Open xmlking opened 2 years ago
The problem is that nerdctl runs inside the VM, so the cosign binary has to be installed inside the VM as well.
On macOS you can do this manually with:
LIMA_HOME="$HOME/Library/Application Support/rancher-desktop/lima" "/Applications/Rancher Desktop.app/Contents/Resources/resources/darwin/lima/bin/limactl" shell 0 sudo apk add cosign --repository=http://dl-cdn.alpinelinux.org/alpine/edge/community
If I install nerdctl via brew install nerdctl and disable Rancher's nerdctl, will it work?
still not working
nerdctl push --sign=cosign ghcr.io/xmlking/grpc-starter-kit/base:v0.2.0
INFO[0000] pushing as a reduced-platform image (application/vnd.docker.distribution.manifest.v2+json, sha256:5fb3c48f82a1d4a53d5e2d25e9daf8e8a35bdbf97847c40212bdb04b38dd485d)
manifest-sha256:5fb3c48f82a1d4a53d5e2d25e9daf8e8a35bdbf97847c40212bdb04b38dd485d: done |++++++++++++++++++++++++++++++++++++++|
layer-sha256:b57a234d56c602ed0ffb767c6782a1836f8b43b267ba0f799fbd8488eecfbcfe: done |++++++++++++++++++++++++++++++++++++++|
layer-sha256:39b0b4c4587fbfa6f0755490bb53175932c8f0348926efd629b5e26b281aaa57: done |++++++++++++++++++++++++++++++++++++++|
layer-sha256:fed9433fc6d8e566eec66aee9ebc5da9ac21d7d778ab84cd14bf6d72f922d370: done |++++++++++++++++++++++++++++++++++++++|
layer-sha256:0737e68e4ee86ac8d2a8aa22d80614528a5898719ff6f2daecca562573202969: done |++++++++++++++++++++++++++++++++++++++|
config-sha256:5bb4e89e20d01c234649ebaa583999c8bbbc2b1d1e1071696c2d424a592b617f: done |++++++++++++++++++++++++++++++++++++++|
layer-sha256:63bc71a7e8dd1d9668121710be981aa07a74660d94ff3bc08a49ec70e7654c7f: done |++++++++++++++++++++++++++++++++++++++|
layer-sha256:a5e44472bb1f0d721d23f82fa10a4c3d25994790238a173c1de950a649eb9a90: done |++++++++++++++++++++++++++++++++++++++|
elapsed: 0.9 s total: 163.2 (181.3 MiB/s)
INFO[0001] cosign: Enter the verification code HPCD-KPVR in your browser at: https://oauth2.sigstore.dev/auth/device?user_code=HPCD-KPVR
INFO[0001] cosign: Code will be valid for 300 seconds
INFO[0026] cosign: Token received!
INFO[0036] cosign: Generating ephemeral keys...
INFO[0036] cosign: Retrieving signed certificate...
INFO[0036] cosign: Non-interactive mode detected, using device flow.
INFO[0036] cosign: Successfully verified SCT...
INFO[0036] cosign: tlog entry created with index: 1806761
INFO[0036] cosign: Pushing signature to: ghcr.io/xmlking/grpc-starter-kit/base
INFO[0036] cosign: Error: signing [ghcr.io/xmlking/grpc-starter-kit/base:v0.2.0]: recursively signing: signing digest: POST https://ghcr.io/v2/xmlking/grpc-starter-kit/base/blobs/uploads/: DENIED: unauthenticated: User cannot be authenticated with the token provided.
INFO[0036] cosign: main.go:46: error during command execution: signing [ghcr.io/xmlking/grpc-starter-kit/base:v0.2.0]: recursively signing: signing digest: POST https://ghcr.io/v2/xmlking/grpc-starter-kit/base/blobs/uploads/: DENIED: unauthenticated: User cannot be authenticated with the token provided.
nerdctl push --sign=cosign ghcr.io/xmlking/grpc-starter-kit/account-service:v0.1.2
INFO[0000] pushing as a reduced-platform image (application/vnd.docker.distribution.manifest.v2+json, sha256:8fe7090e2fb7e6cd14abb1d1c2b15f2c759534168e0809caa0947cc0cd3a51dd)
manifest-sha256:8fe7090e2fb7e6cd14abb1d1c2b15f2c759534168e0809caa0947cc0cd3a51dd: waiting |--------------------------------------|
layer-sha256:5e1d8167d6c0a4b75ac14a35e67f98464b298f88a94ba9468dbc439241653231: waiting |--------------------------------------|
layer-sha256:db7f1fa03bb881527321a6406cf63ffe824128059e1f3969170d73f80a9f7ad6: waiting |--------------------------------------|
layer-sha256:2382bb977bdfc45ae3b29d8a5f15c7a61e69aaf0334e67a570b418a4bba07ee6: waiting |--------------------------------------|
config-sha256:92325ca314742e08a903e83001d71673c7840e263a20ed41ba396f85c9c100ff: waiting |--------------------------------------|
layer-sha256:5559ad684159b121106498732c6b823031d6ad5bd6258b697c9e27c092018c13: waiting |--------------------------------------|
layer-sha256:dbcab61d5a5a806aee6156f2e22c601a52119ca8eaeb8fcd08187f22c35d9b88: waiting |--------------------------------------|
layer-sha256:f67e96ba44068641523389f261c2169964a176d8078a20f6d4d98df2f8612116: waiting |--------------------------------------|
elapsed: 0.4 s total: 0.0 B (0.0 B/s)
FATA[0000] failed to authorize: failed to fetch anonymous token: unexpected status: 403 Forbidden
Please ignore my above comment. I have to log in to ghcr.io. It worked after that.
echo $GITHUB_PACKAGES_TOKEN | nerdctl login ghcr.io -u xmlking --password-stdin
Login Succeeded
nerdctl push --sign=cosign ghcr.io/xmlking/grpc-starter-kit/base:v0.2.1
INFO[0000] pushing as a reduced-platform image (application/vnd.docker.distribution.manifest.v2+json, sha256:e9ea6a64409f1a3ad968cc15e2389efd5a01ed52c8085ab034d32dba6d9bdc28)
manifest-sha256:e9ea6a64409f1a3ad968cc15e2389efd5a01ed52c8085ab034d32dba6d9bdc28: done |++++++++++++++++++++++++++++++++++++++|
layer-sha256:23b229a82e2dbe9c52c739729bfec7af12ac99dc96d1045551546f1ee4b65509: done |++++++++++++++++++++++++++++++++++++++|
config-sha256:87f36d860bddefd3003bb941621b784ec7841c9775927d7fe61df91bd1524509: done |++++++++++++++++++++++++++++++++++++++|
layer-sha256:a5e44472bb1f0d721d23f82fa10a4c3d25994790238a173c1de950a649eb9a90: done |++++++++++++++++++++++++++++++++++++++|
layer-sha256:39b0b4c4587fbfa6f0755490bb53175932c8f0348926efd629b5e26b281aaa57: done |++++++++++++++++++++++++++++++++++++++|
layer-sha256:63bc71a7e8dd1d9668121710be981aa07a74660d94ff3bc08a49ec70e7654c7f: done |++++++++++++++++++++++++++++++++++++++|
layer-sha256:fed9433fc6d8e566eec66aee9ebc5da9ac21d7d778ab84cd14bf6d72f922d370: done |++++++++++++++++++++++++++++++++++++++|
layer-sha256:0737e68e4ee86ac8d2a8aa22d80614528a5898719ff6f2daecca562573202969: done |++++++++++++++++++++++++++++++++++++++|
layer-sha256:829e70cb55cc3717f9752d0e7a901fe2d0b72a1f9a66451ac94bc37306a7f872: done |++++++++++++++++++++++++++++++++++++++|
elapsed: 4.1 s total: 163.2 (39.8 MiB/s)
INFO[0004] cosign: Enter the verification code NPTB-KXPR in your browser at: https://oauth2.sigstore.dev/auth/device?user_code=NPTB-KXPR
INFO[0004] cosign: Code will be valid for 300 seconds
INFO[0014] cosign: Token received!
INFO[0023] cosign: Generating ephemeral keys...
INFO[0023] cosign: Retrieving signed certificate...
INFO[0023] cosign: Non-interactive mode detected, using device flow.
INFO[0023] cosign: Successfully verified SCT...
INFO[0023] cosign: tlog entry created with index: 1807331
INFO[0023] cosign: Pushing signature to: ghcr.io/xmlking/grpc-starter-kit/base
Actual Behavior
Unable to nerdctl push --sign=cosign
Throws cosign executable not found in path $PATH
Steps to Reproduce
https://github.com/containerd/nerdctl/issues/943#issuecomment-1079794867
❯ nerdctl images
REPOSITORY TAG IMAGE ID CREATED PLATFORM SIZE BLOB SIZE
ghcr.io/xmlking/grpc-starter-kit/base latest 324e109cc7be 8 minutes ago linux/arm64 510.9 MiB 163.2 MiB
ghcr.io/xmlking/grpc-starter-kit/base v0.2.0 324e109cc7be About an hour ago linux/arm64 510.9 MiB 163.2 MiB
grpc-starter-kit on develop [!?] via v1.18 ❯ nerdctl push --sign=cosign ghcr.io/xmlking/grpc-starter-kit/base:v0.2.0
INFO[0000] pushing as a reduced-platform image (application/vnd.docker.distribution.manifest.v2+json, sha256:324e109cc7be4da6b75472a8bcad17e2d26321c1555d42f45f200c5efa7dd96c)
manifest-sha256:324e109cc7be4da6b75472a8bcad17e2d26321c1555d42f45f200c5efa7dd96c: done |++++++++++++++++++++++++++++++++++++++|
layer-sha256:5fa59ceebdc83ddb6d2f9d89dbbff1b2c9c993b1a1462bb391247f904d2c48e7: done |++++++++++++++++++++++++++++++++++++++|
layer-sha256:39b0b4c4587fbfa6f0755490bb53175932c8f0348926efd629b5e26b281aaa57: done |++++++++++++++++++++++++++++++++++++++|
layer-sha256:63bc71a7e8dd1d9668121710be981aa07a74660d94ff3bc08a49ec70e7654c7f: done |++++++++++++++++++++++++++++++++++++++|
config-sha256:2181fcbd23f5e0713060e43861d743633976a8d285a397d13d27b814d260a9b1: done |++++++++++++++++++++++++++++++++++++++|
layer-sha256:a5e44472bb1f0d721d23f82fa10a4c3d25994790238a173c1de950a649eb9a90: done |++++++++++++++++++++++++++++++++++++++|
layer-sha256:fed9433fc6d8e566eec66aee9ebc5da9ac21d7d778ab84cd14bf6d72f922d370: done |++++++++++++++++++++++++++++++++++++++|
layer-sha256:0737e68e4ee86ac8d2a8aa22d80614528a5898719ff6f2daecca562573202969: done |++++++++++++++++++++++++++++++++++++++|
elapsed: 1.3 s total: 163.2 (125.5 MiB/s)
ERRO[0001] cosign executable not found in path $PATH error="exec: "cosign": executable file not found in $PATH"
INFO[0001] you might consider installing cosign from: https://docs.sigstore.dev/cosign/installation
FATA[0001] exec: "cosign": executable file not found in $PATH
grpc-starter-kit on develop [!?] via v1.18 ❯ which cosign
/opt/homebrew/bin/cosign
grpc-starter-kit on develop [!?] via v1.18 ❯ nerdctl --version
nerdctl version 0.17.1
grpc-starter-kit on develop [!?] via v1.18 ❯ cosign version
GitVersion: 1.6.0
GitCommit: 4b2c3c0c8ee97f31b9dac3859b40e0a48b8648ee
GitTreeState: "clean"
BuildDate: 2022-03-03T17:59:06Z
GoVersion: go1.17.8
Compiler: gc
Platform: darwin/arm64
Result
ERRO[0001] cosign executable not found in path $PATH error="exec: "cosign": executable file not found in $PATH"
INFO[0001] you might consider installing cosign from: https://docs.sigstore.dev/cosign/installation
FATA[0001] exec: "cosign": executable file not found in $PATH
Expected Behavior
no error
Additional Information
No response
Rancher Desktop Version
1.2.1
Rancher Desktop K8s Version
1.23.4
Which container runtime are you using?
containerd (nerdctl)
What operating system are you using?
macOS
Operating System / Build Version
12.3
What CPU architecture are you using?
arm64 (Apple Silicon)
Linux only: what package format did you use to install Rancher Desktop?
AppImage
Windows User Only
No response
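The three failure modes seen in this thread, as an added example that is not part of the original issue or of either project's code: a shell helper that classifies a captured `nerdctl push --sign=cosign` log and names the fix reported above. The function names, verdict labels and the registry names in the sample logs are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: triage a captured `nerdctl push --sign=cosign` log.
# Patterns come from the log lines quoted in this thread; image and
# registry names in the samples below are constructed placeholders.

has() { printf '%s\n' "$_log" | grep -q "$1"; }

classify_push_log() {            # hypothetical helper, log on stdin
  _log=$(cat)
  if has 'cosign.*executable file not found in \$PATH'; then
    echo cosign-missing          # cosign absent where nerdctl executes
  elif has 'failed to fetch anonymous token'; then
    echo push-unauthenticated    # the image push itself was refused
  elif has 'cosign: Error: signing .*DENIED: unauthenticated'; then
    # Checked before the success pattern: "Pushing signature to:" is
    # logged, after the tlog entry, even when the upload is then denied.
    echo signature-push-denied
  elif has 'cosign: Pushing signature to:'; then
    echo signature-pushed        # no error followed the signature push
  else
    echo unknown
  fi
}

remediation() {                  # fixes reported in the thread
  case "$1" in
    cosign-missing) echo "install cosign inside the VM where nerdctl runs" ;;
    push-unauthenticated|signature-push-denied)
      echo "nerdctl login to the registry, then push again" ;;
    signature-pushed) echo "none" ;;
    *) echo "read the log manually" ;;
  esac
}

SAMPLE_MISSING='FATA[0001] exec: "cosign": executable file not found in $PATH'
SAMPLE_ANON='FATA[0000] failed to authorize: failed to fetch anonymous token: unexpected status: 403 Forbidden'
SAMPLE_DENIED='INFO[0036] cosign: tlog entry created with index: 0
INFO[0036] cosign: Pushing signature to: registry.example/team/app
INFO[0036] cosign: Error: signing [registry.example/team/app:v1]: signing digest: POST https://registry.example/v2/team/app/blobs/uploads/: DENIED: unauthenticated: User cannot be authenticated with the token provided.'
SAMPLE_OK='INFO[0023] cosign: tlog entry created with index: 0
INFO[0023] cosign: Pushing signature to: registry.example/team/app'

for s in "$SAMPLE_MISSING" "$SAMPLE_ANON" "$SAMPLE_DENIED" "$SAMPLE_OK"; do
  v=$(printf '%s\n' "$s" | classify_push_log)
  echo "$v -> $(remediation "$v")"
done
```

In the denied case the quoted log shows a transparency-log entry created before the registry rejected the signature upload, so a tlog index in the output is not evidence that the image in the registry carries a signature.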