From fe84c5f40fe54068a5c9614600b3c75b9b151d21 Mon Sep 17 00:00:00 2001
From: Mikalai Radchuk <509198+m1kola@users.noreply.github.com>
Date: Mon, 14 Oct 2024 14:13:36 +0200
Subject: [PATCH] Fix pulling signed images (#1369)

This fixes "pushing signatures for OCI images is not supported" error when working with signed source images. If policy context requires signature validation for a registry we will still be performing it on pull, but we will be removing source signatures when copying into a temporary OCI layout for unpacking.

Signed-off-by: Mikalai Radchuk
---
 internal/rukpak/source/containers_image.go | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/internal/rukpak/source/containers_image.go b/internal/rukpak/source/containers_image.go
index 132f6fcd3..76c5812c8 100644
--- a/internal/rukpak/source/containers_image.go
+++ b/internal/rukpak/source/containers_image.go
@@ -123,6 +123,12 @@ func (i *ContainersImageRegistry) Unpack(ctx context.Context, bundle *BundleSour
 //////////////////////////////////////////////////////
 if _, err := copy.Image(ctx, policyContext, layoutRef, dockerRef, ©.Options{
 SourceCtx: srcCtx,
+ // We use the OCI layout as a temporary storage and
+ // pushing signatures for OCI images is not supported
+ // so we remove the source signatures when copying.
+ // Signature validation will still be performed
+ // accordingly to a provided policy context.
+ RemoveSignatures: true,
 }); err != nil {
 return nil, fmt.Errorf("error copying image: %w", err)
 }
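Review bot: With `RemoveSignatures: true` in the `copy.Options` literal, the temporary OCI layout never carries the source signatures, so the only trust decision for the bundle is the one the commit message says `copy.Image` makes against `policyContext` during this call; nothing that reads the layout afterwards can re-verify it. The added comment should state that invariant outright, for example `// Signatures are checked here against policyContext and then dropped; the layout copy is unsigned, so do not treat it as a signed artifact later.` (and "accordingly to a provided" reads better as "according to the provided"). The patch touches one file and adds no test, so a case that pulls a signed image under a policy requiring signatures, plus one where verification is expected to fail, would pin that the option does not weaken enforcement. How `policyContext` is built is outside the hunk, so whether a permissive default policy applies here cannot be judged from these lines. Unpack's body starts and ends outside the hunk.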