Error in offline validation when using additional annotations #4024

Open
cck1860 opened this issue Jan 29, 2025 · 0 comments
Labels
bug Something isn't working

Comments

cck1860 commented Jan 29, 2025

Description

When using annotations, I am able to validate them by using the signature stored in the registry, but not when using the offline validation capability.

To be able to recreate it, these are the tasks I did:

cosign sign --upload=false --key awskms:///arn:aws:kms:eu-west-3:xxxxxx:alias/cosign-key -a appname=myapp --output-signature=mysig1.sig xxx/yyy:latest

cosign verify -a appname=myapp --key cosign.pub --signature mysig1.sig xxx/yyy:latest

I'm getting the following error message:
WARNING: using obsolete implied signature payload data (with digested reference index.docker.io/xxx/bla@sha256:db071ebcec3e74bfb9a6e0358a233f7b4cc38585d3201239b9239d2e287d7e9a); specify it explicitly with --payload instead
Error: no matching signatures: searching log query: [POST /api/v1/log/entries/retrieve][400] searchLogQueryBadRequest &{Code:400 Message:verifying signature: crypto/rsa: verification error}
main.go:69: error during command execution: no matching signatures: searching log query: [POST /api/v1/log/entries/retrieve][400] searchLogQueryBadRequest &{Code:400 Message:verifying signature: crypto/rsa: verification error}

When doing the validation online, without having specified --upload=false, or when not specifying any annotation and then doing the offline validation using --signature=mysig1.sig, the validation is successful.

I am not sure if this is actually a bug, but when reading the documentation, my expectation is that cosign verify -a appname=myapp --key cosign.pub --signature mysig1.sig xxx/yyy:latest should work in general.

Version

cosign: A tool for Container Signing, Verification and Storage in an OCI registry.

GitVersion: 2.4.1
GitCommit: 9a4cfe1
GitTreeState: "clean"
BuildDate: 2024-10-03T17:01:50Z
GoVersion: go1.23.2
Compiler: gc
Platform: darwin/arm64

@cck1860 cck1860 added the bug Something isn't working label Jan 29, 2025
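The warning in the error output above says cosign fell back to an "implied" signature payload rebuilt from the digested reference and suggests passing the real one with --payload. The following Go program is an added example, not cosign's code, that shows the mechanism behind such a warning: a detached signature only verifies against the exact bytes that were signed, so a verifier that reconstructs the payload without the annotations checks different bytes and gets "crypto/rsa: verification error". It does not claim this is the cause of the reported failure. Assumptions: the payload struct is modeled on the cosign SimpleSigning layout (critical/optional), RSA PKCS#1 v1.5 over SHA-256 stands in for whatever the KMS-backed signer uses, the key is a throwaway generated at runtime, and the reference and digest are the placeholders from the report.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// SimpleSigning mirrors the layout of the cosign signature payload
// ("critical" identity/image/type plus an "optional" map). Annotations
// given with -a at signing time are carried in Optional. This struct is
// an illustration, not cosign's own type.
type SimpleSigning struct {
	Critical struct {
		Identity struct {
			DockerReference string `json:"docker-reference"`
		} `json:"identity"`
		Image struct {
			DockerManifestDigest string `json:"docker-manifest-digest"`
		} `json:"image"`
		Type string `json:"type"`
	} `json:"critical"`
	Optional map[string]interface{} `json:"optional"`
}

// BuildPayload produces the exact bytes that get signed.
func BuildPayload(ref, digest string, annotations map[string]interface{}) ([]byte, error) {
	var p SimpleSigning
	p.Critical.Identity.DockerReference = ref
	p.Critical.Image.DockerManifestDigest = digest
	p.Critical.Type = "cosign container image signature"
	p.Optional = annotations
	return json.Marshal(p)
}

// Sign hashes the payload with SHA-256 and signs it with RSA PKCS#1 v1.5,
// used here as a stand-in for the KMS-backed signer in the report.
func Sign(priv *rsa.PrivateKey, payload []byte) ([]byte, error) {
	digest := sha256.Sum256(payload)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
}

// Verify checks a detached signature against a candidate payload.
func Verify(pub *rsa.PublicKey, payload, sig []byte) error {
	digest := sha256.Sum256(payload)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig)
}

// RunDemo signs a payload carrying the appname annotation, then verifies the
// signature twice: against the original bytes and against a payload rebuilt
// from the digested reference alone (no annotations), which is what an
// "implied signature payload" amounts to. It reports whether each check
// passed and the error text from the second one.
func RunDemo() (originalOK bool, impliedOK bool, impliedErr string, err error) {
	// Throwaway key generated at runtime; stands in for the KMS key.
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, "", err
	}
	// Placeholders taken from the report.
	ref := "index.docker.io/xxx/yyy"
	digest := "sha256:db071ebcec3e74bfb9a6e0358a233f7b4cc38585d3201239b9239d2e287d7e9a"

	signed, err := BuildPayload(ref, digest, map[string]interface{}{"appname": "myapp"})
	if err != nil {
		return false, false, "", err
	}
	sig, err := Sign(priv, signed)
	if err != nil {
		return false, false, "", err
	}

	originalOK = Verify(&priv.PublicKey, signed, sig) == nil

	implied, err := BuildPayload(ref, digest, nil)
	if err != nil {
		return false, false, "", err
	}
	if e := Verify(&priv.PublicKey, implied, sig); e != nil {
		impliedErr = e.Error()
	} else {
		impliedOK = true
	}
	return originalOK, impliedOK, impliedErr, nil
}

func main() {
	originalOK, impliedOK, impliedErr, err := RunDemo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("verify against signed payload:  %v\n", originalOK)
	fmt.Printf("verify against implied payload: %v (%s)\n", impliedOK, impliedErr)
}
```

Running it prints true for the original payload and false for the reconstructed one, with the same "crypto/rsa: verification error" text that appears in the report. The practical check on the cosign side is to keep the payload that was produced at signing time next to the detached signature and hand both to the verifier, rather than letting it guess the payload from the reference.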