Digest id is changing when mirroring images


Issue

When copying images with skopeo:

### Listing images at destination registry
$  curl -s -u xxxx:yyyy https://default-route-openshift-image-registry.apps.mylab/v2/_catalog | jq "." | grep sso71
    "openshift/redhat-sso71-openshift",

### Checking image digest at origin
$ skopeo inspect --creds "aaaa:bbbb" docker://registry.access.redhat.com/redhat-sso-7/sso71-openshift:1.3 | jq -r '.Digest'
sha256:e7ceea30da82c540fce1ecfccc3160826eb1ee84e4114e4dba2049860d3fc15d

### Copying image
$ skopeo copy --src-creds="aaaa:bbbb" --dest-creds="xxxx:yyyy" --remove-signatures docker://registry.access.redhat.com/redhat-sso-7/sso71-openshift:1.3 docker://default-route-openshift-image-registry.apps.mylab/test/sso71-openshift:1.3

### Verify the image is listed
$ curl -s -u xxxx:yyyy https://default-route-openshift-image-registry.apps.mylab/v2/_catalog | jq "." | grep sso71
    "openshift/redhat-sso71-openshift",
    "test/sso71-openshift"             <----- the new image

### Checking image digest at destination
$ skopeo inspect --creds "xxxx:yyyy" docker://default-route-openshift-image-registry.apps.mylab/test/sso71-openshift:1.3 | jq -r '.Digest'
sha256:2b07e91589991521e45b1c131cb59358d06d7c6a356cbe5f7b9ee50d2417f197

There is a clear mismatch between the origin and destination digests.
When trying a different copy method that forces the sha256 digest in the image reference:

# skopeo copy --all --src-creds="aaaa:bbbb" --dest-creds="xxxx:yyyy" docker://registry.access.redhat.com/redhat-sso-7/sso71-openshift@sha256:e7ceea30da82c540fce1ecfccc3160826eb1ee84e4114e4dba2049860d3fc15d docker://default-route-openshift-image-registry.apps.mylab/test/sso71-openshift@sha256:e7ceea30da82c540fce1ecfccc3160826eb1ee84e4114e4dba2049860d3fc15d
Getting image source signatures
FATA[0001] Copying a schema1 image with an embedded Docker reference to docker://default-route-openshift-image-registry.apps.mylab/test/sso71-openshift@sha256:e7ceea30da82c540fce1ecfccc3160826eb1ee84e4114e4dba2049860d3fc15d (Docker reference default-route-openshift-image-registry.apps.mylab/test/sso71-openshift@sha256:e7ceea30da82c540fce1ecfccc3160826eb1ee84e4114e4dba2049860d3fc15d) would change the manifest, which is not possible (image is signed or the destination specifies a digest) 

In this case, the error message shows that the image uses a Schema 1 manifest.
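
The following is an added example, not part of the original article or of skopeo: it models why a schema 1 manifest, which embeds the repository name and tag, gets a new digest when mirrored to another repository, while a schema 2 manifest does not. The manifests, the placeholder blob digest and the `mirror`/`check_mirror` helpers are constructed assumptions for illustration.

```python
import hashlib
import json

def manifest_digest(raw: bytes) -> str:
    # A registry addresses a manifest by the SHA-256 of its bytes
    # (for signed schema 1, of the payload without the signatures block).
    return "sha256:" + hashlib.sha256(raw).hexdigest()

def mirror(raw: bytes, dest_repo: str, dest_tag: str) -> bytes:
    """Hypothetical model of the manifest bytes a copy has to push."""
    doc = json.loads(raw)
    if doc.get("schemaVersion") != 1:
        return raw  # schema 2 carries no repository name: bytes stay as-is
    if (doc.get("name"), doc.get("tag")) == (dest_repo, dest_tag):
        return raw  # embedded reference already matches the destination
    doc["name"], doc["tag"] = dest_repo, dest_tag
    return json.dumps(doc, indent=3).encode()

def check_mirror(raw, dest_repo, dest_tag, pinned=None):
    """Return (source digest, destination digest); refuse if a pinned
    destination digest cannot be honoured, as in the FATA message."""
    src, dst = manifest_digest(raw), manifest_digest(mirror(raw, dest_repo, dest_tag))
    if pinned is not None and dst != pinned:
        raise ValueError(f"copy would change the manifest: {src} -> {dst}")
    return src, dst

BLOB = "sha256:" + "0" * 64  # constructed placeholder, not a real layer
SCHEMA1 = json.dumps({"schemaVersion": 1, "name": "redhat-sso-7/sso71-openshift",
                      "tag": "1.3", "architecture": "amd64",
                      "fsLayers": [{"blobSum": BLOB}]}, indent=3).encode()
SCHEMA2 = json.dumps({"schemaVersion": 2,
    "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
    "config": {"digest": BLOB}, "layers": [{"digest": BLOB}]}, indent=3).encode()

if __name__ == "__main__":
    for label, raw in (("schema 1", SCHEMA1), ("schema 2", SCHEMA2)):
        src, dst = check_mirror(raw, "test/sso71-openshift", "1.3")
        print(label, "digest preserved" if src == dst else "digest changed")
```

Any tooling that pins or verifies images by digest after mirroring therefore has to record the destination digest for schema 1 images rather than assume the source digest carries over.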

Environment

Red Hat OpenShift Container Platform
- 3.11
- 4.x
