openvex / vexctl

A tool to create, transform and attest VEX metadata
Apache License 2.0
116 stars 21 forks

Getting error while attesting the image #139

Open anilMishra opened 11 months ago

anilMishra commented 11 months ago

When I try to attest an image in a public repository, it results in an error 'has no digest', even though we are giving the required digest in the query. I am attaching an image with the executed queries with all permutations. Please help me with this issue.

anilMishra commented 11 months ago

image001

puerco commented 11 months ago

Hey @anilMishra, thanks for the report. Unfortunately I could not catch the image before ttl.sh removed it. Can you push it again to see what's going on? Thanks!!

wagoodman commented 10 months ago

I ran into the same issue. An initial look shows that there is some processing missing when passing a raw image reference:

vexctl attest --attach --sign vex.json ghcr.io/wagoodman/test-ctr-images/alpine@sha256:d98f53941d04a2c76b454064c27dd9ffc30cdb07c34001f45015752bdf1e4ecb

around here: https://github.com/openvex/vexctl/blob/57f62c5b17bd25f4b89339d795ff1a55e16e06a8/pkg/ctl/implementation.go#L593

The reference is parsed (name.ParseReference(pref.Name)) but the value is thrown away and instead pref is used. However, there is no code path to populate pref.Hashes... as done with the package URL parsing in the first if block.

A workaround in the meantime @anilMishra would be to craft an OCI package URL.
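
The workaround suggested in the comment above, as an added example (not vexctl's code and not posted in the thread): a Go helper that turns a digest-pinned image reference into an OCI package URL laid out as in the `oci` type of the purl specification, and refuses references that carry no digest. The function name `OCIPurl` and both validation patterns are assumptions, and whether vexctl accepts this exact purl form is not confirmed on this page.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// digestRe accepts only a full, lowercase sha256 digest (assumed policy for this example).
var digestRe = regexp.MustCompile(`^sha256:[a-f0-9]{64}$`)

// repoRe requires registry/path form and only characters that need no escaping in a qualifier.
var repoRe = regexp.MustCompile(`^[a-z0-9][a-z0-9._:-]*(/[a-z0-9][a-z0-9._-]*)+$`)

// OCIPurl converts "registry/repo[:tag]@sha256:<hex>" into a pkg:oci package URL.
// It fails closed when the reference is not pinned to a digest.
func OCIPurl(ref string) (string, error) {
	repo, digest, ok := strings.Cut(ref, "@")
	if !ok {
		return "", fmt.Errorf("%q has no digest; resolve the tag to a digest first", ref)
	}
	if !digestRe.MatchString(digest) {
		return "", fmt.Errorf("unsupported or malformed digest %q", digest)
	}
	// Drop a tag if present: a ':' after the last '/' is a tag, not a registry port.
	if i := strings.LastIndex(repo, ":"); i > strings.LastIndex(repo, "/") {
		repo = repo[:i]
	}
	if !repoRe.MatchString(repo) {
		return "", fmt.Errorf("unexpected repository %q", repo)
	}
	name := repo[strings.LastIndex(repo, "/")+1:]
	// QueryEscape turns the ':' of the digest into %3A, as in the purl spec's oci examples.
	return fmt.Sprintf("pkg:oci/%s@%s?repository_url=%s", name, url.QueryEscape(digest), repo), nil
}

func main() {
	// The image reference from the comment above.
	ref := "ghcr.io/wagoodman/test-ctr-images/alpine@sha256:d98f53941d04a2c76b454064c27dd9ffc30cdb07c34001f45015752bdf1e4ecb"
	purl, err := OCIPurl(ref)
	if err != nil {
		panic(err)
	}
	fmt.Println(purl)
}
```

The digest is carried in the purl's version field, so the subject of the attestation stays pinned to the exact image content rather than to a mutable tag.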