
Skopeo sync does not sync Notation signatures

Open tuminoid opened this issue 1 year ago • 6 comments

Skopeo does not sync Notation signatures, despite the skopeo command output saying it is copying signatures.

Is there a way to get skopeo to sync/copy/export Notation signatures from one registry to another?

Skopeo used:

$ skopeo --version
skopeo version 1.4.1
# source image has been signed
$ notation inspect --insecure-registry 127.0.0.1:5002/busybox@sha256:d319b0e3e1745e504544e931cde012fc5470eba649acc8a7b3607402942e5db7
Inspecting all signatures for signed artifact
127.0.0.1:5002/busybox@sha256:d319b0e3e1745e504544e931cde012fc5470eba649acc8a7b3607402942e5db7
└── application/vnd.cncf.notary.signature
    └── sha256:6c57ac4270780eb18dab9d76da9918f8b21d9b5105e80b5a7110826d304d5483
        ├── media type: application/jose+json
        ├── signature algorithm: RSASSA-PSS-SHA-512
        ├── signed attributes
        │   ├── signingScheme: notary.x509
        │   └── signingTime: Tue Feb 13 10:05:42 2024
        ├── user defined attributes
        │   └── (empty)
        ├── unsigned attributes
        │   └── signingAgent: Notation/1.0.0 external-signer/v0.1.0+unreleased
        ├── certificates
        │   ├── SHA256 fingerprint: 05b4585c5382c5a83479637d59dcdd6ea4020f70c563402c6601715fc66a1c8b
        │   │   ├── issued to: CN=Notation.leaf
        │   │   ├── issued by: CN=Notation Root CA,O=Notation
        │   │   └── expiry: Wed Feb 12 08:05:42 2025
        │   └── SHA256 fingerprint: cfd1ed85f0f40ee9dffd1c8df09e5c4026998791a63847a040728c3837dcbec0
        │       ├── issued to: CN=Notation Root CA,O=Notation
        │       ├── issued by: CN=Notation Root CA,O=Notation
        │       └── expiry: Wed Feb 12 08:05:40 2025
        └── signed artifact
            ├── media type: application/vnd.docker.distribution.manifest.v2+json
            ├── digest: sha256:d319b0e3e1745e504544e931cde012fc5470eba649acc8a7b3607402942e5db7
            └── size: 527

Syncing the image to second registry:

$ skopeo sync --src-tls-verify=false --dest-tls-verify=false --src docker --dest docker 127.0.0.1:5002/busybox@sha256:d319b0e3e1745e504544e931cde012fc5470eba649acc8a7b3607402942e5db7 127.0.0.1:5000
INFO[0000] Tag presence check                            imagename="127.0.0.1:5002/busybox@sha256:d319b0e3e1745e504544e931cde012fc5470eba649acc8a7b3607402942e5db7" tagged=true
INFO[0000] Copying image ref 1/1                         from="docker://127.0.0.1:5002/busybox@sha256:d319b0e3e1745e504544e931cde012fc5470eba649acc8a7b3607402942e5db7" to="docker://127.0.0.1:5000/busybox@sha256:d319b0e3e1745e504544e931cde012fc5470eba649acc8a7b3607402942e5db7"
Getting image source signatures
Copying blob 9ad63333ebc9 done  
Copying config 3f57d9401f done  
Writing manifest to image destination
Storing signatures
INFO[0000] Synced 1 images from 1 sources  

Target image is not signed anymore, even though the skopeo sync said it was doing signatures too.

$ notation inspect --insecure-registry 127.0.0.1:5000/busybox@sha256:d319b0e3e1745e504544e931cde012fc5470eba649acc8a7b3607402942e5db7
127.0.0.1:5000/busybox@sha256:d319b0e3e1745e504544e931cde012fc5470eba649acc8a7b3607402942e5db7 has no associated signature

tuminoid avatar Feb 13 '24 09:02 tuminoid

Thanks for your report.

Notation signatures are OCI artifacts, aren’t they? If so, it should be possible to copy them separately — if you can list their digests (or if they have tags that can be discovered by skopeo sync).

We do want to support automatically copying signatures per referrer links ( https://github.com/containers/image/issues/1848 ), but it does not exist yet.

mtrmac avatar Feb 13 '24 16:02 mtrmac
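One way to do the separate copy mtrmac describes, as an added example that is not skopeo's or Notation's own code: list the image's referrers through the OCI Distribution 1.1 referrers API, keep the manifests whose artifactType is the Notation signature type seen in `notation inspect`, and push each one by digest with `skopeo copy`. The registry hosts and repository name are assumptions mirroring the report; the referrers response used for the test is constructed.

```python
"""Added example, not skopeo's or Notation's code: copy the Notation signatures that
`skopeo sync` leaves behind, found via the OCI Distribution 1.1 referrers API."""
import json
import subprocess
import urllib.error
import urllib.request

NOTATION_SIG = "application/vnd.cncf.notary.signature"  # artifactType shown by `notation inspect`

# Constructed referrers response: one Notation signature and one unrelated referrer.
SAMPLE_INDEX = {"manifests": [
    {"digest": "sha256:6c57ac4270780eb18dab9d76da9918f8b21d9b5105e80b5a7110826d304d5483",
     "artifactType": NOTATION_SIG},
    {"digest": "sha256:0000000000000000000000000000000000000000000000000000000000000001",
     "artifactType": "application/vnd.example.sbom"},
]}


def notation_signature_digests(index: dict) -> list[str]:
    """Digests of the Notation signature manifests in a referrers response."""
    return [m["digest"] for m in index.get("manifests", [])
            if m.get("artifactType") == NOTATION_SIG]


def fetch_referrers(registry, repo, digest, scheme="http") -> dict:
    """GET /v2/<repo>/referrers/<digest>; a 404 means the registry lacks the API."""
    url = f"{scheme}://{registry}/v2/{repo}/referrers/{digest}"
    try:
        with urllib.request.urlopen(url) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return {"manifests": []}
        raise


def copy_commands(src, dst, repo, digests, tls_verify=False) -> list[list[str]]:
    """One `skopeo copy` per signature manifest, pushed by digest like the image was."""
    flags = [] if tls_verify else ["--src-tls-verify=false", "--dest-tls-verify=false"]
    return [["skopeo", "copy", *flags, f"docker://{src}/{repo}@{d}", f"docker://{dst}/{repo}@{d}"]
            for d in digests]


if __name__ == "__main__":  # hosts and repo are assumptions taken from the report above
    image = "sha256:d319b0e3e1745e504544e931cde012fc5470eba649acc8a7b3607402942e5db7"
    sigs = notation_signature_digests(fetch_referrers("127.0.0.1:5002", "busybox", image))
    for cmd in copy_commands("127.0.0.1:5002", "127.0.0.1:5000", "busybox", sigs):
        subprocess.run(cmd, check=True)
```

If the destination registry does not implement the referrers API, the pushed signature's `subject` is not indexed and Notation falls back to the `sha256-<digest hex>` referrers tag, which then has to be copied as well.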

A friendly reminder that this issue had no activity for 30 days.

github-actions[bot] avatar Mar 15 '24 00:03 github-actions[bot]

skopeo copy is not attesting the signature in images signed using notation and transported in another path, then trying to attest the signature over the same image. notation ls $IMAGE gives:

root@okhardubuntu:~/.config/notation# notation ls registry.private.com/repo/archlinux2:latest
Warning: Always list the artifact using digest(@sha256:...) rather than a tag(:latest) because resolved digest may not point to the same signed artifact, as tags are mutable.
registry.private.com/repo/archlinux2@sha256:85dc960fa1b01560091e6de62b09c4ad99c35cf818f6a7e2b2118a57f712bcb7 has no associated signature

oras copy does copy, and notation ls shows the signature associated.

omkhard avatar Mar 26 '24 10:03 omkhard

A friendly reminder that this issue had no activity for 30 days.

github-actions[bot] avatar Apr 27 '24 00:04 github-actions[bot]

Yeah this is still valid.

tuminoid avatar May 06 '24 07:05 tuminoid

A friendly reminder that this issue had no activity for 30 days.

github-actions[bot] avatar Jun 06 '24 00:06 github-actions[bot]