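# Notary Fallback Mechanism

```plantuml
@startuml NotaryFallback
' Sequence of registry calls a signing client ("notary") makes when pushing a
' signature artifact for a subject manifest, including both fallbacks:
'   1. the registry rejects the artifact manifest -> push a fallback manifest
'   2. the registry lacks the Referrers API -> maintain a tagged manifest list
!theme aws-orange
title Notary Fallback Mechanism
scale 1200 width
skinparam handwritten true
skinparam backgroundColor #111111

actor "notary" as cli order 10 #White
participant "ECR" as reg order 20 #Orange

' Arrow colour ($cNNN) and response label ($rNNN) per HTTP status.
!$inline = "#MediumPurple"
!$c200 = "#Green"
!$r200 = '""200 OK""'
!$c201 = "#GoldenRod"
!$r201 = '""201 Created""'
!$c400 = "#Red"
!$r400 = '""400 Bad Request""'
!$c404 = "#Gray"
!$r404 = '""404 Not Found""'
!$c405 = "#Red"
!$r405 = '""405 Method Not Allowed""'
!$cFFF = "#Red"
!$rFFF = '""4xx/5xx Failure""'

note across: //""OCI Artifact Manifest"" support **DOES NOT** imply ""Referrers API"" support//
note across: //""Referrers API"" support **DOES** imply ""OCI Artifact Manifest"" support//

== Artifact Push Phase ==

note across: //Check that subject manifest exists; **assume:""true""**//
cli -> reg: ""HEAD manifests/<color:$inline>$(identifier(subjectManifest))</color>""
cli <-[$c200] reg: $r200

note across: //Check that artifact manifest exists; **assume:""false""**//
cli -> reg: ""HEAD manifests/<color:$inline>$(digest(artifactManifest))</color>""
cli <-[$c404] reg: $r404

note across: //Check that the artifact blob exists; **assume:""false""**//
cli -> reg: ""HEAD blobs/<color:$inline>$(digest(artifactBlob))</color>""
cli <-[$c404] reg: $r404

note across: //Upload the artifact blob (via ""POST-then-PUT"")//
cli -> reg: ""POST blobs/uploads""
cli <-[$c201] reg: $r201
cli -> reg: ""PUT blobs/uploads/<color:$inline>${session_id}/$(digest(artifactBlob))</color>""
cli <-[$c201] reg: $r201

' NOTE(review): "oci-v1.1" here looks like a pre-release draft of the spec; the
' dedicated artifact manifest type was dropped before the final 1.1 release, so
' confirm which manifest type current clients actually push.
note across: //Attempt artifact manifest upload via ""oci-v1.1"" spec//
cli -> reg: ""PUT manifests/<color:$inline>$(digest(artifactManifest))</color>""
alt ""Artifacts"" //supported?//
else #SkyBlue true
  cli <-[$c201] reg: $r201
else #Pink false
  ' Only the explicit UNSUPPORTED rejection starts the fallback path.
  cli <-[$c400] reg: $r400 ""[code:UNSUPPORTED]""

  note across: //Check that fallback artifact manifest exists; **assume:""false""**//
  cli -> reg: ""HEAD manifests/<color:$inline>$(digest(fallbackArtifactManifest))</color>""
  cli <-[$c404] reg: $r404

  note across: //Check that OCI image config blob exists; **assume:""false""**//
  cli -> reg: ""HEAD blobs/<color:$inline>$(digest(${ORAS_CONFIG_BLOB}))</color>""
  cli <-[$c404] reg: $r404

  note across: //Upload the OCI image config blob (via ""POST-then-PUT"")//
  cli -> reg: ""POST blobs/uploads""
  cli <-[$c201] reg: $r201
  cli -> reg: ""PUT blobs/uploads/<color:$inline>${session_id}/$(digest(${ORAS_CONFIG_BLOB}))</color>""
  cli <-[$c201] reg: $r201

  note across: //Upload fallback artifact manifest//
  cli -> reg: ""PUT manifests/<color:$inline>$(digest(fallbackArtifactManifest))</color>""
  cli <-[$c201] reg: $r201
end

== Artifact/Subject Relationship Phase ==

' The all-zero digest is a probe value: the answer only tells the client
' whether the endpoint exists, not anything about a real subject.
note across: //Check for the Referrers API support//
cli -> reg: ""GET referrers/sha256:<color:$inline>$("0"*64)</color>""
alt ""Referrers API"" //supported?//
else #SkyBlue true
  cli <-[$c200] reg: $r200
else #Pink false
  cli <-[$c404] reg: $r404

  ' NOTE(review): the fallback list lives under an ordinary tag, so the
  ' GET -> (DELETE) -> PUT below is a non-atomic read-modify-write. Two clients
  ' signing the same subject concurrently can overwrite each other's entries.
  ' A verifier should treat this list as a discovery index only and still
  ' validate every signature it finds through it.
  note across: //Check if fallback artifacts manifest list exists//
  cli -> reg: ""GET manifests/<color:$inline>${alg}-$(digest(subject))</color>""
  alt ""Fallback Manifest List"" //exists?//
  else #SkyBlue true
    cli <-[$c200] reg: $r200

    ' Deleting before the new list is pushed leaves a window in which the
    ' subject has no discoverable signatures; a failed PUT makes that permanent.
    note across: //Best-effort attempt to delete the existing artifacts manifest list;//\n//for simplicity, this has been left here, but in practice, do not//\n//delete until after a successful push//
    cli -> reg: ""DELETE manifests/<color:$inline>$(digest(manifestList))</color>""
    opt ""DELETE"" //supported?//
    else #SkyBlue true
      cli <-[$c200] reg: $r200
    else #Pink false
      cli <-[$c405] reg: $r405
    end
  else #Pink false
    cli <-[$c404] reg: $r404
  end

  ' Presumably the new list carries forward the entries of the list fetched
  ' above plus the new artifact; the diagram does not show the merge - confirm.
  note across: //Upload the new artifacts manifest list//
  cli -> reg: ""PUT manifests/<color:$inline>${alg}-$(digest(subject))</color>""
  cli <-[$c201] reg: $r201
end

note across: //No further work to be done//
@enduml
```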