Add referrers fetcher and ctr content fetch-referrers

[liunan-ms]

This PR adds a referrer fetcher interface in remotes by updating containerd#7644, enables ctr content fetch-referrers command to fetch referrers list from a remote registry and write it in stdout.

This feature relies on the support of OCI reference type in OCI distribution-spec 1.1.

To enable referrers fetch, referrers capability has to be added into the host config: (https://github.com/containerd/containerd/blob/main/docs/hosts.md)

# In /etc/containerd/certs.d/liunancr.azurecr.io/hosts.toml

# Optional top-level default server for this hosts file (used as fallback)
server = "https://liunancr.azurecr.io"

# Per-host configuration (key must be host name)
[host."liunancr.azurecr.io"]
# Allowed values (parsed by the current code): "pull", "resolve", "push", "referrers"
# Example: allow pull & resolve & push & fetch referrers
capabilities = ["pull", "resolve", "push", "referrers"]

Go interface

readCloser, incompleteDesc, err := fetcher.(remotes.ReferrersFetcher). FetchReferrers(ctx, dgst, artifactTypes...)

ctr command

ctr content fetch-referrers <registry>/<repo>:dummy-tag <Digest> <Artifact-Type>

Example

# Build binaries with this change
make binaries

./bin/ctr content fetch-referrers --hosts-dir /etc/containerd/certs.d liunancr.azurecr.io/net-monitor:v1 sha256:2534d619626aae155e4d82437e5d24136802206b7241351ac3bc6b249575ca5c application/vnd.cncf.notary.signature

{
  "schemaVersion": 2,
  "mediaType": "application/vnd.oci.image.index.v1+json",
  "manifests": [
    {
      "mediaType": "application/vnd.oci.image.manifest.v1+json",
      "digest": "sha256:2283352fe379e08bf5669529f8b12621c8cb3030ea532a64ef0053f8fd49263c",
      "size": 738,
      "annotations": {
        "io.cncf.notary.x509chain.thumbprint#S256": "[\"630ff252838e010d632b1af5192bb8ff9fee57e124868194ce434c60d4ccfd2e\"]",
        "org.opencontainers.image.created": "2025-09-17T22:31:06Z"
      },
      "artifactType": "application/vnd.cncf.notary.signature"
    },
    {
      "mediaType": "application/vnd.oci.image.manifest.v1+json",
      "digest": "sha256:a4a4257ae9001efd6acf152ad29af8fb29e622bc5e5e6e3f263e5829a5f4b3cc",
      "size": 738,
      "annotations": {
        "io.cncf.notary.x509chain.thumbprint#S256": "[\"630ff252838e010d632b1af5192bb8ff9fee57e124868194ce434c60d4ccfd2e\"]",
        "org.opencontainers.image.created": "2025-09-17T21:38:29Z"
      },
      "artifactType": "application/vnd.cncf.notary.signature"
    }
  ]
}

Note: ctr content fetch-referrers command returns a descriptor that contains a list of referrer manifests, run ctr content fetch-object <registry>/<repo>@<referrer-manifest-digest> to get the entire manifest of a referrer.

# Build binaries with this change
make binaries

./bin/ctr content fetch-object liunancr.azurecr.io/net-monitor@sha256:2283352fe379e08bf5669529f8b12621c8cb3030ea532a64ef0053f8fd49263c | jq .
{
  "schemaVersion": 2,
  "mediaType": "application/vnd.oci.image.manifest.v1+json",
  "config": {
    "mediaType": "application/vnd.cncf.notary.signature",
    "digest": "sha256:44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a",
    "size": 2
  },
  "layers": [
    {
      "mediaType": "application/jose+json",
      "digest": "sha256:59a5f9c14a35e6136d7269a0668cab5216a1b648f02c9860bc4fe7f509967be4",
      "size": 2091
    }
  ],
  "subject": {
    "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
    "digest": "sha256:2534d619626aae155e4d82437e5d24136802206b7241351ac3bc6b249575ca5c",
    "size": 942
  },
  "annotations": {
    "io.cncf.notary.x509chain.thumbprint#S256": "[\"630ff252838e010d632b1af5192bb8ff9fee57e124868194ce434c60d4ccfd2e\"]",
    "org.opencontainers.image.created": "2025-09-17T22:31:06Z"
  }
}