
--output type=oci should set mediaType in the generated index.json #4595

Closed
tianon opened this issue Jan 29, 2024 · 2 comments · Fixed by #4814

Comments

@tianon
Member

tianon commented Jan 29, 2024

One of the OCI spec changes from CVE-2021-41190 was that mediaType inside an application/vnd.oci.image.index.v1+json is strongly recommended (ideally it'd be "MUST" but backwards compatibility in the spec required it be less strict; opencontainers/image-spec#933). It's a small thing, but it seems that the OCI tarball output from BuildKit does not set this value at all inside index.json, as seen in the reproducer below. 😄

Simple reproducer:
echo 'FROM hello-world' | docker buildx build --builder foo --pull --output type=oci - | tar --extract --to-stdout index.json | jq

Current output is something like:
$ echo 'FROM hello-world' | docker buildx build --builder foo --pull --output type=oci - | tar --extract --to-stdout index.json | jq
#0 building with "foo" instance using docker-container driver

#1 [internal] booting buildkit
#1 pulling image moby/buildkit:master
#1 pulling image moby/buildkit:master 6.9s done
#1 creating container buildx_buildkit_foo0
#1 creating container buildx_buildkit_foo0 0.9s done
#1 DONE 7.8s

#2 [internal] load build definition from Dockerfile
#2 transferring dockerfile:
#2 transferring dockerfile: 54B done
#2 DONE 0.0s

#3 [internal] load metadata for docker.io/library/hello-world:latest
#3 ...

#4 [auth] library/hello-world:pull token for registry-1.docker.io
#4 DONE 0.0s

#3 [internal] load metadata for docker.io/library/hello-world:latest
#3 DONE 1.3s

#5 [internal] load .dockerignore
#5 transferring context: 2B done
#5 DONE 0.0s

#6 [1/1] FROM docker.io/library/hello-world:latest@sha256:4bd78111b6914a99dbc560e6a20eab57ff6655aea4a80c50b0c5491968cbc2e6
#6 resolve docker.io/library/hello-world:latest@sha256:4bd78111b6914a99dbc560e6a20eab57ff6655aea4a80c50b0c5491968cbc2e6 0.0s done
#6 sha256:c1ec31eb59444d78df06a974d155e597c894ab4cda84f08294145e845394988e 2.46kB / 2.46kB 0.1s done
#6 DONE 0.2s

#7 exporting to oci image format
#7 exporting layers done
#7 exporting manifest sha256:8d24fe82ec0fcf4297c8289dab4a7c2ec2652c647a21d91d73cd40b3f063b9c1 0.0s done
#7 exporting config sha256:d2c94e258dcb3c5ac2798d32e1249e42ef01cba4841c2234249495f87264ac5a done
#7 sending tarball done
#7 DONE 0.2s
{
  "schemaVersion": 2,
  "manifests": [
    {
      "mediaType": "application/vnd.oci.image.manifest.v1+json",
      "digest": "sha256:8d24fe82ec0fcf4297c8289dab4a7c2ec2652c647a21d91d73cd40b3f063b9c1",
      "size": 477,
      "annotations": {
        "org.opencontainers.image.created": "2024-01-29T19:44:44Z"
      },
      "platform": {
        "architecture": "amd64",
        "os": "linux"
      }
    }
  ]
}

(on buildx version 0.12.0 and buildkit 2d608c3)
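As an added example, not code from the issue or from BuildKit itself: a small Go checker that reads index.json out of an OCI layout tarball such as the one `--output type=oci` produces and reports the missing top-level mediaType described above, plus any manifest descriptor that lacks one. It uses only the standard library; the `MediaTypeImageIndex` constant here mirrors the value of `ocispecs.MediaTypeImageIndex` rather than importing the image-spec module, and the tarball it scans is constructed in memory from the index.json shown in the reproducer (and a corrected copy), so it runs offline. Function names and the sample JSON strings are this example's own.

```go
package main

import (
	"archive/tar"
	"bytes"
	"encoding/json"
	"errors"
	"fmt"
	"io"
)

// MediaTypeImageIndex mirrors ocispecs.MediaTypeImageIndex from the OCI image spec.
const MediaTypeImageIndex = "application/vnd.oci.image.index.v1+json"

// indexDoc is the subset of an OCI image index needed for this check.
type indexDoc struct {
	SchemaVersion int    `json:"schemaVersion"`
	MediaType     string `json:"mediaType"`
	Manifests     []struct {
		MediaType string `json:"mediaType"`
		Digest    string `json:"digest"`
	} `json:"manifests"`
}

// CheckIndexJSON parses raw index.json bytes and reports deviations from the
// post-CVE-2021-41190 recommendation: a missing or wrong top-level mediaType,
// plus any manifest descriptor that carries no mediaType of its own.
func CheckIndexJSON(raw []byte) ([]string, error) {
	var idx indexDoc
	if err := json.Unmarshal(raw, &idx); err != nil {
		return nil, fmt.Errorf("parse index.json: %w", err)
	}
	var findings []string
	if idx.SchemaVersion != 2 {
		findings = append(findings, fmt.Sprintf("schemaVersion is %d, expected 2", idx.SchemaVersion))
	}
	switch idx.MediaType {
	case MediaTypeImageIndex:
		// correct, nothing to report
	case "":
		findings = append(findings, "top-level mediaType is missing; expected "+MediaTypeImageIndex)
	default:
		findings = append(findings, "top-level mediaType is "+idx.MediaType+"; expected "+MediaTypeImageIndex)
	}
	for i, m := range idx.Manifests {
		if m.MediaType == "" {
			findings = append(findings, fmt.Sprintf("manifests[%d] (%s) has no mediaType", i, m.Digest))
		}
	}
	return findings, nil
}

// CheckOCITarball streams an OCI layout tarball (e.g. the output of
// --output type=oci) until it finds index.json, then checks that entry.
func CheckOCITarball(r io.Reader) ([]string, error) {
	tr := tar.NewReader(r)
	for {
		hdr, err := tr.Next()
		if errors.Is(err, io.EOF) {
			return nil, errors.New("index.json not found in tarball")
		}
		if err != nil {
			return nil, err
		}
		if hdr.Name == "index.json" || hdr.Name == "./index.json" {
			raw, err := io.ReadAll(tr)
			if err != nil {
				return nil, err
			}
			return CheckIndexJSON(raw)
		}
	}
}

// BuildTarball packs one constructed index.json into an in-memory tarball so the
// checker can be exercised offline; failures here can only be programming errors.
func BuildTarball(indexJSON []byte) []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	hdr := &tar.Header{Name: "index.json", Mode: 0o644, Size: int64(len(indexJSON))}
	if err := tw.WriteHeader(hdr); err != nil {
		panic(err)
	}
	if _, err := tw.Write(indexJSON); err != nil {
		panic(err)
	}
	if err := tw.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

// BuildKitIndexSample is the index.json from the issue's reproducer output,
// constructed here as a string: note the absent top-level mediaType.
const BuildKitIndexSample = `{"schemaVersion":2,"manifests":[{"mediaType":"application/vnd.oci.image.manifest.v1+json",
"digest":"sha256:8d24fe82ec0fcf4297c8289dab4a7c2ec2652c647a21d91d73cd40b3f063b9c1","size":477,
"platform":{"architecture":"amd64","os":"linux"}}]}`

// FixedIndexSample is the same index with the recommended top-level mediaType present.
const FixedIndexSample = `{"schemaVersion":2,"mediaType":"application/vnd.oci.image.index.v1+json",` +
	`"manifests":[{"mediaType":"application/vnd.oci.image.manifest.v1+json",` +
	`"digest":"sha256:8d24fe82ec0fcf4297c8289dab4a7c2ec2652c647a21d91d73cd40b3f063b9c1","size":477}]}`
```

Running `CheckOCITarball` over `BuildTarball([]byte(BuildKitIndexSample))` yields exactly one finding, the missing top-level mediaType, while the corrected sample yields none; pointing it at a real tarball is just `CheckOCITarball(os.Stdin)` on the reproducer's pipeline in place of `tar --extract`.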

@tianon
Member Author

tianon commented Jan 29, 2024

I think something like this is probably the right fix, but I'm very very very unconfident about it (and haven't had a chance to test it yet): 😅 ❤️

diff --git a/client/ociindex/ociindex.go b/client/ociindex/ociindex.go
index 512a77a68..43d8a6b1c 100644
--- a/client/ociindex/ociindex.go
+++ b/client/ociindex/ociindex.go
@@ -155,6 +155,9 @@ func insertDesc(index *ocispecs.Index, desc ocispecs.Descriptor, tag string) err
 	if index.SchemaVersion == 0 {
 		index.SchemaVersion = 2
 	}
+	if index.MediaType == "" {
+		index.MediaType = ocispecs.MediaTypeImageIndex
+	}
 	if tag != "" {
 		if desc.Annotations == nil {
 			desc.Annotations = make(map[string]string)
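Review bot: the guarded assignment mirrors the SchemaVersion default two lines above it, so the change is consistent with the surrounding code, but confirm that insertDesc in client/ociindex/ociindex.go is actually the path that writes index.json into the --output type=oci tarball: the follow-up comment says the (partial) fix landed in containerd, which suggests the exported index is produced there rather than here, in which case this hunk would not change the reproducer's output. Either way, a test that reads the generated index.json back and asserts index.MediaType == ocispecs.MediaTypeImageIndex would catch a regression, since no existing check flagged the missing field.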

@tonistiigi
Member

A fix for (part of) this was made in containerd and will be included once it is in a containerd release.
