notaryproject / notation

A CLI tool to sign and verify artifacts
https://notaryproject.dev/
Apache License 2.0

Container image verification failed #1031

Open JanetZhouJ opened 2 months ago

JanetZhouJ commented 2 months ago

What is not working as expected?

When verifying the signed container image with notation, I am getting the error below.

What did you expect to happen?

I just tested notation on a newly built image and it failed with an error; the reason given is a mismatched Content-Length. But when I checked nginx for Harbor, it shows no error and the response code is 200, so what does "mismatch Content-Length" mean?

How can we reproduce it?

First:

    notation cert generate-test --default "registry-ops.cokutau.com"
    notation sign --signature-format cose registry-ops.cokutau.com/dev-pjcxa/botstudio:20240906_152011

This works fine.

    notation ls registry-ops.cokutau.com/dev-pjcxa/botstudio:20240906_152011
    registry-ops.cokutau.com/dev-pjcxa/botstudio@sha256:a76d65b5dc0012652c3bf216da300edc6719902b25732de6a465f536e96be030
    └── application/vnd.cncf.notary.signature
        └── sha256:c5902769d1f3414e4a388c25aa9f981564cf18f6d53962d268091d9e5183a49a

    notation verify registry-ops.cokutau.com/dev-pjcxa/botstudio:20240906_152011 -v

This fails with:

    INFO Allowed to access the referrers API, fallback if not supported
    INFO Reference 20240906_152011 resolved to manifest descriptor: {MediaType:application/vnd.docker.distribution.manifest.v2+json Digest:sha256:a76d65b5dc0012652c3bf216da300edc6719902b25732de6a465f536e96be030 Size:1786 URLs:[] Annotations:map[] Data:[] Platform: ArtifactType:}
    Warning: Always verify the artifact using digest(@sha256:...) rather than a tag(:20240906_152011) because resolved digest may not point to the same signed artifact, as tags are mutable.
    INFO Checking whether signature verification should be skipped or not
    INFO Trust policy configuration: &{Name:registry-ops.cokutau.com RegistryScopes:[] SignatureVerification:{VerificationLevel:strict Override:map[] VerifyTimestamp:} TrustStores:[ca:registry-ops.cokutau.com] TrustedIdentities:[]}
    INFO Check over. Trust policy is not configured to skip signature verification
    INFO Processing signature with manifest mediaType: application/vnd.oci.image.manifest.v1+json and digest: sha256:c5902769d1f3414e4a388c25aa9f981564cf18f6d53962d268091d9e5183a49a
    Error: signature verification failed: unable to retrieve digital signature with digest "sha256:c5902769d1f3414e4a388c25aa9f981564cf18f6d53962d268091d9e5183a49a" associated with "registry-ops.cokutau.com/dev-pjcxa/botstudio@sha256:a76d65b5dc0012652c3bf216da300edc6719902b25732de6a465f536e96be030" from the Repository, error : GET "https://registry-ops.cokutau.com/v2/dev-pjcxa/botstudio/manifests/sha256:c5902769d1f3414e4a388c25aa9f981564cf18f6d53962d268091d9e5183a49a": mismatch Content-Length

Describe your environment

    root@1b81bd31a2ce:/tmp# uname -a
    Linux 1b81bd31a2ce 5.14.0-427.13.1.el9_4.x86_64 #1 SMP PREEMPT_DYNAMIC Tue Apr 30 18:22:29 EDT 2024 x86_64 GNU/Linux

I installed it with wget notation$NOTATION_VERSION_linux_amd64.tar.gz and tar > /usr/local/bin/notation.

What is the version of your Notation CLI or Notation Library?

    Version:     1.2.0
    Go version:  go1.23.0
    Git commit:  4700ad6f1bef13e411772d7ae4399f891fc3a6ae
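What the client is checking, as an added example (not notation's or oras-go's own code): a registry client that fetches a signature manifest by digest compares the Content-Length of the GET /v2/<repo>/manifests/<digest> response with the Size the referrers listing gave for that descriptor, and rejects the response when they differ, which is the check reported in the error above; the function below does that comparison and then the digest check that follows it. The registry, repository name and manifest bytes are constructed test data, and NewFakeRegistry is a hypothetical stand-in that can also answer with chunked encoding to show the case where the header is missing entirely.

```go
package main

import (
	"crypto/sha256"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// FetchManifest GETs /v2/<repo>/manifests/<digest> and applies the checks a
// registry client makes before trusting the bytes: the Content-Length header
// must equal the Size the referrers listing gave for the descriptor (the check
// that fails in this issue), then the body's sha256 must equal digest. A response
// with no Content-Length (ContentLength == -1, e.g. re-chunked by a proxy) fails too.
func FetchManifest(registry, repo, digest string, size int64) ([]byte, error) {
	url := fmt.Sprintf("%s/v2/%s/manifests/%s", registry, repo, digest)
	resp, err := http.Get(url)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("GET %q: HTTP %d", url, resp.StatusCode)
	}
	if resp.ContentLength != size {
		return nil, fmt.Errorf("GET %q: mismatch Content-Length (header %d, descriptor size %d)", url, resp.ContentLength, size)
	}
	body, err := io.ReadAll(resp.Body)
	if err != nil {
		return nil, err
	}
	if got := fmt.Sprintf("sha256:%x", sha256.Sum256(body)); got != digest {
		return nil, fmt.Errorf("GET %q: digest mismatch, body hashes to %s", url, got)
	}
	return body, nil
}

// NewFakeRegistry is a constructed stand-in for a registry that serves one
// manifest for every request. With chunked set it flushes the headers before
// writing, so Go sends chunked encoding with no Content-Length, like a re-encoding proxy.
func NewFakeRegistry(manifest []byte, chunked bool) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		w.Header().Set("Content-Type", "application/vnd.oci.image.manifest.v1+json")
		if chunked {
			w.(http.Flusher).Flush()
		}
		w.Write(manifest)
	}))
}
```

Against the real registry the same two numbers can be compared by hand: the Size in the signature's referrer descriptor and the Content-Length header returned for that manifest GET; a proxy in front of the registry that compresses or re-chunks manifest responses is one way for them to diverge even though the upstream request logs 200.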

FeynmanZhou commented 2 months ago

Hi @JanetZhouJ ,

To troubleshoot the verification issue, can you please share the manifest metadata of your signed image? Maybe you can use the ORAS tool to get the manifest metadata:

    oras manifest fetch registry-ops.cokutau.com/dev-pjcxa/botstudio:20240906_152011