[Bug]: Fetching Empty OCI Configs with Artifact Types

[nathan-joslin]

zot version

v2.1.2

Describe the bug

The OCI Image specification includes a section on Guidelines for an Empty Descriptor and Guidelines for Artifact Usage.

From these guidelines, registries should be able to handle manifests that take the following form; which is the same as instance 2 from the Guidelines for Artifact usage but with the optional data field in the config descriptor. When fetching the config of such an artifact, Zot registry returns no content; instead of the expected empty config {}.

{
  "schemaVersion": 2,
  "mediaType": "application/vnd.oci.image.manifest.v1+json",
  "artifactType": "application/vnd.example+type",
  "config": {
    "mediaType": "application/vnd.oci.empty.v1+json",
    "digest": "sha256:44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a",
    "size": 2,
   "data": "e30="
  },
  "layers": [ ...]
}

It's worth noting Zot registry properly handles a similar use case, which does not use a manifest Artifact Type; instead using a custom config mediatype and without the optional data field. This use case is a notation signature:

{
  "schemaVersion": 2,
  "mediaType": "application/vnd.oci.image.manifest.v1+json",
  "config": {
    "mediaType": "application/vnd.cncf.notary.signature",
    "digest": "sha256:44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a",
    "size": 2
  },
  "layers": [ ...]
}

To reproduce

1. Push a manifest that includes an artifactType and an empty descriptor. Similar to:

{
  "schemaVersion": 2,
  "mediaType": "application/vnd.oci.image.manifest.v1+json",
  "artifactType": "application/vnd.example+type",
  "config": {
    "mediaType": "application/vnd.oci.empty.v1+json",
    "digest": "sha256:44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a",
    "size": 2,
   "data": "e30="
  },
  "layers": [ ...]
}

2. Fetch the config with oras, i.e. oras manifest fetch-config {ZOT_OCI_REF}.

3. Error: Error: GET "https://{ZOT_OCI_REF}/blobs/sha256:44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a": mismatch Content-Length

NOTE: Other methods of pulling the OCI config may trigger similar errors, for instance oras blob fetch -o - {ZOT_OCI_REF} results in Error: mismatched digest. All of which are related to returning no content rather than the expected empty config {}.

Expected behavior

As mentioned previously, the expected behavior is similar to how Zot registry already handles a similar manifest; which doesn't use a manifest artifactType and instead a custom config mediatype.

{
  "schemaVersion": 2,
  "mediaType": "application/vnd.oci.image.manifest.v1+json",
  "config": {
    "mediaType": "application/vnd.cncf.notary.signature",
    "digest": "sha256:44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a",
    "size": 2
  },
  "layers": [ ...]
}

Screenshots

No response

Additional context

Adding the --debug flag to oras commands may be helpful.

[andaaron]

Isn't the client supposed skip the pull of sha256:44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a? The whole point of application/vnd.oci.empty.v1+json is not to have a separate config file, to include it in the manifest. Why would the client try to download it separately?

This being the config "data": "e30="

[nathan-joslin]

@andaaron I think that is a valid point, and I mostly agree. However, IMHO I do not believe it would be a good practice to assume that all clients do this optimization; especially since this is an optional field which, to my knowledge, the OCI Image and Distribution Specifications do not explicitly require clients to utilize.

In any case, the Distribution spec does not explicitly define how to pull configs - only manifests and blobs. Referring to the blobs section, "A GET request to an existing blob URL MUST provide the expected blob...".

We can see Zot does not provide the content as required per the distribution spec.

With oras --debug we can see an inaccurate Content-Length header.

< Response Status: "200 OK"
< Response headers:
   "Content-Length": "0"
   "Content-Type": ""
   "Docker-Content-Digest": "sha256:44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a"
   "Date": "Thu, 20 Feb 2025 14:46:51 GMT"

Similarly, if we hit the blobs endpoint directly with curl we don't get the correct content, but including the output here doesn't achieve much since there is no content.
Edit: I will include the response headers from curl anyhow:

> GET /v2/REDACTED/blobs/sha256:44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a HTTP/2
> Host: REDACTED
> User-Agent: curl/8.12.1
> Accept: */*
> 
* Request completely sent off
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
< HTTP/2 200 
< content-length: 0
< content-type: */*
< docker-content-digest: sha256:44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
< date: Thu, 20 Feb 2025 17:32:52 GMT
< x-envoy-upstream-service-time: 65
< server: istio-envoy

[andaaron]

The empty config is not stored as a blob. And I assume the client did not push it as a separate blob either (I can check though) if the client had pushed it, it would have been there to be pulled.

Will double check, but in general if the client didn't push the config blob to the /blobs endpoint, we can't expect zot to serve it.

[andaaron]

The empty config is not stored as a blob. And I assume the client did not push it as a separate blob either (I can check though) if the client had pushed it, it would have been there to be pulled.

Will double check, but in general if the client didn't push the config blob, we can't expect zot to serve it.

What client pushed the image/artifact/manifest to zot?

[nathan-joslin]

I've been testing with both the oras cli and our application that utilizes oras-go. It may be the case that the blob wasn't pushed to that specific registry/repository. From my understanding it seems Zot does some optimizations with cross-repository mounting internally, despite us not explicitly asking it to do so. In many cases, Zot will respond with 200 OK if the blob exists elsewhere in the registry. This makes it a bit more difficult for me to confirm.

[rchincha]

@nathan-joslin you could turn off zot dedupe and gc for your testing.

[andaaron]

This is really strange. The issue does not reproduce with the data below:

cat oci/index.json | jq
{
  "schemaVersion": 2,
  "manifests": [
    {
      "mediaType": "application/vnd.oci.image.manifest.v1+json",
      "digest": "sha256:a4d2f252e858117bc09a285ed90101b51dfaf62e091a423487454811f5e7ee4a",
      "size": 502,
      "annotations": {
        "org.opencontainers.image.created": "2025-02-23T16:30:28Z",
        "org.opencontainers.image.ref.name": "hello"
      },
      "artifactType": "application/vnd.example+type"
    }
  ]
}

cat oci/blobs/sha256/a4d2f252e858117bc09a285ed90101b51dfaf62e091a423487454811f5e7ee4a | jq
{
  "schemaVersion": 2,
  "mediaType": "application/vnd.oci.image.manifest.v1+json",
  "artifactType": "application/vnd.example+type",
  "config": {
    "mediaType": "application/vnd.oci.empty.v1+json",
    "digest": "sha256:44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a",
    "size": 2
  },
  "layers": [
    {
      "mediaType": "application/vnd.example+type",
      "digest": "sha256:a948904f2f0f479b8f8197694b30184b0d2ed1c1cd2a1ec0fb85d299a192a447",
      "size": 12
    }
  ]
}

cat oci/blobs/sha256/44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a | jq
{}

cat oci/blobs/sha256/a948904f2f0f479b8f8197694b30184b0d2ed1c1cd2a1ec0fb85d299a192a447
hello world

skopeo --insecure-policy copy --dest-creds test:test oci:oci:hello docker://redacted:8080/hi:v1 --debug
DEBU[0000] Using registries.d directory /etc/containers/registries.d
DEBU[0000] Returning credentials for redacted:8080/hi from DockerAuthConfig
DEBU[0000]  Lookaside configuration: using "default-docker" configuration
DEBU[0000]   Using "sigstore-staging" file:///var/lib/containers/sigstore
DEBU[0000] Looking for TLS certificates and private keys in /etc/docker/certs.d/redacted:8080
DEBU[0000] Loading registries configuration "/etc/containers/registries.conf"
DEBU[0000] Loading registries configuration "/etc/containers/registries.conf.d/000-shortnames.conf"
DEBU[0000]  Sigstore attachments: using "default-docker" configuration
DEBU[0000] Using blob info cache at /data/hdd/home/andaaron/.local/share/containers/cache/blob-info-cache-v1.boltdb
DEBU[0000] IsRunningImageAllowed for image oci:/data/ssd/zot/tmp/oci
DEBU[0000]  Using default policy section
DEBU[0000]  Requirement 0: allowed
DEBU[0000] Overall: allowed
Getting image source signatures
DEBU[0000] Manifest has MIME type application/vnd.oci.image.manifest.v1+json, ordered candidate list [application/vnd.oci.image.manifest.v1+json, application/vnd.docker.distribution.manifest.v2+json, application/vnd.docker.distribution.manifest.v1+prettyjws, application/vnd.oci.image.index.v1+json, application/vnd.docker.distribution.manifest.list.v2+json, application/vnd.docker.distribution.manifest.v1+json]
DEBU[0000] ... will first try using the original manifest unmodified
DEBU[0000] Checking if we can reuse blob sha256:a948904f2f0f479b8f8197694b30184b0d2ed1c1cd2a1ec0fb85d299a192a447: general substitution = true, compression for MIME type "application/vnd.example+type" = false
DEBU[0000] Checking /v2/hi/blobs/sha256:a948904f2f0f479b8f8197694b30184b0d2ed1c1cd2a1ec0fb85d299a192a447
DEBU[0000] GET https://redacted:8080/v2/
DEBU[0000] Ping https://redacted:8080/v2/ status 401
DEBU[0000] HEAD https://redacted:8080/v2/hi/blobs/sha256:a948904f2f0f479b8f8197694b30184b0d2ed1c1cd2a1ec0fb85d299a192a447
DEBU[0000] ... already exists
DEBU[0000] Skipping blob sha256:a948904f2f0f479b8f8197694b30184b0d2ed1c1cd2a1ec0fb85d299a192a447 (already present):
Copying blob a948904f2f0f skipped: already exists
DEBU[0000] No compression detected
DEBU[0000] Compression change for blob sha256:44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a ("application/vnd.oci.empty.v1+json") not supported
DEBU[0000] Using original blob without modification
Copying config 44136fa355 done
DEBU[0000] Checking /v2/hi/blobs/sha256:44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
Copying config 44136fa355 done
DEBU[0000] ... already exists
Writing manifest to image destination
DEBU[0000] PUT https://redacted:8080/v2/hi/manifests/v1
Storing signatures

oras manifest fetch-config redacted:8080/hi:v1 --debug
DEBU[0000] > Request URL: "https://redacted:8080/v2/hi/manifests/v1"
DEBU[0000] > Request method: "GET"
DEBU[0000] > Request headers:
DEBU[0000]    "Accept": "application/vnd.docker.distribution.manifest.v2+json, application/vnd.docker.distribution.manifest.list.v2+json, application/vnd.oci.image.manifest.v1+json, application/vnd.oci.image.index.v1+json, application/vnd.oci.artifact.manifest.v1+json"
DEBU[0000]    "User-Agent": "oras/1.0.0-rc.1"
DEBU[0000] < Response Status: "401 Unauthorized"
DEBU[0000] < Response headers:
DEBU[0000]    "Content-Type": "application/json"
DEBU[0000]    "Www-Authenticate": "Basic realm=\"zot\""
DEBU[0000]    "Content-Length": "253"
DEBU[0000]    "Date": "Sun, 23 Feb 2025 17:02:05 GMT"
DEBU[0000] > Request URL: "https://redacted:8080/v2/hi/manifests/v1"
DEBU[0000] > Request method: "GET"
DEBU[0000] > Request headers:
DEBU[0000]    "Accept": "application/vnd.docker.distribution.manifest.v2+json, application/vnd.docker.distribution.manifest.list.v2+json, application/vnd.oci.image.manifest.v1+json, application/vnd.oci.image.index.v1+json, application/vnd.oci.artifact.manifest.v1+json"
DEBU[0000]    "Authorization": "*****"
DEBU[0000]    "User-Agent": "oras/1.0.0-rc.1"
DEBU[0000] < Response Status: "200 OK"
DEBU[0000] < Response headers:
DEBU[0000]    "Date": "Sun, 23 Feb 2025 17:02:05 GMT"
DEBU[0000]    "Access-Control-Allow-Credentials": "true"
DEBU[0000]    "Access-Control-Allow-Origin": "*"
DEBU[0000]    "Content-Type": "application/vnd.oci.image.manifest.v1+json"
DEBU[0000]    "Docker-Content-Digest": "sha256:a4d2f252e858117bc09a285ed90101b51dfaf62e091a423487454811f5e7ee4a"
DEBU[0000]    "Content-Length": "502"
DEBU[0000] > Request URL: "https://redacted:8080/v2/hi/blobs/sha256:44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a"
DEBU[0000] > Request method: "GET"
DEBU[0000] > Request headers:
DEBU[0000]    "User-Agent": "oras/1.0.0-rc.1"
DEBU[0000]    "Authorization": "*****"
DEBU[0000] < Response Status: "200 OK"
DEBU[0000] < Response headers:
DEBU[0000]    "Content-Type": ""
DEBU[0000]    "Docker-Content-Digest": "sha256:44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a"
DEBU[0000]    "Content-Length": "2"
DEBU[0000]    "Date": "Sun, 23 Feb 2025 17:02:05 GMT"
{}

[andaaron]

Working for:

cat oci/blobs/sha256/5d7761d8b0e162c618bceef92cd2c1e542074afa6fb703bd0c68149fbdb5aea3 | jq
{
  "schemaVersion": 2,
  "mediaType": "application/vnd.oci.image.manifest.v1+json",
  "artifactType": "application/vnd.example+type",
  "config": {
    "mediaType": "application/vnd.oci.empty.v1+json",
    "digest": "sha256:44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a",
    "size": 2,
    "data": "e30="
  },
  "layers": [
    {
      "mediaType": "application/vnd.example+type",
      "digest": "sha256:a948904f2f0f479b8f8197694b30184b0d2ed1c1cd2a1ec0fb85d299a192a447",
      "size": 12
    }
  ]
}

cat oci/index.json | jq
{
  "schemaVersion": 2,
  "manifests": [
    {
      "mediaType": "application/vnd.oci.image.manifest.v1+json",
      "digest": "sha256:a4d2f252e858117bc09a285ed90101b51dfaf62e091a423487454811f5e7ee4a",
      "size": 502,
      "annotations": {
        "org.opencontainers.image.created": "2025-02-23T16:30:28Z",
        "org.opencontainers.image.ref.name": "hello"
      },
      "artifactType": "application/vnd.example+type"
    },
    {
      "mediaType": "application/vnd.oci.image.manifest.v1+json",
      "digest": "sha256:5d7761d8b0e162c618bceef92cd2c1e542074afa6fb703bd0c68149fbdb5aea3",
      "size": 522,
      "annotations": {
        "org.opencontainers.image.created": "2025-02-23T16:30:28Z",
        "org.opencontainers.image.ref.name": "hello2"
      },
      "artifactType": "application/vnd.example+type"
    }
  ]
}

skopeo --insecure-policy copy --dest-creds test:test oci:oci:hello2 docker://redacted:8080/hi2:v1 --debug
DEBU[0000] Using registries.d directory /etc/containers/registries.d
DEBU[0000] Returning credentials for redacted:8080/hi2 from DockerAuthConfig
DEBU[0000]  Lookaside configuration: using "default-docker" configuration
DEBU[0000]   Using "sigstore-staging" file:///var/lib/containers/sigstore
DEBU[0000] Looking for TLS certificates and private keys in /etc/docker/certs.d/redacted:8080
DEBU[0000] Loading registries configuration "/etc/containers/registries.conf"
DEBU[0000] Loading registries configuration "/etc/containers/registries.conf.d/000-shortnames.conf"
DEBU[0000]  Sigstore attachments: using "default-docker" configuration
DEBU[0000] Using blob info cache at /data/hdd/home/andaaron/.local/share/containers/cache/blob-info-cache-v1.boltdb
DEBU[0000] IsRunningImageAllowed for image oci:/data/ssd/zot/tmp/oci
DEBU[0000]  Using default policy section
DEBU[0000]  Requirement 0: allowed
DEBU[0000] Overall: allowed
Getting image source signatures
DEBU[0000] Manifest has MIME type application/vnd.oci.image.manifest.v1+json, ordered candidate list [application/vnd.oci.image.manifest.v1+json, application/vnd.docker.distribution.manifest.v2+json, application/vnd.docker.distribution.manifest.v1+prettyjws, application/vnd.oci.image.index.v1+json, application/vnd.docker.distribution.manifest.list.v2+json, application/vnd.docker.distribution.manifest.v1+json]
DEBU[0000] ... will first try using the original manifest unmodified
DEBU[0000] Checking if we can reuse blob sha256:a948904f2f0f479b8f8197694b30184b0d2ed1c1cd2a1ec0fb85d299a192a447: general substitution = true, compression for MIME type "application/vnd.example+type" = false
DEBU[0000] Checking /v2/hi2/blobs/sha256:a948904f2f0f479b8f8197694b30184b0d2ed1c1cd2a1ec0fb85d299a192a447
DEBU[0000] GET https://redacted:8080/v2/
DEBU[0000] Ping https://redacted:8080/v2/ status 401
DEBU[0000] HEAD https://redacted:8080/v2/hi2/blobs/sha256:a948904f2f0f479b8f8197694b30184b0d2ed1c1cd2a1ec0fb85d299a192a447
DEBU[0000] ... already exists
DEBU[0000] Skipping blob sha256:a948904f2f0f479b8f8197694b30184b0d2ed1c1cd2a1ec0fb85d299a192a447 (already present):
Copying blob a948904f2f0f skipped: already exists
DEBU[0000] No compression detected
DEBU[0000] Compression change for blob sha256:44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a ("application/vnd.oci.empty.v1+json") not supported
DEBU[0000] Using original blob without modification
DEBU[0000] Checking /v2/hi2/blobs/sha256:44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
DEBU[0000] HEAD https://redacted:8080/v2/hi2/blobs/sha256:44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
Copying config 44136fa355 done
DEBU[0000] ... already exists
Writing manifest to image destination
DEBU[0000] PUT https://redacted:8080/v2/hi2/manifests/v1
Storing signatures

oras manifest fetch-config redacted:8080/hi2:v1 --debug
DEBU[0000] > Request URL: "https://redacted:8080/v2/hi2/manifests/v1"
DEBU[0000] > Request method: "GET"
DEBU[0000] > Request headers:
DEBU[0000]    "Accept": "application/vnd.docker.distribution.manifest.v2+json, application/vnd.docker.distribution.manifest.list.v2+json, application/vnd.oci.image.manifest.v1+json, application/vnd.oci.image.index.v1+json, application/vnd.oci.artifact.manifest.v1+json"
DEBU[0000]    "User-Agent": "oras/1.0.0-rc.1"
DEBU[0000] < Response Status: "401 Unauthorized"
DEBU[0000] < Response headers:
DEBU[0000]    "Content-Type": "application/json"
DEBU[0000]    "Www-Authenticate": "Basic realm=\"zot\""
DEBU[0000]    "Content-Length": "253"
DEBU[0000]    "Date": "Sun, 23 Feb 2025 17:14:04 GMT"
DEBU[0000] > Request URL: "https://redacted:8080/v2/hi2/manifests/v1"
DEBU[0000] > Request method: "GET"
DEBU[0000] > Request headers:
DEBU[0000]    "Accept": "application/vnd.docker.distribution.manifest.v2+json, application/vnd.docker.distribution.manifest.list.v2+json, application/vnd.oci.image.manifest.v1+json, application/vnd.oci.image.index.v1+json, application/vnd.oci.artifact.manifest.v1+json"
DEBU[0000]    "Authorization": "*****"
DEBU[0000]    "User-Agent": "oras/1.0.0-rc.1"
DEBU[0000] < Response Status: "200 OK"
DEBU[0000] < Response headers:
DEBU[0000]    "Access-Control-Allow-Origin": "*"
DEBU[0000]    "Content-Type": "application/vnd.oci.image.manifest.v1+json"
DEBU[0000]    "Docker-Content-Digest": "sha256:5d7761d8b0e162c618bceef92cd2c1e542074afa6fb703bd0c68149fbdb5aea3"
DEBU[0000]    "Content-Length": "522"
DEBU[0000]    "Date": "Sun, 23 Feb 2025 17:14:04 GMT"
DEBU[0000]    "Access-Control-Allow-Credentials": "true"
DEBU[0000] > Request URL: "https://redacted:8080/v2/hi2/blobs/sha256:44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a"
DEBU[0000] > Request method: "GET"
DEBU[0000] > Request headers:
DEBU[0000]    "Authorization": "*****"
DEBU[0000]    "User-Agent": "oras/1.0.0-rc.1"
DEBU[0000] < Response Status: "200 OK"
DEBU[0000] < Response headers:
DEBU[0000]    "Content-Type": ""
DEBU[0000]    "Docker-Content-Digest": "sha256:44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a"
DEBU[0000]    "Content-Length": "2"
DEBU[0000]    "Date": "Sun, 23 Feb 2025 17:14:04 GMT"
{}

Tested again, this time with clean storage:

skopeo --insecure-policy copy --dest-creds test:test oci:oci:hello2 docker://redacted:8080/hi2:v1 --debug
DEBU[0000] Using registries.d directory /etc/containers/registries.d
DEBU[0000] Returning credentials for redacted:8080/hi2 from DockerAuthConfig
DEBU[0000]  Lookaside configuration: using "default-docker" configuration
DEBU[0000]   Using "sigstore-staging" file:///var/lib/containers/sigstore
DEBU[0000] Looking for TLS certificates and private keys in /etc/docker/certs.d/redacted:8080
DEBU[0000] Loading registries configuration "/etc/containers/registries.conf"
DEBU[0000] Loading registries configuration "/etc/containers/registries.conf.d/000-shortnames.conf"
DEBU[0000]  Sigstore attachments: using "default-docker" configuration
DEBU[0000] Using blob info cache at /data/hdd/home/andaaron/.local/share/containers/cache/blob-info-cache-v1.boltdb
DEBU[0000] IsRunningImageAllowed for image oci:/data/ssd/zot/tmp/oci
DEBU[0000]  Using default policy section
DEBU[0000]  Requirement 0: allowed
DEBU[0000] Overall: allowed
Getting image source signatures
DEBU[0000] Manifest has MIME type application/vnd.oci.image.manifest.v1+json, ordered candidate list [application/vnd.oci.image.manifest.v1+json, application/vnd.docker.distribution.manifest.v2+json, application/vnd.docker.distribution.manifest.v1+prettyjws, application/vnd.oci.image.index.v1+json, application/vnd.docker.distribution.manifest.list.v2+json, application/vnd.docker.distribution.manifest.v1+json]
DEBU[0000] ... will first try using the original manifest unmodified
DEBU[0000] Checking if we can reuse blob sha256:a948904f2f0f479b8f8197694b30184b0d2ed1c1cd2a1ec0fb85d299a192a447: general substitution = true, compression for MIME type "application/vnd.example+type" = false
DEBU[0000] Checking /v2/hi2/blobs/sha256:a948904f2f0f479b8f8197694b30184b0d2ed1c1cd2a1ec0fb85d299a192a447
DEBU[0000] GET https://redacted:8080/v2/
DEBU[0000] Ping https://redacted:8080/v2/ status 200
DEBU[0000] HEAD https://redacted:8080/v2/hi2/blobs/sha256:a948904f2f0f479b8f8197694b30184b0d2ed1c1cd2a1ec0fb85d299a192a447
DEBU[0000] ... not present
DEBU[0000] Trying to reuse cached location sha256:a948904f2f0f479b8f8197694b30184b0d2ed1c1cd2a1ec0fb85d299a192a447 with no compression in redacted:8080/hi2
DEBU[0000] ... Already tried the primary destination
DEBU[0000] Trying to reuse cached location sha256:a948904f2f0f479b8f8197694b30184b0d2ed1c1cd2a1ec0fb85d299a192a447 with no compression in redacted:8080/hi
DEBU[0000] Checking /v2/hi/blobs/sha256:a948904f2f0f479b8f8197694b30184b0d2ed1c1cd2a1ec0fb85d299a192a447
DEBU[0000] HEAD https://redacted:8080/v2/hi/blobs/sha256:a948904f2f0f479b8f8197694b30184b0d2ed1c1cd2a1ec0fb85d299a192a447
DEBU[0000] ... not present
DEBU[0000] Trying to reuse cached location sha256:a948904f2f0f479b8f8197694b30184b0d2ed1c1cd2a1ec0fb85d299a192a447 with no compression in redacted:8080/hello
DEBU[0000] Checking /v2/hello/blobs/sha256:a948904f2f0f479b8f8197694b30184b0d2ed1c1cd2a1ec0fb85d299a192a447
DEBU[0000] HEAD https://redacted:8080/v2/hello/blobs/sha256:a948904f2f0f479b8f8197694b30184b0d2ed1c1cd2a1ec0fb85d299a192a447
DEBU[0000] ... not present
DEBU[0000] No compression detected
DEBU[0000] Compression change for blob sha256:a948904f2f0f479b8f8197694b30184b0d2ed1c1cd2a1ec0fb85d299a192a447 ("application/vnd.example+type") not supported
DEBU[0000] Using original blob without modification
DEBU[0000] Checking /v2/hi2/blobs/sha256:a948904f2f0f479b8f8197694b30184b0d2ed1c1cd2a1ec0fb85d299a192a447
DEBU[0000] HEAD https://redacted:8080/v2/hi2/blobs/sha256:a948904f2f0f479b8f8197694b30184b0d2ed1c1cd2a1ec0fb85d299a192a447
DEBU[0000] ... not present
DEBU[0000] Uploading /v2/hi2/blobs/uploads/
DEBU[0000] POST https://redacted:8080/v2/hi2/blobs/uploads/
DEBU[0000] PATCH https://redacted:8080/v2/hi2/blobs/uploads/fb184109-235b-4749-bf46-51ae6371bd32
Copying blob a948904f2f0f done
DEBU[0000] PUT https://redacted:8080/v2/hi2/blobs/uploads/fb184109-235b-4749-bf46-51ae6371bd32?digest=sha256%3Aa948904f2f0f479b8f8197694b30184b0d2ed1c1cd2a1ec0fb85d299a192a447
DEBU[0000] Upload of layer sha256:a948904f2f0f479b8f8197694b30184b0d2ed1c1cd2a1ec0fb85d299a192a447 complete
DEBU[0000] No compression detected
DEBU[0000] Compression change for blob sha256:44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a ("application/vnd.oci.empty.v1+json") not supported
DEBU[0000] Using original blob without modification
DEBU[0000] Checking /v2/hi2/blobs/sha256:44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
DEBU[0000] HEAD https://redacted:8080/v2/hi2/blobs/sha256:44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
Copying config 44136fa355 done
DEBU[0000] ... not present
DEBU[0000] Uploading /v2/hi2/blobs/uploads/
DEBU[0000] POST https://redacted:8080/v2/hi2/blobs/uploads/
DEBU[0000] PATCH https://redacted:8080/v2/hi2/blobs/uploads/248129f5-90e1-4f9d-92e3-782c92256e88
DEBU[0000] PUT https://redacted:8080/v2/hi2/blobs/uploads/248129f5-90e1-4f9d-92e3-782c92256e88?digest=sha256%3A44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
DEBU[0000] Upload of layer sha256:44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a complete
Writing manifest to image destination
DEBU[0000] PUT https://redacted:8080/v2/hi2/manifests/v1
Storing signatures

oras manifest fetch-config redacted:8080/hi2:v1 --debug
DEBU[0000] > Request URL: "https://redacted:8080/v2/hi2/manifests/v1"
DEBU[0000] > Request method: "GET"
DEBU[0000] > Request headers:
DEBU[0000]    "Accept": "application/vnd.docker.distribution.manifest.v2+json, application/vnd.docker.distribution.manifest.list.v2+json, application/vnd.oci.image.manifest.v1+json, application/vnd.oci.image.index.v1+json, application/vnd.oci.artifact.manifest.v1+json"
DEBU[0000]    "User-Agent": "oras/1.0.0-rc.1"
DEBU[0000] < Response Status: "200 OK"
DEBU[0000] < Response headers:
DEBU[0000]    "Content-Type": "application/vnd.oci.image.manifest.v1+json"
DEBU[0000]    "Docker-Content-Digest": "sha256:5d7761d8b0e162c618bceef92cd2c1e542074afa6fb703bd0c68149fbdb5aea3"
DEBU[0000]    "Content-Length": "522"
DEBU[0000]    "Date": "Sun, 23 Feb 2025 18:04:31 GMT"
DEBU[0000]    "Access-Control-Allow-Origin": "*"
DEBU[0000] > Request URL: "https://redacted:8080/v2/hi2/blobs/sha256:44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a"
DEBU[0000] > Request method: "GET"
DEBU[0000] > Request headers:
DEBU[0000]    "User-Agent": "oras/1.0.0-rc.1"
DEBU[0000] < Response Status: "200 OK"
DEBU[0000] < Response headers:
DEBU[0000]    "Content-Type": ""
DEBU[0000]    "Docker-Content-Digest": "sha256:44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a"
DEBU[0000]    "Content-Length": "2"
DEBU[0000]    "Date": "Sun, 23 Feb 2025 18:04:31 GMT"
{}

[andaaron]

@nathan-joslin, what are the exact commands you are using to push the artifact to zot?

[nathan-joslin]

@andaaron One method I've used is oras push --artifact-type application/vnd.example+type OCI_REF file.txt, which indicates it was uploaded (can confirm with --debug). A subsequent oras fetch-config fails.

$ oras version
Version:    1.2.2+Homebrew
Go version: go1.23.4

After attempting the reproduce with a fresh zot instance deployed to a local kind cluster it seems to work fine. Perhaps this is another issue...