fix skopeo copy can't decrypt to docker-daemon image

internal/image/docker_schema1.go

@@ -105,9 +105,23 @@ func (m *manifestSchema1) UpdatedImageNeedsLayerDiffIDs(options types.ManifestUp
 
 // UpdatedImage returns a types.Image modified according to options.
 // This does not change the state of the original Image object.
-func (m *manifestSchema1) UpdatedImage(ctx context.Context, options types.ManifestUpdateOptions) (types.Image, error) {
+func (m *manifestSchema1) UpdatedImage(ctx context.Context, options types.ManifestUpdateOptions) (image types.Image, retErr error) {
 	copy := manifestSchema1{m: manifest.Schema1Clone(m.m)}
 
+	manifestTmp := m
+	defer func() {
+		if retErr != nil {
+			m = manifestTmp
+		}
+	}()
+
+	// No conversion required, update manifest
+	if options.LayerInfos != nil {
+		if err := copy.m.UpdateLayerInfos(options.LayerInfos); err != nil {
+			return nil, err
+		}
+	}
+
 	// We have 2 MIME types for schema 1, which are basically equivalent (even the un-"Signed" MIME type will be rejected if there isn’t a signature; so,
 	// handle conversions between them by doing nothing.
 	if options.ManifestMIMEType != manifest.DockerV2Schema1MediaType && options.ManifestMIMEType != manifest.DockerV2Schema1SignedMediaType {
@@ -124,12 +138,6 @@ func (m *manifestSchema1) UpdatedImage(ctx context.Context, options types.Manife
 		}
 	}
 
-	// No conversion required, update manifest
-	if options.LayerInfos != nil {
-		if err := copy.m.UpdateLayerInfos(options.LayerInfos); err != nil {
-			return nil, err
-		}
-	}
 	if options.EmbeddedDockerReference != nil {
 		copy.m.Name = reference.Path(options.EmbeddedDockerReference)
 		if tagged, isTagged := options.EmbeddedDockerReference.(reference.NamedTagged); isTagged {

internal/image/docker_schema2.go

@@ -161,13 +161,27 @@ func (m *manifestSchema2) UpdatedImageNeedsLayerDiffIDs(options types.ManifestUp
 // The returned error will be a manifest.ManifestLayerCompressionIncompatibilityError
 // if the CompressionOperation and CompressionAlgorithm specified in one or more
 // options.LayerInfos items is anything other than gzip.
-func (m *manifestSchema2) UpdatedImage(ctx context.Context, options types.ManifestUpdateOptions) (types.Image, error) {
+func (m *manifestSchema2) UpdatedImage(ctx context.Context, options types.ManifestUpdateOptions) (image types.Image, retErr error) {
 	copy := manifestSchema2{ // NOTE: This is not a deep copy, it still shares slices etc.
 		src:        m.src,
 		configBlob: m.configBlob,
 		m:          manifest.Schema2Clone(m.m),
 	}
 
+	manifestTmp := m
+	defer func() {
+		if retErr != nil {
+			m = manifestTmp
+		}
+	}()
+
+	// No conversion required, update manifest
+	if options.LayerInfos != nil {
+		if err := copy.m.UpdateLayerInfos(options.LayerInfos); err != nil {
+			return nil, err
+		}
+	}
+
 	converted, err := convertManifestIfRequiredWithUpdate(ctx, options, map[string]manifestConvertFn{
 		manifest.DockerV2Schema1MediaType:       copy.convertToManifestSchema1,
 		manifest.DockerV2Schema1SignedMediaType: copy.convertToManifestSchema1,
@@ -181,12 +195,6 @@ func (m *manifestSchema2) UpdatedImage(ctx context.Context, options types.Manife
 		return converted, nil
 	}
 
-	// No conversion required, update manifest
-	if options.LayerInfos != nil {
-		if err := copy.m.UpdateLayerInfos(options.LayerInfos); err != nil {
-			return nil, err
-		}
-	}
 	// Ignore options.EmbeddedDockerReference: it may be set when converting from schema1 to schema2, but we really don't care.
 
 	return memoryImageFromManifest(&copy), nil

internal/image/oci.go

@@ -143,13 +143,26 @@ func (m *manifestOCI1) UpdatedImageNeedsLayerDiffIDs(options types.ManifestUpdat
 // if the combination of CompressionOperation and CompressionAlgorithm specified
 // in one or more options.LayerInfos items indicates that a layer is compressed using
 // an algorithm that is not allowed in OCI.
-func (m *manifestOCI1) UpdatedImage(ctx context.Context, options types.ManifestUpdateOptions) (types.Image, error) {
+func (m *manifestOCI1) UpdatedImage(ctx context.Context, options types.ManifestUpdateOptions) (image types.Image, retErr error) {
 	copy := manifestOCI1{ // NOTE: This is not a deep copy, it still shares slices etc.
 		src:        m.src,
 		configBlob: m.configBlob,
 		m:          manifest.OCI1Clone(m.m),
 	}
 
+	manifestTmp := m
+	defer func() {
+		if retErr != nil {
+			m = manifestTmp
+		}
+	}()
+
+	// No conversion required, update manifest
+	if options.LayerInfos != nil {
+		if err := copy.m.UpdateLayerInfos(options.LayerInfos); err != nil {
+			return nil, err
+		}
+	}
 	converted, err := convertManifestIfRequiredWithUpdate(ctx, options, map[string]manifestConvertFn{
 		manifest.DockerV2Schema2MediaType:       copy.convertToManifestSchema2Generic,
 		manifest.DockerV2Schema1MediaType:       copy.convertToManifestSchema1,
@@ -162,13 +175,6 @@ func (m *manifestOCI1) UpdatedImage(ctx context.Context, options types.ManifestU
 	if converted != nil {
 		return converted, nil
 	}
-
-	// No conversion required, update manifest
-	if options.LayerInfos != nil {
-		if err := copy.m.UpdateLayerInfos(options.LayerInfos); err != nil {
-			return nil, err
-		}
-	}
 	// Ignore options.EmbeddedDockerReference: it may be set when converting from schema1, but we really don't care.
 
 	return memoryImageFromManifest(&copy), nil