moraza · August 22, 2025 20:21
diff --git a/get_docker_layer_links.sh b/get_docker_layer_links.sh
 #!/usr/bin/env bash

 ## Usage: ./get_docker_layer_links.sh public.ecr.aws/amazonlinux/amazonlinux:2023
 # URLs returned can then be used to submit proxy whitelist request in enterprise environment.
 set -euo pipefail

 if [ $# -ne 1 ]; then
  echo "Usage: $0 <image:tag>"
  echo "Example: $0 public.ecr.aws/amazonlinux/amazonlinux:2023"
  exit 1
 fi

 IMAGE="$1"

 # Split into registry/repository:tag
 REGISTRY=$(echo "$IMAGE" | cut -d/ -f1)
 REPO_AND_TAG=$(echo "$IMAGE" | cut -d/ -f2-)

 if [[ "$REPO_AND_TAG" != *:* ]]; then
  REPO="$REPO_AND_TAG"
  TAG="latest"
 else
  REPO=$(echo "$REPO_AND_TAG" | cut -d: -f1)
  TAG=$(echo "$REPO_AND_TAG" | cut -d: -f2)
 fi

 # Step 1: Try unauthenticated HEAD request to see if auth is needed
 AUTH_RESP=$(curl -sI "https://${REGISTRY}/v2/${REPO}/manifests/${TAG}" || true)
 if echo "$AUTH_RESP" | grep -qi "WWW-Authenticate"; then
  REALM=$(echo "$AUTH_RESP" | sed -n 's/.*realm="\([^"]*\)".*/\1/p')
  SERVICE=$(echo "$AUTH_RESP" | sed -n 's/.*service="\([^"]*\)".*/\1/p')
  SCOPE=$(echo "$AUTH_RESP" | sed -n 's/.*scope="\([^"]*\)".*/\1/p')
  TOKEN=$(curl -s "${REALM}?service=${SERVICE}&scope=${SCOPE}" | jq -r '.token')
  AUTH_HEADER="Authorization: Bearer $TOKEN"
 else
  AUTH_HEADER=""
 fi

 # Step 2: Fetch manifest list (or manifest)
 MANIFEST=$(curl -s -H "Accept: application/vnd.docker.distribution.manifest.list.v2+json" \
  -H "Accept: application/vnd.docker.distribution.manifest.v2+json" \
  -H "$AUTH_HEADER" \
  "https://${REGISTRY}/v2/${REPO}/manifests/${TAG}")

 MEDIA_TYPE=$(echo "$MANIFEST" | jq -r '.mediaType // empty')

 # Step 3: If manifest list, pick linux/amd64
 if [[ "$MEDIA_TYPE" == "application/vnd.docker.distribution.manifest.list.v2+json" ]] || \
   [[ "$MEDIA_TYPE" == "application/vnd.oci.image.index.v1+json" ]]; then
  DIGEST=$(echo "$MANIFEST" | jq -r '.manifests[] | select(.platform.os=="linux" and .platform.architecture=="amd64") | .digest' | head -n1)
  if [ -z "$DIGEST" ]; then
    echo "No linux/amd64 manifest found!"
    exit 1
  fi
  MANIFEST=$(curl -s -H "Accept: application/vnd.docker.distribution.manifest.v2+json" \
    -H "$AUTH_HEADER" \
    "https://${REGISTRY}/v2/${REPO}/manifests/${DIGEST}")
 fi

 # Step 4: Extract layers
 BLOBS=$(echo "$MANIFEST" | jq -r '.layers[].digest')

 #echo "TOKEN: $TOKEN"

 echo "Blob download URLs for $IMAGE:"
 for DIGEST in $BLOBS; do
  echo "https://${REGISTRY}/v2/${REPO}/blobs/${DIGEST}"
  OUTPUT=$(curl -v -H "$AUTH_HEADER" "https://${REGISTRY}/v2/${REPO}/blobs/${DIGEST}" 2<&1)
  echo "$OUTPUT" | grep -i location
 done
	#!/usr/bin/env bash

	## Usage: ./get_docker_layer_links.sh public.ecr.aws/amazonlinux/amazonlinux:2023
	# URLs returned can then be used to submit proxy whitelist request in enterprise environment.
	set -euo pipefail

	if [ $# -ne 1 ]; then
	echo "Usage: $0 <image:tag>"
	echo "Example: $0 public.ecr.aws/amazonlinux/amazonlinux:2023"
	exit 1
	fi

	IMAGE="$1"

	# Split into registry/repository:tag
	REGISTRY=$(echo "$IMAGE" \| cut -d/ -f1)
	REPO_AND_TAG=$(echo "$IMAGE" \| cut -d/ -f2-)

	if [[ "$REPO_AND_TAG" != : ]]; then
	REPO="$REPO_AND_TAG"
	TAG="latest"
	else
	REPO=$(echo "$REPO_AND_TAG" \| cut -d: -f1)
	TAG=$(echo "$REPO_AND_TAG" \| cut -d: -f2)
	fi

	# Step 1: Try unauthenticated HEAD request to see if auth is needed
	AUTH_RESP=$(curl -sI "https://${REGISTRY}/v2/${REPO}/manifests/${TAG}" \|\| true)
	if echo "$AUTH_RESP" \| grep -qi "WWW-Authenticate"; then
	REALM=$(echo "$AUTH_RESP" \| sed -n 's/.realm="\([^"]\)".*/\1/p')
	SERVICE=$(echo "$AUTH_RESP" \| sed -n 's/.service="\([^"]\)".*/\1/p')
	SCOPE=$(echo "$AUTH_RESP" \| sed -n 's/.scope="\([^"]\)".*/\1/p')
	TOKEN=$(curl -s "${REALM}?service=${SERVICE}&scope=${SCOPE}" \| jq -r '.token')
	AUTH_HEADER="Authorization: Bearer $TOKEN"
	else
	AUTH_HEADER=""
	fi

	# Step 2: Fetch manifest list (or manifest)
	MANIFEST=$(curl -s -H "Accept: application/vnd.docker.distribution.manifest.list.v2+json" \
	-H "Accept: application/vnd.docker.distribution.manifest.v2+json" \
	-H "$AUTH_HEADER" \
	"https://${REGISTRY}/v2/${REPO}/manifests/${TAG}")

	MEDIA_TYPE=$(echo "$MANIFEST" \| jq -r '.mediaType // empty')

	# Step 3: If manifest list, pick linux/amd64
	if [[ "$MEDIA_TYPE" == "application/vnd.docker.distribution.manifest.list.v2+json" ]] \|\| \
	[[ "$MEDIA_TYPE" == "application/vnd.oci.image.index.v1+json" ]]; then
	DIGEST=$(echo "$MANIFEST" \| jq -r '.manifests[] \| select(.platform.os=="linux" and .platform.architecture=="amd64") \| .digest' \| head -n1)
	if [ -z "$DIGEST" ]; then
	echo "No linux/amd64 manifest found!"
	exit 1
	fi
	MANIFEST=$(curl -s -H "Accept: application/vnd.docker.distribution.manifest.v2+json" \
	-H "$AUTH_HEADER" \
	"https://${REGISTRY}/v2/${REPO}/manifests/${DIGEST}")
	fi

	# Step 4: Extract layers
	BLOBS=$(echo "$MANIFEST" \| jq -r '.layers[].digest')

	#echo "TOKEN: $TOKEN"

	echo "Blob download URLs for $IMAGE:"
	for DIGEST in $BLOBS; do
	echo "https://${REGISTRY}/v2/${REPO}/blobs/${DIGEST}"
	OUTPUT=$(curl -v -H "$AUTH_HEADER" "https://${REGISTRY}/v2/${REPO}/blobs/${DIGEST}" 2<&1)
	echo "$OUTPUT" \| grep -i location
	done
No results found