Cannot sign images hosted on docker.io even though the docker login works
Description
$docker login
Authenticating with existing credentials...
Login Succeeded
Logging in with your password grants your terminal complete access to your account.
For better security, log in with a limited-privilege personal access token. Learn more at https://docs.docker.com/go/access-tokens/
It seems that cosign is not able to use the local docker configuration. This used to work.
$cosign sign --yes --key ~/.cosign/cosign.key sha256:7cb40419573ccedc366bbcaccfa89ee25fefe8bbfe670f59174d9d258691a1f0
Enter password for private key:
WARNING: Image reference sha256:7cb40419573ccedc366bbcaccfa89ee25fefe8bbfe670f59174d9d258691a1f0 uses a tag, not a digest, to identify the image to sign.
This can lead you to sign a different image than the intended one. Please use a
digest (example.com/ubuntu@sha256:abc123...) rather than tag
(example.com/ubuntu:latest) for the input to cosign. The ability to refer to
images by tag will be removed in a future release.
Error: signing [sha256:7cb40419573ccedc366bbcaccfa89ee25fefe8bbfe670f59174d9d258691a1f0]: accessing entity: GET https://index.docker.io/v2/library/sha256/manifests/7cb40419573ccedc366bbcaccfa89ee25fefe8bbfe670f59174d9d258691a1f0: UNAUTHORIZED: authentication required; [map[Action:pull Class: Name:library/sha256 Type:repository]]
main.go:74: error during command execution: signing [sha256:7cb40419573ccedc366bbcaccfa89ee25fefe8bbfe670f59174d9d258691a1f0]: accessing entity: GET https://index.docker.io/v2/library/sha256/manifests/7cb40419573ccedc366bbcaccfa89ee25fefe8bbfe670f59174d9d258691a1f0: UNAUTHORIZED: authentication required; [map[Action:pull Class: Name:library/sha256 Type:repository]]
Version
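The UNAUTHORIZED error in the report above shows the request going to the repository `library/sha256`. The following added example (not code from this thread or from cosign) applies simplified Docker-style reference normalisation to show how a bare `sha256:<hex>` argument is read as repository `sha256` with the hex string as a tag; the function names and the `exampleuser/nginx` repository are assumptions made for illustration.

```python
"""Simplified Docker-style image reference normalisation (illustrative only)."""

DEFAULT_REGISTRY = "index.docker.io"  # host used when none is given, or for "docker.io"
DEFAULT_NAMESPACE = "library"         # prefix for single-component Docker Hub names
DEFAULT_TAG = "latest"

# Digest taken from the command in the original report.
PAGE_DIGEST = "sha256:7cb40419573ccedc366bbcaccfa89ee25fefe8bbfe670f59174d9d258691a1f0"


def parse_reference(ref: str) -> dict:
    """Split an image reference into registry, repository, tag and digest."""
    name, _, digest = ref.partition("@")
    # A ':' in the last path component separates a tag; a ':' earlier in the
    # string belongs to a registry port.
    head, sep, last = name.rpartition("/")
    last, _, tag = last.partition(":")
    name = head + sep + last
    first, slash, rest = name.partition("/")
    if slash and ("." in first or ":" in first or first == "localhost"):
        registry, repository = first, rest
    else:
        registry, repository = DEFAULT_REGISTRY, name
    if registry == "docker.io":
        registry = DEFAULT_REGISTRY
    if registry == DEFAULT_REGISTRY and "/" not in repository:
        repository = f"{DEFAULT_NAMESPACE}/{repository}"
    if not tag and not digest:
        tag = DEFAULT_TAG
    return {"registry": registry, "repository": repository,
            "tag": tag or None, "digest": digest or None}


def manifest_url(ref: str) -> str:
    """URL a registry client would request for the manifest of ref."""
    p = parse_reference(ref)
    return (f"https://{p['registry']}/v2/{p['repository']}"
            f"/manifests/{p['digest'] or p['tag']}")


def is_digest_pinned(ref: str) -> bool:
    """True only when the reference carries an @sha256:... digest."""
    return parse_reference(ref)["digest"] is not None


if __name__ == "__main__":
    # Constructed inputs: the bare digest from the report, and a full reference.
    for ref in (PAGE_DIGEST, f"docker.io/exampleuser/nginx@{PAGE_DIGEST}"):
        print(ref, "->", manifest_url(ref), "| pinned:", is_digest_pinned(ref))
```

The first URL printed matches the one in the error message, and the reference is reported as not pinned, which is consistent with the "uses a tag, not a digest" warning.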
Enter password for private key:
Error: signing [nataliagranato/nginx:ubuntu]: getting signer: reading key: decrypt: encrypted: decryption failed
main.go:74: error during command execution: signing [nataliagranato/nginx:ubuntu]: getting signer: reading key: decrypt: encrypted: decryption failed
I have the same problem, I haven't been able to solve it yet.
I am also having the same problem with decryption failed. What version of cosign are you using?
I am only aware of cosign signing an image along with a digest or tag, but I am not sure whether cosign supports directly signing the digest of an image or not. Are there any docs for this? @hectorj2f What do you think about this?
+1 here
I am also having the same problem
@hectorj2f Can you take a look at this?
I faced the issue just now! For some weird reason, I think reinstalling cosign is the solution. I was using devbox to add cosign in a virtual environment. I removed the package and added it again, and it worked fine. Honestly, I don't know the reason!
I have the same problem.
I fixed this by adding --registry-username='' and --registry-password=''
ex:
--registry-username='${{ secrets.DOCKER_USERNAME }}' --registry-password='${{ secrets.DOCKER_PASSWORD }}'
This works for me. Thx @xlionjuan
@haydentherapper can we close this issue?
I can confirm Docker Hub still does not support using a registry authentication file. In my case that file is ${XDG_RUNTIME_DIR}/containers/auth.json, which is used by Podman, Buildah, Skopeo, etc.
Only ${XDG_RUNTIME_DIR}/containers/auth.json is being used. Docker is not installed on this system, and $HOME/.docker/config.json does not exist.
All tested, only docker.io has this problem.
{
  "auths": {
    "docker.io": {
      "auth": "<REDACTED>"
    },
    "ghcr.io": {
      "auth": "<REDACTED>"
    },
    "quay.io": {
      "auth": "<REDACTED>"
    },
    "registry.gitlab.com": {
      "auth": "<REDACTED>"
    }
  }
}
The only workaround is the --registry-username and --registry-password options.
Signed with this command.
cosign sign --key <PRIVATE_KEY> --recursive --yes docker.io/<USER>/<REPOSITORY>@<MANIFEST_IMAGE_INDEX_DIGEST>
Tested on https://github.com/sigstore/cosign/releases/tag/v2.5.3.
Kindly pinging @haydentherapper.