added vendor/

2026-02-20 13:21:17 +02:00
parent dcb22b58d9
commit 7dc6f9cb08
1140 changed files with 722477 additions and 26 deletions
@@ -0,0 +1,48 @@
+// Copyright 2020 Google LLC All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//    http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// Package and provides helpers for adding Close to io.{Reader|Writer}.
+package and
+
+import (
+	"io"
+)
+
+// ReadCloser implements io.ReadCloser by reading from a particular io.Reader
+// and then calling the provided "Close()" method.
+type ReadCloser struct {
+	io.Reader
+	CloseFunc func() error
+}
+
+var _ io.ReadCloser = (*ReadCloser)(nil)
+
+// Close implements io.ReadCloser
+func (rac *ReadCloser) Close() error {
+	return rac.CloseFunc()
+}
+
+// WriteCloser implements io.WriteCloser by reading from a particular io.Writer
+// and then calling the provided "Close()" method.
+type WriteCloser struct {
+	io.Writer
+	CloseFunc func() error
+}
+
+var _ io.WriteCloser = (*WriteCloser)(nil)
+
+// Close implements io.WriteCloser
+func (wac *WriteCloser) Close() error {
+	return wac.CloseFunc()
+}
@@ -0,0 +1,97 @@
+// Copyright 2022 Google LLC All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//    http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// Package compression abstracts over gzip and zstd.
+package compression
+
+import (
+	"bufio"
+	"bytes"
+	"io"
+
+	"github.com/google/go-containerregistry/internal/gzip"
+	"github.com/google/go-containerregistry/internal/zstd"
+	"github.com/google/go-containerregistry/pkg/compression"
+)
+
+// Opener represents e.g. opening a file.
+type Opener = func() (io.ReadCloser, error)
+
+// GetCompression detects whether an Opener is compressed and which algorithm is used.
+func GetCompression(opener Opener) (compression.Compression, error) {
+	rc, err := opener()
+	if err != nil {
+		return compression.None, err
+	}
+	defer rc.Close()
+
+	cp, _, err := PeekCompression(rc)
+	if err != nil {
+		return compression.None, err
+	}
+
+	return cp, nil
+}
+
+// PeekCompression detects whether the input stream is compressed and which algorithm is used.
+//
+// If r implements Peek, we will use that directly, otherwise a small number
+// of bytes are buffered to Peek at the gzip/zstd header, and the returned
+// PeekReader can be used as a replacement for the consumed input io.Reader.
+func PeekCompression(r io.Reader) (compression.Compression, PeekReader, error) {
+	pr := intoPeekReader(r)
+
+	if isGZip, _, err := checkHeader(pr, gzip.MagicHeader); err != nil {
+		return compression.None, pr, err
+	} else if isGZip {
+		return compression.GZip, pr, nil
+	}
+
+	if isZStd, _, err := checkHeader(pr, zstd.MagicHeader); err != nil {
+		return compression.None, pr, err
+	} else if isZStd {
+		return compression.ZStd, pr, nil
+	}
+
+	return compression.None, pr, nil
+}
+
+// PeekReader is an io.Reader that also implements Peek a la bufio.Reader.
+type PeekReader interface {
+	io.Reader
+	Peek(n int) ([]byte, error)
+}
+
+// IntoPeekReader creates a PeekReader from an io.Reader.
+// If the reader already has a Peek method, it will just return the passed reader.
+func intoPeekReader(r io.Reader) PeekReader {
+	if p, ok := r.(PeekReader); ok {
+		return p
+	}
+
+	return bufio.NewReader(r)
+}
+
+// CheckHeader checks whether the first bytes from a PeekReader match an expected header
+func checkHeader(pr PeekReader, expectedHeader []byte) (bool, PeekReader, error) {
+	header, err := pr.Peek(len(expectedHeader))
+	if err != nil {
+		// https://github.com/google/go-containerregistry/issues/367
+		if err == io.EOF {
+			return false, pr, nil
+		}
+		return false, pr, err
+	}
+	return bytes.Equal(header, expectedHeader), pr, nil
+}
@@ -0,0 +1,54 @@
+// Copyright 2020 Google LLC All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//    http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// Package estargz adapts the containerd estargz package to our abstractions.
+package estargz
+
+import (
+	"bytes"
+	"io"
+
+	"github.com/containerd/stargz-snapshotter/estargz"
+	v1 "github.com/google/go-containerregistry/pkg/v1"
+)
+
+// Assert that what we're returning is an io.ReadCloser
+var _ io.ReadCloser = (*estargz.Blob)(nil)
+
+// ReadCloser reads uncompressed tarball input from the io.ReadCloser and
+// returns:
+//   - An io.ReadCloser from which compressed data may be read, and
+//   - A v1.Hash with the hash of the estargz table of contents, or
+//   - An error if the estargz processing encountered a problem.
+//
+// Refer to estargz for the options:
+// https://pkg.go.dev/github.com/containerd/stargz-snapshotter/estargz@v0.4.1#Option
+func ReadCloser(r io.ReadCloser, opts ...estargz.Option) (*estargz.Blob, v1.Hash, error) {
+	defer r.Close()
+
+	// TODO(#876): Avoid buffering into memory.
+	bs, err := io.ReadAll(r)
+	if err != nil {
+		return nil, v1.Hash{}, err
+	}
+	br := bytes.NewReader(bs)
+
+	rc, err := estargz.Build(io.NewSectionReader(br, 0, int64(len(bs))), opts...)
+	if err != nil {
+		return nil, v1.Hash{}, err
+	}
+
+	h, err := v1.NewHash(rc.TOCDigest().String())
+	return rc, h, err
+}
@@ -0,0 +1,118 @@
+// Copyright 2020 Google LLC All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//    http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// Package gzip provides helper functions for interacting with gzipped streams.
+package gzip
+
+import (
+	"bufio"
+	"bytes"
+	"compress/gzip"
+	"io"
+
+	"github.com/google/go-containerregistry/internal/and"
+)
+
+// MagicHeader is the start of gzip files.
+var MagicHeader = []byte{'\x1f', '\x8b'}
+
+// ReadCloser reads uncompressed input data from the io.ReadCloser and
+// returns an io.ReadCloser from which compressed data may be read.
+// This uses gzip.BestSpeed for the compression level.
+func ReadCloser(r io.ReadCloser) io.ReadCloser {
+	return ReadCloserLevel(r, gzip.BestSpeed)
+}
+
+// ReadCloserLevel reads uncompressed input data from the io.ReadCloser and
+// returns an io.ReadCloser from which compressed data may be read.
+// Refer to compress/gzip for the level:
+// https://golang.org/pkg/compress/gzip/#pkg-constants
+func ReadCloserLevel(r io.ReadCloser, level int) io.ReadCloser {
+	pr, pw := io.Pipe()
+
+	// For highly compressible layers, gzip.Writer will output a very small
+	// number of bytes per Write(). This is normally fine, but when pushing
+	// to a registry, we want to ensure that we're taking full advantage of
+	// the available bandwidth instead of sending tons of tiny writes over
+	// the wire.
+	// 64K ought to be small enough for anybody.
+	bw := bufio.NewWriterSize(pw, 2<<16)
+
+	// Returns err so we can pw.CloseWithError(err)
+	go func() error {
+		// TODO(go1.14): Just defer {pw,gw,r}.Close like you'd expect.
+		// Context: https://golang.org/issue/24283
+		gw, err := gzip.NewWriterLevel(bw, level)
+		if err != nil {
+			return pw.CloseWithError(err)
+		}
+
+		if _, err := io.Copy(gw, r); err != nil {
+			defer r.Close()
+			defer gw.Close()
+			return pw.CloseWithError(err)
+		}
+
+		// Close gzip writer to Flush it and write gzip trailers.
+		if err := gw.Close(); err != nil {
+			return pw.CloseWithError(err)
+		}
+
+		// Flush bufio writer to ensure we write out everything.
+		if err := bw.Flush(); err != nil {
+			return pw.CloseWithError(err)
+		}
+
+		// We don't really care if these fail.
+		defer pw.Close()
+		defer r.Close()
+
+		return nil
+	}()
+
+	return pr
+}
+
+// UnzipReadCloser reads compressed input data from the io.ReadCloser and
+// returns an io.ReadCloser from which uncompressed data may be read.
+func UnzipReadCloser(r io.ReadCloser) (io.ReadCloser, error) {
+	gr, err := gzip.NewReader(r)
+	if err != nil {
+		return nil, err
+	}
+	return &and.ReadCloser{
+		Reader: gr,
+		CloseFunc: func() error {
+			// If the unzip fails, then this seems to return the same
+			// error as the read.  We don't want this to interfere with
+			// us closing the main ReadCloser, since this could leave
+			// an open file descriptor (fails on Windows).
+			gr.Close()
+			return r.Close()
+		},
+	}, nil
+}
+
+// Is detects whether the input stream is compressed.
+func Is(r io.Reader) (bool, error) {
+	magicHeader := make([]byte, 2)
+	n, err := r.Read(magicHeader)
+	if n == 0 && err == io.EOF {
+		return false, nil
+	}
+	if err != nil {
+		return false, err
+	}
+	return bytes.Equal(magicHeader, MagicHeader), nil
+}
@@ -0,0 +1,89 @@
+// Copyright 2020 Google LLC All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//    http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// Package redact contains a simple context signal for redacting requests.
+package redact
+
+import (
+	"context"
+	"errors"
+	"net/url"
+)
+
+type contextKey string
+
+var redactKey = contextKey("redact")
+
+// NewContext creates a new ctx with the reason for redaction.
+func NewContext(ctx context.Context, reason string) context.Context {
+	return context.WithValue(ctx, redactKey, reason)
+}
+
+// FromContext returns the redaction reason, if any.
+func FromContext(ctx context.Context) (bool, string) {
+	reason, ok := ctx.Value(redactKey).(string)
+	return ok, reason
+}
+
+// Error redacts potentially sensitive query parameter values in the URL from the error's message.
+//
+// If the error is a *url.Error, this returns a *url.Error with the URL redacted.
+// Any other error type, or nil, is returned unchanged.
+func Error(err error) error {
+	// If the error is a url.Error, we can redact the URL.
+	// Otherwise (including if err is nil), we can't redact.
+	var uerr *url.Error
+	if ok := errors.As(err, &uerr); !ok {
+		return err
+	}
+	u, perr := url.Parse(uerr.URL)
+	if perr != nil {
+		return err // If the URL can't be parsed, just return the original error.
+	}
+	uerr.URL = URL(u) // Update the URL to the redacted URL.
+	return uerr
+}
+
+// The set of query string keys that we expect to send as part of the registry
+// protocol. Anything else is potentially dangerous to leak, as it's probably
+// from a redirect. These redirects often included tokens or signed URLs.
+var paramAllowlist = map[string]struct{}{
+	// Token exchange
+	"scope":   {},
+	"service": {},
+	// Cross-repo mounting
+	"mount": {},
+	"from":  {},
+	// Layer PUT
+	"digest": {},
+	// Listing tags and catalog
+	"n":    {},
+	"last": {},
+}
+
+// URL redacts potentially sensitive query parameter values from the URL's query string.
+func URL(u *url.URL) string {
+	qs := u.Query()
+	for k, v := range qs {
+		for i := range v {
+			if _, ok := paramAllowlist[k]; !ok {
+				// key is not in the Allowlist
+				v[i] = "REDACTED"
+			}
+		}
+	}
+	r := *u
+	r.RawQuery = qs.Encode()
+	return r.Redacted()
+}
@@ -0,0 +1,94 @@
+// Copyright 2019 Google LLC All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//    http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// Package retry provides methods for retrying operations. It is a thin wrapper
+// around k8s.io/apimachinery/pkg/util/wait to make certain operations easier.
+package retry
+
+import (
+	"context"
+	"errors"
+	"fmt"
+
+	"github.com/google/go-containerregistry/internal/retry/wait"
+)
+
+// Backoff is an alias of our own wait.Backoff to avoid name conflicts with
+// the kubernetes wait package. Typing retry.Backoff is aesier than fixing
+// the wrong import every time you use wait.Backoff.
+type Backoff = wait.Backoff
+
+// This is implemented by several errors in the net package as well as our
+// transport.Error.
+type temporary interface {
+	Temporary() bool
+}
+
+// IsTemporary returns true if err implements Temporary() and it returns true.
+func IsTemporary(err error) bool {
+	if errors.Is(err, context.DeadlineExceeded) {
+		return false
+	}
+	if te, ok := err.(temporary); ok && te.Temporary() {
+		return true
+	}
+	return false
+}
+
+// IsNotNil returns true if err is not nil.
+func IsNotNil(err error) bool {
+	return err != nil
+}
+
+// Predicate determines whether an error should be retried.
+type Predicate func(error) (retry bool)
+
+// Retry retries a given function, f, until a predicate is satisfied, using
+// exponential backoff. If the predicate is never satisfied, it will return the
+// last error returned by f.
+func Retry(f func() error, p Predicate, backoff wait.Backoff) (err error) {
+	if f == nil {
+		return fmt.Errorf("nil f passed to retry")
+	}
+	if p == nil {
+		return fmt.Errorf("nil p passed to retry")
+	}
+
+	condition := func() (bool, error) {
+		err = f()
+		if p(err) {
+			return false, nil
+		}
+		return true, err
+	}
+
+	wait.ExponentialBackoff(backoff, condition)
+	return
+}
+
+type contextKey string
+
+var key = contextKey("never")
+
+// Never returns a context that signals something should not be retried.
+// This is a hack and can be used to communicate across package boundaries
+// to avoid retry amplification.
+func Never(ctx context.Context) context.Context {
+	return context.WithValue(ctx, key, true)
+}
+
+// Ever returns true if the context was wrapped by Never.
+func Ever(ctx context.Context) bool {
+	return ctx.Value(key) == nil
+}
@@ -0,0 +1,123 @@
+/*
+Copyright 2014 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Package wait is a subset of k8s.io/apimachinery to avoid conflicts
+// in dependencies (specifically, logging).
+package wait
+
+import (
+	"errors"
+	"math/rand"
+	"time"
+)
+
+// Jitter returns a time.Duration between duration and duration + maxFactor *
+// duration.
+//
+// This allows clients to avoid converging on periodic behavior. If maxFactor
+// is 0.0, a suggested default value will be chosen.
+func Jitter(duration time.Duration, maxFactor float64) time.Duration {
+	if maxFactor <= 0.0 {
+		maxFactor = 1.0
+	}
+	wait := duration + time.Duration(rand.Float64()*maxFactor*float64(duration))
+	return wait
+}
+
+// ErrWaitTimeout is returned when the condition exited without success.
+var ErrWaitTimeout = errors.New("timed out waiting for the condition")
+
+// ConditionFunc returns true if the condition is satisfied, or an error
+// if the loop should be aborted.
+type ConditionFunc func() (done bool, err error)
+
+// Backoff holds parameters applied to a Backoff function.
+type Backoff struct {
+	// The initial duration.
+	Duration time.Duration
+	// Duration is multiplied by factor each iteration, if factor is not zero
+	// and the limits imposed by Steps and Cap have not been reached.
+	// Should not be negative.
+	// The jitter does not contribute to the updates to the duration parameter.
+	Factor float64
+	// The sleep at each iteration is the duration plus an additional
+	// amount chosen uniformly at random from the interval between
+	// zero and `jitter*duration`.
+	Jitter float64
+	// The remaining number of iterations in which the duration
+	// parameter may change (but progress can be stopped earlier by
+	// hitting the cap). If not positive, the duration is not
+	// changed. Used for exponential backoff in combination with
+	// Factor and Cap.
+	Steps int
+	// A limit on revised values of the duration parameter. If a
+	// multiplication by the factor parameter would make the duration
+	// exceed the cap then the duration is set to the cap and the
+	// steps parameter is set to zero.
+	Cap time.Duration
+}
+
+// Step (1) returns an amount of time to sleep determined by the
+// original Duration and Jitter and (2) mutates the provided Backoff
+// to update its Steps and Duration.
+func (b *Backoff) Step() time.Duration {
+	if b.Steps < 1 {
+		if b.Jitter > 0 {
+			return Jitter(b.Duration, b.Jitter)
+		}
+		return b.Duration
+	}
+	b.Steps--
+
+	duration := b.Duration
+
+	// calculate the next step
+	if b.Factor != 0 {
+		b.Duration = time.Duration(float64(b.Duration) * b.Factor)
+		if b.Cap > 0 && b.Duration > b.Cap {
+			b.Duration = b.Cap
+			b.Steps = 0
+		}
+	}
+
+	if b.Jitter > 0 {
+		duration = Jitter(duration, b.Jitter)
+	}
+	return duration
+}
+
+// ExponentialBackoff repeats a condition check with exponential backoff.
+//
+// It repeatedly checks the condition and then sleeps, using `backoff.Step()`
+// to determine the length of the sleep and adjust Duration and Steps.
+// Stops and returns as soon as:
+// 1. the condition check returns true or an error,
+// 2. `backoff.Steps` checks of the condition have been done, or
+// 3. a sleep truncated by the cap on duration has been completed.
+// In case (1) the returned error is what the condition function returned.
+// In all other cases, ErrWaitTimeout is returned.
+func ExponentialBackoff(backoff Backoff, condition ConditionFunc) error {
+	for backoff.Steps > 0 {
+		if ok, err := condition(); err != nil || ok {
+			return err
+		}
+		if backoff.Steps == 1 {
+			break
+		}
+		time.Sleep(backoff.Step())
+	}
+	return ErrWaitTimeout
+}
@@ -0,0 +1,122 @@
+// Copyright 2020 Google LLC All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//    http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// Package verify provides a ReadCloser that verifies content matches the
+// expected hash values.
+package verify
+
+import (
+	"bytes"
+	"encoding/hex"
+	"errors"
+	"fmt"
+	"hash"
+	"io"
+
+	"github.com/google/go-containerregistry/internal/and"
+	v1 "github.com/google/go-containerregistry/pkg/v1"
+)
+
+// SizeUnknown is a sentinel value to indicate that the expected size is not known.
+const SizeUnknown = -1
+
+type verifyReader struct {
+	inner             io.Reader
+	hasher            hash.Hash
+	expected          v1.Hash
+	gotSize, wantSize int64
+}
+
+// Error provides information about the failed hash verification.
+type Error struct {
+	got     string
+	want    v1.Hash
+	gotSize int64
+}
+
+func (v Error) Error() string {
+	return fmt.Sprintf("error verifying %s checksum after reading %d bytes; got %q, want %q",
+		v.want.Algorithm, v.gotSize, v.got, v.want)
+}
+
+// Read implements io.Reader
+func (vc *verifyReader) Read(b []byte) (int, error) {
+	n, err := vc.inner.Read(b)
+	vc.gotSize += int64(n)
+	if err == io.EOF {
+		if vc.wantSize != SizeUnknown && vc.gotSize != vc.wantSize {
+			return n, fmt.Errorf("error verifying size; got %d, want %d", vc.gotSize, vc.wantSize)
+		}
+		got := hex.EncodeToString(vc.hasher.Sum(nil))
+		if want := vc.expected.Hex; got != want {
+			return n, Error{
+				got:     vc.expected.Algorithm + ":" + got,
+				want:    vc.expected,
+				gotSize: vc.gotSize,
+			}
+		}
+	}
+	return n, err
+}
+
+// ReadCloser wraps the given io.ReadCloser to verify that its contents match
+// the provided v1.Hash before io.EOF is returned.
+//
+// The reader will only be read up to size bytes, to prevent resource
+// exhaustion. If EOF is returned before size bytes are read, an error is
+// returned.
+//
+// A size of SizeUnknown (-1) indicates disables size verification when the size
+// is unknown ahead of time.
+func ReadCloser(r io.ReadCloser, size int64, h v1.Hash) (io.ReadCloser, error) {
+	w, err := v1.Hasher(h.Algorithm)
+	if err != nil {
+		return nil, err
+	}
+	r2 := io.TeeReader(r, w) // pass all writes to the hasher.
+	if size != SizeUnknown {
+		r2 = io.LimitReader(r2, size) // if we know the size, limit to that size.
+	}
+	return &and.ReadCloser{
+		Reader: &verifyReader{
+			inner:    r2,
+			hasher:   w,
+			expected: h,
+			wantSize: size,
+		},
+		CloseFunc: r.Close,
+	}, nil
+}
+
+// Descriptor verifies that the embedded Data field matches the Size and Digest
+// fields of the given v1.Descriptor, returning an error if the Data field is
+// missing or if it contains incorrect data.
+func Descriptor(d v1.Descriptor) error {
+	if d.Data == nil {
+		return errors.New("error verifying descriptor; Data == nil")
+	}
+
+	h, sz, err := v1.SHA256(bytes.NewReader(d.Data))
+	if err != nil {
+		return err
+	}
+	if h != d.Digest {
+		return fmt.Errorf("error verifying Digest; got %q, want %q", h, d.Digest)
+	}
+	if sz != d.Size {
+		return fmt.Errorf("error verifying Size; got %d, want %d", sz, d.Size)
+	}
+
+	return nil
+}
@@ -0,0 +1,114 @@
+// Copyright 2021 Google LLC All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//    http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package windows
+
+import (
+	"archive/tar"
+	"bytes"
+	"errors"
+	"fmt"
+	"io"
+	"path"
+	"strings"
+
+	"github.com/google/go-containerregistry/internal/gzip"
+	v1 "github.com/google/go-containerregistry/pkg/v1"
+	"github.com/google/go-containerregistry/pkg/v1/tarball"
+)
+
+// userOwnerAndGroupSID is a magic value needed to make the binary executable
+// in a Windows container.
+//
+// owner: BUILTIN/Users group: BUILTIN/Users ($sddlValue="O:BUG:BU")
+const userOwnerAndGroupSID = "AQAAgBQAAAAkAAAAAAAAAAAAAAABAgAAAAAABSAAAAAhAgAAAQIAAAAAAAUgAAAAIQIAAA=="
+
+// Windows returns a Layer that is converted to be pullable on Windows.
+func Windows(layer v1.Layer) (v1.Layer, error) {
+	// TODO: do this lazily.
+
+	layerReader, err := layer.Uncompressed()
+	if err != nil {
+		return nil, fmt.Errorf("getting layer: %w", err)
+	}
+	defer layerReader.Close()
+	tarReader := tar.NewReader(layerReader)
+	w := new(bytes.Buffer)
+	tarWriter := tar.NewWriter(w)
+	defer tarWriter.Close()
+
+	for _, dir := range []string{"Files", "Hives"} {
+		if err := tarWriter.WriteHeader(&tar.Header{
+			Name:     dir,
+			Typeflag: tar.TypeDir,
+			// Use a fixed Mode, so that this isn't sensitive to the directory and umask
+			// under which it was created. Additionally, windows can only set 0222,
+			// 0444, or 0666, none of which are executable.
+			Mode:   0555,
+			Format: tar.FormatPAX,
+		}); err != nil {
+			return nil, fmt.Errorf("writing %s directory: %w", dir, err)
+		}
+	}
+
+	for {
+		header, err := tarReader.Next()
+		if errors.Is(err, io.EOF) {
+			break
+		}
+		if err != nil {
+			return nil, fmt.Errorf("reading layer: %w", err)
+		}
+
+		if strings.HasPrefix(header.Name, "Files/") {
+			return nil, fmt.Errorf("file path %q already suitable for Windows", header.Name)
+		}
+
+		header.Name = path.Join("Files", header.Name)
+		header.Format = tar.FormatPAX
+
+		// TODO: this seems to make the file executable on Windows;
+		// only do this if the file should be executable.
+		if header.PAXRecords == nil {
+			header.PAXRecords = map[string]string{}
+		}
+		header.PAXRecords["MSWINDOWS.rawsd"] = userOwnerAndGroupSID
+
+		if err := tarWriter.WriteHeader(header); err != nil {
+			return nil, fmt.Errorf("writing tar header: %w", err)
+		}
+
+		if header.Typeflag == tar.TypeReg {
+			if _, err = io.Copy(tarWriter, tarReader); err != nil {
+				return nil, fmt.Errorf("writing layer file: %w", err)
+			}
+		}
+	}
+
+	if err := tarWriter.Close(); err != nil {
+		return nil, err
+	}
+
+	b := w.Bytes()
+	// gzip the contents, then create the layer
+	opener := func() (io.ReadCloser, error) {
+		return gzip.ReadCloser(io.NopCloser(bytes.NewReader(b))), nil
+	}
+	layer, err = tarball.LayerFromOpener(opener)
+	if err != nil {
+		return nil, fmt.Errorf("creating layer: %w", err)
+	}
+
+	return layer, nil
+}
@@ -0,0 +1,116 @@
+// Copyright 2022 Google LLC All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//    http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// Package zstd provides helper functions for interacting with zstd streams.
+package zstd
+
+import (
+	"bufio"
+	"bytes"
+	"io"
+
+	"github.com/google/go-containerregistry/internal/and"
+	"github.com/klauspost/compress/zstd"
+)
+
+// MagicHeader is the start of zstd files.
+var MagicHeader = []byte{'\x28', '\xb5', '\x2f', '\xfd'}
+
+// ReadCloser reads uncompressed input data from the io.ReadCloser and
+// returns an io.ReadCloser from which compressed data may be read.
+// This uses zstd level 1 for the compression.
+func ReadCloser(r io.ReadCloser) io.ReadCloser {
+	return ReadCloserLevel(r, 1)
+}
+
+// ReadCloserLevel reads uncompressed input data from the io.ReadCloser and
+// returns an io.ReadCloser from which compressed data may be read.
+func ReadCloserLevel(r io.ReadCloser, level int) io.ReadCloser {
+	pr, pw := io.Pipe()
+
+	// For highly compressible layers, zstd.Writer will output a very small
+	// number of bytes per Write(). This is normally fine, but when pushing
+	// to a registry, we want to ensure that we're taking full advantage of
+	// the available bandwidth instead of sending tons of tiny writes over
+	// the wire.
+	// 64K ought to be small enough for anybody.
+	bw := bufio.NewWriterSize(pw, 2<<16)
+
+	// Returns err so we can pw.CloseWithError(err)
+	go func() error {
+		// TODO(go1.14): Just defer {pw,zw,r}.Close like you'd expect.
+		// Context: https://golang.org/issue/24283
+		zw, err := zstd.NewWriter(bw, zstd.WithEncoderLevel(zstd.EncoderLevelFromZstd(level)))
+		if err != nil {
+			return pw.CloseWithError(err)
+		}
+
+		if _, err := io.Copy(zw, r); err != nil {
+			defer r.Close()
+			defer zw.Close()
+			return pw.CloseWithError(err)
+		}
+
+		// Close zstd writer to Flush it and write zstd trailers.
+		if err := zw.Close(); err != nil {
+			return pw.CloseWithError(err)
+		}
+
+		// Flush bufio writer to ensure we write out everything.
+		if err := bw.Flush(); err != nil {
+			return pw.CloseWithError(err)
+		}
+
+		// We don't really care if these fail.
+		defer pw.Close()
+		defer r.Close()
+
+		return nil
+	}()
+
+	return pr
+}
+
+// UnzipReadCloser reads compressed input data from the io.ReadCloser and
+// returns an io.ReadCloser from which uncompressed data may be read.
+func UnzipReadCloser(r io.ReadCloser) (io.ReadCloser, error) {
+	gr, err := zstd.NewReader(r)
+	if err != nil {
+		return nil, err
+	}
+	return &and.ReadCloser{
+		Reader: gr,
+		CloseFunc: func() error {
+			// If the unzip fails, then this seems to return the same
+			// error as the read.  We don't want this to interfere with
+			// us closing the main ReadCloser, since this could leave
+			// an open file descriptor (fails on Windows).
+			gr.Close()
+			return r.Close()
+		},
+	}, nil
+}
+
+// Is detects whether the input stream is compressed.
+func Is(r io.Reader) (bool, error) {
+	magicHeader := make([]byte, 4)
+	n, err := r.Read(magicHeader)
+	if n == 0 && err == io.EOF {
+		return false, nil
+	}
+	if err != nil {
+		return false, err
+	}
+	return bytes.Equal(magicHeader, MagicHeader), nil
+}