`mutate` image wrappers assume Docker container image semantics, breaking non-Docker OCI artifacts

[EronWright]

The image struct in mutate/image.go is the backing implementation for all v1.Image mutators (Annotations, MediaType, AppendLayers, etc.). Its compute() method unconditionally calls base.ConfigFile() and derives the layer set from configFile.RootFS.DiffIDs. For non-Docker OCI artifacts — Helm charts, WASM modules, arbitrary blobs — the config is not a Docker image config, so RootFS.DiffIDs is empty.

This causes two problems:

1. Layers() returns an empty slice. remote.Write uses Layers() to determine which blobs to upload. On a cross-repository push, layer blobs are never uploaded, and the registry rejects the manifest with MANIFEST_BLOB_UNKNOWN.

2. The config blob digest is corrupted. compute() re-marshals the config file and writes the new digest into the manifest, so the manifest now references a config blob whose content differs from the original. The original config blob is never uploaded.

Any mutator that wraps a non-Docker OCI image in the image struct will silently produce an artifact that cannot be pushed cross-repository.

Version: v0.20.7

[Subserial]

Do you have a publicly available image that this can be reproduced with?

[EronWright]

Yes — registry-1.docker.io/bitnamicharts/nginx:13.2.14 is a publicly available Helm chart stored as an OCI artifact. Its manifest uses application/vnd.cncf.helm.config.v1+json as the config media type, so the config has no rootfs.diff_ids.

Repro 1 — crane CLI (built on this library):

crane mutate --annotation test=repro --repo <dest-repo> registry-1.docker.io/bitnamicharts/nginx:13.2.14

When <dest-repo> is a different repository from the source, crane mutate fails with:

MANIFEST_BLOB_UNKNOWN: blob unknown to registry; sha256:772f859d2ac675623e0b5b77e3192603d57dd674e8d43ccb72e5bfa7c0628383

The chart's single layer blob is never uploaded because mutate/image.go's compute() derives the layer list from configFile.RootFS.DiffIDs, which is empty for non-Docker configs.

Repro 2 — Go:

src, _ := name.ParseReference("registry-1.docker.io/bitnamicharts/nginx:13.2.14")
dst, _ := name.ParseReference("<dest-repo>/nginx:13.2.14")

img, _ := remote.Image(src)
annotated := mutate.Annotations(img, map[string]string{"test": "repro"}).(v1.Image)

if err := remote.Write(dst, annotated); err != nil {
    log.Fatal(err) // MANIFEST_BLOB_UNKNOWN
}