diff --git a/internal/controller/ocirepository_controller.go b/internal/controller/ocirepository_controller.go index 1bdd53575..ec941a1fd 100644 --- a/internal/controller/ocirepository_controller.go +++ b/internal/controller/ocirepository_controller.go @@ -442,7 +442,6 @@ func (r *OCIRepositoryReconciler) reconcileSource(ctx context.Context, sp *patch } // Get the upstream revision from the artifact digest - // TODO: getRevision resolves the digest, which may change before image is fetched, so it should probaly update ref revision, err := r.getRevision(ref, opts) if err != nil { e := serror.NewGeneric( @@ -455,6 +454,8 @@ func (r *OCIRepositoryReconciler) reconcileSource(ctx context.Context, sp *patch metaArtifact := &meta.Artifact{Revision: revision} metaArtifact.DeepCopyInto(metadata) + digestRef := ref.Context().Digest(r.digestFromRevision(revision)) + // Mark observations about the revision on the object defer func() { if !obj.GetArtifact().HasRevision(revision) { @@ -481,7 +482,7 @@ func (r *OCIRepositoryReconciler) reconcileSource(ctx context.Context, sp *patch conditions.GetObservedGeneration(obj, sourcev1.SourceVerifiedCondition) != obj.Generation || conditions.IsFalse(obj, sourcev1.SourceVerifiedCondition) { - result, err := r.verifySignature(ctx, obj, ref, keychain, authenticator, transport, opts...) + result, err := r.verifySignature(ctx, obj, digestRef, keychain, authenticator, transport, opts...) if err != nil { provider := obj.Spec.Verify.Provider if obj.Spec.Verify.SecretRef == nil && obj.Spec.Verify.Provider == "cosign" { @@ -508,7 +509,7 @@ func (r *OCIRepositoryReconciler) reconcileSource(ctx context.Context, sp *patch } // Pull artifact from the remote container registry - img, err := remote.Image(ref, opts...) + img, err := remote.Image(digestRef, opts...) if err != nil { e := serror.NewGeneric( fmt.Errorf("failed to pull artifact from '%s': %w", obj.Spec.URL, err), 
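Review bot: `digestRef` in the second hunk is built with `ref.Context().Digest(...)`, which in go-containerregistry assembles the reference without validating the digest string. If `r.digestFromRevision(revision)` (not visible here) ever yields an empty or malformed value, the failure would surface later, inside signature verification or the pull, rather than at this line. Since this reference is now both what is verified and what is fetched, consider failing closed at construction, e.g. `digestRef, err := name.NewDigest(ref.Context().Name() + "@" + r.digestFromRevision(revision))` with the usual `serror.NewGeneric` return, assuming the `name` package is already imported in this file. A comment such as `// Pin to the resolved digest so the image that is verified is the image that is pulled, even if the tag moves in between.` would also record why `ref` must not be used below this point. The body of reconcileSource starts and ends outside the hunk.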
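Review bot: The pull-failure message in the last hunk still reports `obj.Spec.URL`, although the request now goes to `digestRef`. The test changes further down suggest the verification error already names the digest reference, so the two failure paths would describe the same artifact differently. Naming the pinned reference lets events and logs show exactly which digest was attempted, which helps when triaging a tag that was re-pointed upstream: `fmt.Errorf("failed to pull artifact from '%s': %w", digestRef.String(), err)`. The surrounding error handling continues outside the hunk.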
diff --git a/internal/controller/ocirepository_controller_test.go b/internal/controller/ocirepository_controller_test.go index 7c4dc7a01..e5ed391af 100644 --- a/internal/controller/ocirepository_controller_test.go +++ b/internal/controller/ocirepository_controller_test.go @@ -2046,12 +2046,12 @@ func TestOCIRepository_reconcileSource_verifyOCISourceSignatureCosign(t *testing Tag: "6.1.5", }, wantErr: true, - wantErrMsg: "failed to verify the signature using provider 'cosign': no matching signatures were found for ''", + wantErrMsg: "failed to verify the signature using provider 'cosign': no matching signatures were found for ''", want: sreconcile.ResultEmpty, assertConditions: []metav1.Condition{ *conditions.TrueCondition(meta.ReconcilingCondition, meta.ProgressingReason, "building artifact: new revision '' for ''"), *conditions.UnknownCondition(meta.ReadyCondition, meta.ProgressingReason, "building artifact: new revision '' for ''"), - *conditions.FalseCondition(sourcev1.SourceVerifiedCondition, sourcev1.VerificationError, "failed to verify the signature using provider '': no matching signatures were found for ''"), + *conditions.FalseCondition(sourcev1.SourceVerifiedCondition, sourcev1.VerificationError, "failed to verify the signature using provider '': no matching signatures were found for ''"), }, }, { 
@@ -2248,9 +2248,11 @@ func TestOCIRepository_reconcileSource_verifyOCISourceSignatureCosign(t *testing } image := podinfoVersions[tt.reference.Tag] + digestURL := artifactRef.Context().Digest(image.digest.String()).String() assertConditions := tt.assertConditions for k := range assertConditions { assertConditions[k].Message = strings.ReplaceAll(assertConditions[k].Message, "", fmt.Sprintf("%s@%s", tt.reference.Tag, image.digest.String())) + assertConditions[k].Message = strings.ReplaceAll(assertConditions[k].Message, "", digestURL) assertConditions[k].Message = strings.ReplaceAll(assertConditions[k].Message, "", artifactRef.String()) assertConditions[k].Message = strings.ReplaceAll(assertConditions[k].Message, "", "cosign") } @@ -2269,6 +2271,7 @@ func TestOCIRepository_reconcileSource_verifyOCISourceSignatureCosign(t *testing artifact := &meta.Artifact{} got, err := r.reconcileSource(ctx, sp, obj, artifact, tmpDir) if tt.wantErr { + tt.wantErrMsg = strings.ReplaceAll(tt.wantErrMsg, "", digestURL) tt.wantErrMsg = strings.ReplaceAll(tt.wantErrMsg, "", artifactRef.String()) g.Expect(err).ToNot(BeNil()) g.Expect(err.Error()).To(ContainSubstring(tt.wantErrMsg))
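Review bot: The assertions updated in these hunks only check that the error and condition messages now carry `digestURL`. None of the visible cases exercises what the controller change guards against, namely a tag that is re-pointed between `getRevision` and the verify or pull step. A regression case would make the test registry serve a different manifest for the tag after the digest has been resolved. It would then assert that `reconcileSource` still verifies and fetches the originally resolved digest, for example by comparing the resulting artifact revision with `image.digest.String()`. Without it, a later refactor that passes `ref` to `remote.Image` again would still pass this table. The table and the test function body extend beyond these hunks, so such a case may already exist elsewhere.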