sigstore
How can I upload a detached cosign container image signature to the Rekor transparency log?
I need to create a cosign signature for a Docker container using an external system that holds the signing key. I'm following this official cosign sample and the signing works great. However, I am not able to upload the signature to the Rekor Transparency Log (using rekor-cli) so that it is accepted by cosign verify. What am I doing wrong?
Here's the code to reproduce the issue:
# 1) prepare key material
openssl genrsa -out privkey.pem 4096
openssl rsa -in privkey.pem -outform PEM -pubout -out pubkey.pem
# 2) generate payload
cosign generate $IMAGE_DIGEST > payload.json
# 3) sign it and convert to base64
openssl dgst -sha256 -sign privkey.pem -out payload.json.sig payload.json
cat payload.json.sig | base64 > payload.json.base64.sig
# 4) attach signature (does not upload it to transparency log)
cosign attach signature --payload payload.json --signature payload.json.base64.sig $IMAGE_DIGEST
# 5) Verification works without tlog
cosign verify --key pubkey.pem $IMAGE_DIGEST --insecure-ignore-tlog=true
# 6) Upload to rekor tlog (note that binary signature has to be used here)
rekor-cli upload --artifact payload.json --signature payload.json.sig --public-key pubkey.pem --pki-format x509
# 7) verification with tlog fails
cosign verify --key pubkey.pem $IMAGE_DIGEST --insecure-ignore-tlog=false
The first verification without TLOG in step 5) works as expected. However, in step 7, I get the following error message:
Error: no matching signatures: signature not found in transparency log
main.go:69: error during command execution: no matching signatures: signature not found in transparency log
Is there something else I need to provide? I replayed the same scenario using the standard "keyless" method and can't see much of a difference in the generated transparency log entry (except for this one using RSA keys instead of ECDSA)
I'm using cosign v2.2.2 and rekor-cli v1.3.4. The transparency log entry I created for this sample has the log id 60018885 in case you want to look it up.
Hey @paulsavoie , I looked into this. Whatever the above you tried is totally correct. You uploaded signature, artifact, public key via rekor-cli, and that is properly added in rekor, which is known as rekor-bundle. You can check them via rekor-cli and you will get the output. You need to understand that the whatever you added in the rekor i.e rekor-bundle is not present in the image. So, at the time of verification, cosign fetch that image, which contains DIGEST of payload, signature but it has no info about rekor that you added via rekor-cli. Since, it doen't know about logIndex, not uuid, etc. So, how cosign will check in the rekor.
What we can do is get the rekor-bundle from rekor, and attach to the image, the way you attach signature and payload using below command:
cosign attach signature --payload payload.json --signature payload.json.base64.sig $IMAGE_DIGEST
Btw, i tried to get the rekor-bundle, from the rekor, and on trying to attach that bundle, it could attach that. I am also figuring out that, why it couldn't attach the bundle.
cosign attach signature --payload payload.json --signature payload.json.base64.sig --rekor-response rekor_bundle.json $IMAGE_DIGEST
cat rekor_bundle.json | jq
{
"SignedEntryTimestamp": "MEYCIQDCBEsMQKGMopTKw9/NNnxUNqEPcmJotc7VuRlkcSaS2gIhAIoHOgkFXIOy2rI843w79yLVYc6/M/QMUApLvbFcF7Qj",
"Payload": {
"body": "eyJhcGlWZXJzaW9uIjoiMC4wLjEiLCJraW5kIjoicmVrb3JkIiwic3BlYyI6eyJkYXRhIjp7Imhhc2giOnsiYWxnb3JpdGhtIjoic2hhMjU2IiwidmFsdWUiOiI0ODEwZmQ5YjEzODdlNDZhZWMyM2NmNTYwNjU3OTcxOTllZmU3NzM3YmQ0NmNiMTViYzI0Y2VkMjY5MGNhYzUyIn19LCJzaWduYXR1cmUiOnsiY29udGVudCI6IkdPOUlIcCsyemkvNUI4SEZWWkVYQStIN0JIVGxBZm1OQ2FMbGNxeFhLaENMQmdmazZjNFo4UkFGUnFodGVOWGMxNzlIaXkweSsvbjR5d0tyc2Q4UFh2Y3VObmlLM2tneXhXYzJHNWowTjJBRE85QStZY2U2NkUrcTN4MkQyU0FveWVMcnpkby9Qa2lmVDR1dnVZK0o1NVlMUW9XRG5nMExid1NVVGVGOGpHRXdMN3pKUTRzZzhOSnhvMFMyVStWdlZLSVNoRzFFQWlBOUMxZ2M1NWhHT29yTmFhZjhEL3JTM0V5THFIS3EzL1N1REhseHAzUVk2clU4QlZJTlVWZ2lUbWJ6WHY2eW83NnJVMmsyampwOWFaWlRiK1F2UWdWbGV6WGwrVld5U0thb0pxQ3RRNy9mMk5FdFplZ1VUSnJRQTdnMERrbXoyMUFDMzk4YlZpMHRmUDF2aXZEelh4TkMxNXBtL2tYdWk2ejcxOUtHazhxN3NRMDVyY3ZaZm9pMERmRmNZbDB0aFA4K1dsRU5kdU5zRnJtK1ZQditaYjBCbnFHM0twTkZ0Ymdtc092WXFvNHAyZjFlb1IwTFNEMlp3cEFRNERUd3dRRGh5UEk3MzdWT2ZJc1hObHg2T0srVml5Vmg4cGhRZHJrK2doRXJJVEM0WFllYVlRaUNvWTgySWNDcEh3Mmw3QS9SeDdiNXdVMDhnVkg2S1JjWmJFNm9mVStmSFFTcTQ4OHhvNnQrUHdLWHVDN1RtUFhJLzB4Uys4aDJ4bXRqOCtXOHRRQzFZRHcwU3JGZzIyelBFMkRjR3Z5KytIQXNpazd6VmEzNlovN2VzcndSOWpxdE8vd1M3UnAwQVMvenNjZVdiWTFoVEhVcXNsbE9FYU9DYThoN2NnUCtQTWdSV0dZPSIsImZvcm1hdCI6Ing1MDkiLCJwdWJsaWNLZXkiOnsiY29udGVudCI6IkxTMHRMUzFDUlVkSlRpQlFWVUpNU1VNZ1MwVlpMUzB0TFMwS1RVbEpRMGxxUVU1Q1oydHhhR3RwUnpsM01FSkJVVVZHUVVGUFEwRm5PRUZOU1VsRFEyZExRMEZuUlVGdFRsVk9SRWxVZHpKcVUzWmpZbEVyYjBwMU5ncGlaMWN2Tm5ZNFdHTk9WRmRoTHpKdWRUbFVVbVJTYldONmJtVnZWMVE1VGtKclZWcEZPV2hZYVU1U0t5OUNOVTVyTlZwa2RtSjJWVEUwYmtFNVJqSmtDalZJVURKS1UxUkNTVVZ5Y0hSblNVVnpTMHRaYkhKblJrRjVUSEYxWWtGbllYSXJZWEJLY0U5QmFHOXZXa1pIV1ZOTlRDOXZVWGxXTVdoUlYwdEdiRkFLTUd4aldFazNPRFJNU0dwemNubE9iM2xCUmxoR1JuazBhR1pCUXpaVE4zTTVVRTFQUjFWU1RVNXdibU5YYkZseFpqaFFUMVJCUlZSaVRETjRVa0lyUkFwU1QxQk1Za3ROVjNoNVVIbFRTR0ZuVW5JMlJHUktOVUZyYW5oMVUwWldUelFyZG1Kb2ExaFlURTUxTkZKcWFFVlVibE5LVDNJMVYzWjZiREF5T0ZjekNqVk1haTkyV0ZWNFoyMUNjV1F2Y0dKS01EQklNVko0Ym14V0wwOHlOV3B2Tm1aNVRXUmlPVzFxTjNKUlpHUnVWMUpqVVhGU0szQTJjVWR2Ukd4NU5UY0tSRFIzVm1SaWJGVk9WbWRyTUd4T1NrOWplbkl2WTB3dmNHSllTa28yYW5kMEt6UkNhbGxYVjA1VmVIUTNNM2hDTkhSTE4yZE9aVWN3ZUZReWNGSklNQW81U2pGWVZrWTViblJtUjNWcVJuTm1VeXRVTUhCemFYbHpNRFJ2V2twWE0xRlBUbE15UkRFek9IWTFRVWhaVDJsVGJXMUNSakJtUVdOUE5qUm9iMDA1Q2pJNVJFdE9URTlEUldsbWIydFBkMjlyVkROQmVrMHZaREl4WlZBd2MxbHZOV05ZT1hKR1NGSmxhVGdyZEVGWWF6aGpVMnBZWjI5eE1rRXdabEZNVFdJS2RFWjZWVXA1YkU5elltSjJTV3N6VUV0S2VXeFpSMDVDZG5rek56SkdkRlV3ZWtaTVVWQlRiMW93TWxaSFVTODBWbXR0YVZScU5GcFRkakZaYlV4UVNRcFhiVE01ZUVkd2FEaFpVbVpGUVhKR1JWRlNOeTlLV2tad2JVc3pPV1ZwTkZsWmVsRndjRXhqVW1sRVdHUjBia0pEV1VSTE0ydHVSekZzWnpKWVIyRnpDazF0V0VsdFFYQlFTMWcwTDA5a1RVdzVaVXMwY0dZd1EwRjNSVUZCVVQwOUNpMHRMUzB0UlU1RUlGQlZRa3hKUXlCTFJWa3RMUzB0TFFvPSJ9fX19",
"integratedTime": "1704106175",
"logIndex": "60606559",
"logID": "c0d23d6ad406973f9559f3ba2d1ca01f84147d8ffc5b8445c224f98b9591801d"
}
}
Hey @paulsavoie , on replicating your whole process with one replacement, i.e. using cosign as a signing tool instead of openssl, then verification process works for rekor too:
Process and steps will be:
- sign Image with
--upload=false, - then upload artifacts, sig, and public key to rekor
- and finally attach the signature, payload and rekor-bundle to image and
- then check whether verification works using rekor.
-
generate a payload - cosign generate $IMAGE_DIGEST > payload.json
-
sign an image, get the signature and do not upload it to registry.
cosign sign --key cosign.key --payload payload.json --tlog-upload=false --upload=false --output-signature op_signature2.sig $IMAGE
-
decode signature
base64 -d < op_signature2.sig > op_signature.sig
-
upload the artifact, signature, and public key to rekor.
rekor-cli upload --artifact payload.json --signature op_signature.sig --pki-format=x509 --public-key cosign.pub reated entry at index 60785227, available at: https://rekor.sigstore.dev/api/v1/log/entries/24296fb24b8ad77a548120914cbcfcc511940ef1e643dbc4cb8c51cc2ebf7e8fb58d345c6766b5db -
construct a rekor-bundle:
$ cat rekor_bundle.json | jq
{
"SignedEntryTimestamp": "MEUCICgM9CCtcMXPKCIeyInCxRSwXfEE7p26tOsp754tNllqAiEArw8QbChGn6n15TEG4yJaBJbbugD3Fht+7V+WSNVmPe8=",
"Payload": {
"body": "eyJhcGlWZXJzaW9uIjoiMC4wLjEiLCJraW5kIjoicmVrb3JkIiwic3BlYyI6eyJkYXRhIjp7Imhhc2giOnsiYWxnb3JpdGhtIjoic2hhMjU2IiwidmFsdWUiOiI0ODEwZmQ5YjEzODdlNDZhZWMyM2NmNTYwNjU3OTcxOTllZmU3NzM3YmQ0NmNiMTViYzI0Y2VkMjY5MGNhYzUyIn19LCJzaWduYXR1cmUiOnsiY29udGVudCI6Ik1FVUNJUUM0VVpIODNTY3o3d1g1dU1LR0NJU3c5SDNvRlk1R3p6b3dFY1lxTDJOSkl3SWdjT1YzaUFmd2hEL0dBMzI2a3RQRUtGYkVHVExPTlhOVDNFcGJtK1VqbHU4PSIsImZvcm1hdCI6Ing1MDkiLCJwdWJsaWNLZXkiOnsiY29udGVudCI6IkxTMHRMUzFDUlVkSlRpQlFWVUpNU1VNZ1MwVlpMUzB0TFMwS1RVWnJkMFYzV1VoTGIxcEplbW93UTBGUldVbExiMXBKZW1vd1JFRlJZMFJSWjBGRlFteFlha3hpU0c4d1dXdHROMGRaWlc4d2MzUXphbmxCSzNOS1R3b3ZVVnBMZVRkNE1WQkdTMnBJYlc1UmVVb3lTV0psVldwNU5tZEhNelpTU1dGME0xQjVjVWN3ZUZsRGNEZGtWWFZNSzBac1IwMU9la2hCUFQwS0xTMHRMUzFGVGtRZ1VGVkNURWxESUV0RldTMHRMUzB0Q2c9PSJ9fX19",
"integratedTime": 1704186031,
"logIndex": 60785227,
"logID": "c0d23d6ad406973f9559f3ba2d1ca01f84147d8ffc5b8445c224f98b9591801d"
}
}
NOTE: before running below cosign attach command . Make sure to pull my changes from PR, and build a cosign using make cosign and use it.
- Attach the signature, payload, and rekor-bundle to an image
./cosign attach signature --payload payload.json --signature op_signature2.sig --rekor-response rekor_bundle.json $IMAGE
- Check the manifest:
NEW_IMAGE=$(cosign triangulate ghcr.io/viveksahu26/hi-cosign:main)
crane manifest $NEW_IMAGE | jq ✭
{
"schemaVersion": 2,
"mediaType": "application/vnd.oci.image.manifest.v1+json",
"config": {
"mediaType": "application/vnd.oci.image.config.v1+json",
"size": 233,
"digest": "sha256:fa861bd3364df5b2e0bee5054be12ea13fab3eb3879312945aa044600d8c0ae8"
},
"layers": [
{
"mediaType": "application/vnd.dev.cosign.simplesigning.v1+json",
"size": 246,
"digest": "sha256:4810fd9b1387e46aec23cf56065797199efe7737bd46cb15bc24ced2690cac52",
"annotations": {
"dev.cosignproject.cosign/signature": "MEUCIQC4UZH83Scz7wX5uMKGCISw9H3oFY5GzzowEcYqL2NJIwIgcOV3iAfwhD/GA326ktPEKFbEGTLONXNT3Epbm+Ujlu8=",
"dev.sigstore.cosign/bundle": "{\"SignedEntryTimestamp\":\"MEUCICgM9CCtcMXPKCIeyInCxRSwXfEE7p26tOsp754tNllqAiEArw8QbChGn6n15TEG4yJaBJbbugD3Fht+7V+WSNVmPe8=\",\"Payload\":{\"body\":\"eyJhcGlWZXJzaW9uIjoiMC4wLjEiLCJraW5kIjoicmVrb3JkIiwic3BlYyI6eyJkYXRhIjp7Imhhc2giOnsiYWxnb3JpdGhtIjoic2hhMjU2IiwidmFsdWUiOiI0ODEwZmQ5YjEzODdlNDZhZWMyM2NmNTYwNjU3OTcxOTllZmU3NzM3YmQ0NmNiMTViYzI0Y2VkMjY5MGNhYzUyIn19LCJzaWduYXR1cmUiOnsiY29udGVudCI6Ik1FVUNJUUM0VVpIODNTY3o3d1g1dU1LR0NJU3c5SDNvRlk1R3p6b3dFY1lxTDJOSkl3SWdjT1YzaUFmd2hEL0dBMzI2a3RQRUtGYkVHVExPTlhOVDNFcGJtK1VqbHU4PSIsImZvcm1hdCI6Ing1MDkiLCJwdWJsaWNLZXkiOnsiY29udGVudCI6IkxTMHRMUzFDUlVkSlRpQlFWVUpNU1VNZ1MwVlpMUzB0TFMwS1RVWnJkMFYzV1VoTGIxcEplbW93UTBGUldVbExiMXBKZW1vd1JFRlJZMFJSWjBGRlFteFlha3hpU0c4d1dXdHROMGRaWlc4d2MzUXphbmxCSzNOS1R3b3ZVVnBMZVRkNE1WQkdTMnBJYlc1UmVVb3lTV0psVldwNU5tZEhNelpTU1dGME0xQjVjVWN3ZUZsRGNEZGtWWFZNSzBac1IwMU9la2hCUFQwS0xTMHRMUzFGVGtRZ1VGVkNURWxESUV0RldTMHRMUzB0Q2c9PSJ9fX19\",\"integratedTime\":1704186031,\"logIndex\":60785227,\"logID\":\"c0d23d6ad406973f9559f3ba2d1ca01f84147d8ffc5b8445c224f98b9591801d\"}}"
}
}
]
}
- Now, verify and Finally verification works:
cosign verify --key cosign.pub $IMAGE | jq
Verification for ghcr.io/viveksahu26/hi-cosign:main --
The following checks were performed on each of these signatures:
- The cosign claims were validated
- Existence of the claims in the transparency log was verified offline
- The signatures were verified against the specified public key
[
{
"critical": {
"identity": {
"docker-reference": "ghcr.io/viveksahu26/hi-cosign"
},
"image": {
"docker-manifest-digest": "sha256:53717c8c2a95af9550d0b1cebff0e4fa357c3573d936fc42af3cb73b627969bf"
},
"type": "cosign container image signature"
},
"optional": {
"Bundle": {
"SignedEntryTimestamp": "MEUCICgM9CCtcMXPKCIeyInCxRSwXfEE7p26tOsp754tNllqAiEArw8QbChGn6n15TEG4yJaBJbbugD3Fht+7V+WSNVmPe8=",
"Payload": {
"body": "eyJhcGlWZXJzaW9uIjoiMC4wLjEiLCJraW5kIjoicmVrb3JkIiwic3BlYyI6eyJkYXRhIjp7Imhhc2giOnsiYWxnb3JpdGhtIjoic2hhMjU2IiwidmFsdWUiOiI0ODEwZmQ5YjEzODdlNDZhZWMyM2NmNTYwNjU3OTcxOTllZmU3NzM3YmQ0NmNiMTViYzI0Y2VkMjY5MGNhYzUyIn19LCJzaWduYXR1cmUiOnsiY29udGVudCI6Ik1FVUNJUUM0VVpIODNTY3o3d1g1dU1LR0NJU3c5SDNvRlk1R3p6b3dFY1lxTDJOSkl3SWdjT1YzaUFmd2hEL0dBMzI2a3RQRUtGYkVHVExPTlhOVDNFcGJtK1VqbHU4PSIsImZvcm1hdCI6Ing1MDkiLCJwdWJsaWNLZXkiOnsiY29udGVudCI6IkxTMHRMUzFDUlVkSlRpQlFWVUpNU1VNZ1MwVlpMUzB0TFMwS1RVWnJkMFYzV1VoTGIxcEplbW93UTBGUldVbExiMXBKZW1vd1JFRlJZMFJSWjBGRlFteFlha3hpU0c4d1dXdHROMGRaWlc4d2MzUXphbmxCSzNOS1R3b3ZVVnBMZVRkNE1WQkdTMnBJYlc1UmVVb3lTV0psVldwNU5tZEhNelpTU1dGME0xQjVjVWN3ZUZsRGNEZGtWWFZNSzBac1IwMU9la2hCUFQwS0xTMHRMUzFGVGtRZ1VGVkNURWxESUV0RldTMHRMUzB0Q2c9PSJ9fX19",
"integratedTime": 1704186031,
"logIndex": 60785227,
"logID": "c0d23d6ad406973f9559f3ba2d1ca01f84147d8ffc5b8445c224f98b9591801d"
}
}
}
}
]
Thank you so much for the swift response! I can see that the Rekor bundle basically contains the same info as in the public URL. Is there a command to create the rekor_bundle.json file or do I have to create that by hand (by downloading it from Rekor myself and extracting the relevant parts)?
AFAIK, you need to create rekor bundle by yourself. Need confirmation from @haydentherapper .
The Rekor bundle format is not an exact match of what's returned from the server, it's a struct.
https://github.com/sigstore/cosign/pull/3248/ added support for outputting both the Rekor response struct and other associated verification data (signature and certificate). I think some of the confusion is that cosign attach takes only the Rekor struct, not the "bundle" output from cosign sign. The PR @viveksahu26 created will fix this.
If you have fetched a response from Rekor yourself through rekor-cli, then you'll need to create the rekor struct. I'd also be open to a PR that takes in a rekor response.
As an aside, we just need to be clear on when we're taking in a "bundle" vs "rekor bundle" vs "response". Unfortunately we overloaded what a bundle is in the codebase. Typically a "bundle" refers to the combination of all verification metadata (signature, certificate, Rekor proof), a "Rekor bundle" is the struct of a proof + other Rekor data, and a "response" would be whatever is returned from requests directly to Rekor.
https://github.com/sigstore/cosign/pull/3248 added support for outputting both the Rekor response struct and other associated verification data (signature and certificate).
The cosign sign command for current version v2.2.2 doesn't have flag for outputting rekor response nor for rekor bundle and neither for rekor object.
In order to verify the image via rekor log, the image must contain the rekor bundle. The rekor object is the body of rekor bundle. So, on attaching rekor bundle, rekor object will automatically attached.
Just for clearity added rekor Bundle, rekor Object and rekor response:
$ cat rekor_bundle.json | jq
{
"SignedEntryTimestamp": "MEQCIHEmjSp606etascUmCK/HYh7rRkyTfHVrOdzs/kxlhbzAiBJnpUjpSqh2QiW6GQjGgoSL8YN6Kgm4DY3Km1lfhlssw==",
"Payload": {
"body": "eyJhcGlWZXJzaW9uIjoiMC4wLjEiLCJraW5kIjoicmVrb3JkIiwic3BlYyI6eyJkYXRhIjp7Imhhc2giOnsiYWxnb3JpdGhtIjoic2hhMjU2IiwidmFsdWUiOiJjOTA5YWVlYmQ5MzU3YzA4MGE3N2VhOWQzZWVmMzU1ODMwYTMxNTRjNTJmODlhOWJlMDUyMDMxN2ZlNTQ1NjdhIn19LCJzaWduYXR1cmUiOnsiY29udGVudCI6Ik1FVUNJRmhKSUJRdkpMOTY0cWJDQ2hENjFhWW4yYzlBMTNVNmJDNUlrY1REYmNyNUFpRUF5SWZkVWV0WGdSbDlFN3VnemdiWDlpN0VaZGw0eHdMNm9uWUtlY2JtR0xFPSIsImZvcm1hdCI6Ing1MDkiLCJwdWJsaWNLZXkiOnsiY29udGVudCI6IkxTMHRMUzFDUlVkSlRpQlFWVUpNU1VNZ1MwVlpMUzB0TFMwS1RVWnJkMFYzV1VoTGIxcEplbW93UTBGUldVbExiMXBKZW1vd1JFRlJZMFJSWjBGRlNXdzFLMDgxTjAxRmNsWkdNMnh1UzJGRGRrWjNTWGxTUkhOVmR3cFhVV1ZHVjFKdk56ZHNXVzFPWlZGdWFrVXhhVmRYYzI1WmJqVkRlVWgzVVcxdWFrWjNZMGxLVlVWdldtUXJkSGxJVVRKSk9IQnRXa2xSUFQwS0xTMHRMUzFGVGtRZ1VGVkNURWxESUV0RldTMHRMUzB0Q2c9PSJ9fX19",
"integratedTime": 1704275510,
"logIndex": 61057801,
"logID": "c0d23d6ad406973f9559f3ba2d1ca01f84147d8ffc5b8445c224f98b9591801d"
}
}
And the body field under Payload is rekorObject`. If you decode it, you will get:
{
"apiVersion": "0.0.1",
"kind": "rekord",
"spec": {
"data": {
"hash": {
"algorithm": "sha256",
"value": "c909aeebd9357c080a77ea9d3eef355830a3154c52f89a9be0520317fe54567a"
}
},
"signature": {
"content": "MEUCIFhJIBQvJL964qbCChD61aYn2c9A13U6bC5IkcTDbcr5AiEAyIfdUetXgRl9E7ugzgbX9i7EZdl4xwL6onYKecbmGLE=",
"format": "x509",
"publicKey": {
"content": "LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUZrd0V3WUhLb1pJemowQ0FRWUlLb1pJemowREFRY0RRZ0FFSWw1K081N01FclZGM2xuS2FDdkZ3SXlSRHNVdwpXUWVGV1JvNzdsWW1OZVFuakUxaVdXc25ZbjVDeUh3UW1uakZ3Y0lKVUVvWmQrdHlIUTJJOHBtWklRPT0KLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0tCg=="
}
}
}
}
And rekor response will be:
curl https://rekor.sigstore.dev/api/v1/log/entries\?logIndex\=61057801 | jq
{
"24296fb24b8ad77a88cfe47ac0ec898992d7c352d888385572ffe428f3ceace27fb28efb8c3525ea": {
"body": "eyJhcGlWZXJzaW9uIjoiMC4wLjEiLCJraW5kIjoicmVrb3JkIiwic3BlYyI6eyJkYXRhIjp7Imhhc2giOnsiYWxnb3JpdGhtIjoic2hhMjU2IiwidmFsdWUiOiJjOTA5YWVlYmQ5MzU3YzA4MGE3N2VhOWQzZWVmMzU1ODMwYTMxNTRjNTJmODlhOWJlMDUyMDMxN2ZlNTQ1NjdhIn19LCJzaWduYXR1cmUiOnsiY29udGVudCI6Ik1FVUNJRmhKSUJRdkpMOTY0cWJDQ2hENjFhWW4yYzlBMTNVNmJDNUlrY1REYmNyNUFpRUF5SWZkVWV0WGdSbDlFN3VnemdiWDlpN0VaZGw0eHdMNm9uWUtlY2JtR0xFPSIsImZvcm1hdCI6Ing1MDkiLCJwdWJsaWNLZXkiOnsiY29udGVudCI6IkxTMHRMUzFDUlVkSlRpQlFWVUpNU1VNZ1MwVlpMUzB0TFMwS1RVWnJkMFYzV1VoTGIxcEplbW93UTBGUldVbExiMXBKZW1vd1JFRlJZMFJSWjBGRlNXdzFLMDgxTjAxRmNsWkdNMnh1UzJGRGRrWjNTWGxTUkhOVmR3cFhVV1ZHVjFKdk56ZHNXVzFPWlZGdWFrVXhhVmRYYzI1WmJqVkRlVWgzVVcxdWFrWjNZMGxLVlVWdldtUXJkSGxJVVRKSk9IQnRXa2xSUFQwS0xTMHRMUzFGVGtRZ1VGVkNURWxESUV0RldTMHRMUzB0Q2c9PSJ9fX19",
"integratedTime": 1704275510,
"logID": "c0d23d6ad406973f9559f3ba2d1ca01f84147d8ffc5b8445c224f98b9591801d",
"logIndex": 61057801,
"verification": {
"inclusionProof": {
"checkpoint": "rekor.sigstore.dev - 2605736670972794746\n56899688\n2K8awlTbXSPXzAc5u1CVUpse38O74h0ra2Rp7xmc8W8=\nTimestamp: 1704278309483367771\n\n— rekor.sigstore.dev wNI9ajBFAiEA/+k6BRX1AjrDcDNPhOsQ2uep7oqzNRPTHFDKnz21ePwCIF6/ZMsAAwHVpBssuL4g6XcYx8IbE/pSU7Dru2RxnWET\n",
"hashes": [
"552844e8341d5f5ca35b3b5986b2844defe0cb5b3ba70463cac0a501c4116598",
"ce8ac8c1bce209194a9363cb1745a66da615e123b1d6de61030d7b6056a7acb4",
"a0d143e6cf96bce7b9650f1550cb3cc11b3f86a1cdcf6b769936f3c5998ed8e0",
"f6ddbd7786cf35f3371e88d3766b09e49d718fbf5ff74f3f99c90708f6fd4fb7",
"3d31f9e6961f61bd9631ad33ce2523d240bd34feb9c662693019168f20c616a9",
"54228e5dc4ecfd140fe299c0717138f9155108ed411ddb26e750c52943854eeb",
"03c0d114a083b63ace0a45dbf9fb93a71c1355e6ff2b843caa04ca60b3ad8630",
"dc912424fcafb9941b58d87c3c3c44e8ec82a1d5dcc7b386b498eeb14d76d484",
"05ece212ea71c71c840c01ea2c0f04d67679060c00e118d9ebf132047dd866f5",
"df4f2672db865a2583b869b285edc7318e18210bb00221e0545575e70976911a",
"60f66d91bcfd95d07d9c71ef4ca1aa0808b7fd34cf3cf050e8fac9d7eb081396",
"7f27330b3a87e8431b7530dc4582e7e339deaf6e490f1e372cb4a087a0d6d1b7",
"0f54f2c6492a507f6f121c3e7e47f1ae6fc0ca363979659af78623c66e476b69",
"d63b57eb1a8831b477e9e8f96ce4171c8bb04a4dc87eaa88c4acc3c96edb5d7f",
"b03582ce199cfd516f467cf990140df0c7709bb669d77638484d41c78cf15258",
"7940acf1d34fea9052d8af95ab3e4c0a5da981529238ad691d25800b61f210d4",
"2c4d25ba59aa573ab2c79c2d3cd9e1d74789b10632432724d63112ce50b44874",
"98c486feb5d87092a78a46c4b5be04868654900affc2e86ffb20074dc73a883a",
"6969c49bd73f19bf28a5eaeabd331ddd60502defb2cd3d96e17b741c80adec6c"
],
"logIndex": 56894370,
"rootHash": "d8af1ac254db5d23d7cc0739bb5095529b1edfc3bbe21d2b6b6469ef199cf16f",
"treeSize": 56899688
},
"signedEntryTimestamp": "MEQCIEPQJXuofj6OABnJ7pEmMn5mJR+bfYgM+U71l6a0qq20AiBTBuFdRTOdxR5lAy+2tGCHPAUZ2gnyEIhKcK1+708Zbw=="
}
}
}