cosign
Why does cosign call the v2 referrers API and include all preceding signature layers in the new signature manifest?
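Question:
Step 1: sign the image with regular cosign.
Step 2: sign the image again with COSIGN_EXPERIMENTAL=1 and --registry-referrers-mode oci-1-1.
Step 3: fetch the new signature manifest; it includes all the preceding signature layers.
In the manifest below, the three layers reference the same payload digest and differ only in their signature and bundle annotations.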
/data/registry/docker/registry/v2/blobs/sha256$ cat eb/ebc4372c9fe2bff1a0ba3c15857cab9ba97174c8ca64a8168a4b2f85cbc6700d/data | jq .
{
"schemaVersion": 2,
"mediaType": "application/vnd.oci.image.manifest.v1+json",
"config": {
"mediaType": "application/vnd.dev.cosign.artifact.sig.v1+json",
"size": 451,
"digest": "sha256:24e41e6b63095501c8c9d0b7021b79fcf23ffdb295fba17af443f95205448939"
},
"layers": [
{
"mediaType": "application/vnd.dev.cosign.simplesigning.v1+json",
"size": 250,
"digest": "sha256:53627750525c032c04693ffac1c2a910350d0f6ac36402f0b3a4d1e4f3876819",
"annotations": {
"dev.cosignproject.cosign/signature": "MEQCIHqac+pViFr85AikUF78koAK5ELvZ9zpSYie+i8XiRD/AiAdOXycSHfAujPel3QH9GnnNfLSyygglSzpyUJwMuuTaw==",
"dev.sigstore.cosign/bundle": "{\"SignedEntryTimestamp\":\"MEUCIQDf4eY/DVX21rZIZJUWrpk7MQAcNNwRZuMlnWFdd/pfegIgLR3Z3EF2ohSCC0lIFINcdiyLO1AJJGeCr33qYt+73A8=\",\"Payload\":{\"body\":\"eyJhcGlWZXJzaW9uIjoiMC4wLjEiLCJraW5kIjoiaGFzaGVkcmVrb3JkIiwic3BlYyI6eyJkYXRhIjp7Imhhc2giOnsiYWxnb3JpdGhtIjoic2hhMjU2IiwidmFsdWUiOiI1MzYyNzc1MDUyNWMwMzJjMDQ2OTNmZmFjMWMyYTkxMDM1MGQwZjZhYzM2NDAyZjBiM2E0ZDFlNGYzODc2ODE5In19LCJzaWduYXR1cmUiOnsiY29udGVudCI6Ik1FUUNJSHFhYytwVmlGcjg1QWlrVUY3OGtvQUs1RUx2Wjl6cFNZaWUraThYaVJEL0FpQWRPWHljU0hmQXVqUGVsM1FIOUdubk5mTFN5eWdnbFN6cHlVSndNdXVUYXc9PSIsInB1YmxpY0tleSI6eyJjb250ZW50IjoiTFMwdExTMUNSVWRKVGlCUVZVSk1TVU1nUzBWWkxTMHRMUzBLVFVacmQwVjNXVWhMYjFwSmVtb3dRMEZSV1VsTGIxcEplbW93UkVGUlkwUlJaMEZGWVVoSk1DOTZiWEpIYW1VNE9FeFVTM0ZDU2tvNWJXZDNhWEprWkFwaVJrZGpNQzlRYWtWUUwxbFJNelJwZFZweWJGVnRhMGx3ZDBocFdVTmxSV3M0YWpoWE5rSnBaV3BxTHk5WmVVRnZZaXN5VTFCTGRqUkJQVDBLTFMwdExTMUZUa1FnVUZWQ1RFbERJRXRGV1MwdExTMHRDZz09In19fX0=\",\"integratedTime\":1712641884,\"logIndex\":84292486,\"logID\":\"c0d23d6ad406973f9559f3ba2d1ca01f84147d8ffc5b8445c224f98b9591801d\"}}"
}
},
{
"mediaType": "application/vnd.dev.cosign.simplesigning.v1+json",
"size": 250,
"digest": "sha256:53627750525c032c04693ffac1c2a910350d0f6ac36402f0b3a4d1e4f3876819",
"annotations": {
"dev.cosignproject.cosign/signature": "MEQCIF9XqjuO8dMIqQTg6gomrYoGp5ukVN1T9UC8sc4noOfgAiADfrki8OBV36KjckR2X75LWCDrCRLH4NIXy1aWI4+kXg==",
"dev.sigstore.cosign/bundle": "{\"SignedEntryTimestamp\":\"MEYCIQD9FvimCVi5KMkjYkkLIFC7ISTr86rxqcxSJYUN2ix4RAIhAL4s62geCxqHF0NOmE30J3UsfCtNDzzd+/fTVSfwtusQ\",\"Payload\":{\"body\":\"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\",\"integratedTime\":1712649737,\"logIndex\":84307241,\"logID\":\"c0d23d6ad406973f9559f3ba2d1ca01f84147d8ffc5b8445c224f98b9591801d\"}}"
}
},
{
"mediaType": "application/vnd.dev.cosign.simplesigning.v1+json",
"size": 250,
"digest": "sha256:53627750525c032c04693ffac1c2a910350d0f6ac36402f0b3a4d1e4f3876819",
"annotations": {
"dev.cosignproject.cosign/signature": "MEUCIC4OJ4fcPET7AxS3ZMNeYtxDdSXY1jqVY30KQcqS73sCAiEAkK+R2/cQlYexmq7/avRXLTZ1/SRlaAomfVGwuG+fat0=",
"dev.sigstore.cosign/bundle": "{\"SignedEntryTimestamp\":\"MEYCIQD9ImUx+SrChaql3SKKJeWOeDYEUetHfIwUcECUc94ZmgIhAMEA2ZCbqT1MT5MO9K40LlZKmrhSXYutnpw+wxJwXxgT\",\"Payload\":{\"body\":\"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\",\"integratedTime\":1712649852,\"logIndex\":84307411,\"logID\":\"c0d23d6ad406973f9559f3ba2d1ca01f84147d8ffc5b8445c224f98b9591801d\"}}"
}
}
],
"subject": {
"mediaType": "application/vnd.docker.distribution.manifest.v2+json",
"size": 524,
"digest": "sha256:d37ada95d47ad12224c205a938129df7a3e52345828b4fa27b03a98825d1e2e7"
}
}