
The verifierReports did not include signature digest

Open yizha1 opened this issue 1 year ago • 0 comments

What would you like to be added?

The current verifierReports do not include the digest of a signature manifest. If an image has multiple signatures, it is very hard to know which signature failed verification. It's better to show the digest of every OCI artifact that was verified, so that it can be correlated later for different purposes.

An example of current verifierReports in the Ratify logs:

  "verifierReports": [
    {
      "subject": "***.azurecr.io/fromado@sha256:9bd300b50747ff122cf5c2fb47f1e29a162604e85f37659cde09d6358221a1d4",
      "isSuccess": true,
      "name": "verifier-cosign",
      "type": "cosign",
      "message": "cosign verification success. valid signatures found. please refer to extensions field for verifications performed.",
      "extensions": {
        "signatures": [
          {
            "signature": "*****",
            "verifications": [
              {
                "isSuccess": false,
                "bundleVerified": false,
                "error": "crypto/rsa: verification error",
                "keyInformation": {
                  "provider": "keymanagementprovider-akv",
                  "name": "test-cosign",
                  "version": "849bc742cb674e0aa4cc5573e692209a"
                }
              }
            ]
          },
          {
            "signature": "*****",
            "verifications": [
              {
                "isSuccess": true,
                "bundleVerified": false,
                "keyInformation": {
                  "provider": "keymanagementprovider-akv",
                  "name": "test-cosign",
                  "version": "849bc742cb674e0aa4cc5573e692209a"
                }
              }
            ]
          }
        ]
      },
      "artifactType": "application/vnd.dev.cosign.artifact.sig.v1+json"
    }
  ]
} component-type=server go.version=go1.21.9 trace-id=d38178b1-7dd7-46c3-95d7-c3b57236b40d

Anything else you would like to add?

No response

Are you willing to submit PRs to contribute to this feature?

  • [ ] Yes, I am willing to implement it.

yizha1 May 07 '24 10:05
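An added example (not Ratify's own code) of what a triage script could do once the report carries a per-signature digest: it parses a verifierReports document shaped like the excerpt in this issue, assumes a hypothetical `digest` field on each entry under `extensions.signatures` (the field requested here, not one Ratify emits today), and returns one record per failed verification with the subject, verifier, key and digest needed to correlate it. The sample JSON is constructed from the excerpt above.

```go
package main
import (
	"encoding/json"
	"fmt"
)

// Constructed sample modelled on the verifierReports excerpt in the issue; the
// per-signature "digest" field is hypothetical and stands in for the requested digest.
const sampleReport = `{"verifierReports":[{"subject":"example.azurecr.io/app@sha256:9bd300b50747ff122cf5c2fb47f1e29a162604e85f37659cde09d6358221a1d4","isSuccess":true,"name":"verifier-cosign","type":"cosign","extensions":{"signatures":[{"signature":"*****","digest":"sha256:constructed-sig-1","verifications":[{"isSuccess":false,"bundleVerified":false,"error":"crypto/rsa: verification error","keyInformation":{"provider":"keymanagementprovider-akv","name":"test-cosign","version":"849bc742cb674e0aa4cc5573e692209a"}}]},{"signature":"*****","digest":"sha256:constructed-sig-2","verifications":[{"isSuccess":true,"bundleVerified":false,"keyInformation":{"provider":"keymanagementprovider-akv","name":"test-cosign","version":"849bc742cb674e0aa4cc5573e692209a"}}]}]},"artifactType":"application/vnd.dev.cosign.artifact.sig.v1+json"}]}`
// report models only the fields needed for triage; encoding/json matches the camelCase keys case-insensitively.
type report struct {
	VerifierReports []struct {
		Subject, Name string
		Extensions    struct {
			Signatures []struct {
				Digest        string // hypothetical: the signature-manifest digest the issue asks for
				Verifications []struct {
					IsSuccess      bool
					Error          string
					KeyInformation struct{ Provider, Name, Version string }
				}
			}
		}
	}
}
// Failure is one verification that did not succeed, with the context needed to correlate it.
type Failure struct{ Subject, Verifier, Digest, Key, Error string }
// FailedSignatures returns every failed verification in a verifierReports document.
// Digest is "" when the entry carries none, which is the ambiguity the issue describes.
func FailedSignatures(raw []byte) ([]Failure, error) {
	var doc report
	if err := json.Unmarshal(raw, &doc); err != nil {
		return nil, err
	}
	var out []Failure
	for _, r := range doc.VerifierReports {
		for _, s := range r.Extensions.Signatures {
			for _, v := range s.Verifications {
				if !v.IsSuccess {
					k := v.KeyInformation
					out = append(out, Failure{r.Subject, r.Name, s.Digest,
						k.Provider + "/" + k.Name + "/" + k.Version, v.Error})
				}
			}
		}
	}
	return out, nil
}

func main() { fmt.Println(FailedSignatures([]byte(sampleReport))) }
```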