eG52UjdaQ1I5a2ZwSVpmN2hqVEVtWTNXSWJZMXJYSGZzTDZFbU5TaXRmT25qbHQ1YmNIM2w5S05RRHBnZWM2OVVubTRCemVkdHRnVWwzalZaZXVkOVdBd2dMOWJZRXhRMkM0Y0xzQTBsL2hqTlRBYlY1YXFBc2E1eEFpanR1M21VemdZbDNkaXNxa0tTZlNKcEFEMjk5VzVENzgzUzlHZWowcTVJa0NKZmdja1RRN0lUSHhxVU5xaVRSTTV6REY2dUUvWnN1T3pDZThnPSIsIml2IjoiSHFySHN5NHVQR2ZLenRmaSIsIndyYXBfdHlwZSI6IkEyNTZHQ00ifQ==",
                "org.opencontainers.image.enc.pubopts": "eyJjaXBoZXIiOiJBRVNfMjU2X0NUUl9ITUFDX1NIQTI1NiIsImhtYWMiOiIxMlJPTC9NSUtlT2NBZjNwckVwYjBtWnhGOTNEdkxhOHpYTllvekpqNEtzPSIsImNpcGhlcm9wdGlvbnMiOnt9fQ=="
            }
        },
        {
            "MIMEType": "application/vnd.oci.image.layer.v1.tar+encrypted",
            "Digest": "sha256:07daf092e3261257df8020ba99cf9f1caff3bbeab4975bc804f046f3800476d6",
            "Size": 54423552,
            "Annotations": {
                "org.opencontainers.image.enc.keys.provider.attestation-agent": "eyJraWQiOiJrYnM6Ly8vZGVmYXVsdC9pbWFnZV9rZXkvcHJ1ZWJhIiwid3JhcHBlZF9kYXRhIjoieUU3VENkaGtPc28rZnBLaFJUb1FmTEJCTXB0TFJ2SE4wUHNoMDhVaW5od1d2T2RCZmNvcjExNjVTM25WWGI2TE0xcnd2VnhWeHl2cm8yNzZzU2hHV1NUMitqSmhyeVFudlE5Zk1sVVYyUTRKOHZTdExJRWdrZld1Slo0VEYyNEF1eGtpZldRT2J5QkRvUzVhOXJwOWtMemhMbUhrczcvdjNEaDNybXpDbDhMUGdvSG1NM1hiV3FJTk9HcEVUZXJFNldBaU1VL3Z0bUpOMThZQTArQWoweWx6T3VXek1ndzVyZGpBVGl2dnJOZU9XWHdOWHZpaWMzZ3NobSs0Nll1T21OWjIxbzhBUDJNQlI1aTlhWVc4L2FrPSIsIml2IjoieWo3cGdWOU5JVEV4L1pmdCIsIndyYXBfdHlwZSI6IkEyNTZHQ00ifQ==",
                "org.opencontainers.image.enc.pubopts": "eyJjaXBoZXIiOiJBRVNfMjU2X0NUUl9ITUFDX1NIQTI1NiIsImhtYWMiOiJGY1VoK0RibUFFenZYcUVMSVRDUHhFT0JHbnE2SzhoWUNHZnBWSVZHT3JBPSIsImNpcGhlcm9wdGlvbnMiOnt9fQ=="
            }
        },
        {
            "MIMEType": "application/vnd.oci.image.layer.v1.tar+encrypted",
            "Digest": "sha256:8c0320b891b9112027874d36bb380762e01ca17fb040bd5006e21ec095587293",
            "Size": 155714048,
            "Annotations": {
                "org.opencontainers.image.enc.keys.provider.attestation-agent": "eyJraWQiOiJrYnM6Ly8vZGVmYXVsdC9pbWFnZV9rZXkvcHJ1ZWJhIiwid3JhcHBlZF9kYXRhIjoiNEZKMHFKbnRkb2J0U0ZhNWVveGtwTlVQOFd1VE4walZSRFNEY0hVMExVS3YrS25PTHRnOWZLK2tmdzV4dElBbDFjSHZBV2VjcjFvNlhyU2RqMmFmRXdZK09CdXkyNTZaSnJ5aVAwWGlxcUdhcEtscG8zUmo5UEZ0dDBUcVFXNVhwTHozRzhCYUVCSmFxdFNTYTVoK3l0T0NIOTNEQXBsTVV4QldxUS92enpGNUFOazE4QStOaTQ1MFM2Y0lFMzEvaEtHTkdDN0EwUnBIaEcvTy9EdDBVM3JnREFGNXp4dXJXZUplVmhZU0tZWU5PV2FWT0M0cmxZQm5CYVkzOFo4V3htL3hZTEdGSGp2dVhUS1VXc05DdjRZPSIsIml2IjoiOExpQ0VFQkd4c1ZDbDJYYiIsIndyYXBfdHlwZSI6IkEyNTZHQ00ifQ==",
                "org.opencontainers.image.enc.pubopts": "eyJjaXBoZXIiOiJBRVNfMjU2X0NUUl9ITUFDX1NIQTI1NiIsImhtYWMiOiJITTNuVWM5U2FVRTNtNmpkUlY3ZTRDWkNiWk0yNkN4amErV3l5bTF6cEZFPSIsImNpcGhlcm9wdGlvbnMiOnt9fQ=="
            }
        },
        {
            "MIMEType": "application/vnd.oci.image.layer.v1.tar+encrypted",
            "Digest": "sha256:39acfee127ae132b4b2239a20d8f526b048543c2bd57f3f6c7c0ca5e82ac05ce",
            "Size": 2560,
            "Annotations": {
                "org.opencontainers.image.enc.keys.provider.attestation-agent": "eyJraWQiOiJrYnM6Ly8vZGVmYXVsdC9pbWFnZV9rZXkvcHJ1ZWJhIiwid3JhcHBlZF9kYXRhIjoicUkxODE1UTRIR0c1VXR3d2lQVGNpMlB2aFN2R05hTkpyL1RDN0FFbmNzUDRSMHhhTUlFcS9BVi9rUklnYTdsM3I5b29XN0psYU1hZXZtNklBc1JmQ0RtOERKcmROKzEvMHc3Y1FET3o2aVFBMWh6ZzlBTjR3VUpGMS9hbVg0Zm9mV2lQMzJhSFZyQnJHc3NmT2VsL3JleFFHbWdEWWtxa2NHZHVwajRPdlhtOTVLaVdKcHRhazMvRUdtL3R1Wi9vTEo2NFpERFNjTllBdjJ1MjZtY1pJNmVDeWpDanIxTTF3QVduNU02QzEwS2dtS3cyNm5YVlJnby9wd083YktRdFJ4Zm8wNG0wcTZXQjUxOVNEY2RxeXdZPSIsIml2IjoiS2RvSnhJMnhqRmV1MUlJayIsIndyYXBfdHlwZSI6IkEyNTZHQ00ifQ==",
                "org.opencontainers.image.enc.pubopts": "eyJjaXBoZXIiOiJBRVNfMjU2X0NUUl9ITUFDX1NIQTI1NiIsImhtYWMiOiI4bVM0c2xvOEs2R2ZiaE9sZ25vUUZwUm9OTTFVL2FocDNZSW1XckRwc3BBPSIsImNpcGhlcm9wdGlvbnMiOnt9fQ=="
            }
        },
        {
            "MIMEType": "application/vnd.oci.image.layer.v1.tar+encrypted",
            "Digest": "sha256:67ee1946707dc3d74e32bff15476e0edc68facaffa762db41a4f68b0ba9212f8",
            "Size": 1024,
            "Annotations": {
                "org.opencontainers.image.enc.keys.provider.attestation-agent": "eyJraWQiOiJrYnM6Ly8vZGVmYXVsdC9pbWFnZV9rZXkvcHJ1ZWJhIiwid3JhcHBlZF9kYXRhIjoiN003dlM4ZmZvMnJKZDI3T2hVQkVueW1XMTZ2VUo1Yi8vdTZwMUVFc3JRNitoWGdZaEh2RjcwU2VjdU9SOGdJYVFKQjRnV3pMWGtwbjVMS1hmWUVnTytkcVFQSWdhbWNXVStQT09GUjQ3Tlh0dFZWaGc5SXRLWWFOQUEzZlFSa0FUTmZvYThmWkpoNExWbDZFTUhzTDBpRTBvdlAwK0RkQXNmYi9LeWNzOVZpdW1hSU5IRFoxSHFUWUpPK2IzcjR3dENyTCtMcjFWWmtSVXBCZUNNRjdHZXVmNXJqSStzMGp6REg3c01lQ3JqOXJkUmduaVMvaEVxemFBeWl0R0JVRk9Db2t0YmJ5UFNucTlRTzREekUwVUNvPSIsIml2IjoiV0ZmWUVWZDBDOXdSb3ZIRyIsIndyYXBfdHlwZSI6IkEyNTZHQ00ifQ==",
                "org.opencontainers.image.enc.pubopts": "eyJjaXBoZXIiOiJBRVNfMjU2X0NUUl9ITUFDX1NIQTI1NiIsImhtYWMiOiJ4QXI3V21vYldHY1F5M2E4azNrZUdRd0Q5bnc3WStuUCt5MnJBUkpoU0swPSIsImNpcGhlcm9wdGlvbnMiOnt9fQ=="
            }
        }
    ],
    "Env": [
        "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
    ]
}

@fidencio
Copy link
Member Author

fidencio commented Dec 10, 2024

The unencrypted image is: jorgealmansa/p4custom-java

{
    "Name": "docker.io/jorgealmansa/p4custom-java",
    "Digest": "sha256:9505cacd5b5b1c54d77c79330eff7648e84e8fc41c858a230119d04ea1a33980",
    "RepoTags": [
        "encrypted",
        "latest",
        "squashed",
        "updated"
    ],
    "Created": "2024-11-14T11:42:30.649705443+01:00",
    "DockerVersion": "",
    "Labels": {
        "org.opencontainers.image.ref.name": "ubuntu",
        "org.opencontainers.image.version": "20.04"
    },
    "Architecture": "amd64",
    "Os": "linux",
    "Layers": [
        "sha256:86e5016c269355b382c9cabab4f6646d56d75914f20d545289970436dae431b1",
        "sha256:f5624a1e5a0d177e6cd4939c2d965d8816e1a7d6271f68054e46333cceca7466",
        "sha256:1ddd891c6e252ff71bdb4ac293d1529fb51f53e90c6e4fa06f35fac71419d56f",
        "sha256:78e7a12619829ccab5455a1e30e8ade5ab0e4715f8332b13d324d3c4579e71a6",
        "sha256:6a04e940a8288c7a00954ca43067faaf98bd4d6fc511c8ef45cd3fd967876b57",
        "sha256:30624295ca86b2627995fcdb428b637634f8f19230742168680f33c093c8eaab",
        "sha256:f827ad14dceff69cb2a61911b46d122dae6920d383cc92e56a72c0fe54375472",
        "sha256:c9bab1269b59c4a2a2c8876cc4d0c1f71477ad1d25eba677ced8476b23c2add6",
        "sha256:a446919e5835ef987fc4a57ac78632dedc6c8e7e17d8ca11e2074c01a083378a",
        "sha256:4e04b0744be8e3412fa8f55478681a5b078263ca5176780f003caecfb74e0bad",
        "sha256:4f4fb700ef54461cfa02571ae0db9a0dc1e0cdb5577484a6d75e68dc38e8acc1",
        "sha256:c57b3d5ac982cdb7068392698bab10a98b2a6f6549ad20d821275e019b16a17f",
        "sha256:b269c153082c0e9dede0f994dbee4517eb194c1ea5451eebf3a7124efb5e9572",
        "sha256:db45d35a1e5c0ea8e24fb5d36037cd10f6b38505210ef7a0fc8444bd17dace7a",
        "sha256:72790640b4680fea7eb8c186d1517a65bd43e5b32f1ea1689cc760481caf4f9a",
        "sha256:3e578c3f8ebe2696a67e3dabeb30c3deec43b6ca1bfb8c63b186944be31d28b2",
        "sha256:1e6d81e64b6bd7c1df545a8e71a748b9518245bfbf5f72868d95470b80070ba6",
        "sha256:605d49a00e44ab2aa7a86a3dd90c4c163a5cdf094875006f31dc720bd6c14e02",
        "sha256:7be0cded7839b60c338b6a8739444140d7bac67194f1f0c41f71aaf4368cb72d",
        "sha256:d886ee5b0f76b939c867eebde8186c61b33b56a9f8b97d66c2fdd33f7caae19f",
        "sha256:97f2a1d25e3ffc87fdba2b36bf6c551a25e97bfe8758eb9b87724cfdf4706862",
        "sha256:548af75948aee6057f466ff2152b9a972813065eae291aca7a7a145eff99c474",
        "sha256:4d192c684eca1f6fe6f1f8192138b2a8c86b2edb259bbcab802c4862c27425a9",
        "sha256:ccc23bb4865e3bcdbacf5a8f3f7efb83f5d65c67b70128dcb738a90121e3d63a",
        "sha256:bf84c1250fbdc9d0367070e9ac2cb453e67be6c869ef158bf1a021b5ad3115cb",
        "sha256:4f4fb700ef54461cfa02571ae0db9a0dc1e0cdb5577484a6d75e68dc38e8acc1"
    ],
    "LayersData": [
        {
            "MIMEType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
            "Digest": "sha256:86e5016c269355b382c9cabab4f6646d56d75914f20d545289970436dae431b1",
            "Size": 28583948,
            "Annotations": null
        },
        {
            "MIMEType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
            "Digest": "sha256:f5624a1e5a0d177e6cd4939c2d965d8816e1a7d6271f68054e46333cceca7466",
            "Size": 37517135,
            "Annotations": null
        },
        {
            "MIMEType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
            "Digest": "sha256:1ddd891c6e252ff71bdb4ac293d1529fb51f53e90c6e4fa06f35fac71419d56f",
            "Size": 37578660,
            "Annotations": null
        },
        {
            "MIMEType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
            "Digest": "sha256:78e7a12619829ccab5455a1e30e8ade5ab0e4715f8332b13d324d3c4579e71a6",
            "Size": 1289985,
            "Annotations": null
        },
        {
            "MIMEType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
            "Digest": "sha256:6a04e940a8288c7a00954ca43067faaf98bd4d6fc511c8ef45cd3fd967876b57",
            "Size": 1598784,
            "Annotations": null
        },
        {
            "MIMEType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
            "Digest": "sha256:30624295ca86b2627995fcdb428b637634f8f19230742168680f33c093c8eaab",
            "Size": 193521214,
            "Annotations": null
        },
        {
            "MIMEType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
            "Digest": "sha256:f827ad14dceff69cb2a61911b46d122dae6920d383cc92e56a72c0fe54375472",
            "Size": 4362,
            "Annotations": null
        },
        {
            "MIMEType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
            "Digest": "sha256:c9bab1269b59c4a2a2c8876cc4d0c1f71477ad1d25eba677ced8476b23c2add6",
            "Size": 392,
            "Annotations": null
        },
        {
            "MIMEType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
            "Digest": "sha256:a446919e5835ef987fc4a57ac78632dedc6c8e7e17d8ca11e2074c01a083378a",
            "Size": 532,
            "Annotations": null
        },
        {
            "MIMEType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
            "Digest": "sha256:4e04b0744be8e3412fa8f55478681a5b078263ca5176780f003caecfb74e0bad",
            "Size": 1644,
            "Annotations": null
        },
        {
            "MIMEType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
            "Digest": "sha256:4f4fb700ef54461cfa02571ae0db9a0dc1e0cdb5577484a6d75e68dc38e8acc1",
            "Size": 32,
            "Annotations": null
        },
        {
            "MIMEType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
            "Digest": "sha256:c57b3d5ac982cdb7068392698bab10a98b2a6f6549ad20d821275e019b16a17f",
            "Size": 84643105,
            "Annotations": null
        },
        {
            "MIMEType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
            "Digest": "sha256:b269c153082c0e9dede0f994dbee4517eb194c1ea5451eebf3a7124efb5e9572",
            "Size": 3777617,
            "Annotations": null
        },
        {
            "MIMEType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
            "Digest": "sha256:db45d35a1e5c0ea8e24fb5d36037cd10f6b38505210ef7a0fc8444bd17dace7a",
            "Size": 34802450,
            "Annotations": null
        },
        {
            "MIMEType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
            "Digest": "sha256:72790640b4680fea7eb8c186d1517a65bd43e5b32f1ea1689cc760481caf4f9a",
            "Size": 40160252,
            "Annotations": null
        },
        {
            "MIMEType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
            "Digest": "sha256:3e578c3f8ebe2696a67e3dabeb30c3deec43b6ca1bfb8c63b186944be31d28b2",
            "Size": 478799623,
            "Annotations": null
        },
        {
            "MIMEType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
            "Digest": "sha256:1e6d81e64b6bd7c1df545a8e71a748b9518245bfbf5f72868d95470b80070ba6",
            "Size": 4944012,
            "Annotations": null
        },
        {
            "MIMEType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
            "Digest": "sha256:605d49a00e44ab2aa7a86a3dd90c4c163a5cdf094875006f31dc720bd6c14e02",
            "Size": 1643817,
            "Annotations": null
        },
        {
            "MIMEType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
            "Digest": "sha256:7be0cded7839b60c338b6a8739444140d7bac67194f1f0c41f71aaf4368cb72d",
            "Size": 4111742,
            "Annotations": null
        },
        {
            "MIMEType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
            "Digest": "sha256:d886ee5b0f76b939c867eebde8186c61b33b56a9f8b97d66c2fdd33f7caae19f",
            "Size": 8086554,
            "Annotations": null
        },
        {
            "MIMEType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
            "Digest": "sha256:97f2a1d25e3ffc87fdba2b36bf6c551a25e97bfe8758eb9b87724cfdf4706862",
            "Size": 57194994,
            "Annotations": null
        },
        {
            "MIMEType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
            "Digest": "sha256:548af75948aee6057f466ff2152b9a972813065eae291aca7a7a145eff99c474",
            "Size": 333,
            "Annotations": null
        },
        {
            "MIMEType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
            "Digest": "sha256:4d192c684eca1f6fe6f1f8192138b2a8c86b2edb259bbcab802c4862c27425a9",
            "Size": 54201810,
            "Annotations": null
        },
        {
            "MIMEType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
            "Digest": "sha256:ccc23bb4865e3bcdbacf5a8f3f7efb83f5d65c67b70128dcb738a90121e3d63a",
            "Size": 55145890,
            "Annotations": null
        },
        {
            "MIMEType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
            "Digest": "sha256:bf84c1250fbdc9d0367070e9ac2cb453e67be6c869ef158bf1a021b5ad3115cb",
            "Size": 138,
            "Annotations": null
        },
        {
            "MIMEType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
            "Digest": "sha256:4f4fb700ef54461cfa02571ae0db9a0dc1e0cdb5577484a6d75e68dc38e8acc1",
            "Size": 32,
            "Annotations": null
        }
    ],
    "Env": [
        "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
    ]
}

@mkulke
Copy link
Contributor

mkulke commented Dec 10, 2024

it's odd that LayersData is missing in your output? older skopeo version?

@Xynnn007
Copy link
Member

Xynnn007 commented Dec 10, 2024

Seems that there are difference between unique_layers and unique_diff_ids here. I am looking inside to figure out.

@fidencio
Copy link
Member Author

it's odd that LayersData is missing in your output? older skopeo version?

I was using docker image inspect, updated the comment with the output of skopeo inspect ...

@fidencio
Copy link
Member Author

For what it's worth it, I was able to reproduce the same issue with guest-components' main

@mkulke
Copy link
Contributor

mkulke commented Dec 10, 2024

nb: the plain image has an oddity with the layer's digests, which might be related to the issue:

image

@Xynnn007
Copy link
Member

Xynnn007 commented Dec 10, 2024

nb: the plain image has an oddity with the layer's digests, which might be related to the issue:

I am afraid that it was the reason. The rootfs.diff_ids I got from the image-config is
image

Note that there are two same items.

But the image layers are explicit different ones posted here. none of them are same.

Pay attention to layer with size 1024 in the encrypted image. I am afraid that the symmetric key to encrypt the same layer is different so the encrypted layer is different but the sizes are same.

The logic in image-rs will de-duplicate the rootfs.diff_ids of image-config and layer digests. Thus the rootfs.diff_ids will decrease by 1 while layer digests will not. I am afraid that this behavior is related to skopeo who only encrypts the layer without changing items inside the image-config.

@mkulke
Copy link
Contributor

mkulke commented Dec 10, 2024

yeah, I suspected this. it would be interesting to understand how the golang image/ocicrypt are dealing with this.

Xynnn007 added a commit to Xynnn007/guest-components that referenced this issue Dec 11, 2024
Before this commit, when we pull images who have two encrypted layers
whose corresponding plaintext layers are same like
`quay.io/fidencio/prueba:encrypted`, ther will be an error like

```
index out of bounds: the len is 25 but the index is 25
```

This is caused by the deduplication logic inside image pull logic. On
one hand, it will delete duplicated layers recorded inside image
manifest, who reflectes the encrypted layers/blobs. On the other hand,
it will delete duplicated layers recorded inside the config.json, who
reflects the plaintext of the layers.

The image encryption logic will generate a random symmetric key for each
layer. Thus even the same plaintext layer would be encrypted into
different blobs/layers. Thus after deduplication, we might have more
layers for image manifest.

This patch changes the deduplicating logic, by only check the layer
digests inside image manifest, s.t. even if there are two same plaintext
layers, we will pull and decrypt both of them. It's ok to do some
optimization later if a fully analyzation is token.

Fies confidential-containers#840

Signed-off-by: Xynnn007 <[email protected]>
fidencio pushed a commit to fidencio/guest-components that referenced this issue Dec 11, 2024
Before this commit, when we pull images who have two encrypted layers
whose corresponding plaintext layers are same like
`quay.io/fidencio/prueba:encrypted`, ther will be an error like

```
index out of bounds: the len is 25 but the index is 25
```

This is caused by the deduplication logic inside image pull logic. On
one hand, it will delete duplicated layers recorded inside image
manifest, who reflectes the encrypted layers/blobs. On the other hand,
it will delete duplicated layers recorded inside the config.json, who
reflects the plaintext of the layers.

The image encryption logic will generate a random symmetric key for each
layer. Thus even the same plaintext layer would be encrypted into
different blobs/layers. Thus after deduplication, we might have more
layers for image manifest.

This patch changes the deduplicating logic, by only check the layer
digests inside image manifest, s.t. even if there are two same plaintext
layers, we will pull and decrypt both of them. It's ok to do some
optimization later if a fully analyzation is token.

Fies confidential-containers#840

Signed-off-by: Xynnn007 <[email protected]>
Xynnn007 added a commit to Xynnn007/guest-components that referenced this issue Dec 11, 2024
Before this commit, when we pull images who have two encrypted layers
whose corresponding plaintext layers are same like
`quay.io/fidencio/prueba:encrypted`, ther will be an error like

```
index out of bounds: the len is 25 but the index is 25
```

This is caused by the deduplication logic inside image pull logic. On
one hand, it will delete duplicated layers recorded inside image
manifest, who reflectes the encrypted layers/blobs. On the other hand,
it will delete duplicated layers recorded inside the config.json, who
reflects the plaintext of the layers.

The image encryption logic will generate a random symmetric key for each
layer. Thus even the same plaintext layer would be encrypted into
different blobs/layers. Thus after deduplication, we might have more
layers for image manifest.

This patch changes the deduplicating logic, by only check the layer
digests inside image manifest, s.t. even if there are two same plaintext
layers, we will pull and decrypt both of them. It's ok to do some
optimization later if a fully analyzation is token.

Fies confidential-containers#840

Signed-off-by: Xynnn007 <[email protected]>
Xynnn007 added a commit to Xynnn007/guest-components that referenced this issue Dec 12, 2024
Before this commit, when we pull images who have two encrypted layers
whose corresponding plaintext layers are same like
`quay.io/fidencio/prueba:encrypted`, ther will be an error like

```
index out of bounds: the len is 25 but the index is 25
```

This is caused by the deduplication logic inside image pull logic. On
one hand, it will delete duplicated layers recorded inside image
manifest, who reflectes the encrypted layers/blobs. On the other hand,
it will delete duplicated layers recorded inside the config.json, who
reflects the plaintext of the layers.

The image encryption logic will generate a random symmetric key for each
layer. Thus even the same plaintext layer would be encrypted into
different blobs/layers. Thus after deduplication, we might have more
layers for image manifest.

This patch changes the deduplicating logic, by only check the layer
digests inside image manifest, s.t. even if there are two same plaintext
layers, we will pull and decrypt both of them. It's ok to do some
optimization later if a fully analyzation is token.

Fies confidential-containers#840

Signed-off-by: Xynnn007 <[email protected]>
Xynnn007 added a commit that referenced this issue Dec 12, 2024
Before this commit, when we pull images who have two encrypted layers
whose corresponding plaintext layers are same like
`quay.io/fidencio/prueba:encrypted`, ther will be an error like

```
index out of bounds: the len is 25 but the index is 25
```

This is caused by the deduplication logic inside image pull logic. On
one hand, it will delete duplicated layers recorded inside image
manifest, who reflectes the encrypted layers/blobs. On the other hand,
it will delete duplicated layers recorded inside the config.json, who
reflects the plaintext of the layers.

The image encryption logic will generate a random symmetric key for each
layer. Thus even the same plaintext layer would be encrypted into
different blobs/layers. Thus after deduplication, we might have more
layers for image manifest.

This patch changes the deduplicating logic, by only check the layer
digests inside image manifest, s.t. even if there are two same plaintext
layers, we will pull and decrypt both of them. It's ok to do some
optimization later if a fully analyzation is token.

Fies #840

Signed-off-by: Xynnn007 <[email protected]>
Xynnn007 added a commit to Xynnn007/guest-components that referenced this issue Dec 12, 2024
Before this commit, when we pull images who have two encrypted layers
whose corresponding plaintext layers are same like
`quay.io/fidencio/prueba:encrypted`, ther will be an error like

```
index out of bounds: the len is 25 but the index is 25
```

This is caused by the deduplication logic inside image pull logic. On
one hand, it will delete duplicated layers recorded inside image
manifest, who reflectes the encrypted layers/blobs. On the other hand,
it will delete duplicated layers recorded inside the config.json, who
reflects the plaintext of the layers.

The image encryption logic will generate a random symmetric key for each
layer. Thus even the same plaintext layer would be encrypted into
different blobs/layers. Thus after deduplication, we might have more
layers for image manifest.

This patch changes the deduplicating logic, by only check the layer
digests inside image manifest, s.t. even if there are two same plaintext
layers, we will pull and decrypt both of them. It's ok to do some
optimization later if a fully analyzation is token.

Fies confidential-containers#840

Signed-off-by: Xynnn007 <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug Something isn't working
Projects
None yet
Development

No branches or pull requests

3 participants