Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Container image verification failed #1031

Open
JanetZhouJ opened this issue Sep 6, 2024 · 2 comments
Open

Container image verification failed #1031

JanetZhouJ opened this issue Sep 6, 2024 · 2 comments
Labels
bug Something isn't working

Comments

@JanetZhouJ
Copy link

What is not working as expected?

When verifying the signed container image with notation I am getting the error

What did you expect to happen?

I just test notation for a new build image and it work error and the reason describe is mismatch Content-Length, but I check nginx for harbor, it has not error and the request code is 200, so what means about mismatch Content-Length

How can we reproduce it?

First notation cert generate-test --default "registry-ops.cokutau.com"
notation sign --signature-format cose registry-ops.cokutau.com/dev-pjcxa/botstudio:20240906_152011 --- it works goods

notation ls registry-ops.cokutau.com/dev-pjcxa/botstudio:20240906_152011
registry-ops.cokutau.com/dev-pjcxa/botstudio@sha256:a76d65b5dc0012652c3bf216da300edc6719902b25732de6a465f536e96be030
└── application/vnd.cncf.notary.signature
└── sha256:c5902769d1f3414e4a388c25aa9f981564cf18f6d53962d268091d9e5183a49a

notation verify registry-ops.cokutau.com/dev-pjcxa/botstudio:20240906_152011 -v -- it work errors
INFO Allowed to access the referrers API, fallback if not supported
INFO Reference 20240906_152011 resolved to manifest descriptor: {MediaType:application/vnd.docker.distribution.manifest.v2+json Digest:sha256:a76d65b5dc0012652c3bf216da300edc6719902b25732de6a465f536e96be030 Size:1786 URLs:[] Annotations:map[] Data:[] Platform: ArtifactType:}
Warning: Always verify the artifact using digest(@sha256:...) rather than a tag(:20240906_152011) because resolved digest may not point to the same signed artifact, as tags are mutable.
INFO Checking whether signature verification should be skipped or not
INFO Trust policy configuration: &{Name:registry-ops.cokutau.com RegistryScopes:[] SignatureVerification:{VerificationLevel:strict Override:map[] VerifyTimestamp:} TrustStores:[ca:registry-ops.cokutau.com] TrustedIdentities:[]}
INFO Check over. Trust policy is not configured to skip signature verification
INFO Processing signature with manifest mediaType: application/vnd.oci.image.manifest.v1+json and digest: sha256:c5902769d1f3414e4a388c25aa9f981564cf18f6d53962d268091d9e5183a49a
Error: signature verification failed: unable to retrieve digital signature with digest "sha256:c5902769d1f3414e4a388c25aa9f981564cf18f6d53962d268091d9e5183a49a" associated with "registry-ops.cokutau.com/dev-pjcxa/botstudio@sha256:a76d65b5dc0012652c3bf216da300edc6719902b25732de6a465f536e96be030" from the Repository, error : GET "https://registry-ops.cokutau.com/v2/dev-pjcxa/botstudio/manifests/sha256:c5902769d1f3414e4a388c25aa9f981564cf18f6d53962d268091d9e5183a49a": mismatch Content-Length

Describe your environment

root@1b81bd31a2ce:/tmp# uname -a
Linux 1b81bd31a2ce 5.14.0-427.13.1.el9_4.x86_64 #1 SMP PREEMPT_DYNAMIC Tue Apr 30 18:22:29 EDT 2024 x86_64 GNU/Linux
I use wget notation_$NOTATION_VERSION_linux_amd64.tar.gz and tar > /usr/local/bin/notation to use

What is the version of your Notation CLI or Notation Library?

Version: 1.2.0
Go version: go1.23.0
Git commit: 4700ad6

@FeynmanZhou
Copy link
Member

FeynmanZhou commented Sep 10, 2024

Hi @JanetZhouJ ,

To troubleshoot the verification issue, can you please share the manifest metadata of your signed image? Maybe you can use ORAS tool to get the manifest metadata:

oras manifest fetch registry-ops.cokutau.com/dev-pjcxa/botstudio:20240906_152011

@FeynmanZhou FeynmanZhou removed the triage Need to triage label Oct 8, 2024
@yizha1
Copy link
Contributor

yizha1 commented Nov 25, 2024

@JanetZhouJ do you have any updates on this issue?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug Something isn't working
Projects
Status: Todo
Development

No branches or pull requests

3 participants