cosign
Improve reporting of verify cli commands with multiple images
Description
The cosign verify* sub-commands allow passing multiple image references. However, it's not obvious how to interpret the output on either failure or success.
Given that an image may have multiple attestations, for example, it's impossible to map the retrieved attestation to an image reference. Consider this example command:
cosign verify-attestation ... registry.com/foo:latest registry.com/bar:latest registry.com/spam:latest > attestations.json
Let's say that one of the images above has 2 attestations while the others only have 1. attestations.json contains 4 attestations. It's not possible to deterministically map all the attestations to their corresponding image reference.
The behavior could also be improved in the error case. cosign processes each image sequentially, quitting on the first error found. If the user wants to check 3 images, and the first one has an issue, the user is unaware of potential issues in the remaining 2 image references. This can be quite a tedious user experience.
Also, when an error occurs, cosign does not display which image failed verification. It's possible to infer this by correlating the input with the text output but it's far from ideal:
$ cosign verify ... registry.com/foo:latest registry.com/bar:latest registry.com/spam:latest
Error: no matching signatures:
main.go:52: error during command execution: no matching signatures:
Perhaps a new --output format would be a good solution for correlating results/errors with image references:
$ cosign verify --output=json-report ... registry.com/foo:latest registry.com/bar:latest registry.com/spam:latest
Error: no matching signatures:
main.go:52: error during command execution: no matching signatures:
{
"registry.com/foo:latest": {
"signatures": [...],
"success": true,
"errors": []
},
"registry.com/bar:latest": {
"signatures": [...],
"success": true,
"errors": []
},
"registry.com/spam:latest": {
"signatures": [],
"success": false,
"errors": ["no matching signatures"]
}
}
The process should still exit with a non-0 code.
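To make the proposed behavior concrete, here is an added Go sketch of the aggregation logic the report above implies: every reference is verified, failures do not stop the loop, results are keyed by image reference, and any failure keeps the exit code non-zero. This is illustration written for this issue, not cosign's code; the ImageResult/VerifyAll/Verifier names are assumptions, and fakeVerify is a constructed stand-in for real signature verification so the program runs offline.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"os"
)

// ImageResult is one entry of the proposed per-image JSON report.
// Field names follow the report sketched above; the struct name is assumed.
type ImageResult struct {
	Signatures []string `json:"signatures"`
	Success    bool     `json:"success"`
	Errors     []string `json:"errors"`
}

// Verifier abstracts a single-image verification call. In cosign this would
// wrap the existing verify logic; here it is just an injected function
// returning the matching signatures (as opaque strings) or an error.
type Verifier func(ref string) ([]string, error)

// VerifyAll verifies every reference without stopping at the first error and
// returns the per-image report plus whether every image succeeded.
// Keying by reference makes the mapping deterministic; a reference passed
// twice collapses into one entry (see note below).
func VerifyAll(refs []string, verify Verifier) (map[string]ImageResult, bool) {
	report := make(map[string]ImageResult, len(refs))
	allOK := true
	for _, ref := range refs {
		// Always emit arrays, never null, so consumers can index blindly.
		res := ImageResult{Signatures: []string{}, Errors: []string{}}
		sigs, err := verify(ref)
		if err != nil {
			res.Errors = append(res.Errors, err.Error())
			allOK = false
		} else {
			if sigs != nil {
				res.Signatures = sigs
			}
			res.Success = true
		}
		report[ref] = res
	}
	return report, allOK
}

// fakeVerify is a constructed stand-in for real verification (assumption):
// it reproduces the scenario from the issue, where foo and bar verify and
// spam has no matching signatures.
func fakeVerify(ref string) ([]string, error) {
	switch ref {
	case "registry.com/foo:latest":
		return []string{"sig-foo-1", "sig-foo-2"}, nil
	case "registry.com/bar:latest":
		return []string{"sig-bar-1"}, nil
	default:
		return nil, errors.New("no matching signatures")
	}
}

func main() {
	refs := os.Args[1:]
	if len(refs) == 0 {
		refs = []string{
			"registry.com/foo:latest",
			"registry.com/bar:latest",
			"registry.com/spam:latest",
		}
	}
	report, ok := VerifyAll(refs, fakeVerify)

	// encoding/json sorts map keys, so the report is stable across runs.
	enc := json.NewEncoder(os.Stdout)
	enc.SetIndent("", "  ")
	if err := enc.Encode(report); err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	if !ok {
		// Keep the current contract: any failed image means a non-zero exit.
		fmt.Fprintln(os.Stderr, "Error: one or more images failed verification")
		os.Exit(1)
	}
}
```

Two design points worth settling if this is implemented: the report is keyed by the reference exactly as typed, so passing the same reference twice yields a single entry rather than two, and the error strings are whatever the verifier returns, so a caller scripting against the report should branch on "success" rather than parse the message.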