Fix manifest list digest in tag docker [CLOUDDST-24102] (#275)

Manifest list to be signed should be the same as the one to be uploaded.
It also cleaned up some unused variables and docstrings.

src/pubtools/_quay/tag_docker.py

@@ -15,7 +15,6 @@
 )
 from .utils.misc import (
     get_internal_container_repo_name,
-    get_pyxis_ssl_paths,
     set_aws_kms_environment_variables,
 )
 from .quay_client import QuayClient
@@ -516,8 +515,6 @@ def copy_tag_sign_images(self, push_item: Any, tag: str, executor: Executor) ->
                 Push item to perform the workflow with.
             tag (str):
                 Tag, which acts as a destination to the copy operation.
-            signature_handler (BasicSignatureHandler):
-                Instance of signature handler which will perform the signing.
             executor (Executor):
                 Instance of Executor subclass used for skopeo inspect.
         """
@@ -582,7 +579,6 @@ def copy_tag_sign_images(self, push_item: Any, tag: str, executor: Executor) ->
                     )
                 )
 
-            cert, key = get_pyxis_ssl_paths(self.target_settings)
             item_processor = item_processor_for_internal_data(
                 self.quay_client,
                 self.target_settings["quay_host"].rstrip("/"),
@@ -643,8 +639,6 @@ def merge_manifest_lists_sign_images(
                 Tag, which acts as a destination to the merge operation.
             add_archs ([str]):
                 Architectures which should be copied to the existing manifest list.
-            signature_handler (BasicSignatureHandler):
-                Instance of signature handler which will perform the signing.
         """
         LOG.info(
             "Architectures {0} of tag '{1}' will be copied to destination tag '{2}'".format(
@@ -708,7 +702,6 @@ def merge_manifest_lists_sign_images(
                         (reference, manifest["digest"], push_item.claims_signing_key)
                     )
 
-            namespace = self.target_settings["quay_namespace"]
             item_processor = item_processor_for_internal_data(
                 self.quay_client,
                 self.target_settings["quay_host"].rstrip("/"),
@@ -752,7 +745,7 @@ def merge_manifest_lists_sign_images(
             ml_to_sign = raw_src_manifest
             self.quay_client.upload_manifest(raw_src_manifest, dest_image, raw=True)
         else:
-            ml_to_sign = json.dumps(new_manifest_list)
+            ml_to_sign = json.dumps(new_manifest_list, sort_keys=True, indent=4)
             self.quay_client.upload_manifest(new_manifest_list, dest_image)
 
         if push_item.claims_signing_key:
@@ -841,8 +834,6 @@ def untag_image(self, push_item: Any, tag: str) -> None:
         )
         dest_image = "{0}:{1}".format(full_repo, tag)
 
-        cert, key = get_pyxis_ssl_paths(self.target_settings)
-
         for signer in self.target_settings["signing"]:
             if signer["enabled"]:
                 signercls = SIGNER_BY_LABEL[signer["label"]]

tests/test_integration.py

@@ -946,8 +946,8 @@ def test_tag_docker_multiarch_merge_ml(
                         "sha256:1111111111",
                         "sha256:5555555555",
                         "sha256:5555555555",
-                        "sha256:71e75d5344d529631eaf40a8f9522edb7a66620d73eda6aff667572d511c6519",
-                        "sha256:71e75d5344d529631eaf40a8f9522edb7a66620d73eda6aff667572d511c6519",
+                        "sha256:5fd7b41b6f2af60c0dd393623acd01a7010eebbea85a525137cb5de35d19b8e8",
+                        "sha256:5fd7b41b6f2af60c0dd393623acd01a7010eebbea85a525137cb5de35d19b8e8",
                     ],
                     identity=[
                         "some-registry1.com/namespace/test_repo:v1.6",