
cosign attach command couldn't attach the rekor-bundle to an image #3678

Closed
ArubaTest opened this issue Apr 28, 2024 · 1 comment
Labels
bug Something isn't working

Comments

@ArubaTest

Description

My requirement is to copy signature from one docker registry location to another registry location, together with the image.

This is what I did for the signature file to achieve this goal:

  • Download the original signature by cosign download signature;
    $ cosign download signature <registry_location_A> > signature.raw
  • Parse the signature file into payload, signature, cert, bundle.json, etc;
    $ cat signature.raw | jq -rj .Payload | base64 -d > tmp/payload
    $ cat signature.raw | jq -rj .Base64Signature > tmp/signature
    $ cat signature.raw | jq -rj .Bundle > tmp/bundle.json
    $ cat tmp/bundle.json
    {
    "SignedEntryTimestamp": "MEUCICKgTYPZ78d1lRMeGZgOzKDzFt6QL8qoYPCdjU1FC0FFAiEA3l6r2g1B2TEZ5p4nQHvrNYSi5GdxYt6/CEF0JiUFahE=",
    "Payload": {
    "body": "eyJhcGlWZXJzaW9uIjoiMC4wLjEiLCJraW5kIjoiaGFzaGVkcmVrb3JkIiwic3......",
    "integratedTime": 1713602723,
    "logIndex": 35,
    "logID": "c4f66443a08e6b5d4f26bd984373c53a4420681df4e86d7eb60a5d7e36f9d5b7"
    }
    }
  • Then use the cosign attach signature command to try to attach the signature for the image in new location B;
    $ cosign attach signature --payload tmp/payload --signature tmp/signature --rekor-response tmp/bundle.json <registry_location_B>
  • Download the new signature from registry_location_B and I saw the Bundle was not attached successfully.
    $ cosign download signature <registry_location_A> > signature.new
    $ cat signature.new
    {"Base64Signature":"MEUCIHxJt0clf0aSiPdtEhjk0hHUSA7AXv3FU89rHU4ynYPaAiEAjCa0b0z3A9s5ycAGCu9SRa9XnPdXCWSM6iTsNH+6+g0=","Payload":"eyJjcml0aWNhbCI6eyJpZGVudGl0eSI6eyJkb2NrZXItcmVmZXJlbmNlIjoiOTg3NzgwNzA0OTc2LmRrci5lY3IudXMtd2VzdC0yLmFtYXpvbmF3cy5jb20vYXJ1YmFvcy9jb250YWluZXItbWFuYWdlciJ9LCJpbWFnZSI6eyJkb2NrZXItbWFuaWZlc3QtZGlnZXN0Ijoic2hhMjU2OjQ5ZTY4NGUzODZiOGI5MzViZTMwM2RhZGU3ZmIzYzg0MTk0OTBmNTVkYTZkMDU4MmU1ODdkZTIwNWMwYmFkZTQifSwidHlwZSI6ImNvc2lnbiBjb250YWluZXIgaW1hZ2Ugc2lnbmF0dXJlIn0sIm9wdGlvbmFsIjpudWxsfQ==","Cert":null,"Chain":null,"Bundle":null,"RFC3161Timestamp":null}

Version
cosign version: 2.2.4

Solution:
Cosign attach should attach the rekor-bundle if rekor-response flag is provided by the user.

Discussion at #3458
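Added here as a post-copy check, not code from the issue or from cosign: after re-downloading the signature from the destination registry, compare it with the original and flag anything a verifier would later miss (dropped Rekor bundle, changed signature bytes, or a payload whose manifest digest does not match the image that was copied). The registry name, digest, signature bytes and bundle values are constructed samples shaped like the `cosign download signature` output shown above.

```python
import base64
import json


def split_signature(raw: str) -> dict:
    """Split `cosign download signature` output the way the jq steps above do:
    decoded Simple Signing payload, base64 signature, and the Rekor bundle (or None)."""
    doc = json.loads(raw)
    return {
        "payload": json.loads(base64.b64decode(doc["Payload"])),
        "signature": doc["Base64Signature"],
        "bundle": doc.get("Bundle"),
    }


def check_copied_signature(source_raw: str, dest_raw: str, expected_digest: str) -> list:
    """Compare the signature re-downloaded from the destination with the original.
    An empty list means the copy kept everything verification needs."""
    src, dst = split_signature(source_raw), split_signature(dest_raw)
    findings = []
    src_digest = src["payload"]["critical"]["image"]["docker-manifest-digest"]
    dst_digest = dst["payload"]["critical"]["image"]["docker-manifest-digest"]
    if src_digest != expected_digest:
        findings.append("source payload digest does not match the image being copied")
    if dst_digest != src_digest:
        findings.append("destination payload digest differs from source")
    if dst["signature"] != src["signature"]:
        findings.append("signature bytes changed during copy")
    if src["bundle"] is not None and dst["bundle"] is None:
        findings.append("rekor bundle dropped (Bundle is null on destination)")
    elif src["bundle"] != dst["bundle"]:
        findings.append("rekor bundle differs from source")
    return findings


def make_signature(digest: str, bundle) -> str:
    """Constructed sample in the shape of `cosign download signature` output."""
    payload = {"critical": {"identity": {"docker-reference": "registry-a.example/team/app"},
                            "image": {"docker-manifest-digest": digest},
                            "type": "cosign container image signature"},
               "optional": None}
    return json.dumps({
        "Base64Signature": base64.b64encode(b"constructed-signature-bytes").decode(),
        "Payload": base64.b64encode(json.dumps(payload).encode()).decode(),
        "Cert": None, "Chain": None, "Bundle": bundle, "RFC3161Timestamp": None,
    })


DIGEST = "sha256:" + "ab" * 32  # constructed image digest
BUNDLE = {"SignedEntryTimestamp": "constructed-set", "Payload": {  # constructed bundle
    "body": "constructed-body", "integratedTime": 1713602723, "logIndex": 35,
    "logID": "constructed-log-id"}}
```

Running `check_copied_signature(original, redownloaded, digest)` against the two downloads in the report would return the "rekor bundle dropped" finding, which is exactly the symptom the issue describes.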

@ArubaTest ArubaTest added the bug Something isn't working label Apr 28, 2024
@haydentherapper
Contributor

Dup of #3458

Will try to circle back to this issue soon, sorry it's been open for awhile.

@haydentherapper haydentherapper closed this as not planned Won't fix, can't repro, duplicate, stale Apr 29, 2024