This repository has been archived by the owner on Nov 20, 2021. It is now read-only.

Fetching signatures with a .cosign extension #3

Closed
youssefazrak opened this issue May 18, 2021 · 4 comments · Fixed by #4

Comments

@youssefazrak
Contributor

I'm opening this one in this repo. It could be in the cosign repo though, but the admission-controller highlighted the issue in all cases.

When I sign a container, the signature is uploaded to the gcr registry with a .sig extension.
The manager is looking for a .cosign extension which leads to a failure and the image can't be deployed.

Workaround is to manually change the extension type of the signature to .cosign.

Logs below:

2021-05-18T10:16:01.728Z        INFO    setup   got keys        {"keys": [{"Curve":{"P":115792089210356248762697446949407573530086143415290314195533631308867097853951,"N":115792089210356248762697446949407573529996955224135760342422259061068512044369,"B":41058363725152142129326129780047268409114441015993725554835256314039467401291,"Gx":48439561293906451759052585252797914202762949526041747995844080717082404635286,"Gy":36134250956749795798585127919587881956611106672985015071877198253568414405109,"BitSize":256,"Name":"P-256"},"X":90267568229939487926866458760644303534802452132972563999067836130002425539829,"Y":14559034451613936683845461449964595690936525597393660688601444978229135211276}]}
2021-05-18T10:16:02.314Z        ERROR   setup   checking signatures     {"image": "http://eu.gcr.io/xyz/xyz:test-sign", "error": "GET https://eu.gcr.io/v2/xyz/xyz/manifests/sha256-9d2d8d6819138ddeb8407b5c1010f95fb63237fa7cf24522cce6982bdf9c8dfd.cosign: MANIFEST_UNKNOWN: Failed to fetch \"sha256-9d2d8d6819138ddeb8407b5c1010f95fb63237fa7cf24522cce6982bdf9c8dfd.cosign\" from request \"/v2/xyz/xyz/manifests/sha256-9d2d8d6819138ddeb8407b5c1010f95fb63237fa7cf24522cce6982bdf9c8dfd.cosign\"."}
@dlorenc
Owner

dlorenc commented May 18, 2021

Ah yes! We changed the specification in cosign as of the last release - .sig is correct now. Do you want to send a PR here to update?

@youssefazrak
Contributor Author

youssefazrak commented May 18, 2021

If I'm not mistaken this is happening at:
https://github.com/dlorenc/cosigned/blob/main/main.go#L122
https://github.com/sigstore/cosign/blob/main/pkg/cosign/verify.go#L153

If you have any pointers, I will take care of the PR, as I'm not finding this change you mention :)

@dlorenc
Owner

dlorenc commented May 19, 2021

Looks right! I think you might just have to update the version of cosign itself in the go.mod file

@youssefazrak
Contributor Author

Cheers, just saw that we are pointing to the 0.2.0 version.
Working on the PR now.

youssefazrak added a commit to youssefazrak/cosigned that referenced this issue May 19, 2021
PR sigstore/cosign#287 changed the signature
extension from .cosign to .sig.

As we are using Cosign:v0.2.0, the manager was not able anymore to fetch
signatures signed with latest version of Cosign.

Fixes: dlorenc#3

Signed-off-by: Youssef Azrak <yazrak.tech@gmail.com>
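
The mismatch discussed in this thread, as an added example that is not code from cosigned, cosign, or any participant: it derives the signature tag for an image digest and recognises the legacy-suffix failure in a registry error string like the one logged above. The function names are hypothetical, and the tag layout (`sha256-<hex>` plus suffix) is taken from the log line in the issue.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Suffixes from this issue: the manager (built against cosign v0.2.0) asks
// for ".cosign"; newer cosign releases upload ".sig".
const (
	legacySuffix  = ".cosign"
	currentSuffix = ".sig"
)

var (
	digestRe = regexp.MustCompile(`^sha256:[a-f0-9]{64}$`)
	tagRe    = regexp.MustCompile(`/manifests/(sha256-[a-f0-9]{64})(\.[a-z]+)`)
)

// SignatureTag maps "sha256:<hex>" to the signature tag "sha256-<hex><suffix>".
func SignatureTag(digest, suffix string) (string, error) {
	if !digestRe.MatchString(digest) {
		return "", fmt.Errorf("not a sha256 digest: %q", digest)
	}
	return strings.Replace(digest, ":", "-", 1) + suffix, nil
}

// DiagnoseLookup (hypothetical helper) reads a registry error string and
// returns the tag that was requested, the tag a current signer would have
// pushed, and whether the failure is the legacy-suffix mismatch.
func DiagnoseLookup(errMsg string) (asked, expected string, mismatch bool) {
	m := tagRe.FindStringSubmatch(errMsg)
	if m == nil || !strings.Contains(errMsg, "MANIFEST_UNKNOWN") {
		return "", "", false
	}
	return m[1] + m[2], m[1] + currentSuffix, m[2] == legacySuffix
}

func main() {
	// Error text shortened from the log line quoted in this issue.
	msg := "GET https://eu.gcr.io/v2/xyz/xyz/manifests/sha256-" +
		"9d2d8d6819138ddeb8407b5c1010f95fb63237fa7cf24522cce6982bdf9c8dfd" +
		".cosign: MANIFEST_UNKNOWN"
	asked, expected, mismatch := DiagnoseLookup(msg)
	fmt.Println(asked, expected, mismatch)
}
```

A `MANIFEST_UNKNOWN` for a `.sig` tag is reported with `mismatch == false`: in that case the verifier asked for the right tag and the image simply has no signature uploaded.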