Do not use Windows-reserved ':' in sigstore file names

i.e. use …/busybox@sha256=… instead of ../busybox@sha256:… . See containers/image#187 for more discussion. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
Manuel-Suarez-Abascal80n9y · Sep 8, 2026 · a11a128 · a11a128
1 parent d4ffcdf
commit a11a128
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 10 deletions.
diff --git a/docker/lookaside.go b/docker/lookaside.go
@@ -195,6 +195,6 @@ func signatureStorageURL(base signatureStorageBase, manifestDigest digest.Digest
 		return nil
 	}
 	url := *base
-	url.Path = fmt.Sprintf("%s@%s/signature-%d", url.Path, manifestDigest.String(), index+1)
+	url.Path = fmt.Sprintf("%s@%s=%s/signature-%d", url.Path, manifestDigest.Algorithm(), manifestDigest.Hex(), index+1)
 	return &url
 }
diff --git a/docker/lookaside_test.go b/docker/lookaside_test.go
@@ -252,26 +252,27 @@ func TestRegistryNamespaceSignatureTopLevel(t *testing.T) {
 }
 
 func TestSignatureStorageBaseSignatureStorageURL(t *testing.T) {
-	const md = "sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
+	const mdInput = "sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
+	const mdMapped = "sha256=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
 
-	assert.True(t, signatureStorageURL(nil, md, 0) == nil)
+	assert.True(t, signatureStorageURL(nil, mdInput, 0) == nil)
 	for _, c := range []struct {
 		base     string
 		index    int
 		expected string
 	}{
-		{"file:///tmp", 0, "file:///tmp@" + md + "/signature-1"},
-		{"file:///tmp", 1, "file:///tmp@" + md + "/signature-2"},
-		{"https://localhost:5555/root", 0, "https://localhost:5555/root@" + md + "/signature-1"},
-		{"https://localhost:5555/root", 1, "https://localhost:5555/root@" + md + "/signature-2"},
-		{"http://localhost:5555/root", 0, "http://localhost:5555/root@" + md + "/signature-1"},
-		{"http://localhost:5555/root", 1, "http://localhost:5555/root@" + md + "/signature-2"},
+		{"file:///tmp", 0, "file:///tmp@" + mdMapped + "/signature-1"},
+		{"file:///tmp", 1, "file:///tmp@" + mdMapped + "/signature-2"},
+		{"https://localhost:5555/root", 0, "https://localhost:5555/root@" + mdMapped + "/signature-1"},
+		{"https://localhost:5555/root", 1, "https://localhost:5555/root@" + mdMapped + "/signature-2"},
+		{"http://localhost:5555/root", 0, "http://localhost:5555/root@" + mdMapped + "/signature-1"},
+		{"http://localhost:5555/root", 1, "http://localhost:5555/root@" + mdMapped + "/signature-2"},
 	} {
 		url, err := url.Parse(c.base)
 		require.NoError(t, err)
 		expectedURL, err := url.Parse(c.expected)
 		require.NoError(t, err)
-		res := signatureStorageURL(url, md, c.index)
+		res := signatureStorageURL(url, mdInput, c.index)
 		assert.Equal(t, expectedURL, res, c.expected)
 	}
 }