
Keyless verification example is broken

Open imjasonh opened this issue 4 years ago • 1 comments

Description

In Usage: https://github.com/sigstore/cosign/blob/main/KEYLESS.md#usage

$ COSIGN_EXPERIMENTAL=1 cosign verify gcr.io/dlorenc-vmtest2/demo
The following checks were performed on all of these signatures:
  - The cosign claims were validated
  - The claims were present in the transparency log
  - The signatures were integrated into the transparency log when the certificate was valid
  - Any certificates were verified against the Fulcio roots.
Certificate subject:  [email protected]
{"Critical":{"Identity":{"docker-reference":""},"Image":{"Docker-manifest-digest":"sha256:97fc222cee7991b5b061d4d4afdb5f3428fcb0c9054e1690313786befa1e4e36"},"Type":"cosign container image signature"},"Optional":null}

However, when I try this myself:

$ COSIGN_EXPERIMENTAL=1 cosign verify gcr.io/dlorenc-vmtest2/demo
error: fetching signatures: getting signature manifest: GET https://gcr.io/v2/dlorenc-vmtest2/demo/manifests/sha256-410a07f17151ffffb513f942a01748dfdb921de915ea6427d61d60b0357c1dcd.sig: MANIFEST_UNKNOWN: Failed to fetch "sha256-410a07f17151ffffb513f942a01748dfdb921de915ea6427d61d60b0357c1dcd.sig" from request "/v2/dlorenc-vmtest2/demo/manifests/sha256-410a07f17151ffffb513f942a01748dfdb921de915ea6427d61d60b0357c1dcd.sig".

Now that we have a demo automatically building and signing an image in GitHub Actions, should the keyless.md example show verifying that image instead?

$ COSIGN_EXPERIMENTAL=1 cosign verify ghcr.io/sigstore/cosign/github.com/sigstore/cosign/cmd/cosign:latest
Verification for ghcr.io/sigstore/cosign/github.com/sigstore/cosign/cmd/cosign:latest --
The following checks were performed on each of these signatures:
  - The cosign claims were validated
  - Existence of the claims in the transparency log was verified offline
  - Any certificates were verified against the Fulcio roots.
Certificate subject:  []
{"critical":{"identity":{"docker-reference":"ghcr.io/sigstore/cosign/github.com/sigstore/cosign/cmd/cosign"},"image":{"docker-manifest-digest":"sha256:d0c800c07eaca471b6e658132ce014aee88e1e7b21434294f80ea961bb797429"},"type":"cosign container image signature"},"optional":{"run_attempt":"1","run_id":"1432920006","sha":"bb05c81d02365f12d2df6a555071130568f85a65"}}

imjasonh avatar Nov 08 '21 14:11 imjasonh
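An added example, not part of the issue or of cosign's own code: it derives the signature tag that the failing request above asked for and cross-checks the two payloads printed above against an expected digest and repository. The function names are hypothetical, and the tag scheme (image digest with ":" replaced by "-", plus ".sig") is assumed from the error message in the issue.

```python
import json

# Constructed inputs: the digest is copied from the tag in the MANIFEST_UNKNOWN
# error above; the payloads are the two JSON lines printed by `cosign verify`.
ERROR_DIGEST = "sha256:410a07f17151ffffb513f942a01748dfdb921de915ea6427d61d60b0357c1dcd"
OLD_PAYLOAD = '{"Critical":{"Identity":{"docker-reference":""},"Image":{"Docker-manifest-digest":"sha256:97fc222cee7991b5b061d4d4afdb5f3428fcb0c9054e1690313786befa1e4e36"},"Type":"cosign container image signature"},"Optional":null}'
NEW_PAYLOAD = '{"critical":{"identity":{"docker-reference":"ghcr.io/sigstore/cosign/github.com/sigstore/cosign/cmd/cosign"},"image":{"docker-manifest-digest":"sha256:d0c800c07eaca471b6e658132ce014aee88e1e7b21434294f80ea961bb797429"},"type":"cosign container image signature"},"optional":{"run_attempt":"1","run_id":"1432920006","sha":"bb05c81d02365f12d2df6a555071130568f85a65"}}'

def signature_tag(digest):
    """Tag under which the signature manifest for `digest` is looked up."""
    algo, _, hexval = digest.partition(":")
    if algo != "sha256" or len(hexval) != 64 or set(hexval) - set("0123456789abcdef"):
        raise ValueError(f"not a sha256 digest: {digest!r}")
    return f"{algo}-{hexval}.sig"

def lower_keys(obj):
    """Lower-case dict keys recursively; the page shows both key casings."""
    if isinstance(obj, dict):
        return {k.lower(): lower_keys(v) for k, v in obj.items()}
    return obj

def check_payload(raw, expected_digest, expected_repo):
    """Return a list of problems; an empty list means the payload matches."""
    crit = lower_keys(json.loads(raw)).get("critical") or {}
    problems = []
    if crit.get("type") != "cosign container image signature":
        problems.append("unexpected payload type")
    signed = (crit.get("image") or {}).get("docker-manifest-digest")
    if signed != expected_digest:
        problems.append(f"digest mismatch: signed {signed}, expected {expected_digest}")
    ref = (crit.get("identity") or {}).get("docker-reference")
    if not ref:
        problems.append("docker-reference is empty")
    elif ref != expected_repo:
        problems.append(f"docker-reference mismatch: {ref}")
    return problems

if __name__ == "__main__":
    print("tag requested:", signature_tag(ERROR_DIGEST))
    for problem in check_payload(OLD_PAYLOAD, ERROR_DIGEST, "gcr.io/dlorenc-vmtest2/demo"):
        print("documented payload:", problem)
```
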

Makes sense, I bet that image got cleaned up.

dlorenc avatar Nov 08 '21 14:11 dlorenc

Fixed by #2313

znewman01 avatar Nov 22 '22 20:11 znewman01