GoogleContainerTools / distroless

🥑 Language focused docker images, minus the operating system.
Apache License 2.0

distroless/python3-debian11:debug is not signed with cosign #1177

Open griggheo opened 1 year ago

griggheo commented 1 year ago

Describe the bug
The distroless image gcr.io/distroless/python3-debian11:debug is not signed with cosign.

To Reproduce
I ran this script:

#!/bin/bash
# Fetch the distroless cosign public key from the repository and run
# `cosign verify` against every tag of every listed image.

GOOGLE_COSIGN_PUB_KEY=google_cosign.pub
rm -rf cosign.pub
wget https://raw.githubusercontent.com/GoogleContainerTools/distroless/main/cosign.pub
mv cosign.pub "$GOOGLE_COSIGN_PUB_KEY"

GOOGLE_DISTROLESS_IMAGES='
gcr.io/distroless/python3-debian11'

TAGS='
latest
nonroot
debug
debug-nonroot'

for IMAGE in $GOOGLE_DISTROLESS_IMAGES; do
    for TAG in $TAGS; do
        echo "Verifying $IMAGE:$TAG"
        # Deliberately no exit-on-error: keep going so every tag's result is shown.
        cosign verify --key "$GOOGLE_COSIGN_PUB_KEY" "$IMAGE:$TAG"
        echo
    done
done

And this was the output:

--2022-11-13 17:12:17--  https://raw.githubusercontent.com/GoogleContainerTools/distroless/main/cosign.pub
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 185.199.109.133, 185.199.110.133, 185.199.111.133, ...
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|185.199.109.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 178 [text/plain]
Saving to: ‘cosign.pub’

cosign.pub                             100%[===========================================================================>]     178  --.-KB/s    in 0s      

2022-11-13 17:12:17 (11.1 MB/s) - ‘cosign.pub’ saved [178/178]

Verifying gcr.io/distroless/python3-debian11:latest

Verification for gcr.io/distroless/python3-debian11:latest --
The following checks were performed on each of these signatures:
  - The cosign claims were validated
  - The signatures were verified against the specified public key

[{"critical":{"identity":{"docker-reference":"gcr.io/distroless/python3-debian11"},"image":{"docker-manifest-digest":"sha256:d78a749034380426dd6cec6a0db139459ca701630533ffce112adbcdd996fddd"},"type":"cosign container image signature"},"optional":null}]

Verifying gcr.io/distroless/python3-debian11:nonroot

Verification for gcr.io/distroless/python3-debian11:nonroot --
The following checks were performed on each of these signatures:
  - The cosign claims were validated
  - The signatures were verified against the specified public key

[{"critical":{"identity":{"docker-reference":"gcr.io/distroless/python3-debian11"},"image":{"docker-manifest-digest":"sha256:16a3e673c2138d1896a20664659c5d0d225be429fe374bb1d38a2a8a94a9b260"},"type":"cosign container image signature"},"optional":null}]

Verifying gcr.io/distroless/python3-debian11:debug
Error: no matching signatures:

main.go:62: error during command execution: no matching signatures:

Verifying gcr.io/distroless/python3-debian11:debug-nonroot

Verification for gcr.io/distroless/python3-debian11:debug-nonroot --
The following checks were performed on each of these signatures:
  - The cosign claims were validated
  - The signatures were verified against the specified public key

[{"critical":{"identity":{"docker-reference":"gcr.io/distroless/python3-debian11"},"image":{"docker-manifest-digest":"sha256:fa3db2ffa927c8ef3a71e91dcf2d0905cb38106167bace3bcba11c80f61405a3"},"type":"cosign container image signature"},"optional":null}]

Expected behavior
The signature for distroless/python3-debian11:debug should have been verified successfully.
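Two checks a practitioner would want next to the script above, as an added example that is not code from this issue or from the distroless project: verify against the manifest digest a tag currently resolves to rather than the mutable tag, and confirm that the payloads `cosign verify` prints actually name that digest and repository. The sample payload is the one printed above for `:latest`; the second digest is constructed to stand in for a tag that was re-pushed after it was signed. The `sha256-<hex>.sig` tag is where cosign stores a signature object in the image's own repository; fetching that tag directly (for example with `crane manifest`) tells you whether a signature object exists at all, which the message "no matching signatures" does not.

```python
"""Helpers around `cosign verify` output: pin verification to the resolved
manifest digest and name the registry tag where cosign keeps the signature."""
import json
from typing import List

REPO = "gcr.io/distroless/python3-debian11"
# Payload printed by `cosign verify` for python3-debian11:latest in the issue.
LATEST_PAYLOAD = (
    '[{"critical":{"identity":{"docker-reference":"gcr.io/distroless/python3-debian11"},'
    '"image":{"docker-manifest-digest":'
    '"sha256:d78a749034380426dd6cec6a0db139459ca701630533ffce112adbcdd996fddd"},'
    '"type":"cosign container image signature"},"optional":null}]'
)
LATEST_DIGEST = "sha256:d78a749034380426dd6cec6a0db139459ca701630533ffce112adbcdd996fddd"
# Constructed digest standing in for a tag that was re-pushed after signing.
OTHER_DIGEST = "sha256:" + "ab" * 32


def parse_digest(digest: str) -> str:
    """Validate a 'sha256:<64 hex>' manifest digest and return the hex part."""
    algo, sep, hexpart = digest.partition(":")
    if not sep or algo != "sha256" or len(hexpart) != 64 or any(
        c not in "0123456789abcdef" for c in hexpart
    ):
        raise ValueError(f"not a sha256 manifest digest: {digest!r}")
    return hexpart


def signature_ref(repo: str, digest: str) -> str:
    """Reference of the cosign signature object for an image digest.

    cosign stores the signature in the same repository under the tag
    'sha256-<hex>.sig'; fetch it to see whether a signature exists at all."""
    return f"{repo}:sha256-{parse_digest(digest)}.sig"


def pinned_verify_command(repo: str, digest: str, key: str) -> List[str]:
    """Argument vector that verifies by digest instead of by mutable tag."""
    parse_digest(digest)
    return ["cosign", "verify", "--key", key, f"{repo}@{digest}"]


def check_payloads(payload_json: str, repo: str, digest: str) -> List[str]:
    """Compare every signature payload cosign printed with what we asked for.

    Returns a list of problems; an empty list means each signature names our
    repository and the exact manifest digest we resolved, i.e. the signed
    image is the image we are about to run."""
    problems: List[str] = []
    payloads = json.loads(payload_json)
    if not payloads:
        return ["cosign printed no signature payloads"]
    for i, payload in enumerate(payloads):
        critical = payload.get("critical", {})
        kind = critical.get("type")
        ref = critical.get("identity", {}).get("docker-reference")
        signed = critical.get("image", {}).get("docker-manifest-digest")
        if kind != "cosign container image signature":
            problems.append(f"signature {i}: unexpected type {kind!r}")
        if ref != repo:
            problems.append(f"signature {i}: signed for {ref!r}, not {repo!r}")
        if signed != digest:
            problems.append(f"signature {i}: covers {signed!r}, resolved {digest!r}")
    return problems


if __name__ == "__main__":
    # In real use, resolve the digest first (e.g. `crane digest REPO:TAG`) and
    # verify REPO@DIGEST; here the digest is the one printed in the issue.
    print(" ".join(pinned_verify_command(REPO, LATEST_DIGEST, "google_cosign.pub")))
    print("signature object to inspect:", signature_ref(REPO, LATEST_DIGEST))
    print("problems, matching digest:", check_payloads(LATEST_PAYLOAD, REPO, LATEST_DIGEST))
    print("problems, re-pushed tag:  ", check_payloads(LATEST_PAYLOAD, REPO, OTHER_DIGEST))
```

Verifying `REPO@DIGEST` instead of `REPO:TAG` closes the window in which a tag is moved between the moment you verify and the moment you pull; comparing the payload's `docker-manifest-digest` with the digest you resolved catches the same problem after the fact.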

loosebazooka commented 1 year ago

Can you try this with the latest cosign? I'm fairly certain we do sign all Python images.

griggheo commented 1 year ago

Same error with the latest cosign version 1.13.1.