
COSIGN_DOCKER_MEDIA_TYPES is not sufficient for cosign attest

Open · lcarva opened this issue 2 years ago · 1 comment

When running cosign attest with COSIGN_DOCKER_MEDIA_TYPES=1, the generated manifest contains a nested non-Docker entity:

$ COSIGN_DOCKER_MEDIA_TYPES=1 cosign -d attest --predicate /tmp/predicate.json --key /tmp/signing-key quay.io/lucarval/festoji:latest
...
{"schemaVersion":2,"mediaType":"application/vnd.docker.distribution.manifest.v2+json","config":{"mediaType":"application/vnd.docker.container.image.v1+json","size":233,"digest":"sha256:cb978855b77b57c23449c4bbaa36fcd9c4c390ead881eb0eb485681756dcb644"},"layers":[{"mediaType":"application/vnd.dsse.envelope.v1+json","size":4516,"digest":"sha256:da0941eb5616c32607785d97f8a619acd5e46bffeb711f98c8086d9795795534","annotations":{"dev.cosignproject.cosign/signature":""}}]}
2022/03/22 10:00:16 <-- 400 https://quay.io/v2/lucarval/festoji/manifests/sha256-62cc2a539e9cf713b0d90e739a4c8977aefc11a561c74534c8dddeab9cb252bf.att (49.894003ms)
2022/03/22 10:00:16 HTTP/2.0 400 Bad Request
Content-Length: 1107
Content-Type: application/json
Date: Tue, 22 Mar 2022 14:00:16 GMT
Server: nginx/1.14.1

Notice how the top-level object has mediaType set to application/vnd.docker.distribution.manifest.v2+json and the config also has a Docker mediaType, application/vnd.docker.container.image.v1+json. This is expected, good.

However, the object in layers has the mediaType application/vnd.dsse.envelope.v1+json.

Since the registry I'm targeting, quay.io, doesn't currently support the application/vnd.dsse.envelope.v1+json mediaType, I'm unable to upload my attestation to it.

quay.io will add support for this mediaType in PROJQUAY-3386. But it does seem like the behavior of COSIGN_DOCKER_MEDIA_TYPES for attestation is broken. The purpose is to support legacy registries, which will most definitely not support the application/vnd.dsse.envelope.v1+json mediaType.

lcarva avatar Mar 22 '22 14:03 lcarva
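The failure above only surfaces as a 400 from the registry after the manifest PUT. A pre-flight check that walks a schema 2 / OCI manifest and lists every media type a pre-OCI registry would not accept catches it before the push. The script below is an added example, not code from cosign or the issue author; the set of "legacy-safe" media types is an assumption (the Docker schema 2 manifest, manifest list, config and layer types) and should be adjusted for the registry you target. The first sample manifest is the attestation manifest quoted in the issue; the second is a constructed Docker-only manifest for contrast.

```python
import json
from typing import Iterator

# Media types a pre-OCI (Docker schema 2) registry is assumed to accept.
# Assumption for this example; extend it for your registry.
DOCKER_SCHEMA2_MEDIA_TYPES = frozenset({
    "application/vnd.docker.distribution.manifest.v2+json",
    "application/vnd.docker.distribution.manifest.list.v2+json",
    "application/vnd.docker.container.image.v1+json",
    "application/vnd.docker.image.rootfs.diff.tar.gzip",
})


def load_manifest(raw: str) -> dict:
    """Parse a manifest body and sanity-check that it is a schema 2 object."""
    manifest = json.loads(raw)
    if not isinstance(manifest, dict) or manifest.get("schemaVersion") != 2:
        raise ValueError("expected a schemaVersion 2 manifest object")
    return manifest


def iter_media_types(manifest: dict) -> Iterator[tuple[str, str]]:
    """Yield (json_path, mediaType) for every media type a manifest declares:
    the manifest itself, its config descriptor and each layer descriptor.
    Fields that are absent are skipped rather than reported as errors."""
    if "mediaType" in manifest:
        yield "$.mediaType", manifest["mediaType"]
    config = manifest.get("config") or {}
    if "mediaType" in config:
        yield "$.config.mediaType", config["mediaType"]
    for i, layer in enumerate(manifest.get("layers") or []):
        if "mediaType" in layer:
            yield f"$.layers[{i}].mediaType", layer["mediaType"]


def legacy_incompatible(manifest: dict,
                        allowed: frozenset = DOCKER_SCHEMA2_MEDIA_TYPES
                        ) -> list[tuple[str, str]]:
    """Return every (json_path, mediaType) outside the allowed set, so the
    caller can see exactly which nested descriptor a legacy registry will
    reject, not just that the top-level manifest type looks fine."""
    return [(path, mt) for path, mt in iter_media_types(manifest)
            if mt not in allowed]


def check_manifest_json(raw: str) -> list[tuple[str, str]]:
    """Convenience wrapper: raw manifest body in, list of offenders out."""
    return legacy_incompatible(load_manifest(raw))


# Sample 1: the attestation manifest quoted in the issue (verbatim).
ISSUE_ATTESTATION_MANIFEST = '''{"schemaVersion":2,"mediaType":"application/vnd.docker.distribution.manifest.v2+json","config":{"mediaType":"application/vnd.docker.container.image.v1+json","size":233,"digest":"sha256:cb978855b77b57c23449c4bbaa36fcd9c4c390ead881eb0eb485681756dcb644"},"layers":[{"mediaType":"application/vnd.dsse.envelope.v1+json","size":4516,"digest":"sha256:da0941eb5616c32607785d97f8a619acd5e46bffeb711f98c8086d9795795534","annotations":{"dev.cosignproject.cosign/signature":""}}]}'''

# Sample 2: a constructed Docker-only manifest (digests are placeholders).
DOCKER_ONLY_MANIFEST = '''{"schemaVersion":2,"mediaType":"application/vnd.docker.distribution.manifest.v2+json","config":{"mediaType":"application/vnd.docker.container.image.v1+json","size":1,"digest":"sha256:0000000000000000000000000000000000000000000000000000000000000000"},"layers":[{"mediaType":"application/vnd.docker.image.rootfs.diff.tar.gzip","size":1,"digest":"sha256:1111111111111111111111111111111111111111111111111111111111111111"}]}'''


if __name__ == "__main__":
    for name, raw in (("issue attestation", ISSUE_ATTESTATION_MANIFEST),
                      ("docker-only", DOCKER_ONLY_MANIFEST)):
        offenders = check_manifest_json(raw)
        if offenders:
            print(f"{name}: would be rejected by a legacy registry")
            for path, mt in offenders:
                print(f"  {path} = {mt}")
        else:
            print(f"{name}: all media types are Docker schema 2")
```

Run against the manifest cosign prints under -d (or, for an object already in a registry, the body returned by crane manifest) the check reports $.layers[0].mediaType = application/vnd.dsse.envelope.v1+json, which is precisely the descriptor quay.io rejected above, while the manifest and config media types pass. Treating the top-level mediaType alone as proof of "Docker compatibility" is the gap this illustrates.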

$ cosign version
   ____    ___    ____    ___    ____   _   _
  / ___|  / _ \  / ___|  |_ _|  / ___| | \ | |
 | |     | | | | \___ \   | |  | |  _  |  \| |
 | |___  | |_| |  ___) |  | |  | |_| | | |\  |
  \____|  \___/  |____/  |___|  \____| |_| \_|
cosign

GitVersion:    v1.6.0
GitCommit:     4b2c3c0c8ee97f31b9dac3859b40e0a48b8648ee
GitTreeState:  clean
BuildDate:     '2022-03-03T17:59:06Z'
GoVersion:     go1.17.7
Compiler:      gc
Platform:      linux/amd64

lcarva avatar Mar 22 '22 14:03 lcarva