From 5ce8b803cc029290521d6a64ba0f98f627718b9d Mon Sep 17 00:00:00 2001
From: Priya Wadhwa
Date: Fri, 3 Dec 2021 14:25:07 -0800
Subject: [PATCH] Fix bug in uploading signatures to OCI

We should be using `SignedEntity` instead of `SignedImage` to account for manifest lists that may be signed by cosign.
---
 pkg/chains/storage/oci/oci.go | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/pkg/chains/storage/oci/oci.go b/pkg/chains/storage/oci/oci.go
index 4921496c56..8607eac10d 100644
--- a/pkg/chains/storage/oci/oci.go
+++ b/pkg/chains/storage/oci/oci.go
@@ -107,7 +107,7 @@ func (b *Backend) uploadSignature(format simple.SimpleContainerImage, rawPayload
 if err != nil {
 return errors.Wrap(err, "getting digest")
 }
- image, err := ociremote.SignedImage(ref)
+ se, err := ociremote.SignedEntity(ref)
 if err != nil {
 return errors.Wrap(err, "getting signed image")
 }
@@ -123,7 +123,7 @@ func (b *Backend) uploadSignature(format simple.SimpleContainerImage, rawPayload
 return err
 }
 // Attach the signature to the entity.
- newSE, err := mutate.AttachSignatureToImage(image, sig)
+ newSE, err := mutate.AttachSignatureToEntity(se, sig)
 if err != nil {
 return err
 }
@@ -163,7 +163,7 @@ func (b *Backend) uploadAttestation(attestation in_toto.Statement, rawPayload []
 return errors.Wrapf(err, "%s is not a valid repository", b.cfg.Storage.OCI.Repository)
 }
 }
- image, err := ociremote.SignedImage(ref)
+ se, err := ociremote.SignedEntity(ref)
 if err != nil {
 return errors.Wrap(err, "getting signed image")
 }
@@ -176,7 +176,7 @@ func (b *Backend) uploadAttestation(attestation in_toto.Statement, rawPayload []
 if err != nil {
 return err
 }
- newImage, err := mutate.AttachAttestationToImage(image, att)
+ newImage, err := mutate.AttachAttestationToEntity(se, att)
 if err != nil {
 return err
 }
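Review bot: The wrap message after the new `ociremote.SignedEntity(ref)` call in uploadSignature still reads "getting signed image", which is misleading once ref can resolve to a manifest list; the same stale message follows the identical call in the uploadAttestation hunk (@@ -163). I would change both to `return errors.Wrap(err, "getting signed entity")` so a failed upload for an index is not triaged as an image lookup problem. uploadSignature's body starts and ends outside this hunk.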
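Review bot: The comment `// Attach the signature to the entity.` above `mutate.AttachSignatureToEntity(se, sig)` does not say what is covered when the entity is a manifest list. As far as I can tell the signature is then stored against the index digest only, so a verifier checking a platform-specific image by its own digest would find no signature; ref is built outside the hunk, so confirm what it resolves to. I would extend the comment to `// Attach the signature to the entity; for a manifest list this covers the index digest only, not the per-platform images.` The diffstat shows only oci.go changed, so a regression test that uploads a signature for an index reference would also be worth adding.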
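Review bot: In uploadAttestation the result of `mutate.AttachAttestationToEntity(se, att)` is still named `newImage`, although it now holds a signed entity that may be an index, and the parallel call in uploadSignature already uses `newSE`. I would rename it, `newSE, err := mutate.AttachAttestationToEntity(se, att)`, together with its later uses, which fall outside this hunk.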