Issues with Signature Generation and Verification in cosign v2.4.0 #3980

Open
srinics opened this issue Dec 19, 2024 · 0 comments
Labels: enhancement (New feature or request)


srinics commented Dec 19, 2024

Description:

Hello,
I am facing two issues with cosign v2.4.0.
Issue 1: Signature Generation and Verification
Signature generation and verification are successful in Registry 1. I have a container image and used cosign to sign the image using the following command. I am using a PKCS11 module and an RSA 3072 key.

cosign sign --key "pkcs11:token=xxxx;slot-id=0001;id=%2e%10;object=test?module-path=/usr/lib/libedssp11.so&pin-value=xxx" --tlog-upload=false --output-signature=acb.sig --output-payload=acb.json $IMAGE_DIGEST

Signature generation is successful, and I can verify the signature using the following command:

cosign verify <image-with-repo-1-url>:<tag> --key <publickey.pem> --insecure-ignore-tlog=true --allow-insecure-registry
Verification for <image>:<tag>: The following checks were performed on each of these signatures:
The cosign claims were validated
The signatures were verified against the specified public key
[{"critical":{"identity":{"docker-reference":"image"},"image":{"docker-manifest-digest":"sha256:95157a044eeee7077e3bb0302a7da8c9838f6a489435cc90e4c775c93708aa98"},"type":"cosign container image signature"},"optional":{"Subject":""}}]

Saving Image from Registry 1

docker save <image-with-repo-1-url>:<tag> -o <image-name>.tar.gz
cosign download signature <image-with-repo-1-url>:<tag> --output <signature.json>

Importing Image to Registry 2
docker load -i <image-name>.tar.gz

Pushing the Image to Registry 2

docker tag <load-img-id> <image-with-repo-2-url>:<tag>
docker push <image-with-repo-2-url>:<tag>

Kindly note that Registry 2 is a local (http) registry.
Issue 1: Attaching Signature
I tried to attach the signature with the following command but encountered an issue:

cosign attach signature --allow-insecure-registry --payload '<signature.json>' <image-with-repo-2-url>:<tag>
Error: read .: is a directory
main.go:74: error during command execution: read .: is a directory

I was able to attach the signature using the following commands:

cat /tmp/acb2.json | jq '.Base64Signature' | sed -e 's#"##g' > signature.txt
cosign attach signature --allow-insecure-registry --payload '<signature.json>' --signature <signature.txt> :

Issue 2: Verification Failure
Verification of the signature is failing with the following command:

cosign verify <image-with-repo-2-url>:<tag> --key publickey.pem --insecure-ignore-tlog=true --allow-insecure-registry
Error: no matching signatures: crypto/rsa: verification error
main.go:69: error during command execution: no matching signatures: crypto/rsa: verification error

Can anyone help with any steps or missing parts in the flow? Kindly help.

Thanks,
Srini

@srinics srinics added the enhancement New feature or request label Dec 19, 2024
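Added example (not cosign's own code): a standard-library Go check that verifies a downloaded signature the way the flow above expects, signing a constructed payload with a throwaway key so it runs offline. It assumes cosign's RSA signatures are PKCS#1 v1.5 over SHA-256 and that the download output carries the signature in Base64Signature (the field the post's jq command reads) and the signed simple-signing JSON, base64-encoded, in Payload; the signature is over the decoded Payload bytes, so a payload that differs from what was signed (for example the whole download file passed as --payload) is one way to get the "no matching signatures: crypto/rsa: verification error" seen above.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// Fields of the (assumed) `cosign download signature` output used here; Payload is the base64 simple-signing JSON that was signed.
type downloadedSig struct {
	Base64Signature string `json:"Base64Signature"`
	Payload         string `json:"Payload"`
}
// verifyBytes checks an RSA PKCS#1 v1.5 signature over SHA-256(msg).
func verifyBytes(pub *rsa.PublicKey, msg, sig []byte) error {
	h := sha256.Sum256(msg)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig)
}
// verifyDownloaded decodes the wrapper and verifies over the decoded payload (cosign then checks the digest claim).
func verifyDownloaded(pub *rsa.PublicKey, wrapper []byte) ([]byte, error) {
	var w downloadedSig
	if err := json.Unmarshal(wrapper, &w); err != nil {
		return nil, fmt.Errorf("parse wrapper: %w", err)
	}
	payload, perr := base64.StdEncoding.DecodeString(w.Payload)
	sig, serr := base64.StdEncoding.DecodeString(w.Base64Signature)
	if perr != nil || serr != nil {
		return nil, fmt.Errorf("bad base64 in wrapper: %v %v", perr, serr)
	}
	if err := verifyBytes(pub, payload, sig); err != nil {
		return nil, fmt.Errorf("no matching signatures: %w", err) // the error text in the post
	}
	return payload, nil
}
// makeWrapper signs a constructed simple-signing payload for digest and returns the
// wrapper JSON plus the raw payload bytes (constructed sample input, not a real image).
func makeWrapper(key *rsa.PrivateKey, digest string) (wrapper, payload []byte, err error) {
	payload = []byte(fmt.Sprintf(`{"critical":{"identity":{"docker-reference":"image"},"image":{"docker-manifest-digest":%q},"type":"cosign container image signature"},"optional":{"Subject":""}}`, digest))
	h := sha256.Sum256(payload)
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, h[:])
	if err != nil {
		return nil, nil, err
	}
	wrapper, err = json.Marshal(downloadedSig{base64.StdEncoding.EncodeToString(sig), base64.StdEncoding.EncodeToString(payload)})
	return wrapper, payload, err
}
```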