enable OCI artifact for attestation manifest by default

crazy-max · crazy-max · commit bcc1482a6550 · 2026-02-17T15:45:59.000+01:00
Signed-off-by: CrazyMax &lt;1951866+crazy-max@users.noreply.github.com&gt;
diff --git a/README.md b/README.md
@@ -284,7 +284,7 @@ Keys supported by image output:
 * `push-by-digest=true`: push unnamed image
 * `registry.insecure=true`: push to insecure HTTP registry
 * `oci-mediatypes=true`: use OCI mediatypes in configuration JSON instead of Docker's
-* `oci-artifact=false`: use OCI artifact format for attestations
+* `oci-artifact=true`: use OCI artifact format for attestations
 * `unpack=true`: unpack image after creation (for use with containerd)
 * `dangling-name-prefix=<value>`: name image with `prefix@<digest>`, used for anonymous images
 * `name-canonical=true`: add additional canonical name `name@<digest>`
diff --git a/client/client_test.go b/client/client_test.go
@@ -1300,7 +1300,7 @@ func testPushByDigest(t *testing.T, sb integration.Sandbox) {
 	require.NoError(t, err)
 
 	require.Equal(t, resp.ExporterResponse[exptypes.ExporterImageDigestKey], desc.Digest.String())
-	require.Equal(t, images.MediaTypeDockerSchema2Manifest, desc.MediaType)
+	require.Equal(t, ocispecs.MediaTypeImageManifest, desc.MediaType)
 	require.Greater(t, desc.Size, int64(0))
 }
 
@@ -3848,7 +3848,7 @@ func testMultipleExporters(t *testing.T, sb integration.Sandbox) {
 		} else {
 			require.Len(t, ev.Record.Result.Results, 2)
 			require.Len(t, ev.Record.Exporters, 6)
-			require.Equal(t, images.MediaTypeDockerSchema2Manifest, ev.Record.Result.Results[0].MediaType)
+			require.Equal(t, ocispecs.MediaTypeImageManifest, ev.Record.Result.Results[0].MediaType)
 			require.Equal(t, ocispecs.MediaTypeImageManifest, ev.Record.Result.Results[1].MediaType)
 		}
 		require.Equal(t, ev.Record.Result.Results[0], ev.Record.Result.ResultDeprecated)
@@ -4874,9 +4874,9 @@ func testBuildExportWithForeignLayer(t *testing.T, sb integration.Sandbox) {
 		require.NoError(t, err)
 
 		require.Equal(t, 2, len(mfst.Layers))
-		require.Equal(t, images.MediaTypeDockerSchema2LayerForeign, mfst.Layers[0].MediaType)
+		require.Equal(t, ocispecs.MediaTypeImageLayerNonDistributableGzip, mfst.Layers[0].MediaType)
 		require.Len(t, mfst.Layers[0].URLs, 1)
-		require.Equal(t, images.MediaTypeDockerSchema2Layer, mfst.Layers[1].MediaType)
+		require.Equal(t, ocispecs.MediaTypeImageLayer, mfst.Layers[1].MediaType)
 
 		rc, err := fetcher.Fetch(ctx, ocispecs.Descriptor{Digest: mfst.Layers[0].Digest, Size: mfst.Layers[0].Size})
 		require.NoError(t, err)
@@ -4921,9 +4921,9 @@ func testBuildExportWithForeignLayer(t *testing.T, sb integration.Sandbox) {
 		require.NoError(t, err)
 
 		require.Equal(t, 2, len(mfst.Layers))
-		require.Equal(t, images.MediaTypeDockerSchema2Layer, mfst.Layers[0].MediaType)
+		require.Equal(t, ocispecs.MediaTypeImageLayer, mfst.Layers[0].MediaType)
 		require.Len(t, mfst.Layers[0].URLs, 0)
-		require.Equal(t, images.MediaTypeDockerSchema2Layer, mfst.Layers[1].MediaType)
+		require.Equal(t, ocispecs.MediaTypeImageLayer, mfst.Layers[1].MediaType)
 
 		rc, err := fetcher.Fetch(ctx, ocispecs.Descriptor{Digest: mfst.Layers[0].Digest, Size: mfst.Layers[0].Size})
 		require.NoError(t, err)
@@ -4988,7 +4988,7 @@ func testBuildExportWithUncompressed(t *testing.T, sb integration.Sandbox) {
 		mfst, err := images.Manifest(ctx, client.ContentStore(), img.Target(), nil)
 		require.NoError(t, err)
 		require.Equal(t, 1, len(mfst.Layers))
-		require.Equal(t, images.MediaTypeDockerSchema2Layer, mfst.Layers[0].MediaType)
+		require.Equal(t, ocispecs.MediaTypeImageLayer, mfst.Layers[0].MediaType)
 	}
 
 	// new layer with gzip compression
@@ -5057,8 +5057,8 @@ func testBuildExportWithUncompressed(t *testing.T, sb integration.Sandbox) {
 	err = json.Unmarshal(dt, &mfst)
 	require.NoError(t, err)
 	require.Equal(t, 2, len(mfst.Layers))
-	require.Equal(t, images.MediaTypeDockerSchema2Layer, mfst.Layers[0].MediaType)
-	require.Equal(t, images.MediaTypeDockerSchema2LayerGzip, mfst.Layers[1].MediaType)
+	require.Equal(t, ocispecs.MediaTypeImageLayer, mfst.Layers[0].MediaType)
+	require.Equal(t, ocispecs.MediaTypeImageLayerGzip, mfst.Layers[1].MediaType)
 
 	dt, err = content.ReadBlob(ctx, img.ContentStore(), ocispecs.Descriptor{Digest: mfst.Layers[0].Digest})
 	require.NoError(t, err)
@@ -5102,8 +5102,8 @@ func testBuildExportWithUncompressed(t *testing.T, sb integration.Sandbox) {
 	err = json.Unmarshal(dt, &mfst)
 	require.NoError(t, err)
 	require.Equal(t, 2, len(mfst.Layers))
-	require.Equal(t, images.MediaTypeDockerSchema2LayerGzip, mfst.Layers[0].MediaType)
-	require.Equal(t, images.MediaTypeDockerSchema2LayerGzip, mfst.Layers[1].MediaType)
+	require.Equal(t, ocispecs.MediaTypeImageLayerGzip, mfst.Layers[0].MediaType)
+	require.Equal(t, ocispecs.MediaTypeImageLayerGzip, mfst.Layers[1].MediaType)
 
 	dt, err = content.ReadBlob(ctx, img.ContentStore(), ocispecs.Descriptor{Digest: mfst.Layers[0].Digest})
 	require.NoError(t, err)
@@ -5464,10 +5464,10 @@ func testBuildPushAndValidate(t *testing.T, sb integration.Sandbox) {
 	err = json.Unmarshal(dt, &mfst)
 	require.NoError(t, err)
 
-	require.Equal(t, images.MediaTypeDockerSchema2Manifest, mfst.MediaType)
+	require.Equal(t, ocispecs.MediaTypeImageManifest, mfst.MediaType)
 	require.Equal(t, 3, len(mfst.Layers))
-	require.Equal(t, images.MediaTypeDockerSchema2LayerGzip, mfst.Layers[0].MediaType)
-	require.Equal(t, images.MediaTypeDockerSchema2LayerGzip, mfst.Layers[1].MediaType)
+	require.Equal(t, ocispecs.MediaTypeImageLayerGzip, mfst.Layers[0].MediaType)
+	require.Equal(t, ocispecs.MediaTypeImageLayerGzip, mfst.Layers[1].MediaType)
 
 	dt, err = content.ReadBlob(ctx, img.ContentStore(), ocispecs.Descriptor{Digest: mfst.Layers[0].Digest})
 	require.NoError(t, err)
@@ -9838,7 +9838,7 @@ func testExportAnnotationsMediaTypes(t *testing.T, sb integration.Sandbox) {
 	require.Equal(t, "b", imgs.Images[0].Manifest.Annotations["a"])
 	require.Equal(t, "d", imgs2.Index.Annotations["c"])
 
-	require.Equal(t, images.MediaTypeDockerSchema2ManifestList, imgs.Index.MediaType)
+	require.Equal(t, ocispecs.MediaTypeImageIndex, imgs.Index.MediaType)
 	require.Equal(t, ocispecs.MediaTypeImageIndex, imgs2.Index.MediaType)
 }
 
diff --git a/exporter/containerimage/export.go b/exporter/containerimage/export.go
@@ -77,6 +77,7 @@ func (e *imageExporter) Resolve(ctx context.Context, id int, opt map[string]stri
 			RefCfg: cacheconfig.RefConfig{
 				Compression: compression.New(compression.Default),
 			},
+			OCIArtifact:             true,
 			ForceInlineAttestations: true,
 		},
 		store: true,
diff --git a/exporter/containerimage/export_test.go b/exporter/containerimage/export_test.go
@@ -0,0 +1,37 @@
+package containerimage
+
+import (
+	"context"
+	"testing"
+
+	"github.com/moby/buildkit/exporter/containerimage/exptypes"
+	"github.com/stretchr/testify/require"
+)
+
+func TestResolveDefaultsOCIArtifactEnabled(t *testing.T) {
+	exp, err := New(Opt{})
+	require.NoError(t, err)
+
+	instAny, err := exp.Resolve(context.Background(), 0, map[string]string{})
+	require.NoError(t, err)
+
+	inst, ok := instAny.(*imageExporterInstance)
+	require.True(t, ok)
+	require.True(t, inst.opts.OCIArtifact)
+	require.True(t, inst.opts.ForceInlineAttestations)
+}
+
+func TestResolveAllowsDisablingOCIArtifact(t *testing.T) {
+	exp, err := New(Opt{})
+	require.NoError(t, err)
+
+	instAny, err := exp.Resolve(context.Background(), 0, map[string]string{
+		string(exptypes.OptKeyOCIArtifact): "false",
+	})
+	require.NoError(t, err)
+
+	inst, ok := instAny.(*imageExporterInstance)
+	require.True(t, ok)
+	require.False(t, inst.opts.OCIArtifact)
+}
+
diff --git a/exporter/oci/export.go b/exporter/oci/export.go
@@ -70,7 +70,8 @@ func (e *imageExporter) Resolve(ctx context.Context, id int, opt map[string]stri
 			RefCfg: cacheconfig.RefConfig{
 				Compression: compression.New(compression.Default),
 			},
-			OCITypes: e.opt.Variant == VariantOCI,
+			OCIArtifact: true,
+			OCITypes:    e.opt.Variant == VariantOCI,
 		},
 	}
 
diff --git a/exporter/oci/export_test.go b/exporter/oci/export_test.go
@@ -0,0 +1,38 @@
+package oci
+
+import (
+	"context"
+	"testing"
+
+	"github.com/moby/buildkit/exporter/containerimage/exptypes"
+	"github.com/stretchr/testify/require"
+)
+
+func TestResolveDefaultsOCIArtifactEnabled(t *testing.T) {
+	for _, variant := range []ExporterVariant{VariantOCI, VariantDocker} {
+		exp, err := New(Opt{Variant: variant})
+		require.NoError(t, err)
+
+		instAny, err := exp.Resolve(context.Background(), 0, map[string]string{})
+		require.NoError(t, err)
+
+		inst, ok := instAny.(*imageExporterInstance)
+		require.True(t, ok)
+		require.True(t, inst.opts.OCIArtifact)
+	}
+}
+
+func TestResolveAllowsDisablingOCIArtifact(t *testing.T) {
+	exp, err := New(Opt{Variant: VariantDocker})
+	require.NoError(t, err)
+
+	instAny, err := exp.Resolve(context.Background(), 0, map[string]string{
+		string(exptypes.OptKeyOCIArtifact): "false",
+	})
+	require.NoError(t, err)
+
+	inst, ok := instAny.(*imageExporterInstance)
+	require.True(t, ok)
+	require.False(t, inst.opts.OCIArtifact)
+}
+

Original file line number	Diff line number	Diff line change
`@@ -70,7 +70,8 @@ func (e *imageExporter) Resolve(ctx context.Context, id int, opt map[string]stri`
`70`	`70`	`RefCfg: cacheconfig.RefConfig{`
`71`	`71`	`Compression: compression.New(compression.Default),`
`72`	`72`	`},`
`73`		`- OCITypes: e.opt.Variant == VariantOCI,`
	`73`	`+ OCIArtifact: true,`
	`74`	`+ OCITypes: e.opt.Variant == VariantOCI,`
`74`	`75`	`},`
`75`	`76`	`}`
`76`	`77`