Explicitly fail encryption/decryption if we can't change the manifest

We would fail with an internal error anyway, this fails explicitly.

Signed-off-by: Miloslav Trmač <[email protected]>

Author: mtrmac

copy/encryption.go

@@ -40,6 +40,10 @@ func (ic *imageCopier) blobPipelineDecryptionStep(stream *sourceStream, srcInfo
 		}, nil
 	}
 
+	if ic.cannotModifyManifestReason != "" {
+		return nil, fmt.Errorf("layer %s should be decrypted, but we can’t modify the manifest: %s", srcInfo.Digest, ic.cannotModifyManifestReason)
+	}
+
 	desc := imgspecv1.Descriptor{
 		Annotations: stream.info.Annotations,
 	}
@@ -83,6 +87,10 @@ func (ic *imageCopier) blobPipelineEncryptionStep(stream *sourceStream, toEncryp
 		}, nil
 	}
 
+	if ic.cannotModifyManifestReason != "" {
+		return nil, fmt.Errorf("layer %s should be encrypted, but we can’t modify the manifest: %s", srcInfo.Digest, ic.cannotModifyManifestReason)
+	}
+
 	var annotations map[string]string
 	if !decryptionStep.decrypting {
 		annotations = srcInfo.Annotations