copy: add option to strip sparse manifest lists

[aguidirh]

Add option to strip sparse manifest lists

This PR adds the ability to strip missing instances from manifest lists when copying only a subset of images from a multi-architecture manifest, addressing compatibility issues with registries that don't support sparse manifest lists. The implementation of this PR was based on containers/image#1707

Motivation

Closes #227

When using CopySpecificImages to copy only certain platforms from a multi-architecture image, the resulting manifest list in the destination still references all original instances, even though only a subset was actually copied. This creates a "sparse" manifest list where some referenced instances don't exist.

Problem:

1. Registry Compatibility: Some registries reject sparse manifest lists or fail to serve them correctly
2. Digest Mismatches: The manifest list still has the original digest even though the content differs
3. No User Control: Users had no way to control this behavior - they were forced to accept sparse lists

This PR provides users explicit control over this behavior.

Changes

1. New SparseManifestListAction type and option

• Added SparseManifestListAction enum with two values:
  • KeepSparseManifestList (default): Preserves existing behavior - keeps manifest list as-is even when some instances are missing
  • StripSparseManifestList: Removes non-copied instances from the destination manifest list
• Added SparseManifestListAction field to Options struct
• Works with CopySpecificImages mode

2. New RemoveListSignatures option for granular signature control

• Added RemoveListSignatures field to Options struct
• Removes only the manifest list signature while preserving per-instance signatures
• Provides more granular control than RemoveSignatures (which removes all signatures)
• When RemoveSignatures is true, it takes precedence

3. Instance operation refactoring

• Renamed instanceCopy → instanceOp and instanceCopyKind → instanceOpKind for clarity
• Added instanceOpDelete operation alongside instanceOpCopy and instanceOpClone
• Modified prepareInstanceOps() to return both the operation list and the count of copy/clone operations (excluding deletes)
• Delete operations are processed in reverse order (highest to lowest index) to avoid index shifting issues

4. Manifest list editing support

• Added ListOpDelete operation to ListEdit
• Added DeleteIndex field to ListEdit for specifying which instance to delete
• Implemented delete support in both OCI Index and Docker Schema2 List formats
• Added bounds checking to prevent invalid delete operations

5. Validation and error handling

• Prevents creating empty manifest lists (returns error if all instances would be deleted)
• Validates that stripping can only happen when signatures are handled (via RemoveSignatures or RemoveListSignatures)
• Clear error messages when stripping is requested but signatures prevent modification
• Improved error context for system image selection from manifest lists

User Experience

Before (sparse lists always created):

options := &copy.Options{
    ImageListSelection: copy.CopySpecificImages,
    Instances:         []digest.Digest{amd64Digest},
}
// Result: Sparse manifest list with missing instances
// Some registries may reject or fail to serve this

opy.Options{
    ImageListSelection:       copy.CopySpecificImages,
    Instances:                []digest.Digest{amd64Digest},
    SparseManifestListAction: copy.StripSparseManifestList,
    RemoveSignatures:         true,
}

Implementation Details

Code structure refactoring

• Unified single-instance and manifest-list system image code paths for better maintainability
• Moved error wrapping logic to common code path
• Added validation to prevent RemoveListSignatures with single-instance copies

Safe deletion processing

• Delete operations appended in reverse index order to prevent shifting issues
• Separate tracking of copy/clone operations vs delete operations
• Progress reporting reflects actual copy count, not total operation count

Testing

Comprehensive test coverage includes:

✅ Basic copy operations with and without stripping
✅ Delete operations in OCI Index and Docker Schema2 formats
✅ Bounds checking for invalid delete indices
✅ Signature handling validation (requires explicit removal when stripping)
✅ Empty manifest list prevention
✅ Integration tests with actual copy operations
✅ Copy count assertions in prepareInstanceOps tests
✅ All existing tests continue to pass
Compatibility
✅ Fully backward compatible - new optional fields with safe defaults
✅ Default behavior (KeepSparseManifestList) matches existing behavior
✅ Existing code continues to work unchanged
✅ No breaking changes to public API

Credits

This implementation is based on the original work by @bertbaron and @mtrmac in containers/image#1707, adapted for the container-libs monorepo structure.

[packit-as-a-service]

Packit jobs failed. @containers/packit-build please check.

[mtrmac]

Thanks! Just a brief first look: generally the structure and choice of affected sub packages look correct.

This is impressively small, I was expecting a that a larger change to internal/manifest would be necessary.

[aguidirh]

@mtrmac when using StripSparseManifestList it will fail with Manifest list was edited, but we cannot modify it: "Would invalidate signatures" should we make mandatory the usage of --remove-signatures when using StripSparseManifestList ?

[mtrmac]

Thanks!

Just a very quick look for now.

[mtrmac]

should we make mandatory the usage of --remove-signatures when using StripSparseManifestList ?

Hum… it’s a thought.

We currently ask the user to explicitly use --remove-signatures for all other edits (e.g. converting the manifest format or changing compression), so I think also requiring an explicit ACK that the signatures are going to be broken would be consistent here.

---

Actually, c/image only cares about the signatures of the per-platform instances, it never validates the signature on the list (but it does create it). So, ideally, we should allow stripping the list’s signature but keep the per-instance signatures, so that users can create sparse mirrors but still validate image integrity. I think that would be a new option in copy.Options — and maybe some mirroring tools (in some situations?) would enable it by default when the user explicitly asks for sparse copies.

E.g., purely hypothetically, it might make sense to hard-code this to on when mirroring the OpenShift product payload, because we know how signatures are validated there; and maybe not hard-code it for other images, because those might be validated using some other software like cosign.

[TomSweeneyRedHat]

LGTM
and happy green test buttons.

[aguidirh]

We currently ask the user to explicitly use --remove-signatures for all other edits (e.g. converting the manifest format or changing compression), so I think also requiring an explicit ACK that the signatures are going to be broken would be consistent here.

I added a validation which requires the user to use RemoveSignatures or the new option StripOnlyListSignatures when SparseManifestListAction == StripSparseManifestList

Actually, c/image only cares about the signatures of the per-platform instances, it never validates the signature on the list (but it does create it). So, ideally, we should allow striping the list’s signature but keep the per-instance signatures, so that users can create sparse mirrors but still validate image integrity. I think that would be a new option in copy.Options — and maybe some mirroring tools (in some situations?) would enable it by default when the user explicitly asks for sparse copies.

I added an option StripOnlyListSignatures where it removes the signature of the manifest list while it keeps the signature of the instances requested by the user.

E.g., purely hypothetically, it might make sense to hard-code this to on when mirroring the OpenShift product payload, because we know how signatures are validated there; and maybe not hard-code it for other images, because those might be validated using some other software like cosign.

I'm not sure if I understood this last comment, could you please explain it to me?

I just pushed a commit with the last changes that I mentioned above.

[mtrmac]

purely hypothetically, it might make sense to hard-code this to on when mirroring the OpenShift product payload, because we know how signatures are validated there; and maybe not hard-code it for other images, because those might be validated using some other software like cosign.

I'm not sure if I understood this last comment, could you please explain it to me?

Software that knows how the images is going to be used can hard-code option values so that users don’t have to care; generic software like skopeo should probably default to doing the safe thing, and not discard potentially-valuable data or break signatures without the user understanding the consequence.

[mtrmac]

Thanks!

[mtrmac]

I really didn’t mean to ask for the in-memory test harness here.

It was more of… “if there is no plausible unit test, it is acceptable to leave the code untested here instead of writing thousands of lines”.

---

I would actually like to ask for an added test — but not here. At least one integration test in the Skopeo repo, perhaps exercising the platform filtering and sparse creation together. (Integration tests in Skopeo are where we run the top-level skopeo copy commands, and where we have local registries, other infrastructure, and license to take more than a few hundred milliseconds.) That would, though, mean also wiring up the new features as Skopeo options, which might not be in scope — so, non-blocking as well.

[mtrmac]

Please add assertions for the copy count, throughout.

[aguidirh]

Fixed at commit c4ba928830.

[mtrmac]

Thanks! Looks good, please squash to avoid the PR-time fixups.

[TomSweeneyRedHat]

LGTM

[TomSweeneyRedHat]

/lgtm

[Luap99]

Why was this added? Pushing an empty manifest used to work and is done by several podman tests as such this breaks podman CI now.

containers/podman#28339
https://api.cirrus-ci.com/v1/artifact/task/5657829631066112/html/int-podman-debian-14-root-host.log.html#t--Podman-push-podman-push-to-local-registry-with-authorization--1
https://api.cirrus-ci.com/v1/artifact/task/5857432867438592/html/sys-podman-rawhide-rootless-host.log.html

I have not looked at the larger picture here if this limitation should just be removed. If this needs more work then I would propose to revert this PR to unblock others people vendor work.

[aguidirh]

This was added only to avoid pushing empty manifests.

Why empty manifests are a valid scenario? I can create another PR to remove those lines above if empty manifests are a valid scenario. What do you think @mtrmac ?

[mtrmac]

I think copying empty images should work, why not; but stripping a non-empty manifest to empty is almost certainly a mistake.

I’ll try to fix that today.

[mtrmac]

#713