vexctl icon indicating copy to clipboard operation
vexctl copied to clipboard

Published 20 hours ago verified publisher icon openvex

Getting error while attesting the image

Open anilMishra opened this issue 1 year ago • 3 comments

When I am trying to attest image in a public repository it is resulting into an error 'has no digest' meanwhile we are giving required digest in query. I am attaching image with the executed queries with all permutations.please help me on this issue

anilMishra avatar Nov 28 '23 15:11 anilMishra

image001

anilMishra avatar Nov 28 '23 16:11 anilMishra

Hey @anilMishra thanks for the report, unfortunately I could not catch the image before ttl.sh removed it. Can you push it again to see what's going on ? Thanks!!

puerco avatar Dec 06 '23 04:12 puerco

I ran into the same issue, an initial look shows that there is some processing missing when passing a raw image reference

vexctl attest --attach --sign vex.json ghcr.io/wagoodman/test-ctr-images/alpine@sha256:d98f53941d04a2c76b454064c27dd9ffc30cdb07c34001f45015752bdf1e4ecb

around here: https://github.com/openvex/vexctl/blob/57f62c5b17bd25f4b89339d795ff1a55e16e06a8/pkg/ctl/implementation.go#L593

The reference is parsed (name.ParseReference(pref.Name)) but the value is thrown away and instead perf is used. However, there is no code path to populate perf.Hashes... as done with the package URL parsing in the first if block.

A workaround in the meantime @anilMishra would be to craft an OCI package URL.

wagoodman avatar Jan 08 '24 15:01 wagoodman