
Improve reporting of verify cli commands with multiple images

Open · lcarva opened this issue 2 years ago · 1 comment

Description

The cosign verify* sub-commands allow passing multiple image references. However, it's not obvious how to interpret the output on either failure or success.

Given that an image may have multiple attestations, for example, it's impossible to map the retrieved attestation to an image reference. Consider this example command:

cosign verify-attestation ... registry.com/foo:latest registry.com/bar:latest registry.com/spam:latest > attestations.json

Let's say that one of the images above has 2 attestations while the others only have 1. attestations.json contains 4 attestations. It's not possible to deterministically map all the attestations to their corresponding image reference.

The behavior could also be improved in the error case. cosign processes each image sequentially, quitting on the first error found. If the user wants to check 3 images, and the first one has an issue, the user is unaware of potential issues on the remaining 2 image references. This can be a quite tedious user experience.

Also, when an error occurs, cosign does not display which image failed verification. It's possible to infer this by correlating the input with the text output but it's far from ideal:

$ cosign verify ...  registry.com/foo:latest registry.com/bar:latest registry.com/spam:latest
Error: no matching signatures:

main.go:52: error during command execution: no matching signatures:

lcarva · May 24 '22 16:05

Perhaps a new --output format would be a good solution for correlating results/errors with image references:

$ cosign verify --output=json-report ...  registry.com/foo:latest registry.com/bar:latest registry.com/spam:latest
Error: no matching signatures:

main.go:52: error during command execution: no matching signatures:
{
  "registry.com/foo:latest": {
    "signatures": [...],
    "success": true,
    "errors": []
  },
  "registry.com/bar:latest": {
    "signatures": [...],
    "success": true,
    "errors": []
  },
  "registry.com/spam:latest": {
    "signatures": [],
    "success": false,
    "errors": ["no matching signatures"]
  }
}

The process should still exit with a non-0 code.

lcarva · May 24 '22 16:05
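As an added illustration of both points in this thread (the per-image mapping problem described in the issue and the json-report shape proposed in the comment), here is a small Go program that is not part of cosign. It assumes a hypothetical `Verifier` callback standing in for the registry lookup, keeps going after the first failure, keys every result by image reference, and reports an aggregate status the caller can turn into a non-zero exit code. The signature values and the failing `spam` image are constructed sample data.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"os"
)

// Verifier is a hypothetical stand-in for the per-image verification step
// (in cosign this would be the signature or attestation lookup). It returns
// the verified payloads for one reference, or an error if none match.
type Verifier func(ref string) ([]string, error)

// ImageReport is one entry of the proposed json-report output: the payloads
// found for that image, whether it passed, and any errors it produced.
type ImageReport struct {
	Signatures []string `json:"signatures"`
	Success    bool     `json:"success"`
	Errors     []string `json:"errors"`
}

// VerifyAll runs the verifier over every reference without stopping at the
// first failure and keys each result by image reference, so payloads can be
// attributed to the image they came from. The returned bool is false if any
// image failed, which the caller uses to choose the exit status.
func VerifyAll(refs []string, verify Verifier) (map[string]ImageReport, bool) {
	report := make(map[string]ImageReport, len(refs))
	allOK := true
	for _, ref := range refs {
		sigs, err := verify(ref)
		entry := ImageReport{Signatures: sigs, Success: err == nil, Errors: []string{}}
		if sigs == nil {
			// Emit an empty array rather than null for failed images.
			entry.Signatures = []string{}
		}
		if err != nil {
			entry.Errors = append(entry.Errors, err.Error())
			allOK = false
		}
		report[ref] = entry
	}
	return report, allOK
}

// ExitCode maps the aggregate result to a process exit status: 0 only when
// every image verified, 1 otherwise.
func ExitCode(allOK bool) int {
	if allOK {
		return 0
	}
	return 1
}

// fakeVerifier is constructed sample data in place of real registry lookups:
// foo has two signatures, bar has one, anything else has none.
func fakeVerifier(ref string) ([]string, error) {
	switch ref {
	case "registry.com/foo:latest":
		return []string{"sig-foo-1", "sig-foo-2"}, nil
	case "registry.com/bar:latest":
		return []string{"sig-bar-1"}, nil
	default:
		return nil, errors.New("no matching signatures")
	}
}

func main() {
	refs := []string{
		"registry.com/foo:latest",
		"registry.com/bar:latest",
		"registry.com/spam:latest",
	}
	report, ok := VerifyAll(refs, fakeVerifier)
	out, err := json.MarshalIndent(report, "", "  ")
	if err != nil {
		fmt.Fprintln(os.Stderr, "marshal:", err)
		os.Exit(2)
	}
	fmt.Println(string(out))
	os.Exit(ExitCode(ok))
}
```

Running it prints a JSON object keyed by reference, with foo and bar marked successful and spam carrying the "no matching signatures" error, and the process exits with status 1 because one image failed; with only foo and bar on the command line it exits 0.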