Fix duplicate .att/.sig OCI layers for same digest type hints by ab-ghosh · Pull Request #1601 · tektoncd/chains

ab-ghosh · 2026-03-28T18:25:55Z

Changes

When a Task declares the same OCI image through multiple type-hint formats, produces duplicate layers in the .att and/or .sig manifests.

This fixes the issue at two levels:

Extraction-level dedup — Added a seen map in ExtractOCIImagesFromResults to skip already-extracted digests across all type-hint parsing loops.
Storage-level dedup — Before appending a new layer in AttestationStorer.Store and SimpleStorer.Store, check if a layer with the same content digest already exists. This handles the case where independent signable types (TaskRunArtifact and OCIArtifact) both store to the same .att/.sig tag.

Fixes #1596

Submitter Checklist

As the author of this PR, please check off the items in this checklist:

Has Docs included if any changes are user facing
Has Tests included if any functionality added or changed
Follows the commit message standard
Meets the Tekton contributor standards (including
functionality, content, code)
Release notes block below has been updated with any user facing changes (API changes, bug fixes, changes requiring upgrade notices or deprecation warnings)
Release notes contains the string "action required" if the change requires additional action from users switching to the new release

Release Notes

Fix: prevent duplicate .sig layers when a Task image is reported via multiple result type-hints

anithapriyanatarajan · 2026-04-01T05:49:00Z

/approve

anithapriyanatarajan · 2026-04-01T05:49:24Z

/kind bug

ab-ghosh · 2026-04-01T13:22:05Z

/cc @jkhelil

infernus01

Just a small NIT.

infernus01 · 2026-04-02T06:59:31Z

 			continue
 		}
+		if seen[dgst.DigestStr()] {
+			continue


NIT - Adding a log line for eg. logger.Debugf("Skipping duplicate digest %s", dgst.DigestStr()) would help people understand why an image wasn't processed.

Thanks for the suggestion, addressed.

infernus01 · 2026-04-02T06:59:46Z

 				continue
 			}
+			if seen[dgst.DigestStr()] {
+				continue


Same NIT here.

infernus01 · 2026-04-02T09:21:10Z

/lgtm

tekton-robot · 2026-04-02T09:21:13Z

@infernus01: changing LGTM is restricted to collaborators

Details

In response to this:

/lgtm

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

anithapriyanatarajan · 2026-04-10T07:24:30Z

 			logger.Errorf("error getting digest: %v", err)
 			continue
 		}
+		if seen[dgst.DigestStr()] {


@ab-ghosh dgst.DigestStr() returns only sha256:xxx, stripping the repository name entirely. This means two legitimately different images that happen to produce the same content digest (e.g., a mirrored image gcr.io/my/img@sha256:abc and quay.io/my/img@sha256:abc) will be silently deduplicated, dropping one of them from the signing set. so could you consider dgst.Name() that uses the full repo@SHA256:XYZ. Also please include test case addressing this.

Yeah, that's right, thanks for the suggestion. I have updated it to use dgst.Name() and also added a test case to cover this scenario.

anithapriyanatarajan · 2026-04-22T08:59:30Z

@ab-ghosh - with #1578 merged now, could we check the feasibility to dedup any image url /digest that could be duplicated with a TR that has results:

results:

name: IMAGE_DIGEST
name: IMAGE_URL
name: build-image-ARTIFACT_OUTPUTS
type: object
properties:
uri: {}
digest: {}
isBuildArtifact: {}

Please consider this task definition as a sample - https://gist.github.com/anithapriyanatarajan/1650aeb3ebdbcea05d4a9baef649507c#file-gistfile1-txt-L123-L190

ab-ghosh · 2026-04-22T12:51:55Z

Added dedup for the ARTIFACT_OUTPUTS. Also added unit test which covers the exact scenario from your sample task (same image in both IMAGE_URL/IMAGE_DIGEST and build-image-ARTIFACT_OUTPUTS)

When a Task declares the same OCI image through multiple type-hint formats (IMAGE_URL/IMAGE_DIGEST, IMAGES, and *ARTIFACT_OUTPUTS), Chains produces duplicate layers in cosign .att/.sig manifests. This adds dedup at two levels: 1. Extraction: track seen digests in ExtractOCIImagesFromResults to avoid returning the same digest from different type-hint formats 2. Storage: check existing layers in AttestationStorer and SimpleStorer before appending, preventing duplicates from independent signable types (TaskRunArtifact + OCIArtifact) storing to the same tag Also adds debug logging when existing layer checks fail instead of silently swallowing errors. Fixes tektoncd#1596

anithapriyanatarajan · 2026-05-11T06:15:52Z

/lgtm

ab-ghosh · 2026-05-19T06:14:15Z

/cc @jkhelil

anithapriyanatarajan · 2026-05-26T06:52:00Z

/approve

Approving this PR based after feature testing on a kind cluster following steps here - https://gist.github.com/anithapriyanatarajan/81fc8c92ceccf760ce74f40c7b30a2f9

tekton-robot · 2026-05-26T06:52:09Z

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: anithapriyanatarajan, infernus01

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

~~OWNERS~~ [anithapriyanatarajan]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

tekton-robot requested review from PuneetPunamiya and jkhelil March 28, 2026 18:26

tekton-robot added the size/L Denotes a PR that changes 100-499 lines, ignoring generated files. label Mar 28, 2026

ab-ghosh force-pushed the fix-duplicate-oci-layers-1596 branch from 84b9ba9 to 0151950 Compare March 28, 2026 18:58

tekton-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Apr 1, 2026

anithapriyanatarajan removed the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Apr 1, 2026

tekton-robot added the kind/bug Categorizes issue or PR as related to a bug. label Apr 1, 2026

infernus01 approved these changes Apr 2, 2026

View reviewed changes

tekton-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Apr 2, 2026

ab-ghosh mentioned this pull request Apr 2, 2026

Handle signing OCI artifacts in *ARTIFACT_OUTPUTS #1578

Merged

6 tasks

ab-ghosh force-pushed the fix-duplicate-oci-layers-1596 branch from 0151950 to 7d970c4 Compare April 2, 2026 08:27

anithapriyanatarajan reviewed Apr 10, 2026

View reviewed changes

anithapriyanatarajan requested changes Apr 10, 2026

View reviewed changes

tekton-robot removed the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Apr 10, 2026

ab-ghosh force-pushed the fix-duplicate-oci-layers-1596 branch from 7d970c4 to 6a97a81 Compare April 13, 2026 07:06

ab-ghosh requested a review from anithapriyanatarajan April 13, 2026 07:11

ab-ghosh force-pushed the fix-duplicate-oci-layers-1596 branch 2 times, most recently from d0d5463 to edf93b1 Compare April 22, 2026 12:48

ab-ghosh force-pushed the fix-duplicate-oci-layers-1596 branch from edf93b1 to b0a0331 Compare April 22, 2026 12:52

tekton-robot assigned anithapriyanatarajan May 11, 2026

tekton-robot added the lgtm Indicates that a PR is ready to be merged. label May 11, 2026

tekton-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label May 26, 2026

tekton-robot merged commit 3fbaa94 into tektoncd:main May 26, 2026
20 checks passed

Uh oh!

Conversation

ab-ghosh commented Mar 28, 2026 • edited by anithapriyanatarajan Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Changes

Submitter Checklist

Release Notes

Uh oh!

anithapriyanatarajan commented Apr 1, 2026

Uh oh!

anithapriyanatarajan commented Apr 1, 2026

Uh oh!

ab-ghosh commented Apr 1, 2026

Uh oh!

infernus01 left a comment

Choose a reason for hiding this comment

Uh oh!

infernus01 Apr 2, 2026

Choose a reason for hiding this comment

Uh oh!

ab-ghosh Apr 2, 2026

Choose a reason for hiding this comment

Uh oh!

infernus01 Apr 2, 2026

Choose a reason for hiding this comment

Uh oh!

infernus01 commented Apr 2, 2026

Uh oh!

tekton-robot commented Apr 2, 2026

Uh oh!

anithapriyanatarajan Apr 10, 2026

Choose a reason for hiding this comment

Uh oh!

ab-ghosh Apr 13, 2026

Choose a reason for hiding this comment

Uh oh!

anithapriyanatarajan commented Apr 22, 2026

Uh oh!

ab-ghosh commented Apr 22, 2026

Uh oh!

anithapriyanatarajan commented May 11, 2026

Uh oh!

ab-ghosh commented May 19, 2026

Uh oh!

anithapriyanatarajan commented May 26, 2026

Uh oh!

tekton-robot commented May 26, 2026

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

ab-ghosh commented Mar 28, 2026 •

edited by anithapriyanatarajan

Loading