Describe the bug
The distroless image gcr.io/distroless/python3-debian11:debug is not signed with cosign.
To Reproduce
I ran this script:
#!/bin/bash
# Fetch the distroless signing public key and verify every tag of each image against it.
GOOGLE_COSIGN_PUB_KEY=google_cosign.pub
rm -rf cosign.pub
wget https://raw.githubusercontent.com/GoogleContainerTools/distroless/main/cosign.pub
mv cosign.pub "$GOOGLE_COSIGN_PUB_KEY"
GOOGLE_DISTROLESS_IMAGES='
gcr.io/distroless/python3-debian11'
TAGS='
latest
nonroot
debug
debug-nonroot'
# No `set -e` on purpose: a failed verification should not stop the remaining tags from being checked.
for IMAGE in $GOOGLE_DISTROLESS_IMAGES; do
    for TAG in $TAGS; do
        echo "Verifying $IMAGE:$TAG"
        cosign verify --key "$GOOGLE_COSIGN_PUB_KEY" "$IMAGE:$TAG"
        echo
    done
done
And this was the output:
--2022-11-13 17:12:17-- https://raw.githubusercontent.com/GoogleContainerTools/distroless/main/cosign.pub
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 185.199.109.133, 185.199.110.133, 185.199.111.133, ...
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|185.199.109.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 178 [text/plain]
Saving to: ‘cosign.pub’
cosign.pub 100%[===========================================================================>] 178 --.-KB/s in 0s
2022-11-13 17:12:17 (11.1 MB/s) - ‘cosign.pub’ saved [178/178]
Verifying gcr.io/distroless/python3-debian11:latest
Verification for gcr.io/distroless/python3-debian11:latest --
The following checks were performed on each of these signatures:
- The cosign claims were validated
- The signatures were verified against the specified public key
[{"critical":{"identity":{"docker-reference":"gcr.io/distroless/python3-debian11"},"image":{"docker-manifest-digest":"sha256:d78a749034380426dd6cec6a0db139459ca701630533ffce112adbcdd996fddd"},"type":"cosign container image signature"},"optional":null}]
Verifying gcr.io/distroless/python3-debian11:nonroot
Verification for gcr.io/distroless/python3-debian11:nonroot --
The following checks were performed on each of these signatures:
- The cosign claims were validated
- The signatures were verified against the specified public key
[{"critical":{"identity":{"docker-reference":"gcr.io/distroless/python3-debian11"},"image":{"docker-manifest-digest":"sha256:16a3e673c2138d1896a20664659c5d0d225be429fe374bb1d38a2a8a94a9b260"},"type":"cosign container image signature"},"optional":null}]
Verifying gcr.io/distroless/python3-debian11:debug
Error: no matching signatures:
main.go:62: error during command execution: no matching signatures:
Verifying gcr.io/distroless/python3-debian11:debug-nonroot
Verification for gcr.io/distroless/python3-debian11:debug-nonroot --
The following checks were performed on each of these signatures:
- The cosign claims were validated
- The signatures were verified against the specified public key
[{"critical":{"identity":{"docker-reference":"gcr.io/distroless/python3-debian11"},"image":{"docker-manifest-digest":"sha256:fa3db2ffa927c8ef3a71e91dcf2d0905cb38106167bace3bcba11c80f61405a3"},"type":"cosign container image signature"},"optional":null}]
Expected behavior
The signature for distroless/python3-debian11:debug should have been verified successfully.
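An added check, not part of this report or of the distroless project, that turns the per-tag output of `cosign verify` shown above into a pass/fail decision a pipeline can act on: it confirms the payload's docker-reference identity matches the repository that was asked for, extracts the digest so the image can be pinned, and reports the "no matching signatures" failure for the debug tag. The sample output is constructed from the report above; the function names are this example's own.

```python
import json

# Output of `cosign verify --key google_cosign.pub gcr.io/distroless/python3-debian11:<tag>`,
# constructed from the report above (a signed tag and the unsigned debug tag) so this runs offline.
SAMPLE_OUTPUT = {
    "latest": (
        '[{"critical":{"identity":{"docker-reference":"gcr.io/distroless/python3-debian11"},'
        '"image":{"docker-manifest-digest":"sha256:d78a749034380426dd6cec6a0db139459ca701630533ffce112adbcdd996fddd"},'
        '"type":"cosign container image signature"},"optional":null}]'
    ),
    "debug": "Error: no matching signatures:\n"
             "main.go:62: error during command execution: no matching signatures:",
}


def split_ref(ref):
    """Split 'registry/repo:tag' into (repo, tag) without touching a registry port's colon."""
    path, _, last = ref.rpartition("/")
    name, _, tag = last.partition(":")
    return (f"{path}/{name}" if path else name), (tag or "latest")


def parse_verify_output(ref, output):
    """Return (verified, pinned_refs, reason) for one cosign verify run on ref."""
    repo, _ = split_ref(ref)
    payload = None
    for line in output.splitlines():
        if line.startswith("["):  # the signature payload is the JSON array line
            try:
                payload = json.loads(line)
            except json.JSONDecodeError:
                return False, [], "unparseable signature payload"
            break
    if payload is None:  # cosign printed only an error; keep its first line as the reason
        first = output.strip().splitlines()[0] if output.strip() else "no output"
        return False, [], first.replace("Error: ", "", 1).strip(": ")
    pinned = []
    for entry in payload:
        critical = entry.get("critical", {})
        if critical.get("identity", {}).get("docker-reference") != repo:
            return False, [], "identity mismatch"
        if critical.get("type") != "cosign container image signature":
            return False, [], "unexpected payload type"
        pinned.append(repo + "@" + critical["image"]["docker-manifest-digest"])
    return bool(pinned), pinned, "ok" if pinned else "empty signature list"


def summarize(image, outputs):
    """Map each tag to its result so a pipeline can refuse to deploy unsigned tags."""
    return {tag: parse_verify_output(f"{image}:{tag}", out) for tag, out in outputs.items()}
```

Feed it the captured stdout and stderr of each `cosign verify` run; any tag whose result is not verified should block the deployment rather than just print an error.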