chainguard-dev / edu

Educational Resources for Software Supply Chain Security
https://edu.chainguard.dev

Verifying SBOM reference with cosign verify-attestation returns error #1105

Closed garrying closed 1 year ago

garrying commented 1 year ago

Describe the bug The command to verify SBOMs using cosign verify-attestation returns an error saying that --platform is an unknown flag.

To Reproduce Steps to reproduce the behavior:

  1. Go to https://edu.chainguard.dev/chainguard/chainguard-images/reference/go/provenance_info/#downloading-and-verifying-sboms (applicable to all images with provenance_info I think)
  2. Copy
    cosign verify-attestation \
    --type https://spdx.dev/Document \
    --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
    --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main \
    --platform=linux/amd64 \
    cgr.dev/chainguard/go
  3. Run command
  4. Error:
    Error: unknown flag: --platform
    main.go:74: error during command execution: unknown flag: --platform

Expected behavior Should display verification without error.

Additional context Reproduced using cosign 2.2.0

ltagliaferri commented 1 year ago

This is a dupe of this issue, I'll close + link to this to track there: https://github.com/chainguard-dev/internal/issues/3362