containers · bitoku · Sep 2, 2025 · Sep 3, 2025 · Sep 3, 2025 · Sep 3, 2025
diff --git a/...h_signature/blobs/sha256/0c8b263642b51b5c1dc40fe402ae2e97119c6007b6e52146419985ec1f0092dc b/...h_signature/blobs/sha256/0c8b263642b51b5c1dc40fe402ae2e97119c6007b6e52146419985ec1f0092dc
@@ -0,0 +1 @@
+insert binary content here #9671
diff --git a/...h_signature/blobs/sha256/44353f0bf0dd9507c2e9daea7ad4f8a5f0e23bc16068d612227507e54599c18a b/...h_signature/blobs/sha256/44353f0bf0dd9507c2e9daea7ad4f8a5f0e23bc16068d612227507e54599c18a
@@ -0,0 +1 @@
+{"architecture":"","os":"","config":{},"rootfs":{"type":"","diff_ids":["sha256:6f06dd0e26608013eff30bb1e951cda7de3fdd9e78e907470e0dd5c0ed25e273"]}}
diff --git a/...h_signature/blobs/sha256/6f06dd0e26608013eff30bb1e951cda7de3fdd9e78e907470e0dd5c0ed25e273 b/...h_signature/blobs/sha256/6f06dd0e26608013eff30bb1e951cda7de3fdd9e78e907470e0dd5c0ed25e273
@@ -0,0 +1 @@
+test-payload
diff --git a/...h_signature/blobs/sha256/a527179158cd5cebc11c152b8637b47ce96c838ba2aa0de66d14f45cedc11423 b/...h_signature/blobs/sha256/a527179158cd5cebc11c152b8637b47ce96c838ba2aa0de66d14f45cedc11423
@@ -0,0 +1,30 @@
+{
+  "created": "2019-08-20T20:19:55.211423266Z",
+  "architecture": "amd64",
+  "os": "linux",
+  "config": {
+    "Env": [
+      "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+    ],
+    "Cmd": [
+      "/bin/sh"
+    ]
+  },
+  "rootfs": {
+    "type": "layers",
+    "diff_ids": [
+      "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
+    ]
+  },
+  "history": [
+    {
+      "created": "2019-08-20T20:19:55.062606894Z",
+      "created_by": "/bin/sh -c #(nop) ADD file:fe64057fbb83dccb960efabbf1cd8777920ef279a7fa8dbca0a8801c651bdf7c in / "
+    },
+    {
+      "created": "2019-08-20T20:19:55.211423266Z",
+      "created_by": "/bin/sh -c #(nop)  CMD [\"/bin/sh\"]",
+      "empty_layer": true
+    }
+  ]
+}
diff --git a/...h_signature/blobs/sha256/e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 b/...h_signature/blobs/sha256/e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
@@ -0,0 +1,27 @@
+{
+  "schemaVersion": 2,
+  "mediaType": "application/vnd.oci.image.manifest.v1+json",
+  "config": {
+    "mediaType": "application/vnd.oci.image.config.v1+json",
+    "digest": "sha256:44353f0bf0dd9507c2e9daea7ad4f8a5f0e23bc16068d612227507e54599c18a",
+    "size": 147
+  },
+  "layers": [
+    {
+      "mediaType": "application/vnd.dev.cosign.simplesigning.v1+json",
+      "digest": "sha256:6f06dd0e26608013eff30bb1e951cda7de3fdd9e78e907470e0dd5c0ed25e273",
+      "size": 12,
+      "annotations": {
+        "dev.cosignproject.cosign/signature": "test-signature"
+      }
+    }
+  ],
+  "subject": {
+    "mediaType": "application/vnd.oci.image.manifest.v1+json",
+    "digest": "sha256:eaa95f3cfaac07c8a5153eb77c933269586ad0226c83405776be08547e4d2a18",
+    "size": 1506,
+    "annotations": {
+      "org.opencontainers.image.ref.name": "imageValue"
+    }
+  }
+}
diff --git a/...h_signature/blobs/sha256/eaa95f3cfaac07c8a5153eb77c933269586ad0226c83405776be08547e4d2a18 b/...h_signature/blobs/sha256/eaa95f3cfaac07c8a5153eb77c933269586ad0226c83405776be08547e4d2a18
@@ -0,0 +1,16 @@
+{
+  "schemaVersion": 2,
+  "mediaType": "application/vnd.oci.image.manifest.v1+json",
+  "config": {
+    "mediaType": "application/vnd.oci.image.config.v1+json",
+    "digest": "sha256:a527179158cd5cebc11c152b8637b47ce96c838ba2aa0de66d14f45cedc11423",
+    "size": 585
+  },
+  "layers": [
+    {
+      "mediaType": "application/vnd.oci.image.layer.v1.tar+gzip",
+      "digest": "sha256:0c8b263642b51b5c1dc40fe402ae2e97119c6007b6e52146419985ec1f0092dc",
+      "size": 33
+    }
+  ]
+}
diff --git a/image/oci/layout/fixtures/delete_image_with_signature/index.json b/image/oci/layout/fixtures/delete_image_with_signature/index.json
@@ -0,0 +1,21 @@
+{
+  "schemaVersion": 2,
+  "manifests": [
+    {
+      "mediaType": "application/vnd.oci.image.manifest.v1+json",
+      "digest": "sha256:eaa95f3cfaac07c8a5153eb77c933269586ad0226c83405776be08547e4d2a18",
+      "size": 476,
+      "annotations": {
+        "org.opencontainers.image.ref.name": "latest"
+      }
+    },
+    {
+      "mediaType": "application/vnd.oci.image.manifest.v1+json",
+      "digest": "sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
+      "size": 704,
+      "annotations": {
+        "org.opencontainers.image.ref.name": "sha256-eaa95f3cfaac07c8a5153eb77c933269586ad0226c83405776be08547e4d2a18.sig"
+      }
+    }
+  ]
+}
diff --git a/image/oci/layout/fixtures/delete_image_with_signature/oci-layout b/image/oci/layout/fixtures/delete_image_with_signature/oci-layout
@@ -0,0 +1 @@
+{"imageLayoutVersion": "1.0.0"}
diff --git a/...mage_layout/blobs/sha256/0c8b263642b51b5c1dc40fe402ae2e97119c6007b6e52146419985ec1f0092dc b/...mage_layout/blobs/sha256/0c8b263642b51b5c1dc40fe402ae2e97119c6007b6e52146419985ec1f0092dc
@@ -0,0 +1 @@
+insert binary content here #9671
diff --git a/...mage_layout/blobs/sha256/a527179158cd5cebc11c152b8637b47ce96c838ba2aa0de66d14f45cedc11423 b/...mage_layout/blobs/sha256/a527179158cd5cebc11c152b8637b47ce96c838ba2aa0de66d14f45cedc11423
@@ -0,0 +1,30 @@
+{
+  "created": "2019-08-20T20:19:55.211423266Z",
+  "architecture": "amd64",
+  "os": "linux",
+  "config": {
+    "Env": [
+      "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+    ],
+    "Cmd": [
+      "/bin/sh"
+    ]
+  },
+  "rootfs": {
+    "type": "layers",
+    "diff_ids": [
+      "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
+    ]
+  },
+  "history": [
+    {
+      "created": "2019-08-20T20:19:55.062606894Z",
+      "created_by": "/bin/sh -c #(nop) ADD file:fe64057fbb83dccb960efabbf1cd8777920ef279a7fa8dbca0a8801c651bdf7c in / "
+    },
+    {
+      "created": "2019-08-20T20:19:55.211423266Z",
+      "created_by": "/bin/sh -c #(nop)  CMD [\"/bin/sh\"]",
+      "empty_layer": true
+    }
+  ]
+}
diff --git a/...mage_layout/blobs/sha256/eaa95f3cfaac07c8a5153eb77c933269586ad0226c83405776be08547e4d2a18 b/...mage_layout/blobs/sha256/eaa95f3cfaac07c8a5153eb77c933269586ad0226c83405776be08547e4d2a18
@@ -0,0 +1,16 @@
+{
+  "schemaVersion": 2,
+  "mediaType": "application/vnd.oci.image.manifest.v1+json",
+  "config": {
+    "mediaType": "application/vnd.oci.image.config.v1+json",
+    "digest": "sha256:a527179158cd5cebc11c152b8637b47ce96c838ba2aa0de66d14f45cedc11423",
+    "size": 585
+  },
+  "layers": [
+    {
+      "mediaType": "application/vnd.oci.image.layer.v1.tar+gzip",
+      "digest": "sha256:0c8b263642b51b5c1dc40fe402ae2e97119c6007b6e52146419985ec1f0092dc",
+      "size": 33
+    }
+  ]
+}
diff --git a/image/oci/layout/fixtures/single_image_layout/index.json b/image/oci/layout/fixtures/single_image_layout/index.json
@@ -0,0 +1,13 @@
+{
+  "schemaVersion": 2,
+  "manifests": [
+    {
+      "mediaType": "application/vnd.oci.image.manifest.v1+json",
+      "digest": "sha256:eaa95f3cfaac07c8a5153eb77c933269586ad0226c83405776be08547e4d2a18",
+      "size": 476,
+      "annotations": {
+        "org.opencontainers.image.ref.name": "latest"
+      }
+    }
+  ]
+}
diff --git a/image/oci/layout/fixtures/single_image_layout/oci-layout b/image/oci/layout/fixtures/single_image_layout/oci-layout
@@ -0,0 +1 @@
+{"imageLayoutVersion": "1.0.0"}
diff --git a/image/oci/layout/oci_delete.go b/image/oci/layout/oci_delete.go
@@ -3,6 +3,7 @@ package layout
 import (
 	"context"
 	"encoding/json"
+	"errors"
 	"fmt"
 	"io/fs"
 	"os"
@@ -42,7 +43,15 @@ func (ref ociReference) DeleteImage(ctx context.Context, sys *types.SystemContex
 		return err
 	}
 
-	return ref.deleteReferenceFromIndex(descriptorIndex)
+	err = ref.deleteReferenceFromIndex(descriptorIndex)
+	if err != nil {
+		return err
+	}
+
+	if isSigstoreTag(ref.image) {
+		return nil
+	}
+	return ref.deleteSignatures(ctx, sys, descriptor.Digest)
 }
 
 // countBlobsForDescriptor updates dest with usage counts of blobs required for descriptor, INCLUDING descriptor itself.
@@ -187,3 +196,22 @@ func saveJSON(path string, content any) (retErr error) {
 
 	return json.NewEncoder(file).Encode(content)
 }
+
+// deleteSignatures delete sigstore signatures of the given manifest digest.
+func (ref ociReference) deleteSignatures(ctx context.Context, sys *types.SystemContext, d digest.Digest) error {
+	signTag, err := sigstoreAttachmentTag(d)
+	if err != nil {
+		return err
+	}
+
+	signRef, err := newReference(ref.dir, signTag, -1)
+	if err != nil {
+		return err
+	}
+
+	err = signRef.DeleteImage(ctx, sys)
+	if err != nil && errors.As(err, &ImageNotFoundError{}) {
+		return nil
+	}
+	return err
+}
diff --git a/image/oci/layout/oci_delete_test.go b/image/oci/layout/oci_delete_test.go
@@ -40,6 +40,33 @@ func TestReferenceDeleteImage_onlyOneImage(t *testing.T) {
 	require.Equal(t, 0, len(index.Manifests))
 }
 
+func TestReferenceDeleteImage_onlyOneImageWithSignatures(t *testing.T) {
+	tmpDir := loadFixture(t, "delete_image_with_signature")
+
+	ref, err := NewReference(tmpDir, "latest")
+	require.NoError(t, err)
+
+	ociRef, ok := ref.(ociReference)
+	require.True(t, ok)
+	index, err := ociRef.getIndex()
+	require.NoError(t, err)
+	require.Equal(t, 2, len(index.Manifests))
+
+	err = ref.DeleteImage(context.Background(), nil)
+	require.NoError(t, err)
+
+	// Check that all blobs were deleted
+	blobsDir := filepath.Join(tmpDir, "blobs")
+	files, err := os.ReadDir(filepath.Join(blobsDir, "sha256"))
+	require.NoError(t, err)
+	require.Empty(t, files)
+
+	// Check that the index is empty as there is only one image in the fixture
+	index, err = ociRef.getIndex()
+	require.NoError(t, err)
+	require.Equal(t, 0, len(index.Manifests))
+}
+
 func TestReferenceDeleteImage_onlyOneImage_emptyImageName(t *testing.T) {
 	tmpDir := loadFixture(t, "delete_image_only_one_image")
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		{"architecture":"","os":"","config":{},"rootfs":{"type":"","diff_ids":["sha256:6f06dd0e26608013eff30bb1e951cda7de3fdd9e78e907470e0dd5c0ed25e273"]}}