copy: detect zstd:chunked sentinel layer and skip full-digest mitigation during pull

When pulling an image, the storage destination's FilterLayers method
detects the zstd:chunked sentinel layer, marks it as empty, and
internally records that SkipMitigation() should be called to bypass
unnecessary full-digest verification.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>

Author: giuseppe

image/copy/single.go

@@ -458,6 +458,18 @@ func (ic *imageCopier) copyLayers(ctx context.Context) ([]compressiontypes.Algor
 	}
 	manifestLayerInfos := man.LayerInfos()
 
+	// Let the destination filter manifest layer infos before copying.
+	// Destinations that support it (e.g., c/storage) may detect storage-specific
+	// markers and return indices of layers that should be treated as empty.
+	type layerFilter interface {
+		FilterLayers([]manifest.LayerInfo) []int
+	}
+	if f, ok := ic.c.dest.(layerFilter); ok {
+		for _, idx := range f.FilterLayers(manifestLayerInfos) {
+			manifestLayerInfos[idx].EmptyLayer = true
+		}
+	}
+
 	// copyGroup is used to determine if all layers are copied
 	copyGroup := sync.WaitGroup{}
 
@@ -466,7 +478,11 @@ func (ic *imageCopier) copyLayers(ctx context.Context) ([]compressiontypes.Algor
 		defer ic.c.concurrentBlobCopiesSemaphore.Release(1)
 		defer copyGroup.Done()
 		cld := copyLayerData{}
-		if !ic.c.options.DownloadForeignLayers && ic.c.dest.AcceptsForeignLayerURLs() && len(srcLayer.URLs) != 0 {
+		if manifestLayerInfos[index].EmptyLayer {
+			// Empty layers (e.g., zstd:chunked sentinel) need no copying.
+			cld.destInfo = srcLayer
+			logrus.Debugf("Skipping empty layer %q", srcLayer.Digest)
+		} else if !ic.c.options.DownloadForeignLayers && ic.c.dest.AcceptsForeignLayerURLs() && len(srcLayer.URLs) != 0 {
 			// DiffIDs are, currently, needed only when converting from schema1.
 			// In which case src.LayerInfos will not have URLs because schema1
 			// does not support them.

image/storage/storage_dest.go

@@ -62,7 +62,8 @@ type storageImageDestination struct {
 	manifest              []byte                   // (Per-instance) manifest contents, or nil if not yet known.
 	manifestMIMEType      string                   // Valid if manifest != nil
 	manifestDigest        digest.Digest            // Valid if manifest != nil
-	untrustedDiffIDValues []digest.Digest          // From config’s RootFS.DiffIDs (not even validated to be valid digest.Digest!); or nil if not read yet
+	untrustedDiffIDValues       []digest.Digest // From config’s RootFS.DiffIDs (not even validated to be valid digest.Digest!); or nil if not read yet
+	zstdChunkedSentinelDetected bool            // Set by FilterLayers if a zstd:chunked sentinel layer is present
 	signatures            []byte                   // Signature contents, temporary
 	signatureses          map[digest.Digest][]byte // Instance signature contents, temporary
 	metadata              storageImageMetadata     // Metadata contents being built
@@ -221,6 +222,17 @@ func (s *storageImageDestination) NoteOriginalOCIConfig(ociConfig *imgspecv1.Ima
 	return nil
 }
 
+// FilterLayers inspects the manifest layer infos and returns indices of layers
+// that should be treated as empty. For c/storage, this detects the zstd:chunked
+// sentinel layer and records that the full-digest mitigation can be skipped.
+func (s *storageImageDestination) FilterLayers(layerInfos []manifest.LayerInfo) []int {
+	if len(layerInfos) > 0 && layerInfos[0].Digest == toc.ZstdChunkedSentinelDigest {
+		s.zstdChunkedSentinelDetected = true
+		return []int{0}
+	}
+	return nil
+}
+
 // PutBlobWithOptions writes contents of stream and returns data representing the result.
 // inputInfo.Digest can be optionally provided if known; if provided, and stream is read to the end without error, the digest MUST match the stream contents.
 // inputInfo.Size is the expected length of stream, if known.
@@ -424,6 +436,10 @@ func (s *storageImageDestination) PutBlobPartial(ctx context.Context, chunkAcces
 		return private.UploadedBlob{}, err
 	}
 	defer differ.Close()
+	if s.zstdChunkedSentinelDetected {
+		logrus.Debugf("Sentinel detected for layer %s: skipping full-digest mitigation", srcInfo.Digest)
+		chunked.SkipMitigation(differ)
+	}
 
 	out, err := s.imageRef.transport.store.PrepareStagedLayer(nil, differ)
 	if err != nil {
@@ -1451,6 +1467,11 @@ func (s *storageImageDestination) CommitWithOptions(ctx context.Context, options
 	}
 	layerBlobs := man.LayerInfos()
 
+	// Mark the zstd:chunked sentinel layer as empty.
+	if len(layerBlobs) > 0 && layerBlobs[0].Digest == toc.ZstdChunkedSentinelDigest {
+		layerBlobs[0].EmptyLayer = true
+	}
+
 	// Extract, commit, or find the layers.
 	for i, blob := range layerBlobs {
 		if stopQueue, err := s.commitLayer(i, addedLayerInfo{

image/storage/storage_src.go

@@ -352,7 +352,14 @@ func (s *storageImageSource) LayerInfosForCopy(ctx context.Context, instanceDige
 	}
 	slices.Reverse(physicalBlobInfos)
 
-	res, err := buildLayerInfosForCopy(man.LayerInfos(), physicalBlobInfos, gzipCompressedLayerType)
+	manifestLayerInfos := man.LayerInfos()
+	// Mark the zstd:chunked sentinel layer as empty — it was never stored
+	// physically, so buildLayerInfosForCopy must skip it.
+	if len(manifestLayerInfos) > 0 && manifestLayerInfos[0].Digest == toc.ZstdChunkedSentinelDigest {
+		manifestLayerInfos[0].EmptyLayer = true
+	}
+
+	res, err := buildLayerInfosForCopy(manifestLayerInfos, physicalBlobInfos, gzipCompressedLayerType)
 	if err != nil {
 		return nil, fmt.Errorf("creating LayerInfosForCopy of image %q: %w", s.image.ID, err)
 	}