verify-attestation's type option cannot parse URI. #2158

Closed
otms61 opened this issue Aug 13, 2022 · 4 comments · Fixed by #2159
Labels
bug Something isn't working

Comments

@otms61
Contributor

otms61 commented Aug 13, 2022

Description

verify-attestation's help says that type can use a URI, but I got an error when I passed a URI.

--type string specify a predicate type (slsaprovenance|link|spdx|spdxjson|cyclonedx|vuln|custom) or an URI (default "custom")

$ COSIGN_EXPERIMENTAL=1 cosign verify-attestation  --type "https://example.com/TestResult/v1" otms61/test-custom-attest
Error: converting to consumable policy validation: invalid predicate type: https://example.com/TestResult/v1
main.go:62: error during command execution: converting to consumable policy validation: invalid predicate type: https://example.com/TestResult/v1

The default value (custom) for type is set after v1.10.1. We cannot leave the type unspecified as in the past.

So if we specify a URI when creating an attestation, we cannot verify it.

$ cat test-result.json
{"passed": true}

$ COSIGN_EXPERIMENTAL=1 cosign attest --type "https://example.com/TestResult/v1" --predicate test-result.json  otms61/test-custom-attest

Both specifying a URI and leaving it unspecified failed.

$ COSIGN_EXPERIMENTAL=1 cosign verify-attestation  --type "https://example.com/TestResult/v1" otms61/test-custom-attest
Error: converting to consumable policy validation: invalid predicate type: https://example.com/TestResult/v1
main.go:62: error during command execution: converting to consumable policy validation: invalid predicate type: https://example.com/TestResult/v1

$ COSIGN_EXPERIMENTAL=1 cosign verify-attestation  otms61/test-custom-attest
Error: none of the attestations matched the predicate type: custom
main.go:62: error during command execution: none of the attestations matched the predicate type: custom

Expectation

verify-attestation's type option can parse a URI.

Version

GitVersion:    v1.10.1
GitCommit:     a39ce91fadc582e0efce3321744a79ccd3c8b39c
GitTreeState:  clean
BuildDate:     2022-08-04T16:59:14Z
GoVersion:     go1.18.5
Compiler:      gc
Platform:      darwin/amd64
@otms61 otms61 added the bug Something isn't working label Aug 13, 2022
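An added Go sketch (not cosign's own code) of the two steps the report exercises: resolving the --type value so that both the short names from the help text and an arbitrary URI are accepted, and then filtering the image's in-toto statements by the resolved predicateType, which is where the "none of the attestations matched" error comes from when the default "custom" is used. The short-name table and its URI values are assumptions written from memory, not taken from the project.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
)

// Short names accepted by --type and the predicate URIs they stand for
// (assumed values, recalled from cosign's table; verify against the source).
var predicateTypeMap = map[string]string{
	"slsaprovenance": "https://slsa.dev/provenance/v0.2",
	"link":           "https://in-toto.io/Link/v1",
	"vuln":           "https://cosign.sigstore.dev/attestation/vuln/v1",
	"custom":         "https://cosign.sigstore.dev/attestation/v1",
}

// ParsePredicateType resolves --type: a known short name maps to its URI;
// anything else must itself be an absolute URI (scheme and host present).
func ParsePredicateType(s string) (string, error) {
	if uri, ok := predicateTypeMap[s]; ok {
		return uri, nil
	}
	if u, err := url.Parse(s); err == nil && u.Scheme != "" && u.Host != "" {
		return s, nil
	}
	return "", fmt.Errorf("invalid predicate type: %s", s)
}

// MatchingAttestations keeps the statements (in-toto Statement JSON) whose
// predicateType equals the resolved --type; no match is the report's second error.
func MatchingAttestations(typeOpt string, statements []string) ([]string, error) {
	want, err := ParsePredicateType(typeOpt)
	if err != nil {
		return nil, err
	}
	var out []string
	for _, raw := range statements {
		var st struct{ PredicateType string `json:"predicateType"` }
		if err := json.Unmarshal([]byte(raw), &st); err != nil {
			return nil, err
		}
		if st.PredicateType == want {
			out = append(out, raw)
		}
	}
	if len(out) == 0 {
		return nil, fmt.Errorf("none of the attestations matched the predicate type: %s", want)
	}
	return out, nil
}
```

With a constructed statement whose predicateType is https://example.com/TestResult/v1, passing that URI as --type matches it, while the default "custom" yields the same "none matched" error shown above.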
@chipzoller

+1, this is breaking some automation. The expectation is that cosign verify-attestation <image> returns all attestations for the image without specifying type.

@dlorenc
Member

dlorenc commented Aug 15, 2022

I haven't had time to double check the fix yet, @chipzoller can you confirm this works for you: #2159

@chipzoller

Not able to test this for a bit, sorry.

@chipzoller

chipzoller commented Aug 28, 2022

I'm still seeing, as of 1.11.1, that cosign verify-attestation is not returning all attestations as in the previous behavior. Was this a conscious design change in the command?
