Pluto's cosign checksum verification for releases is broken

[NickVCBS]

What happened?

Following the guide to verify signed FairwindOps releases for pluto with cosign, I was unable to verify the signatures in the public transparency log provided by Sigstore.

What did you expect to happen?

I expected the signatures to be found

How can we reproduce this?

Below are the steps I took to try and reproduce the issue

❯ wget "https://github.com/FairwindsOps/pluto/releases/download/v5.15.0/checksums.txt" \
  "https://github.com/FairwindsOps/pluto/releases/download/v5.15.0/checksums.txt.sig" \
  "https://github.com/FairwindsOps/pluto/releases/download/v5.15.0/pluto_5.15.0_darwin_amd64.tar.gz"

❯ pwd
/tmp/pluto

❯ ll
total 24992
-rw-r--r--  1   wheel   990B Feb 22 16:09 checksums.txt
-rw-r--r--  1   wheel   184B Feb 22 16:08 checksums.txt.sig
-rw-r--r--  1   wheel    12M Feb 22 16:08 pluto_5.15.0_darwin_amd64.tar.gz

❯ cosign verify-blob checksums.txt --signature=checksums.txt.sig  --key https://artifacts.fairwinds.com/cosign.pub
Error: verifying blob [checksums.txt]: signature not found in transparency log
main.go:74: error during command execution: verifying blob [checksums.txt]: signature not found in transparency log

Version

5.15.0

Search

• [X] I did search for other open and closed issues before opening this.

Code of Conduct

• [X] I agree to follow this project's Code of Conduct

Additional context

Writing a tool to fetch specific pluto binary version and want to verify the signature of every download.

[NickVCBS]

I could very well be doing something wrong in the process of verifying so I'm sorry in advance :)

[sudermanjr]

No worries! I think you'll need to download the signature and the txt file:

home/Downloads
▶ cosign verify-blob checksums.txt --signature=checksums.txt.sig  --key https://artifacts.fairwinds.com/cosign.pub
Verified OK
home/Downloads
▶ ls checksum*
checksums.txt           checksums.txt.sig

[NickVCBS]

@sudermanjr Hmm, would they by chance need to be absolute paths to both files?

[sudermanjr]

If they're in a separate directory, I would guess you would need two absolute paths. I really haven't tried it though.

[sudermanjr]

Yeah, seems like it. Here's from another directory. Note the use of = seems to mess it up a bit too. Probably need some quotes somewhere to make that work

▶ cosign verify-blob ~/Downloads/checksums.txt --signature=checksums.txt.sig  --key https://artifacts.fairwinds.com/cosign.pub
Error: verifying blob [/Users/asuderma/Downloads/checksums.txt]: invalid signature when validating ASN.1 encoded signature
main.go:62: error during command execution: verifying blob [/Users/asuderma/Downloads/checksums.txt]: invalid signature when validating ASN.1 encoded signature
home
✗ cosign verify-blob ~/Downloads/checksums.txt --signature=~/Downloads/checksums.txt.sig  --key https://artifacts.fairwinds.com/cosign.pub
Error: verifying blob [/Users/asuderma/Downloads/checksums.txt]: invalid signature when validating ASN.1 encoded signature
main.go:62: error during command execution: verifying blob [/Users/asuderma/Downloads/checksums.txt]: invalid signature when validating ASN.1 encoded signature
home
✗ cosign verify-blob ~/Downloads/checksums.txt --signature ~/Downloads/checksums.txt.sig  --key https://artifacts.fairwinds.com/cosign.pub
Verified OK

[NickVCBS]

Hmm, I'm still unable to verify with everything installed in the same directory even with absolute path reference

❯ ls -l
total 24992
-rw-r--r--  1 nick  wheel       990 Feb 22 16:09 checksums.txt
-rw-r--r--  1 nick  wheel       184 Feb 22 16:08 checksums.txt.sig
-rw-r--r--  1 nick  wheel   12318986 Feb 22 16:08 pluto_5.15.0_darwin_amd64.tar.gz

# Relative
❯ cosign verify-blob checksums.txt --signature=checksums.txt.sig  --key https://artifacts.fairwinds.com/cosign.pub
Error: verifying blob [checksums.txt]: signature not found in transparency log
main.go:74: error during command execution: verifying blob [checksums.txt]: signature not found in transparency log

# Absolute path
❯ cosign verify-blob /tmp/pluto/checksums.txt --signature=/tmp/pluto/checksums.txt.sig  --key https://artifacts.fairwinds.com/cosign.pub
Error: verifying blob [/tmp/pluto/checksums.txt]: signature not found in transparency log
main.go:74: error during command execution: verifying blob [/tmp/pluto/checksums.txt]: signature not found in transparency log

Here's my cosign version

  ______   ______        _______. __    _______ .__   __.
 /      | /  __  \      /       ||  |  /  _____||  \ |  |
|  ,----'|  |  |  |    |   (----`|  | |  |  __  |   \|  |
|  |     |  |  |  |     \   \    |  | |  | |_ | |  . `  |
|  `----.|  `--'  | .----)   |   |  | |  |__| | |  |\   |
 \______| \______/  |_______/    |__|  \______| |__| \__|
cosign: A tool for Container Signing, Verification and Storage in an OCI registry.

GitVersion:    2.0.0
GitCommit:     d6b9001f8e6ed745fb845849d623274c897d55f2
GitTreeState:  "clean"
BuildDate:     2023-02-23T19:26:35Z
GoVersion:     go1.20.1
Compiler:      gc
Platform:      darwin/amd64

Out of curiosity, what version of cosign are you using?

[sudermanjr]

Looks like i'm still on a 1.x version. I haven't tried out 2.x yet.

GitVersion:    v1.13.1
GitCommit:     d1c6336475b4be26bb7fb52d97f56ea0a1767f9f
GitTreeState:  clean
BuildDate:     2022-10-17T18:00:05Z
GoVersion:     go1.19.2
Compiler:      gc
Platform:      darwin/arm64

[sudermanjr]

I can confirm that updating to 2.0.0 breaks this. Not sure what the major change was.

✗ cosign verify-blob checksums.txt --signature=checksums.txt.sig  --key https://artifacts.fairwinds.com/cosign.pub
Error: verifying blob [checksums.txt]: signature not found in transparency log
main.go:74: error during command execution: verifying blob [checksums.txt]: signature not found in transparency log

[sudermanjr]

Looks like we will need to look into setting up a transparency log. Right now, you can use 2.0.0 to validate using the flag --insecure-ignore-tlog

[NickVCBS]

@sudermanjr Awesome, that will suffice for the time being. Thanks for looking into this 👍