Explicitly fail encryption/decryption if we can't change the manifest

We would fail with an internal error anyway, this fails explicitly. Signed-off-by: Miloslav Trmač <[email protected]>
containers · Apr 25, 2023 · cd5d287 · cd5d287
1 parent 9008597
commit cd5d287
Showing 1 changed file with 8 additions and 0 deletions.
diff --git a/copy/encryption.go b/copy/encryption.go
@@ -40,6 +40,10 @@ func (ic *imageCopier) blobPipelineDecryptionStep(stream *sourceStream, srcInfo
 		}, nil
 	}
 
+	if ic.cannotModifyManifestReason != "" {
+		return nil, fmt.Errorf("layer %s should be decrypted, but we can’t modify the manifest: %s", srcInfo.Digest, ic.cannotModifyManifestReason)
+	}
+
 	desc := imgspecv1.Descriptor{
 		Annotations: stream.info.Annotations,
 	}
@@ -83,6 +87,10 @@ func (ic *imageCopier) blobPipelineEncryptionStep(stream *sourceStream, toEncryp
 		}, nil
 	}
 
+	if ic.cannotModifyManifestReason != "" {
+		return nil, fmt.Errorf("layer %s should be encrypted, but we can’t modify the manifest: %s", srcInfo.Digest, ic.cannotModifyManifestReason)
+	}
+
 	var annotations map[string]string
 	if !decryptionStep.decrypting {
 		annotations = srcInfo.Annotations