Signed-off-by: Engin Diri [email protected]

Summary

Hello cosign community and @cpanato,

I added GoFish support via goreleasers (@caarlos0). The only things we need before merging this PR:

A github repo called: fish-food similar to https://github.com/goreleaser/fish-food and and ensure access to it during the release process.

owner: sigstore
name: fish-food

Ticket Link

Fixes #855

Release Note

NONE

Closes https://github.com/sigstore/cosign/issues/2131

Authored by @kommendorkapten and @patflynn

Summary

First iteration of the proposed new bundle format for cosign. See README.md for more details. The intent for this PR is not to be merged in this state, it is to start the discussion as decided on the design review meeting at 2022-08-22.

Before accepting, make sure these tasks are done:

• [ ] https://github.com/sigstore/community/discussions/136 concluded
• [ ] Updated the binary fields to have the correct datatype.
• [ ] Move shared messages (Certificate, CertificateChain, Signarture, etc) into a shared place and reuse those definitions.

Release Note

N/A as of now.

Documentation

N/A as of now.

Signed-off-by: Noah Kreiger [email protected]

Summary

By not using the types.NewProposedEntry the in-toto rekor function was not assiging the hash key, which caused a downstream error when querying by the hash to find the log entry after it was added, making it appear as if it did not get added.

This fix will add the envelope hash to in-toto entries during tlog entry creation that will allow the entries to be queried by the hash downstream.

Release Note

• Bugfix adds envelope hash to in-toto entries in tlog entry creation

I have images deployed from multiple source in one cluster+namespace. For example I have three images:

• ***.azurecr.io/image-repo/image-name/@sha256:
• gcr.io/image-repo/authentication@sha256:
• gcr.io/knative-releases/knative.dev/serving/cmd/queue@

As you may notice I have control over first two images so I can put them in one repo and deploy. But I have no control over the third image as it is knative image. Will webhook allow all three images to be deployed? If yes, how? What config changes need to be made?

Question

I'm trying to sign a container image that I pushed to docker.io. This seems simple enough:

$ cosign sign -key cosign.key docker.io/adambkaplan/ruby-ex

However, when trying to pull the image, cosign does not appear to use my local credentials. Instead cosign appears to do the following:

1. Try to GET the root of the container registry
2. With the UNAUTHORIZED response, then it requests a "pull" scoped token
3. After receiving the token, it then tries to pull the container image. For whatever reason the token is invalid, and the pull fails.

I was able to verify that my ~/.docker/config.json contains valid auth credentials for docker.io, and that I can pull images using those credentials with my container engine (podman).

This could be related to #337.

Here's the debug output:

cosign -d sign -key cosign.key docker.io/adambkaplan/ruby-ex
2021/08/27 10:46:56 --> GET https://index.docker.io/v2/
2021/08/27 10:46:56 GET /v2/ HTTP/1.1
Host: index.docker.io
User-Agent: Go-http-client/1.1
Accept-Encoding: gzip


2021/08/27 10:46:56 <-- 401 https://index.docker.io/v2/ (201.76705ms)
2021/08/27 10:46:56 HTTP/1.1 401 Unauthorized
Content-Length: 87
Content-Type: application/json
Date: Fri, 27 Aug 2021 14:46:56 GMT
Docker-Distribution-Api-Version: registry/2.0
Strict-Transport-Security: max-age=31536000
Www-Authenticate: Bearer realm="https://auth.docker.io/token",service="registry.docker.io"

{"errors":[{"code":"UNAUTHORIZED","message":"authentication required","detail":null}]}

2021/08/27 10:46:56 --> GET https://auth.docker.io/token?scope=repository%3Aadambkaplan%2Fruby-ex%3Apull&service=registry.docker.io [body redacted: basic token response contains credentials]
2021/08/27 10:46:56 GET /token?scope=repository%3Aadambkaplan%2Fruby-ex%3Apull&service=registry.docker.io HTTP/1.1
Host: auth.docker.io
User-Agent: go-containerregistry/v0.6.0
Accept-Encoding: gzip


2021/08/27 10:46:57 <-- 200 https://auth.docker.io/token?scope=repository%3Aadambkaplan%2Fruby-ex%3Apull&service=registry.docker.io (179.251563ms) [body redacted: basic token response contains credentials]
2021/08/27 10:46:57 HTTP/1.1 200 OK
Transfer-Encoding: chunked
Content-Type: application/json
Date: Fri, 27 Aug 2021 14:46:56 GMT
Strict-Transport-Security: max-age=31536000


2021/08/27 10:46:57 --> GET https://index.docker.io/v2/adambkaplan/ruby-ex/manifests/latest
2021/08/27 10:46:57 GET /v2/adambkaplan/ruby-ex/manifests/latest HTTP/1.1
Host: index.docker.io
User-Agent: go-containerregistry/v0.6.0
Accept: application/vnd.docker.distribution.manifest.v1+json,application/vnd.docker.distribution.manifest.v1+prettyjws,application/vnd.docker.distribution.manifest.v2+json,application/vnd.oci.image.manifest.v1+json,application/vnd.docker.distribution.manifest.list.v2+json,application/vnd.oci.image.index.v1+json
Authorization: <redacted>
Accept-Encoding: gzip


2021/08/27 10:46:57 <-- 401 https://index.docker.io/v2/adambkaplan/ruby-ex/manifests/latest (43.68461ms)
2021/08/27 10:46:57 HTTP/1.1 401 Unauthorized
Content-Length: 162
Content-Type: application/json
Date: Fri, 27 Aug 2021 14:46:57 GMT
Docker-Distribution-Api-Version: registry/2.0
Strict-Transport-Security: max-age=31536000
Www-Authenticate: Bearer realm="https://auth.docker.io/token",service="registry.docker.io",scope="repository:adambkaplan/ruby-ex:pull",error="insufficient_scope"

{"errors":[{"code":"UNAUTHORIZED","message":"authentication required","detail":[{"Type":"repository","Class":"","Name":"adambkaplan/ruby-ex","Action":"pull"}]}]}

2021/08/27 10:46:57 --> GET https://auth.docker.io/token?scope=repository%3Aadambkaplan%2Fruby-ex%3Apull&service=registry.docker.io [body redacted: basic token response contains credentials]
2021/08/27 10:46:57 GET /token?scope=repository%3Aadambkaplan%2Fruby-ex%3Apull&service=registry.docker.io HTTP/1.1
Host: auth.docker.io
User-Agent: go-containerregistry/v0.6.0
Accept-Encoding: gzip


2021/08/27 10:46:57 <-- 200 https://auth.docker.io/token?scope=repository%3Aadambkaplan%2Fruby-ex%3Apull&service=registry.docker.io (38.934215ms) [body redacted: basic token response contains credentials]
2021/08/27 10:46:57 HTTP/1.1 200 OK
Transfer-Encoding: chunked
Content-Type: application/json
Date: Fri, 27 Aug 2021 14:46:57 GMT
Strict-Transport-Security: max-age=31536000


2021/08/27 10:46:57 --> GET https://index.docker.io/v2/adambkaplan/ruby-ex/manifests/latest
2021/08/27 10:46:57 GET /v2/adambkaplan/ruby-ex/manifests/latest HTTP/1.1
Host: index.docker.io
User-Agent: go-containerregistry/v0.6.0
Accept: application/vnd.docker.distribution.manifest.v1+json,application/vnd.docker.distribution.manifest.v1+prettyjws,application/vnd.docker.distribution.manifest.v2+json,application/vnd.oci.image.manifest.v1+json,application/vnd.docker.distribution.manifest.list.v2+json,application/vnd.oci.image.index.v1+json
Authorization: <redacted>
Accept-Encoding: gzip


2021/08/27 10:46:57 <-- 401 https://index.docker.io/v2/adambkaplan/ruby-ex/manifests/latest (40.460773ms)
2021/08/27 10:46:57 HTTP/1.1 401 Unauthorized
Content-Length: 162
Content-Type: application/json
Date: Fri, 27 Aug 2021 14:46:57 GMT
Docker-Distribution-Api-Version: registry/2.0
Strict-Transport-Security: max-age=31536000
Www-Authenticate: Bearer realm="https://auth.docker.io/token",service="registry.docker.io",scope="repository:adambkaplan/ruby-ex:pull",error="insufficient_scope"

{"errors":[{"code":"UNAUTHORIZED","message":"authentication required","detail":[{"Type":"repository","Class":"","Name":"adambkaplan/ruby-ex","Action":"pull"}]}]}

error: signing docker.io/adambkaplan/ruby-ex: getting remote image: GET https://index.docker.io/v2/adambkaplan/ruby-ex/manifests/latest: UNAUTHORIZED: authentication required; [map[Action:pull Class: Name:adambkaplan/ruby-ex Type:repository]]

Description

Today cosign is very oriented around OCI entities as both the thing being signed, as well as the medium for storing signatures, attestations, etc. While this is a pervasive medium for binaries, it doesn't capture another critical lifecycle stage: source, which has an even more pervasive medium: Git.

🚨🚨 This conversation will be muddied by the existence of git commit -s, which solves one specific part of the problem, but hopefully I will motivate the ways this is insufficient here 🚨🚨

git commit -s solves a very focused problem: authenticating commit authors (assuming publicly verifiable keys for that author). However, git commit -s encodes the signature into the Merkle DAG, which suffers similar problems with early container image signing efforts: it's presence changes the DAG, and post-facto attachment is impossible without changing the DAG. This is fine for the authentication use-case, but not for the breadth of use-cases cosign is pursuing.

Let's look in particular at "attestations". Some of these (e.g. provenance) can be established at the point of authoring, but the vast majority of attestations will be attached post-facto, and often by a diverse set of authors. Some examples here would be:

• "review" attestations: looking at compliance requirements and things like SLSA it is just as important to know who reviewed a change as who authored the change.
• "validated" attestations: an example of a "robot" attestation would be the completion of various presubmit checks. You can think of this as a portable medium for encoding Github's "checks" or "commit status" information. This could include various levels of testing, style checking, or source-level vulnerability scanning.

Fortunately, (unlike OCI) Git already has an established medium for attaching metadata to commits called git notes:

Commit notes are blobs containing extra information about an object (usually information to supplement a commit’s message). These blobs are taken from notes refs. A notes ref is usually a branch which contains "files" whose paths are the object names for the objects they describe, with some directory separators included for performance reasons

You can even see that the examples of how to use these encompass some of the use cases above:

git show -s 72a144e
[...]
    Signed-off-by: Junio C Hamano <[email protected]>

Notes:
    Tested-by: Johannes Sixt <[email protected]>

I would be remiss at this point if I did not h/t git-appraise and @ojarjur who taught me about Git notes! This project touches on the other use case I mention above: reviews (although more for content than attestation).

So what am I actually proposing?

I think that it would be interesting to start thinking about a pkg/git to match pkg/oci which enables us to use cosign to sign and attest to things using git notes post-facto. e.g. passing a remote/refspec to:

COSIGN_EXPERIMENTAL=1 cosign attest --predicate <FILE> --type <TYPE> <REMOTE/REFSPEC>

Summary

This commit adds a "blob" subcommand to the sget tool. The "blob" subcommand provides an easy and convenient way to download and verify binary large objects (BLOBs).

Breaking Changes: The sget image download command can be now found as subcommand: sget image

Example Output:

❯ ./sget blob https://github.com/shibumi/mnemonic/releases/download/v0.3.2/mnemonic_0.3.2_linux_arm64.tar.gz --signature https://github.com/shibumi/mnemonic/releases/download/v0.3.2/mnemonic_0.3.2_linux_arm64.tar.gz.sig > mnemonic_0.3.2_linux_arm64.tar.gz
Certificate is trusted by Fulcio Root CA
Email: []
URI: https://github.com/shibumi/mnemonic/.github/workflows/goreleaser.yml@refs/tags/v0.3.2
Issuer:  https://token.actions.githubusercontent.com
Verified OK
tlog entry verified with uuid: "7afc36d7e17268f0bf3b1f6e415e304aa96795b8c49963588e15a20225c3fa17" index: 932675

Ticket Link

None

Release Note

breaking change: sget has obtained two new subcommands: image and blob. Blob allows to download and verify BLOBs..

Our primary goal is broad registry support. Right now we're unsure of where we are:

• GCR (tested, mostly works)
• Google Artifact Registry (works)
• Quay - works in latest version, not in hosted service yet
• Dockerhub?
• Azure Container Registry?
• Amazon Container Registry?
• Others?

We have some options we can try to increase support, but they're kind of ugly. I'd first like to understand how much support we have vs. how much we would gain by doing terrible things with media types.

cc @jonjohnsonjr @font (slack here: https://github.com/google/go-containerregistry/blob/93228a70849651ba98cdee6f0654f623d7cdcbdb/pkg/v1/manifest.go#L27)

Summary

With cosign 1.3.0 it is not possible to store the public certificate generated by the OIDC-issuer in a convenient way. To store the public key locally on disk, the user has to intercept the cosign stdout, parse it and store it. This is inconvenient and error-prone. We want to make signing and public key distribution as easy as possible, hence this PR introduces a new pubkey-output flag for the sign-blob sub-command.

The pubkey-output flag respects the b64 flag and prints the certificate/key as file in a given file path.

Ticket Link

Fixes None

Release Note

The cosign cli is now able to store the public certificate/key during sign-blob operations via the `pubkey-output` flag.

Description

From a slack conversation with @developer-guy @Dentrax and @joshuagl, capturing it here so I don't forget!

We've already discussed support for signing/verifying/storing attestations, using the In-Toto model: https://github.com/in-toto/attestation, and @developer-guy brought up a common use case around storing vulnerability scan reports for an image in the registry.

Storing scans is slightly problematic in that the scan results are timely, a scan with no vulnerabilities a month ago doesn't mean that the image has no know vulnerabilities today. Rather than storing scan results directly, we can convert them into an attestation, by adding a timestamp and a signer.

Rather than saying "this has no vulnerabilties", the statement becomes "this had no vulnerabilities as of $TIME, as seen by $SIGNER". Then the $SIGNER signs this, making it a formal attestation.

Policy engines can then rely on these, and policies can be written in the form of "there must be a clean scan report within the last X days".

I think to implement all of this in cosign, we would do something like:

• define a new provenance predicate either here in cosign or in the in-toto repo to convey a timestamped scan report.
• add some cosign commands:

cosign sign-attestation -f <attestation> cosign attach attestation -f <attestation> <img>

We can still use all of the KMS/key/ephemeral support for signing - but these are slightly different from the rest of what cosign works with, as the attestation itself is signed, not the OCI image wrapper. The scan report would be generated and timestamped, then cosign would sign the file locally (similar to sign-blob). Then the signed blob can get attached to an image.

Does this all make sense?

Abstract

Slightly the same with verify-dockerfile, but for Kubernetes Resources, responsible for creating containers such as Deployments, ReplicaSets, DaemonSets. etc. The same logic we used to check ImageRefs in verify-dockerfile command can simply traverse the whole resource to check given images actually signed. There is an alternative way of doing the same with creating ValidatingAdmissionWebhook like a project cosigned. But with this command, we can verify the whole images as early as possible in the CI pipelines before applying them into the Kubernetes cluster.

Implementation

We may have to write a Resource decider to correctly decide where we should get the image ref from the manifest by looking at the kind of the Resource. For example like the following examples:

Kind: Deployment | |-> spec.template.spec.containers[*].image

Kind: Pod | |-> spec.containers[*].image

After founding the images, we should verify them one by one against the public key or keyless.

Usage

Maybe we can give this command the following name: verify-manifest.

$ cosign verify-manifest -key cosign.pub <path/to/manifest>

To propose as simple as possible, I don't want to add all the other options that we can suğpport, but we can support all the other commands that verify-dockerfile currently supports.

cc: @Dentrax

Description

I noticed that KeyOpts is starting to have a conglomerate of options that I think rather belong in SignOptions, since they have nothing to do with the Key... Likewise, most commands should use the SignOptions instead of using KeyOpts to populate their options.

In particular:

TSAServerURL string RFC3161TimestampPath string TSACertChainPath string BundlePath string

SkipConfirmation is an option for tlog upload as well, which also doesn't have anything to do with your Key creation...

Signed-off-by: Ville Aikas [email protected]

Summary

Remove some lingering uses of COSIGN_EXPERIMENTAL. Drop the warning about public-good-instance not being GA since it is.

Release Note

Documentation

Description

It's unclear to me what the behaviour of the --insecure-skip-tlog-verify means or if there's a bug. I would assume that by using that flag, less verifications would be done, and therefore verification using that flag should not result in something failing that passes without that flag.

      --insecure-skip-tlog-verify                                                                skip transparency log verification, to be used when an artifact signature has not been uploaded to the transparency log. Artifacts cannot be publicly verified when not included in a log

An example (from the head), first with not specifying --insecure-skip-tlog-verify and the second with it:

./cosign verify cgr.dev/chainguard/static@sha256:39ae0654d64cb72003216f6148e581e6d7cf239ac32325867af46666e31739d2 --certificate-identity='https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main' --certificate-oidc-issuer='https://token.actions.githubusercontent.com'

Verification for cgr.dev/chainguard/static@sha256:39ae0654d64cb72003216f6148e581e6d7cf239ac32325867af46666e31739d2 --
The following checks were performed on each of these signatures:
  - The cosign claims were validated
  - Existence of the claims in the transparency log was verified offline
  - Any certificates were verified against the Fulcio roots.

[{"critical":{"identity":{"docker-reference":"ghcr.io/chainguard-images/static"},"image":{"docker-manifest-digest":"sha256:39ae0654d64cb72003216f6148e581e6d7cf239ac32325867af46666e31739d2"},"type":"cosign container image signature"},"optional":{"1.3.6.1.4.1.57264.1.1":"https://token.actions.githubusercontent.com","1.3.6.1.4.1.57264.1.2":"schedule","1.3.6.1.4.1.57264.1.3":"e0e47eb5f17844c26a041480b6cd6c8ff612778f","1.3.6.1.4.1.57264.1.4":".github/workflows/release.yaml","1.3.6.1.4.1.57264.1.5":"chainguard-images/images","1.3.6.1.4.1.57264.1.6":"refs/heads/main","Bundle":{"SignedEntryTimestamp":"MEYCIQD0mNj/m4tLjb/o2/7+SUAimv8gIkj2hE5ZE/5wCI8iogIhAND5nqBgET4sj+5lqiTni7dDOxITBeBVgPpb/8keMGgi","Payload":{"body":"eyJhcGlWZXJzaW9uIjoiMC4wLjEiLCJraW5kIjoiaGFzaGVkcmVrb3JkIiwic3BlYyI6eyJkYXRhIjp7Imhhc2giOnsiYWxnb3JpdGhtIjoic2hhMjU2IiwidmFsdWUiOiJmODQ1N2UzMTQyZTVlMGIxYWRjMjhhNWU0ZDI4OGViOWIyYTMzNTBiODgzZWZkYTdhNjZjOTE5MTI0NDIzOGQzIn19LCJzaWduYXR1cmUiOnsiY29udGVudCI6Ik1FUUNJQjhGMWtsNzV2Uk9mc2pnbWRqZWMzbXo2T08vU2pIcHlQQlZmVzB2UkVPT0FpQnl2YnVTL01zWVAyczBzUU1mVms4dFRPOFZ3Tkt0RkkzdkdFbEh0T0I4MEE9PSIsInB1YmxpY0tleSI6eyJjb250ZW50IjoiTFMwdExTMUNSVWRKVGlCRFJWSlVTVVpKUTBGVVJTMHRMUzB0Q2sxSlNVUjJSRU5EUVRCSFowRjNTVUpCWjBsVlIyTklZMDB4Y1ZoSlNqQXlUMGhXTW5sbVZXMHdTVGg1WldkdmQwTm5XVWxMYjFwSmVtb3dSVUYzVFhjS1RucEZWazFDVFVkQk1WVkZRMmhOVFdNeWJHNWpNMUoyWTIxVmRWcEhWakpOVWpSM1NFRlpSRlpSVVVSRmVGWjZZVmRrZW1SSE9YbGFVekZ3WW01U2JBcGpiVEZzV2tkc2FHUkhWWGRJYUdOT1RXcE5kMDFVUVhsTlJFRjRUVVJCZUZkb1kwNU5hazEzVFZSQmVVMUVRWGxOUkVGNFYycEJRVTFHYTNkRmQxbElDa3R2V2tsNmFqQkRRVkZaU1V0dldrbDZhakJFUVZGalJGRm5RVVZVY2tZdmIwUkpNRXBOSzJoT2IzSkRlRUZFV2tZNU1GQkpVSE50YUZreVMwaFpRemNLUTFGVVJUTlJhak15VWpaalJtZE9iVUpTY2pscldYVlFia0Z1WjFobVQxRXpaMlpZUVM4MVlqZG9RbWR6T0VveFpFdFBRMEZ0UVhkblowcGpUVUUwUndwQk1WVmtSSGRGUWk5M1VVVkJkMGxJWjBSQlZFSm5UbFpJVTFWRlJFUkJTMEpuWjNKQ1owVkdRbEZqUkVGNlFXUkNaMDVXU0ZFMFJVWm5VVlZSWlhReUNqZ3ZPVmRNYURoMFZUUXhhMjQwZG1ZeVRWVnphMDlGZDBoM1dVUldVakJxUWtKbmQwWnZRVlV6T1ZCd2VqRlphMFZhWWpWeFRtcHdTMFpYYVhocE5Ga0tXa1E0ZDJGQldVUldVakJTUVZGSUwwSkdOSGRZU1ZwaFlVaFNNR05JVFRaTWVUbHVZVmhTYjJSWFNYVlpNamwwVERKT2IxbFhiSFZhTTFab1kyMVJkQXBoVnpGb1dqSldla3d5YkhSWlYyUnNZM2s0ZFZveWJEQmhTRlpwVEROa2RtTnRkRzFpUnprelkzazVlVnBYZUd4WldFNXNURzVzYUdKWGVFRmpiVlp0Q21ONU9XOWFWMFpyWTNrNWRGbFhiSFZOUkd0SFEybHpSMEZSVVVKbk56aDNRVkZGUlVzeWFEQmtTRUo2VDJrNGRtUkhPWEphVnpSMVdWZE9NR0ZYT1hVS1kzazFibUZZVW05a1Ywb3hZekpXZVZreU9YVmtSMVoxWkVNMWFtSXlNSGRHWjFsTFMzZFpRa0pCUjBSMmVrRkNRV2RSU1dNeVRtOWFWMUl4WWtkVmR3cE9aMWxMUzNkWlFrSkJSMFIyZWtGQ1FYZFJiMXBVUW14T1JHUnNXV3BXYlUxVVl6Uk9SRkpxVFdwYWFFMUVVWGhPUkdkM1dXcGFhbHBFV21wUFIxcHRDazVxUlhsT2VtTTBXbXBCYzBKbmIzSkNaMFZGUVZsUEwwMUJSVVZDUWpSMVdqSnNNR0ZJVm1sTU0yUjJZMjEwYldKSE9UTmplVGw1V2xkNGJGbFlUbXdLVEc1c2FHSlhkM2RLWjFsTFMzZFpRa0pCUjBSMmVrRkNRbEZSV1ZreWFHaGhWelZ1WkZkR2VWcERNWEJpVjBadVdsaE5kbUZYTVdoYU1sWjZUVUl3UndwRGFYTkhRVkZSUW1jM09IZEJVVmxGUkROS2JGcHVUWFpoUjFab1draE5kbUpYUm5CaWFrTkNhV2RaUzB0M1dVSkNRVWhYWlZGSlJVRm5VamhDU0c5QkNtVkJRakpCVGpBNVRVZHlSM2g0UlhsWmVHdGxTRXBzYms1M1MybFRiRFkwTTJwNWRDODBaVXRqYjBGMlMyVTJUMEZCUVVKb1Z5OVJWVkU0UVVGQlVVUUtRVVZqZDFKUlNXZFhOREl6UW14U1dYWmlRVk5ZVGpZelVqTTJhRzUxVlZsa05XMVRTVUpGZGxwblEwTjBMM1JyWlZSUlEwbFJSRVZPV1VGRmVFSkNUd281TlhGaFFreEVVbVZEWjBGSVdIaENXa3g1VG5KbGFGWnRSM2RWVVcxTEwyNXFRVXRDWjJkeGFHdHFUMUJSVVVSQmQwNXdRVVJDYlVGcVJVRnpaV3Q0Q25KWGRFTnhlQ3RyV21rMGRXWkxTekE1YVRkVU9HSm1kVTVWVFVSbVVWSlZNMkp4VDNrekszbFhPRVZLTkZKSWNHUnZja3RZVEVwVVlYQndjRUZxUlVFS2REQmFhVk5PVWpOa01VOU9TR3A1ZEhObWRsUmlkbFJaZGpoMFNYaHNjSFZQVUdkblJIbE9kV2d4Vnk5NE5rMXlUMnBVY0hOeWRXaGlaMkZJVEM5NmVRb3RMUzB0TFVWT1JDQkRSVkpVU1VaSlEwRlVSUzB0TFMwdENnPT0ifX19fQ==","integratedTime":1672618221,"logIndex":10286378,"logID":"c0d23d6ad406973f9559f3ba2d1ca01f84147d8ffc5b8445c224f98b9591801d"}},"Issuer":"https://token.actions.githubusercontent.com","Subject":"https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main","githubWorkflowName":".github/workflows/release.yaml","githubWorkflowRef":"refs/heads/main","githubWorkflowRepository":"chainguard-images/images","githubWorkflowSha":"e0e47eb5f17844c26a041480b6cd6c8ff612778f","githubWorkflowTrigger":"schedule","run_attempt":"1","run_id":"3819302484","sha":"e0e47eb5f17844c26a041480b6cd6c8ff612778f"}}]
vaikas@villes-mbp cosign % ./cosign verify cgr.dev/chainguard/static@sha256:39ae0654d64cb72003216f6148e581e6d7cf239ac32325867af46666e31739d2 --certificate-identity='https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main' --certificate-oidc-issuer='https://token.actions.githubusercontent.com' --insecure-skip-tlo
g-verify
**Warning** Skipping tlog verification is an insecure practice that lacks of transparency and auditability verification for the signature.
Error: no matching signatures:
checking expiry on certificate with bundle: certificate expired before signatures were entered in log: 2023-01-02T00:20:01Z is before 2023-01-04T11:00:44+02:00
main.go:62: error during command execution: no matching signatures:
checking expiry on certificate with bundle: certificate expired before signatures were entered in log: 2023-01-02T00:20:01Z is before 2023-01-04T11:00:44+02:00

It is skipping the verification here as expected: https://github.com/sigstore/cosign/blob/main/pkg/cosign/verify.go#L599

But now when it then goes here, the acceptableRekorBundleTime is nil as expected by specifying that flag, but then that means this gets evaluated against current time here: https://github.com/sigstore/cosign/blob/main/pkg/cosign/verify.go#L708

And not surprisingly it fails because the cert has expired by design. So, just curious if this is really the intended behaviour, or if there's a bug in here.

• the outputted private and public keys that where created when importing key pairs with --import-key-pair command where hardcoded to imported-cosign. this commit allows for a custom name to be specified using the --out or -o flag to --import-key-pair. example: --out my-test leads to my-test.key and my-test.pub files being outputted. if no --out flag is specified, the default imported-cosign, so backwards compatibility allowed.

Closes https://github.com/sigstore/cosign/issues/2586

Signed-off-by: ChrisJBurns [email protected]

Documentation

• Do we want to add an updated code snippet in Import Key Pair docs to show the --out flag? Or do we just leave it?

Description Currently when importing key pairs using import-key-pair command, it currently hardcodes the outputted key pair names to import-key.key & import-key.pub. We want to offer the user the ability to specify a custom name if they want - otherwise, default to import-key.

This to be seen as the same nature of change as implemented in https://github.com/sigstore/cosign/pull/2561 for generate-key-pair.

Description

When I run cosign verify-blob, resource temporarily unavailable error occurs frequently.

https://github.com/aquaproj/aqua/actions/runs/3784672207/jobs/6434146871#step:39:26

Error: verifying blob [/tmp/257978516]: getting Fulcio roots: initializing tuf: updating local metadata and targets: creating cached local store: resource temporarily unavailable
main.go:62: error during command execution: verifying blob [/tmp/257978516]: getting Fulcio roots: initializing tuf: updating local metadata and targets: creating cached local store: resource temporarily unavailable

The command passed by retrying.

Version

https://github.com/aquaproj/aqua/blob/d37dec79a9b96c85592eb24d69f9972cbd176f9a/pkg/cosign/version.go#L3

v1.13.1

environment

At the moment, this error occurs only in GitHub Actions ubuntu-latest. This error haven't occurred in my laptop.

How to reproduce

Run the following command, then it failed temporarily.

env COSIGN_EXPERIMENTAL=1 cosign verify-blob \
  --signature https://github.com/terraform-linters/tflint/releases/download/v0.43.0/checksums.txt.keyless.sig \
  --certificate https://github.com/terraform-linters/tflint/releases/download/v0.43.0/checksums.txt.pem \
  checksums.txt

assets: https://github.com/terraform-linters/tflint/releases/tag/v0.43.0