401 Unauthorized HTTP Response When Pulling Container Image Manifest Owned By Public Gitea Organization #14467

Closed
opened 2025-11-02 11:13:41 -06:00 by GiteaMirror · 1 comment

Originally created by @zombiemaker on GitHub (May 8, 2025).

Description

  • Gitea version: gitea:1.23.7-rootless container image
  • Gitea organization: myorg
  • Gitea organization visibility: public
  • Trying to pull OCI distribution spec container image manifest (https://specs.opencontainers.org/distribution-spec/?v=v1.0.0#pulling-manifests) of image owned by myorg: https://mygitea.mydomain.com/v2/myorg/mycontainer/manifests/mytag
  • Receive 401 HTTP response when requesting without credentials
  • Using PowerShell invoke-webrequest without credentials

invoke-webrequest -uri https://mygitea.mydomain.com/v2/myorg/mycontaine/manifests/mytag -method head
Invoke-WebRequest: Response status code does not indicate success: 401 (Unauthorized).

  • Using PowerShell invoke-webrequest with credentials

invoke-webrequest -uri https://mygitea.mydomain.com/v2/myorg/mycontaine/manifests/mytag -method head -Authentication Basic -Credential $credential

StatusCode : 200
StatusDescription : OK
Content : {}
RawContent : HTTP/1.1 200 OK
Docker-Content-Digest: sha256:01b0ca90f68d7dc269584904b2597718987a98bcf0159624858dee4a9aa98cad
Docker-Distribution-Api-Version: registry/2.0
ETag: "sha256:01b0ca90f68d7dc269584904b2…
Headers : {[Docker-Content-Digest, System.String[]], [Docker-Distribution-Api-Version, System.String[]], [ETag, System.String[]], [Date, System.String[]]…}
RawContentLength : 0
RelationLink : {}

  • Expected behavior: be able to get the manifest without credentials
  • Tested on demo.gitea.com and got the same results

invoke-webrequest -uri https://demo.gitea.com/v2/testcontainerregistry/haproxy/manifests/3.1.3-bookworm -method head
Invoke-WebRequest: Response status code does not indicate success: 401 (Unauthorized).

invoke-webrequest -uri https://demo.gitea.com/v2/testcontainerregistry/haproxy/manifests/3.1.3-bookworm -method head -Authentication Basic -Credential $credential2

StatusCode : 200
StatusDescription : OK
Content : {}
RawContent : HTTP/1.1 200 OK
Alt-Svc: h3=":443"; ma=2592000
Date: Thu, 08 May 2025 14:57:50 GMT
Docker-Content-Digest: sha256:52353496966c190b1a7e0ed10f1bceb30b3dfa920db028c9cd9cca788a5bfc8d
Docker-Distributio…
Headers : {[Alt-Svc, System.String[]], [Date, System.String[]], [Docker-Content-Digest, System.String[]], [Docker-Distribution-Api-Version, System.String[]]…}
RawContentLength : 0
RelationLink : {}

Gitea Version

1.23.7

Can you reproduce the bug on the Gitea demo site?

Yes

Log Gist

No response

Screenshots

No response

Git Version

2.47.2

Operating System

container image gitea:1.23.7-rootless

How are you running Gitea?

  • using container image gitea:1.23.7-rootless
  • running on Docker Engine

Database

SQLite
GiteaMirror added the type/question, topic/packages labels 2025-11-02 11:13:41 -06:00

@techknowlogick commented on GitHub (May 8, 2025):

The OCI API that's implemented in Gitea (based on the OCI token auth spec, due to various requirements) always expects a "token". Not a token as in a Gitea app token, but one provided by the OCI token auth service (something that transforms a gitea token into an OCI token that matches their spec, or accepts no token and then returns an anon token) with scopes allowed, even for "anon" requests. More details on the implemented spec: https://distribution.github.io/distribution/spec/auth/token/

This means that to achieve what you are looking to do to fetch the manifest via powershell webrequests, you'll need to first request an empty token, and then pass that token to the manifest route.

OCI clients have this flow built in, as you can see by the following screenshot of a docker pull on a computer that has not done a docker login:
Image

Something you could do is to use a lightweight client such as skopeo that will do that back and forth to get you the manifest json: an example can be found here: https://github.com/containers/skopeo/blob/main/docs/skopeo-inspect.1.md#examples

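The token round trip described in the comment above, as an added PowerShell example that is not part of the original thread or of Gitea's code. It assumes PowerShell 7+ (for -SkipHttpErrorCheck) and a 401 response carrying a Bearer challenge as laid out in the linked token auth spec; the function name Get-RegistryManifestHead and its parameters are hypothetical.

```powershell
# Added example: anonymous pull of a manifest HEAD via the registry token flow.
# Function and parameter names are hypothetical, not a Gitea or Docker API.
function Get-RegistryManifestHead {
    param(
        [Parameter(Mandatory)] [string] $Registry,    # e.g. demo.gitea.com
        [Parameter(Mandatory)] [string] $Repository,  # e.g. testcontainerregistry/haproxy
        [Parameter(Mandatory)] [string] $Reference    # tag or digest
    )
    $uri = "https://$Registry/v2/$Repository/manifests/$Reference"

    # 1. Unauthenticated probe. -SkipHttpErrorCheck returns the 401 response
    #    instead of throwing, so the challenge header can be read.
    $probe = Invoke-WebRequest -Uri $uri -Method Head -SkipHttpErrorCheck
    if ($probe.StatusCode -ne 401) { return $probe }

    # 2. Parse the challenge: Bearer realm="...",service="...",scope="..."
    $challenge = [string]($probe.Headers['WWW-Authenticate'] | Select-Object -First 1)
    if ($challenge -notmatch '^\s*Bearer\s') {
        throw "401 response carries no Bearer challenge: '$challenge'"
    }
    $params = @{}
    foreach ($m in [regex]::Matches($challenge, '(\w+)="([^"]*)"')) {
        $params[$m.Groups[1].Value] = $m.Groups[2].Value
    }
    if (-not $params.ContainsKey('realm')) { throw 'Challenge has no realm.' }

    # The realm is server-supplied: refuse to follow it over plain HTTP.
    if (([uri]$params['realm']).Scheme -ne 'https') {
        throw "Refusing non-HTTPS token realm: $($params['realm'])"
    }

    # 3. Anonymous token request: no credentials, service/scope echoed from the challenge.
    $query = @()
    foreach ($k in 'service', 'scope') {
        if ($params.ContainsKey($k)) { $query += "$k=" + [uri]::EscapeDataString($params[$k]) }
    }
    $tokenUri = $params['realm']
    if ($query) { $tokenUri += '?' + ($query -join '&') }
    $reply = Invoke-RestMethod -Uri $tokenUri -Method Get
    $token = if ($reply.token) { $reply.token } else { $reply.access_token }
    if (-not $token) { throw 'Token endpoint returned no token.' }

    # 4. Repeat the original request with the bearer token.
    Invoke-WebRequest -Uri $uri -Method Head -Headers @{ Authorization = "Bearer $token" }
}

# Usage with the values from the report:
# Get-RegistryManifestHead -Registry demo.gitea.com -Repository testcontainerregistry/haproxy -Reference 3.1.3-bookworm
```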

Reference: github-starred/gitea#14467