From bb0843cd518d296a24472a747d69490596dee34e Mon Sep 17 00:00:00 2001
From: mrjoelkamp
Date: Tue, 24 Sep 2024 14:34:48 -0500
Subject: [PATCH] fix: only sign statements
---
 attestation/attestation.go | 3 ++-
 sign.go | 9 ++++++---
 2 files changed, 8 insertions(+), 4 deletions(-)
diff --git a/attestation/attestation.go b/attestation/attestation.go
index 29c696c5..952ebd29 100644
--- a/attestation/attestation.go
+++ b/attestation/attestation.go
@@ -96,8 +96,9 @@ func layersFromImage(image v1.Image) ([]*Layer, error) {
 // copy original annotations
 ann := maps.Clone(layerDesc.Annotations)
 // only decode intoto statements
- stmt := new(intoto.Statement)
+ var stmt *intoto.Statement
 if mt == types.MediaType(intoto.PayloadType) {
+ stmt = new(intoto.Statement)
 err = json.NewDecoder(r).Decode(&stmt)
 if err != nil {
 return nil, fmt.Errorf("failed to decode statement layer contents: %w", err)
diff --git a/sign.go b/sign.go
index b106ab20..832cca2d 100644
--- a/sign.go
+++ b/sign.go
@@ -19,9 +19,12 @@ func SignStatements(ctx context.Context, idx v1.ImageIndex, signer dsse.SignerVe
 // sign every attestation layer in each manifest
 for _, manifest := range attestationManifests {
 for _, layer := range manifest.OriginalLayers {
- err = manifest.Add(ctx, signer, layer.Statement, opts)
- if err != nil {
- return nil, fmt.Errorf("failed to sign attestation layer %w", err)
+ // skip layers without statements
+ if layer.Statement != nil {
+ err = manifest.Add(ctx, signer, layer.Statement, opts)
+ if err != nil {
+ return nil, fmt.Errorf("failed to sign attestation layer %w", err)
+ }
 }
 }
 }
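Review bot: `Decode(&stmt)` in the attestation.go hunk hands the decoder a pointer to the pointer, so a layer that carries the in-toto media type but whose body is the JSON literal `null` decodes without error and resets `stmt` to nil, undoing the `new` on the line above. Combined with the nil check this commit adds in sign.go, such a layer would then be skipped silently, exactly like a layer that was never a statement. Decoding into the value, `err = json.NewDecoder(r).Decode(stmt)`, and returning an error when the decoded statement comes back empty would keep a malformed attestation from passing as "nothing to sign". The rest of layersFromImage lies outside the hunk, so how `stmt` is used afterwards cannot be confirmed from here.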
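Review bot: A layer whose `Statement` is nil is now skipped in the sign.go loop with no trace, so SignStatements can return success for a manifest in which nothing was signed and the caller has no way to tell. Whether skipped layers are still carried into the output unsigned depends on code outside this hunk; if they are, a consumer that checks signatures needs to know which layers were left alone. A guard clause would keep the happy path flat and say why the layer is passed over, `if layer.Statement == nil { continue } // not an in-toto statement: left unsigned`, and the function's doc comment should state that non-statement layers are not signed. The wrapped error would also read better with a separator, `"failed to sign attestation layer: %w"`.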