Skip to content

Fix duplicate .att/.sig OCI layers for same digest type hints#1601

Open
ab-ghosh wants to merge 1 commit intotektoncd:mainfrom
ab-ghosh:fix-duplicate-oci-layers-1596
Open

Fix duplicate .att/.sig OCI layers for same digest type hints#1601
ab-ghosh wants to merge 1 commit intotektoncd:mainfrom
ab-ghosh:fix-duplicate-oci-layers-1596

Conversation

@ab-ghosh
Copy link
Copy Markdown
Member

@ab-ghosh ab-ghosh commented Mar 28, 2026

Changes

When a Task declares the same OCI image through multiple type-hint formats, produces duplicate layers in the .att and/or .sig manifests.

This fixes the issue at two levels:

  1. Extraction-level dedup — Added a seen map in ExtractOCIImagesFromResults to skip already-extracted digests across all type-hint parsing loops.
  2. Storage-level dedup — Before appending a new layer in AttestationStorer.Store and SimpleStorer.Store, check if a layer with the same content digest already exists. This handles the case where independent signable types (TaskRunArtifact and OCIArtifact) both store to the same .att/.sig tag.

Fixes #1596

Submitter Checklist

As the author of this PR, please check off the items in this checklist:

  • Has Docs included if any changes are user facing
  • Has Tests included if any functionality added or changed
  • Follows the commit message standard
  • Meets the Tekton contributor standards (including
    functionality, content, code)
  • Release notes block below has been updated with any user facing changes (API changes, bug fixes, changes requiring upgrade notices or deprecation warnings)
  • Release notes contains the string "action required" if the change requires additional action from users switching to the new release

Release Notes

NONE

@tekton-robot tekton-robot added the size/L Denotes a PR that changes 100-499 lines, ignoring generated files. label Mar 28, 2026
@ab-ghosh ab-ghosh force-pushed the fix-duplicate-oci-layers-1596 branch from 84b9ba9 to 0151950 Compare March 28, 2026 18:58
@anithapriyanatarajan
Copy link
Copy Markdown
Contributor

anithapriyanatarajan commented Apr 1, 2026

/approve

@tekton-robot tekton-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Apr 1, 2026
@anithapriyanatarajan anithapriyanatarajan removed the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Apr 1, 2026
@anithapriyanatarajan
Copy link
Copy Markdown
Contributor

anithapriyanatarajan commented Apr 1, 2026

/kind bug

@tekton-robot tekton-robot added the kind/bug Categorizes issue or PR as related to a bug. label Apr 1, 2026
@ab-ghosh
Copy link
Copy Markdown
Member Author

ab-ghosh commented Apr 1, 2026

/cc @jkhelil

infernus01
infernus01 approved these changes Apr 2, 2026
View reviewed changes
Copy link
Copy Markdown
Member

@infernus01 infernus01 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just a small NIT.

pkg/artifacts/signable.go
continue
}
if seen[dgst.DigestStr()] {
continue
Copy link
Copy Markdown
Member

@infernus01 infernus01 Apr 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

NIT - Adding a log line for eg. logger.Debugf("Skipping duplicate digest %s", dgst.DigestStr()) would help people understand why an image wasn't processed.

Copy link
Copy Markdown
Member Author

@ab-ghosh ab-ghosh Apr 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the suggestion, addressed.

pkg/artifacts/signable.go
continue
}
if seen[dgst.DigestStr()] {
continue
Copy link
Copy Markdown
Member

@infernus01 infernus01 Apr 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same NIT here.

@tekton-robot
Copy link
Copy Markdown

tekton-robot commented Apr 2, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: anithapriyanatarajan, infernus01

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:
  • OWNERS [anithapriyanatarajan]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@tekton-robot tekton-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Apr 2, 2026
@ab-ghosh ab-ghosh mentioned this pull request Apr 2, 2026
Open
6 tasks
@ab-ghosh
Fix duplicate .att/.sig OCI layers for same-digest type hints
7d970c4 
  When a Task declares the same OCI image through multiple type-hint
  formats (IMAGE_URL/IMAGE_DIGEST and IMAGES), Chains produces duplicate
  layers in cosign .att/.sig manifests. This adds dedup at two levels:

  1. Extraction: track seen digests in ExtractOCIImagesFromResults to
     avoid returning the same digest from different type-hint formats
  2. Storage: check existing layers in AttestationStorer and SimpleStorer
     before appending, preventing duplicates from independent signable
     types (TaskRunArtifact + OCIArtifact) storing to the same tag

  Also adds debug logging when existing layer checks fail instead of
  silently swallowing errors.

  Fixes tektoncd#1596
@ab-ghosh ab-ghosh force-pushed the fix-duplicate-oci-layers-1596 branch from 0151950 to 7d970c4 Compare April 2, 2026 08:27
@infernus01
Copy link
Copy Markdown
Member

infernus01 commented Apr 2, 2026

/lgtm

@tekton-robot
Copy link
Copy Markdown

tekton-robot commented Apr 2, 2026

@infernus01: changing LGTM is restricted to collaborators

Details

In response to this:

/lgtm

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jkhelil jkhelil Awaiting requested review from jkhelil

@PuneetPunamiya PuneetPunamiya Awaiting requested review from PuneetPunamiya

1 more reviewer

@infernus01 infernus01 infernus01 approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. kind/bug Categorizes issue or PR as related to a bug. size/L Denotes a PR that changes 100-499 lines, ignoring generated files.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Duplicate .att / .sig layers when multiple type hints resolve to the same digest

4 participants

@ab-ghosh @anithapriyanatarajan @tekton-robot @infernus01