ko: SBOM can't be pushed to quay.io

$ ko version
v0.9.4-0.20211208142815-ad0607f0a1eb

$ KO_DOCKER_REPO=quay.io/imjasonh ko build ./
2021/12/13 14:45:40 Using base golang:1.17 for github.com/google/ko
2021/12/13 14:45:41 Building github.com/google/ko for linux/amd64
2021/12/13 14:46:56 Publishing quay.io/imjasonh/ko-98b8c7facdad74510a7cae0cd368eb4e:latest
2021/12/13 14:46:57 pushed blob: sha256:e4a33f5890d928895f7523a8d66d79aa990509a633e6b81d0e0006a55725f13f
2021/12/13 14:46:59 pushed blob: sha256:1ce30adc04063fdbfb60f34e83f3ec62e91c03e4b310586239902c782f4eac7c
Error: failed to publish images: error publishing ko://github.com/google/ko: writing sbom: PUT https://quay.io/v2/imjasonh/ko-98b8c7facdad74510a7cae0cd368eb4e/manifests/sha256-7c4c064d8ca7880b4a98674201b2c5e7c6df7fb536b5f4a470acce1a9f75f14b.sbom: MANIFEST_INVALID: manifest invalid; map[message:manifest schema version not supported]
2021/12/13 14:46:59 error during command execution:failed to publish images: error publishing ko://github.com/google/ko: writing sbom: PUT https://quay.io/v2/imjasonh/ko-98b8c7facdad74510a7cae0cd368eb4e/manifests/sha256-7c4c064d8ca7880b4a98674201b2c5e7c6df7fb536b5f4a470acce1a9f75f14b.sbom: MANIFEST_INVALID: manifest invalid; map[message:manifest schema version not supported]

If SBOM publishing was opt-in I’d say this is WAI and fine, but it’s going to be a pretty bad experience for happy ko users who push to Quay (and other similar registries) when they upgrade to the next release.

Should we log-and-continue if SBOM publishing fails?

@mattmoor

About this issue

  • State: closed
  • Created 3 years ago
  • Reactions: 1
  • Comments: 24 (9 by maintainers)

Most upvoted comments

@imjasonh sounds good. Yes, we are looking to enable the full list from SigStore.

This is a known issue, add --sbom=none in the meantime until Quay.io is updated to accept these types by default. 🤷‍♂️

@avinal SPDX and CycloneDX themselves are known formats. The OCI type which is used to ship those SBOMs as an OCI artifact however is not standardized, it depends on the client that is used. SigStore seems to use these here: https://github.com/sigstore/cosign/blob/main/specs/SBOM_SPEC.md#mediatypes

We are looking to enable these shortly. Hence the question whether ko aligns with that or has separate type expectations. OCI types are basically mediaType properties that need to conform to RFC 6838. There is no finite and standard list of distinct values though.

I’m going to close this issue, since I’m not sure there’s a lot we can do until quay.io supports these types.

Encountered this issue yesterday.

error: no objects passed to apply
Error: error processing import paths in "-": error resolving image references: writing sbom: PUT https://quay.io/v2/avinkuma/proxy-webhook-f8f95c9cea9508fe8915ae3d012d15fb/manifests/sha256-6e8f5b94738b4728ab479fad482ebbfaa2ac080b7feca17d5e28e4b2d15615b2.sbom: MANIFEST_INVALID: manifest invalid; map[message:failed to parse manifest: manifest data does not match schema: 'spdx+json' is not one of ['application/vnd.oci.image.layer.v1.tar', 'application/vnd.oci.image.layer.v1.tar+gzip', 'application/vnd.oci.image.layer.v1.tar+zstd', 'application/vnd.oci.image.layer.nondistributable.v1.tar', 'application/vnd.oci.image.layer.nondistributable.v1.tar+gzip', 'application/vnd.dev.cosign.simplesigning.v1+json', 'application/vnd.dsse.envelope.v1+json', 'application/tar+gzip', 'application/vnd.cncf.helm.chart.content.v1.tar+gzip', 'application/vnd.oci.image.layer.v1.tar+gzip']
Failed validating 'enum' in schema['properties']['layers']['items']['properties']['mediaType']:
    {'description': 'The MIME type of the referenced manifest',
     'enum': ['application/vnd.oci.image.layer.v1.tar',
              'application/vnd.oci.image.layer.v1.tar+gzip',
              'application/vnd.oci.image.layer.v1.tar+zstd',
              'application/vnd.oci.image.layer.nondistributable.v1.tar',
              'application/vnd.oci.image.layer.nondistributable.v1.tar+gzip',
              'application/vnd.dev.cosign.simplesigning.v1+json',
              'application/vnd.dsse.envelope.v1+json',
              'application/tar+gzip',
              'application/vnd.cncf.helm.chart.content.v1.tar+gzip',
              'application/vnd.oci.image.layer.v1.tar+gzip'],
     'type': 'string'}
On instance['layers'][0]['mediaType']:
    'spdx+json']
2022/09/21 12:56:31 error during command execution:error processing import paths in "-": error resolving image references: writing sbom: PUT https://quay.io/v2/avinkuma/proxy-webhook-f8f95c9cea9508fe8915ae3d012d15fb/manifests/sha256-6e8f5b94738b4728ab479fad482ebbfaa2ac080b7feca17d5e28e4b2d15615b2.sbom: MANIFEST_INVALID: manifest invalid; map[message:failed to parse manifest: manifest data does not match schema: 'spdx+json' is not one of ['application/vnd.oci.image.layer.v1.tar', 'application/vnd.oci.image.layer.v1.tar+gzip', 'application/vnd.oci.image.layer.v1.tar+zstd', 'application/vnd.oci.image.layer.nondistributable.v1.tar', 'application/vnd.oci.image.layer.nondistributable.v1.tar+gzip', 'application/vnd.dev.cosign.simplesigning.v1+json', 'application/vnd.dsse.envelope.v1+json', 'application/tar+gzip', 'application/vnd.cncf.helm.chart.content.v1.tar+gzip', 'application/vnd.oci.image.layer.v1.tar+gzip']
Failed validating 'enum' in schema['properties']['layers']['items']['properties']['mediaType']:
    {'description': 'The MIME type of the referenced manifest',
     'enum': ['application/vnd.oci.image.layer.v1.tar',
              'application/vnd.oci.image.layer.v1.tar+gzip',
              'application/vnd.oci.image.layer.v1.tar+zstd',
              'application/vnd.oci.image.layer.nondistributable.v1.tar',
              'application/vnd.oci.image.layer.nondistributable.v1.tar+gzip',
              'application/vnd.dev.cosign.simplesigning.v1+json',
              'application/vnd.dsse.envelope.v1+json',
              'application/tar+gzip',
              'application/vnd.cncf.helm.chart.content.v1.tar+gzip',
              'application/vnd.oci.image.layer.v1.tar+gzip'],
     'type': 'string'}
On instance['layers'][0]['mediaType']:
    'spdx+json']
make: *** [Makefile:111: apply] Error 1

Adding --sbom=none works.
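The rejection above comes from the registry validating each layer's mediaType against a fixed enum, and the earlier comment notes those values only need to be RFC 6838 media types with no standard list. As an added example (not ko's, cosign's or quay.io's code), this Go pre-push lint applies both checks to an OCI manifest before it is PUT: syntactic validity as a type/subtype, then membership in the allowlist quay.io returned in the error above. The manifest and digests are constructed stand-ins.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
)

// Constructed stand-in for the SBOM manifest ko tried to PUT above (not ko's real output).
const sbomManifest = `{"schemaVersion": 2, "mediaType": "application/vnd.oci.image.manifest.v1+json",
  "layers": [{"mediaType": "spdx+json", "size": 1234, "digest": "sha256:placeholder"}]}`

// Layer media types quay.io reported as accepted in the schema error above.
var quayLayerTypes = map[string]bool{
	"application/vnd.oci.image.layer.v1.tar":                       true,
	"application/vnd.oci.image.layer.v1.tar+gzip":                  true,
	"application/vnd.oci.image.layer.v1.tar+zstd":                  true,
	"application/vnd.oci.image.layer.nondistributable.v1.tar":      true,
	"application/vnd.oci.image.layer.nondistributable.v1.tar+gzip": true,
	"application/vnd.dev.cosign.simplesigning.v1+json":             true,
	"application/vnd.dsse.envelope.v1+json":                        true,
	"application/tar+gzip":                                         true,
	"application/vnd.cncf.helm.chart.content.v1.tar+gzip":          true,
}

// RFC 6838 syntax: restricted-name "/" restricted-name; a bare "spdx+json" has no type part and fails here.
var rfc6838 = regexp.MustCompile(`^[A-Za-z0-9][A-Za-z0-9!#$&^_.+-]{0,126}/[A-Za-z0-9][A-Za-z0-9!#$&^_.+-]{0,126}$`)

// LintLayers returns one problem per layer a registry with this allowlist would reject.
func LintLayers(raw []byte, allowed map[string]bool) ([]string, error) {
	var m struct{ Layers []struct{ MediaType string `json:"mediaType"` } `json:"layers"` }
	if err := json.Unmarshal(raw, &m); err != nil {
		return nil, fmt.Errorf("parse manifest: %w", err)
	}
	var problems []string
	for i, l := range m.Layers {
		switch {
		case !rfc8638Match(l.MediaType):
			problems = append(problems, fmt.Sprintf("layers[%d]: %q is not an RFC 6838 type/subtype", i, l.MediaType))
		case !allowed[l.MediaType]:
			problems = append(problems, fmt.Sprintf("layers[%d]: %q is well-formed but not in this registry's allowlist", i, l.MediaType))
		}
	}
	return problems, nil
}

func rfc8638Match(mt string) bool { return rfc6838.MatchString(mt) }

func main() {
	problems, err := LintLayers([]byte(sbomManifest), quayLayerTypes)
	fmt.Println(problems, err) // [layers[0]: "spdx+json" is not an RFC 6838 type/subtype] <nil>
}
```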

Still failing for me:


Yeah, this should be a release blocker. Perhaps we should use legacy media types until they get their act together?

cc @dlorenc is this the upstream guidance or what?