cosign
cosign copied to clipboard
Published
20 hours ago •
sigstore
sigstore
Failed to verify docker image with rekor-cli
trafficstars
Description
I'm failed to verify docker Image against the transpancy log with rekor-cli verify:
$ rekor-cli verify --signature mor.sig --artifact https://registry.hub.docker.com/morwn/hello-container --public-key cosign.pub
error: error retrieving external entities: invalid PGP signature: openpgp: invalid data: tag byte does not have MSB set
The signing look like this:
$ COSIGN_EXPERIMENTAL=1 cosign sign --key cosign.key morwn/hello-container --output-signature mor.sig
Enter password for private key:
tlog entry created with index: 2917341
Pushing signature to: index.docker.io/morwn/hello-container
The transparency record fetch successfully:
~ rekor-cli get --log-index 2917341
LogID: c0d23d6ad406973f9559f3ba2d1ca01f84147d8ffc5b8445c224f98b9591801d
Index: 2917341
IntegratedTime: 2022-07-12T13:02:48Z
UUID: f626e59fee9d7eddc024649552eb253cb4e89d90694657bd41a0f9a31f318166
Body: {
"HashedRekordObj": {
"data": {
"hash": {
"algorithm": "sha256",
"value": "3a00805ef235787497903a3226dcfec67f37f839746f68c8cf8a6b170aefdd40"
}
},
"signature": {
"content": "MEUCIQD7dsj7iWuvbNPZ21g4aSwHxAsQcixdD3/hWby9Z2v9ggIgNyUUbw/dR09HLvgLeeSouAipWXlPDZjj6/SQvn0GkKk=",
"publicKey": {
"content": "LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUZrd0V3WUhLb1pJemowQ0FRWUlLb1pJemowREFRY0RRZ0FFaTlTWTlQdzVyeE4xL3dXczZKVTF4Q3RWUC9xbgpMMHJZRndBZVJVWHRQTHFKcmpYNWw4OFRtNTRJRW05dW1FMk5RbC9kQW00WWxNRS9hYmhHcno1a09RPT0KLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0tCg=="
}
}
}
}
My cosign version:
GitVersion: 1.9.0
GitCommit: a4cb262dc3d45a283a6a7513bb767a38a2d3f448
GitTreeState: "clean"
BuildDate: 2022-06-03T13:47:07Z
GoVersion: go1.18.3
Compiler: gc
Platform: darwin/arm64
My rekor-cli:
GitVersion: v0.9.0
GitCommit: 66f5c0611e77d0ea15b718b958387e2d016f910a
GitTreeState: clean
BuildDate: 2022-06-30T13:00:39Z
GoVersion: go1.17.11
Compiler: gc
Platform: darwin/arm64
