From e1d3a099764ce9cbb596c3dcacf3c098a5f5dce3 Mon Sep 17 00:00:00 2001
From: Avi Deitcher <avi@deitcher.net>
Date: Thu, 30 Nov 2023 14:31:17 +0200
Subject: [PATCH] when filling cache, ensure we include attestations

Signed-off-by: Avi Deitcher <avi@deitcher.net>
---
 src/cmd/linuxkit/cache/pull.go | 26 +++++++++++++++++++++++---
 1 file changed, 23 insertions(+), 3 deletions(-)

diff --git a/src/cmd/linuxkit/cache/pull.go b/src/cmd/linuxkit/cache/pull.go
index 72ea27e4d..796444959 100644
--- a/src/cmd/linuxkit/cache/pull.go
+++ b/src/cmd/linuxkit/cache/pull.go
@@ -5,12 +5,16 @@ import (
 	"fmt"
 
 	"github.com/containerd/containerd/reference"
-	"github.com/google/go-containerregistry/pkg/v1"
+	v1 "github.com/google/go-containerregistry/pkg/v1"
 	"github.com/google/go-containerregistry/pkg/v1/partial"
 	"github.com/google/go-containerregistry/pkg/v1/validate"
 	lktspec "github.com/linuxkit/linuxkit/src/cmd/linuxkit/spec"
 )
 
+const (
+	unknown = "unknown"
+)
+
 // ValidateImage given a reference, validate that it is complete. If not, pull down missing
 // components as necessary. It also calculates the hash of each component.
 func (p *Provider) ValidateImage(ref *reference.Spec, architecture string) (lktspec.ImageSource, error) {
@@ -49,13 +53,17 @@ func (p *Provider) ValidateImage(ref *reference.Spec, architecture string) (lkts
 		// or because it was not available - so get it from the remote
 		return ImageSource{}, errors.New("no such image")
 	case imageIndex != nil:
-		// check that the index has a manifest for our arch
+		// check that the index has a manifest for our arch, as well as any non-arch-specific ones
 		im, err := imageIndex.IndexManifest()
 		if err != nil {
 			return ImageSource{}, fmt.Errorf("could not get index manifest: %v", err)
 		}
+		var found bool
 		for _, m := range im.Manifests {
-			if m.Platform != nil && m.Platform.Architecture == architecture && m.Platform.OS == linux {
+			if m.Platform == nil {
+				continue
+			}
+			if m.Platform.Architecture == architecture && m.Platform.OS == linux {
 				img, err := imageIndex.Image(m.Digest)
 				if err != nil {
 					return ImageSource{}, fmt.Errorf("unable to get image: %v", err)
@@ -63,6 +71,18 @@ func (p *Provider) ValidateImage(ref *reference.Spec, architecture string) (lkts
 				if err := validate.Image(img); err != nil {
 					return ImageSource{}, fmt.Errorf("invalid image: %s", err)
 				}
+				found = true
+			}
+			if m.Platform.Architecture == unknown && m.Platform.OS == unknown {
+				img, err := imageIndex.Image(m.Digest)
+				if err != nil {
+					return ImageSource{}, fmt.Errorf("unable to get image: %v", err)
+				}
+				if err := validate.Image(img); err != nil {
+					return ImageSource{}, fmt.Errorf("invalid image: %s", err)
+				}
+			}
+			if found {
 				return p.NewSource(
 					ref,
 					architecture,