Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

The verifierReports did not include signature digest #1454

Closed
1 task
yizha1 opened this issue May 7, 2024 · 2 comments
Closed
1 task

The verifierReports did not include signature digest #1454

yizha1 opened this issue May 7, 2024 · 2 comments
Labels
enhancement New feature or request triage Needs investigation

Comments

@yizha1
Copy link
Collaborator

yizha1 commented May 7, 2024

What would you like to be added?

The current verifierReports did not include the digest for a signature manifest. If an image has multiple signatures, it will be very hard to know which signature failed verification. It's better to show the digest of every OCI artifact that was verified, so that it can be correlated later for different purposes.

An example of current verifierReports in the Ratify logs:

  "verifierReports": [
    {
      "subject": "***.azurecr.io/fromado@sha256:9bd300b50747ff122cf5c2fb47f1e29a162604e85f37659cde09d6358221a1d4",
      "isSuccess": true,
      "name": "verifier-cosign",
      "type": "cosign",
      "message": "cosign verification success. valid signatures found. please refer to extensions field for verifications performed.",
      "extensions": {
        "signatures": [
          {
            "signature": "*****",
            "verifications": [
              {
                "isSuccess": false,
                "bundleVerified": false,
                "error": "crypto/rsa: verification error",
                "keyInformation": {
                  "provider": "keymanagementprovider-akv",
                  "name": "test-cosign",
                  "version": "849bc742cb674e0aa4cc5573e692209a"
                }
              }
            ]
          },
          {
            "signature": "*****",
            "verifications": [
              {
                "isSuccess": true,
                "bundleVerified": false,
                "keyInformation": {
                  "provider": "keymanagementprovider-akv",
                  "name": "test-cosign",
                  "version": "849bc742cb674e0aa4cc5573e692209a"
                }
              }
            ]
          }
        ]
      },
      "artifactType": "application/vnd.dev.cosign.artifact.sig.v1+json"
    }
  ]
} component-type=server go.version=go1.21.9 trace-id=d38178b1-7dd7-46c3-95d7-c3b57236b40d

Anything else you would like to add?

No response

Are you willing to submit PRs to contribute to this feature?

  • Yes, I am willing to implement it.
@yizha1 yizha1 added enhancement New feature or request triage Needs investigation labels May 7, 2024
@akashsinghal
Copy link
Collaborator

@yizha1 Can you provide an example scenario where each signature will have a different layer digest? From my testing, I notice that the payload that is signed does not change between various signatures. As a result, the signature digest stays the same. Discussion can be found here: #1381 (comment)

@binbin-li
Copy link
Collaborator

Per discussion in the community meeting, the digest is same across different cosign signatures. But we have unique signature hash in the report. Closing the issue.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement New feature or request triage Needs investigation
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@binbin-li @akashsinghal @yizha1