Protobuf bundle support for subcommand clean

cmd/cosign/cli/clean.go

@@ -62,32 +62,76 @@ func CleanCmd(ctx context.Context, regOpts options.RegistryOptions, cleanType op
 	}
 
 	remoteOpts := regOpts.GetRegistryClientOpts(ctx)
+	ociRemoteOpts := ociremote.WithRemoteOptions(remoteOpts...)
 
-	sigRef, err := ociremote.SignatureTag(ref, ociremote.WithRemoteOptions(remoteOpts...))
+	sigRef, err := ociremote.SignatureTag(ref, ociRemoteOpts)
 	if err != nil {
 		return err
 	}
 
-	attRef, err := ociremote.AttestationTag(ref, ociremote.WithRemoteOptions(remoteOpts...))
+	attRef, err := ociremote.AttestationTag(ref, ociRemoteOpts)
 	if err != nil {
 		return err
 	}
 
-	sbomRef, err := ociremote.SBOMTag(ref, ociremote.WithRemoteOptions(remoteOpts...))
+	sbomRef, err := ociremote.SBOMTag(ref, ociRemoteOpts)
 	if err != nil {
 		return err
 	}
 
-	var cleanTags []name.Tag
+	referrerRefs := []name.Reference{}
+	digest, ok := ref.(name.Digest)
+	if !ok {
+		var err error
+		digest, err = ociremote.ResolveDigest(ref, ociRemoteOpts)
+		if err != nil {
+			return fmt.Errorf("resolving digest: %w", err)
+		}
+	}
+	idx, err := remote.Referrers(digest, remoteOpts...)
+	if err != nil {
+		return err
+	}
+	if idx != nil {
+		// Delete manifest
+		imgDigest, err := idx.Digest()
+		if err != nil {
+			return err
+		}
+		referrerDigestStr := fmt.Sprintf("%s@%s", ref.Context().Name(), imgDigest.String())
+		referrerDigest, err := name.NewDigest(referrerDigestStr)
+		if err != nil {
+			return err
+		}
+		referrerRefs = append(referrerRefs, referrerDigest)
+
+		// Delete layers in the manifest
+		idxManifest, err := idx.IndexManifest()
+		if err != nil {
+			return err
+		}
+		if idxManifest != nil {
+			for _, manifest := range idxManifest.Manifests {
+				layerDigestStr := fmt.Sprintf("%s@%s", ref.Context().Name(), manifest.Digest.String())
+				layerDigest, err := name.NewDigest(layerDigestStr)
+				if err != nil {
+					return err
+				}
+				referrerRefs = append(referrerRefs, layerDigest)
+			}
+		}
+	}
+
+	var cleanTags []name.Reference
 	switch cleanType {
 	case options.CleanTypeSignature:
-		cleanTags = []name.Tag{sigRef}
+		cleanTags = append([]name.Reference{sigRef}, referrerRefs...)
 	case options.CleanTypeSbom:
-		cleanTags = []name.Tag{sbomRef}
+		cleanTags = []name.Reference{sbomRef}
 	case options.CleanTypeAttestation:
-		cleanTags = []name.Tag{attRef}
+		cleanTags = append([]name.Reference{attRef}, referrerRefs...)
 	case options.CleanTypeAll:
-		cleanTags = []name.Tag{sigRef, attRef, sbomRef}
+		cleanTags = append([]name.Reference{sigRef, attRef, sbomRef}, referrerRefs...)
 	default:
 		panic("invalid CleanType value")
 	}
@@ -103,13 +147,16 @@ func CleanCmd(ctx context.Context, regOpts options.RegistryOptions, cleanType op
 			case errors.As(err, &te) && te.StatusCode == http.StatusBadRequest:
 				// Docker registry >=v2.3 requires does not allow deleting the OCI object name directly, must use the digest instead.
 				// See https://github.com/distribution/distribution/blob/main/docs/content/spec/api.md#deleting-an-image
-				if err := deleteByDigest(t, remoteOpts...); err != nil {
-					if errors.As(err, &te) && te.StatusCode == http.StatusNotFound { //nolint: revive
+				tTag, ok := t.(name.Tag)
+				if ok {
+					if err := deleteByDigest(tTag, remoteOpts...); err != nil {
+						if errors.As(err, &te) && te.StatusCode == http.StatusNotFound { //nolint: revive
+						} else {
+							fmt.Fprintf(os.Stderr, "could not delete %s by digest from %s:\n%v\n", t, imageRef, err)
+						}
 					} else {
-						fmt.Fprintf(os.Stderr, "could not delete %s by digest from %s:\n%v\n", t, imageRef, err)
+						fmt.Fprintf(os.Stderr, "Removed %s from %s\n", t, imageRef)
 					}
-				} else {
-					fmt.Fprintf(os.Stderr, "Removed %s from %s\n", t, imageRef)
 				}
 			default:
 				fmt.Fprintf(os.Stderr, "could not delete %s from %s:\n%v\n", t, imageRef, err)

test/e2e_test.go

@@ -296,6 +296,28 @@ func TestImportSignVerifyClean(t *testing.T) {
 
 	// It doesn't work
 	mustErr(verify(pubKeyPath, imgName, true, nil, "", false), t)
+
+	// Sign with new bundle format
+	so.NewBundleFormat = true
+	must(sign.SignCmd(ctx, ro, ko, so, []string{imgName}), t)
+
+	// Verify should work again
+	trustedRootPath := prepareTrustedRoot(t, "")
+	bundleVerifyCmd := cliverify.VerifyCommand{
+		CommonVerifyOptions: options.CommonVerifyOptions{
+			TrustedRootPath: trustedRootPath,
+		},
+		KeyRef:              pubKeyPath,
+		NewBundleFormat:     true,
+		UseSignedTimestamps: false,
+	}
+	must(bundleVerifyCmd.Exec(ctx, []string{imgName}), t)
+
+	// Clean again
+	must(cli.CleanCmd(ctx, options.RegistryOptions{}, "all", imgName, true), t)
+
+	// Verify should fail again
+	mustErr(bundleVerifyCmd.Exec(ctx, []string{imgName}), t)
 }
 
 type targetInfo struct {