
Issues with Signature Generation and Verification in cosign v2.4.0 #3980

Open
srinics opened this issue Dec 19, 2024 · 0 comments
Labels
enhancement New feature or request

Comments
srinics commented Dec 19, 2024

Description:

Hello,
I am facing two issues with cosign v2.4.0.
Issue 1: Signature Generation and Verification
Signature generation and verification are successful in Registry 1. I have a container image and used cosign to sign the image using the following command. I am using a PKCS11 module and an RSA 3072 key.

cosign sign --key "pkcs11:token=xxxx;slot-id=0001;id=%2e%10;object=test?module-path=/usr/lib/libedssp11.so&pin-value=xxx" --tlog-upload=false --output-signature=acb.sig --output-payload=acb.json $IMAGE_DIGEST

Signature generation is successful, and I can verify the signature using the following command:

cosign verify <image-with-repo-1-url>:<tag> --key <publickey.pem> --insecure-ignore-tlog=true --allow-insecure-registry
Verification for <image>:<tag>: The following checks were performed on each of these signatures:
The cosign claims were validated
The signatures were verified against the specified public key
[{"critical":{"identity":{"docker-reference":"image"},"image":{"docker-manifest-digest":"sha256:95157a044eeee7077e3bb0302a7da8c9838f6a489435cc90e4c775c93708aa98"},"type":"cosign container image signature"},"optional":{"Subject":""}}]

Saving Image from Registry 1

docker save <image-with-repo-1-url>:<tag> -o <image-name>.tar.gz
cosign download signature <image-with-repo-1-url>:<tag> --output <signature.json>

Importing Image to Registry 2
docker load -i <image-name>.tar.gz

Pushing the Image to Registry 2

docker tag <load-img-id> <image-with-repo-2-url>:<tag>
docker push <image-with-repo-2-url>:<tag>

Kindly note that Registry 2 is a local (http) registry.
Issue 1: Attaching Signature
I tried to attach the signature with the following command but encountered an issue:

cosign attach signature --allow-insecure-registry --payload '<signature.json>' <image-with-repo-2-url>:<tag>
Error: read .: is a directory
main.go:74: error during command execution: read .: is a directory

I was able to attach the signature using the following commands:

cat /tmp/acb2.json | jq '.Base64Signature' | sed -e 's#"##g' > signature.txt
cosign attach signature --allow-insecure-registry --payload '<signature.json>' --signature <signature.txt> :

Issue 2: Verification Failure
Verification of the signature is failing with the following command:

cosign verify <image-with-repo-2-url>:<tag> --key publickey.pem --insecure-ignore-tlog=true --allow-insecure-registry
Error: no matching signatures: crypto/rsa: verification error
main.go:69: error during command execution: no matching signatures: crypto/rsa: verification error

Can anyone help with any steps or missing parts in the flow? Kindly help.

Thanks,
Srini

@srinics srinics added the enhancement New feature or request label Dec 19, 2024
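A worked illustration of what a key-only `cosign verify` has to check before it can succeed on the re-pushed image. This is example code added to the page, not code from cosign or from the issue author. It assumes the `cosign download signature` file has `Base64Signature` and `Payload` fields (with `Payload` base64-encoded, as the `jq` step in the post suggests) and that cosign signs with an RSA key using PKCS#1 v1.5 over SHA-256; the digest is the one printed in the verify output above, the key pair is generated in place, and `sha256:deadbeef` is a constructed placeholder for "some other image".

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// SampleDigest is the manifest digest shown in the verify output in the post.
const SampleDigest = "sha256:95157a044eeee7077e3bb0302a7da8c9838f6a489435cc90e4c775c93708aa98"

// SignedPayload models the two fields of the `cosign download signature` file
// used here (field names assumed from that output; encoding/json base64-encodes
// the []byte Payload, which is why the file shows a base64 blob).
type SignedPayload struct {
	Base64Signature string `json:"Base64Signature"`
	Payload         []byte `json:"Payload"`
}

// simpleSigning is the part of the signed payload that binds it to one image digest.
type simpleSigning struct {
	Critical struct {
		Identity struct {
			DockerReference string `json:"docker-reference"`
		} `json:"identity"`
		Image struct {
			DockerManifestDigest string `json:"docker-manifest-digest"`
		} `json:"image"`
		Type string `json:"type"`
	} `json:"critical"`
	Optional map[string]interface{} `json:"optional"`
}

// BuildSample constructs a payload for SampleDigest, signs it with a fresh RSA
// key (PKCS#1 v1.5 over SHA-256, assumed to be cosign's default for RSA keys)
// and returns the public key plus the JSON envelope as `download signature` writes it.
func BuildSample() (*rsa.PublicKey, []byte, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048) // 3072 in the issue; 2048 keeps the example fast
	if err != nil {
		return nil, nil, err
	}
	var ss simpleSigning
	ss.Critical.Identity.DockerReference = "image"
	ss.Critical.Image.DockerManifestDigest = SampleDigest
	ss.Critical.Type = "cosign container image signature"
	ss.Optional = map[string]interface{}{"Subject": ""}
	payload, err := json.Marshal(ss)
	if err != nil {
		return nil, nil, err
	}
	h := sha256.Sum256(payload)
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:])
	if err != nil {
		return nil, nil, err
	}
	env, err := json.Marshal(SignedPayload{
		Base64Signature: base64.StdEncoding.EncodeToString(sig),
		Payload:         payload,
	})
	return &priv.PublicKey, env, err
}

// VerifyDownloaded mirrors the two checks a key-only verify performs: the RSA
// signature over the DECODED Payload bytes, then the digest claim inside them.
func VerifyDownloaded(pub *rsa.PublicKey, envelope []byte, imageDigest string) error {
	var sp SignedPayload
	if err := json.Unmarshal(envelope, &sp); err != nil {
		return fmt.Errorf("parse envelope: %w", err)
	}
	sig, err := base64.StdEncoding.DecodeString(sp.Base64Signature)
	if err != nil {
		return fmt.Errorf("decode signature: %w", err)
	}
	h := sha256.Sum256(sp.Payload)
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig); err != nil {
		return err // this is the "crypto/rsa: verification error" from the post
	}
	var ss simpleSigning
	if err := json.Unmarshal(sp.Payload, &ss); err != nil {
		return fmt.Errorf("parse payload: %w", err)
	}
	if ss.Critical.Image.DockerManifestDigest != imageDigest {
		return fmt.Errorf("claim mismatch: signature is over %s, image is %s",
			ss.Critical.Image.DockerManifestDigest, imageDigest)
	}
	return nil
}

// VerifyWrongBytes shows what happens if the whole download file is attached as
// the payload: the signature is checked over the envelope JSON instead of the
// decoded Payload, so RSA verification fails even though the key is correct.
func VerifyWrongBytes(pub *rsa.PublicKey, envelope []byte) error {
	var sp SignedPayload
	if err := json.Unmarshal(envelope, &sp); err != nil {
		return err
	}
	sig, _ := base64.StdEncoding.DecodeString(sp.Base64Signature)
	h := sha256.Sum256(envelope)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig)
}

func main() {
	pub, env, err := BuildSample()
	if err != nil {
		panic(err)
	}
	fmt.Println("decoded payload, right digest:", VerifyDownloaded(pub, env, SampleDigest))
	fmt.Println("decoded payload, other digest:", VerifyDownloaded(pub, env, "sha256:deadbeef"))
	fmt.Println("envelope bytes as payload:    ", VerifyWrongBytes(pub, env))
}
```

The three outcomes separate the two things that can go wrong when a signature is carried to another registry by hand. A digest that changed between `docker save` and `docker push` shows up as a claim mismatch; an RSA `verification error` means the bytes attached with `--payload` are not the bytes the key signed, so the first thing to compare is the file passed to `--payload` against the base64-decoded `Payload` field of the downloaded signature file.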