add authentication to remote descriptor retrieval in fetchAttestation #1895
…sForReference Signed-off-by: rafi <refaei.shikho@hotmail.com>
Pull request overview
Adds keychain-based authentication when retrieving the remote descriptor during attestation discovery, enabling access to private registries via existing Docker credentials.
Changes:
- Add `go-containerregistry` `authn` import.
- Pass `remote.WithAuthFromKeychain(authn.DefaultKeychain)` to the `remote.Get` call in `fetchAttestationsForReference`.
| func fetchAttestationsForReference(ctx context.Context, ref name.Reference) ([]oci.Signature, error) { | ||
| desc, err := remote.Get(ref, remote.WithContext(ctx)) | ||
| desc, err := remote.Get(ref, remote.WithContext(ctx), remote.WithAuthFromKeychain(authn.DefaultKeychain)) |
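Review bot: The keychain is hard-coded to authn.DefaultKeychain on the changed remote.Get line, and fetchAttestationsForReference takes only ctx and ref, so a caller has no way to supply a different credential source for this fetch. Consider building the remote options once at the top of the function (context plus keychain), or accepting them as a parameter, so the choice of keychain is made in one place and can be replaced in tests.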
Authentication is only added to the initial remote descriptor lookup. The subsequent attestation fetches via `ociremote.Signatures` are still configured with `remote.WithContext(ctx)` only, so private registries will likely still fail when pulling the attestation artifacts. Consider reusing a shared set of remote options (context + `WithAuthFromKeychain(authn.DefaultKeychain)`) and passing it both to `remote.Get` and to `ociremote.WithRemoteOptions(...)` in both branches.
No description provided.