Multi-arch images created by podman and signed by cosign cannot be pulled and the signature verified by podman, but they are reported valid by cosign verify.
```
# Valid signatures according to cosign
$ cosign verify --key quay.io-travier-containers.pub quay.io/travier/cosign-example:latest-cosign
$ cosign verify --key quay.io-travier-containers.pub quay.io/travier/cosign-example:latest-cosign-x86_64
# Works
$ podman pull --log-level=debug quay.io/travier/cosign-example:latest-cosign-x86_64
# Fails
$ podman pull --log-level=debug quay.io/travier/cosign-example:latest-cosign
INFO[0000] podman filtering at log level debug
DEBU[0000] Called pull.PersistentPreRunE(podman pull --log-level=debug quay.io/travier/cosign-example:latest-cosign)
DEBU[0000] Using conmon: "/usr/bin/conmon"
INFO[0000] Using boltdb as database backend
DEBU[0000] Initializing boltdb state at /var/home/tim/.local/share/containers/storage/libpod/bolt_state.db
DEBU[0000] Using graph driver overlay
DEBU[0000] Using graph root /var/home/tim/.local/share/containers/storage
DEBU[0000] Using run root /run/user/1000/containers
DEBU[0000] Using static dir /var/home/tim/.local/share/containers/storage/libpod
DEBU[0000] Using tmp dir /run/user/1000/libpod/tmp
DEBU[0000] Using volume path /var/home/tim/.local/share/containers/storage/volumes
DEBU[0000] Using transient store: false
DEBU[0000] [graphdriver] trying provided driver "overlay"
DEBU[0000] Cached value indicated that overlay is supported
DEBU[0000] Cached value indicated that overlay is supported
DEBU[0000] Cached value indicated that metacopy is not being used
DEBU[0000] Cached value indicated that native-diff is usable
DEBU[0000] backingFs=xfs, projectQuotaSupported=false, useNativeDiff=true, usingMetacopy=false
DEBU[0000] Initializing event backend journald
DEBU[0000] Configured OCI runtime runc initialization failed: no valid executable found for OCI runtime runc: invalid argument
DEBU[0000] Configured OCI runtime kata initialization failed: no valid executable found for OCI runtime kata: invalid argument
DEBU[0000] Configured OCI runtime krun initialization failed: no valid executable found for OCI runtime krun: invalid argument
DEBU[0000] Configured OCI runtime ocijail initialization failed: no valid executable found for OCI runtime ocijail: invalid argument
DEBU[0000] Configured OCI runtime crun-wasm initialization failed: no valid executable found for OCI runtime crun-wasm: invalid argument
DEBU[0000] Configured OCI runtime runj initialization failed: no valid executable found for OCI runtime runj: invalid argument
DEBU[0000] Configured OCI runtime runsc initialization failed: no valid executable found for OCI runtime runsc: invalid argument
DEBU[0000] Configured OCI runtime youki initialization failed: no valid executable found for OCI runtime youki: invalid argument
DEBU[0000] Using OCI runtime "/usr/bin/crun"
INFO[0000] Setting parallel job count to 25
DEBU[0000] Pulling image quay.io/travier/cosign-example:latest-cosign (policy: always)
DEBU[0000] Looking up image "quay.io/travier/cosign-example:latest-cosign" in local containers storage
DEBU[0000] Normalized platform linux/amd64 to {amd64 linux [] }
DEBU[0000] Trying "quay.io/travier/cosign-example:latest-cosign" ...
DEBU[0000] reference "[overlay@/var/home/tim/.local/share/containers/storage+/run/user/1000/containers]quay.io/travier/cosign-example:latest-cosign" does not resolve to an image ID
DEBU[0000] Trying "quay.io/travier/cosign-example:latest-cosign" ...
DEBU[0000] reference "[overlay@/var/home/tim/.local/share/containers/storage+/run/user/1000/containers]quay.io/travier/cosign-example:latest-cosign" does not resolve to an image ID
DEBU[0000] Trying "quay.io/travier/cosign-example:latest-cosign" ...
DEBU[0000] Loading registries configuration "/etc/containers/registries.conf"
DEBU[0000] Loading registries configuration "/etc/containers/registries.conf.d/000-shortnames.conf"
DEBU[0000] Normalized platform linux/amd64 to {amd64 linux [] }
DEBU[0000] Attempting to pull candidate quay.io/travier/cosign-example:latest-cosign for quay.io/travier/cosign-example:latest-cosign
DEBU[0000] parsed reference into "[overlay@/var/home/tim/.local/share/containers/storage+/run/user/1000/containers]quay.io/travier/cosign-example:latest-cosign"
Trying to pull quay.io/travier/cosign-example:latest-cosign...
DEBU[0000] Copying source image //quay.io/travier/cosign-example:latest-cosign to destination image [overlay@/var/home/tim/.local/share/containers/storage+/run/user/1000/containers]quay.io/travier/cosign-example:latest-cosign
DEBU[0000] Using registries.d directory /etc/containers/registries.d
DEBU[0000] Trying to access "quay.io/travier/cosign-example:latest-cosign"
DEBU[0000] No credentials matching quay.io/travier/cosign-example found in /run/user/1000/containers/auth.json
DEBU[0000] No credentials matching quay.io/travier/cosign-example found in /var/home/tim/.config/containers/auth.json
DEBU[0000] Found credentials for quay.io/travier/cosign-example in credential helper containers-auth.json in file /var/home/tim/.docker/config.json
DEBU[0000] Lookaside configuration: using "docker" namespace quay.io/travier
DEBU[0000] No signature storage configuration found for quay.io/travier/cosign-example:latest-cosign, using built-in default file:///var/home/tim/.local/share/containers/sigstore
DEBU[0000] Looking for TLS certificates and private keys in /etc/docker/certs.d/quay.io
DEBU[0000] Sigstore attachments: using "docker" namespace quay.io/travier
DEBU[0000] GET https://quay.io/v2/
DEBU[0000] Ping https://quay.io/v2/ status 401
DEBU[0000] GET https://quay.io/v2/auth?account=openshift-release-dev%2Bocm_access_c273414d3a374a04b57d071678c1f310&scope=repository%3Atravier%2Fcosign-example%3Apull&service=quay.io
DEBU[0000] Increasing token expiration to: 60 seconds
DEBU[0000] GET https://quay.io/v2/travier/cosign-example/manifests/latest-cosign
DEBU[0001] Content-Type from manifest GET is "application/vnd.oci.image.index.v1+json"
DEBU[0001] Using SQLite blob info cache at /var/home/tim/.local/share/containers/cache/blob-info-cache-v1.sqlite
DEBU[0001] Source is a manifest list; copying (only) instance sha256:3c3d35273a04751de96ba2e1bd2e57b06f69329cd7f42c0d80454e90dfa0e44d for current system
DEBU[0001] GET https://quay.io/v2/travier/cosign-example/manifests/sha256:3c3d35273a04751de96ba2e1bd2e57b06f69329cd7f42c0d80454e90dfa0e44d
DEBU[0001] Content-Type from manifest GET is "application/vnd.oci.image.manifest.v1+json"
DEBU[0001] IsRunningImageAllowed for image docker:quay.io/travier/cosign-example:latest-cosign
DEBU[0001] Using transport "docker" specific policy section quay.io/travier
DEBU[0001] Reading /var/home/tim/.local/share/containers/sigstore/travier/cosign-example@sha256=3c3d35273a04751de96ba2e1bd2e57b06f69329cd7f42c0d80454e90dfa0e44d/signature-1
DEBU[0001] Looking for sigstore attachments in quay.io/travier/cosign-example:sha256-3c3d35273a04751de96ba2e1bd2e57b06f69329cd7f42c0d80454e90dfa0e44d.sig
DEBU[0001] GET https://quay.io/v2/travier/cosign-example/manifests/sha256-3c3d35273a04751de96ba2e1bd2e57b06f69329cd7f42c0d80454e90dfa0e44d.sig
DEBU[0001] Content-Type from manifest GET is "application/json"
DEBU[0001] Fetching sigstore attachment manifest failed, assuming it does not exist: reading manifest sha256-3c3d35273a04751de96ba2e1bd2e57b06f69329cd7f42c0d80454e90dfa0e44d.sig in quay.io/travier/cosign-example: manifest unknown
DEBU[0001] Requirement 0: denied, done
DEBU[0001] Error pulling candidate quay.io/travier/cosign-example:latest-cosign: copying system image from manifest list: Source image rejected: A signature was required, but no signature exists
Error: copying system image from manifest list: Source image rejected: A signature was required, but no signature exists
DEBU[0001] Shutting down engines
```
Issue Description
Multi-arch images created by podman and signed by cosign cannot be pulled and the signature verified by podman, but they are reported valid by `cosign verify`. Pushing and signing the image via podman works.
Steps to reproduce the issue
Example test repo to reproduce the issue: https://github.com/travier/cosign-test
Container images: https://quay.io/repository/travier/cosign-example?tab=tags
Describe the results you received
Pulling multi-arch container images signed with cosign fails with podman.
Describe the results you expected
Pulling multi-arch container images signed with cosign succeeds with podman.
podman info output
Podman in a container
No
Privileged Or Rootless
Rootless
Upstream Latest Release
No
Additional environment details
Fedora Kinoite 39
```
$ podman version
Client:       Podman Engine
Version:      4.8.2
API Version:  4.8.2
Go Version:   go1.21.4
Built:        Mon Dec 11 14:23:04 2023
OS/Arch:      linux/amd64
```
Additional information
It looks like there is a difference in how podman and cosign sign and push signatures for multi-arch images.
Initially reported in https://github.com/toolbx-images/images/issues/113.
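As an added diagnostic example (not from the issue, and not podman or cosign code), the Python below mirrors the lookup visible in the debug log: pick the index entry for the current platform, derive the `sha256-<digest>.sig` tag podman fetches, and report which digests of a multi-arch image actually have a signature tag. The index and its tag list are constructed offline; only the amd64 instance digest comes from the log, while the index digest and the arm64 digest are placeholders. The constructed repository carries a signature tag only for the index digest, one configuration that produces exactly the `no signature exists` rejection shown above.

```python
import json

# Constructed OCI image index for the example. The amd64 digest is the
# instance podman selected in the issue's debug log; the arm64 digest and
# the digest of the index itself are made up for illustration.
AMD64_DIGEST = "sha256:3c3d35273a04751de96ba2e1bd2e57b06f69329cd7f42c0d80454e90dfa0e44d"
ARM64_DIGEST = "sha256:" + "b" * 64          # constructed
INDEX_DIGEST = "sha256:" + "a" * 64          # constructed digest of the index
INDEX_JSON = json.dumps({
    "schemaVersion": 2,
    "mediaType": "application/vnd.oci.image.index.v1+json",
    "manifests": [
        {"mediaType": "application/vnd.oci.image.manifest.v1+json", "size": 1234,
         "digest": AMD64_DIGEST, "platform": {"architecture": "amd64", "os": "linux"}},
        {"mediaType": "application/vnd.oci.image.manifest.v1+json", "size": 1234,
         "digest": ARM64_DIGEST, "platform": {"architecture": "arm64", "os": "linux"}},
    ],
})
# Constructed tag list of the repository: a signature tag exists only for
# the index digest, not for either per-platform instance.
REPO_TAGS = {"latest-cosign", "latest-cosign-x86_64", "sha256-" + "a" * 64 + ".sig"}


def sig_tag(digest: str) -> str:
    """Tag podman looks up for a digest's sigstore attachment (see the log):
    'sha256:<hex>' -> 'sha256-<hex>.sig'."""
    algo, hexval = digest.split(":", 1)
    return f"{algo}-{hexval}.sig"


def select_instance(index_json: str, os_name: str, arch: str) -> str:
    """Digest of the index entry a client on os/arch would actually pull."""
    for entry in json.loads(index_json)["manifests"]:
        platform = entry.get("platform", {})
        if platform.get("os") == os_name and platform.get("architecture") == arch:
            return entry["digest"]
    raise LookupError(f"no manifest for {os_name}/{arch}")


def signature_report(index_json: str, index_digest: str, repo_tags: set) -> dict:
    """Map the index digest and every instance digest to whether its .sig tag exists."""
    digests = [index_digest] + [m["digest"] for m in json.loads(index_json)["manifests"]]
    return {d: sig_tag(d) in repo_tags for d in digests}


def unsigned_instances(index_json: str, index_digest: str, repo_tags: set) -> list:
    """Digests whose pull a signature-requiring policy would reject."""
    return [d for d, ok in signature_report(index_json, index_digest, repo_tags).items() if not ok]
```

To run this against a real repository, replace INDEX_JSON with the fetched index and REPO_TAGS with the registry's tag list; the per-platform digests reported as unsigned are the ones a signature-requiring podman policy will refuse to pull.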