search

sigstore / cosign

Code signing and transparency for containers and binaries
Apache License 2.0
4.51k stars 547 forks source link

cosign download sbom from ghcr.io throw Error: MANIFEST_UNKNOWN: manifest unknown #1542

Open xmlking opened 2 years ago

xmlking commented 2 years ago

Getting MANIFEST_UNKNOWN: manifest unknown error 

cosign download sbom ghcr.io/xmlking/grpc-starter-kit/greeter:latest --output-file=sbom.spdx

Error

Error: GET https://ghcr.io/v2/xmlking/grpc-starter-kit/greeter/manifests/sha256-4ae72f03d893bae528ae69048360d9cf674552688f76fc59940132d4175a90fc.sbom: MANIFEST_UNKNOWN: manifest unknown
main.go:46: error during command execution: GET https://ghcr.io/v2/xmlking/grpc-starter-kit/greeter/manifests/sha256-4ae72f03d893bae528ae69048360d9cf674552688f76fc59940132d4175a90fc.sbom: MANIFEST_UNKNOWN: manifest unknown
dlorenc commented 2 years ago

Maybe a silly question, but are you sure there is an SBOM for that image? Did you push one using cosign?

xmlking commented 2 years ago

Yes you can check here https://github.com/xmlking/grpc-starter-kit/pkgs/container/grpc-starter-kit%2Fgreeter

vaikas commented 2 years ago

Just an FYI, looks like maybe there's just not an sbom for that tag. Looks like when you fetch the sbom using a sha that does exist, it works (using one for the images from link you sent):

vaikas@villes-mbp eventing % cosign download sbom ghcr.io/xmlking/grpc-starter-kit/greeter@sha256:eaef37a8b9422d50dbf5c5b6366ea4a3e1cce2b0d4b5632998cf1ed842aad578
--output-file=/tmp/sbom.spdx
Found SBOM of media type: text/spdx
vaikas@villes-mbp eventing % ls -l /tmp/sbom.spdx
-rw-r--r--  1 vaikas  wheel  50921 Mar 11 09:50 /tmp/sbom.spdx
marcofranssen commented 2 years ago

Can confirm the same.

Following works:

Downloading the signature ✅ 

$ cosign download signature ghcr.io/philips-labs/slsa-provenance:v0.7.2
{"Base64Signature":"MEUCIQCXfQeeQE77CdZkKVaBZa474eTIZR4uUQHoQ+W/2+uatgIgXKty8HA9NYzK40rYoQ1ebs1yrECUnp/BmLNsp9oMUPw=","Payload":"eyJjcml0aWNhbCI6eyJpZGVudGl0eSI6eyJkb2NrZXItcmVmZXJlbmNlIjoiZ2hjci5pby9waGlsaXBzLWxhYnMvc2xzYS1wcm92ZW5hbmNlIn0sImltYWdlIjp7ImRvY2tlci1tYW5pZmVzdC1kaWdlc3QiOiJzaGEyNTY6ZTMzNzhhZWYyMzgyMWZkNmUyMTAyMjllNWI5OGI1YmVhZDI4NTg1ODFiMmQ1OTBkOWUzYjQ5ZDUzYzNmNzFlNyJ9LCJ0eXBlIjoiY29zaWduIGNvbnRhaW5lciBpbWFnZSBzaWduYXR1cmUifSwib3B0aW9uYWwiOm51bGx9","Cert":null,"Chain":null,"Bundle":null}

Downloading the attestations ✅ both the sbom and build provenance are here as an attestation…

$ cosign download attestation ghcr.io/philips-labs/slsa-provenance:v0.7.2
{"payloadType":"application/vnd.in-toto+json","payload":"eyJfdHlwZSI6Imh0dHBzOi8vaW4tdG90by5pby9TdGF0ZW1lbnQvdjAuMSIsInByZWRpY2F0ZVR5cGUiOiJodHRwczovL3Nsc2EuZGV2L3Byb3ZlbmFuY2UvdjAuMiIsInN1YmplY3QiOlt7Im5hbWUiOiJnaGNyLmlvL3BoaWxpcHMtbGFicy9zbHNhLXByb3ZlbmFuY2UiLCJkaWdlc3QiOnsic2hhMjU2IjoiZTMzNzhhZWYyMzgyMWZkNmUyMTAyMjllNWI5OGI1YmVhZDI4NTg1ODFiMmQ1OTBkOWUzYjQ5ZDUzYzNmNzFlNyJ9fV0sInByZWRpY2F0ZSI6eyJidWlsZGVyIjp7ImlkIjoiaHR0cHM6Ly9naXRodWIuY29tL3BoaWxpcHMtbGFicy9zbHNhLXByb3ZlbmFuY2UtYWN0aW9uL0F0dGVzdGF0aW9ucy9HaXRIdWJIb3N0ZWRBY3Rpb25zQHYxIn0sImJ1aWxkVHlwZSI6Imh0dHBzOi8vZ2l0aHViLmNvbS9BdHRlc3RhdGlvbnMvR2l0SHViQWN0aW9uc1dvcmtmbG93QHYxIiwiaW52b2NhdGlvbiI6eyJjb25maWdTb3VyY2UiOnsidXJpIjoiZ2l0K2h0dHBzOi8vZ2l0aHViLmNvbS9waGlsaXBzLWxhYnMvc2xzYS1wcm92ZW5hbmNlLWFjdGlvbiIsImRpZ2VzdCI6eyJzaGExIjoiZGRkYjQwZTE5OWFlMjhkNGNkMmYxN2JhZDdmMzE1NDU1NTZmZGQzZCJ9LCJlbnRyeVBvaW50IjoiQ29udGludW91cyBpbnRlZ3JhdGlvbiJ9fSwibWV0YWRhdGEiOnsiYnVpbGRJbnZvY2F0aW9uSUQiOiJodHRwczovL2dpdGh1Yi5jb20vcGhpbGlwcy1sYWJzL3Nsc2EtcHJvdmVuYW5jZS1hY3Rpb24vYWN0aW9ucy9ydW5zLzE4NjM4ODQ4NDUiLCJidWlsZEZpbmlzaGVkT24iOiIyMDIyLTAyLTE4VDEwOjM5OjU5WiIsImNvbXBsZXRlbmVzcyI6eyJwYXJhbWV0ZXJzIjp0cnVlLCJlbnZpcm9ubWVudCI6ZmFsc2UsIm1hdGVyaWFscyI6ZmFsc2V9LCJyZXByb2R1Y2libGUiOmZhbHNlfSwibWF0ZXJpYWxzIjpbeyJ1cmkiOiJnaXQraHR0cHM6Ly9naXRodWIuY29tL3BoaWxpcHMtbGFicy9zbHNhLXByb3ZlbmFuY2UtYWN0aW9uIiwiZGlnZXN0Ijp7InNoYTEiOiJkZGRiNDBlMTk5YWUyOGQ0Y2QyZjE3YmFkN2YzMTU0NTU1NmZkZDNkIn19XX19","signatures":[{"keyid":"","sig":"MEQCID/JCfK+FyPekzuhc/BA0axFp52ssQ/DNgSJK3Dkl2zoAiAYKsBZy8sbmGOHr+rsiQ/YkW7YGSCEHfXevZLF9s1HNw=="}]}
{"payloadType":"application/vnd.in-toto+json","payload":"eyJfdHlwZSI6Imh0dHBzOi8vaW4tdG90by5pby9TdGF0ZW1lbnQvdjAuMSIsInByZWRpY2F0ZVR5cGUiOiJodHRwczovL3NwZHguZGV2L0RvY3VtZW50Iiwic3ViamVjdCI6W3sibmFtZSI6ImdoY3IuaW8vcGhpbGlwcy1sYWJzL3Nsc2EtcHJvdmVuYW5jZSIsImRpZ2VzdCI6eyJzaGEyNTYiOiJlMzM3OGFlZjIzODIxZmQ2ZTIxMDIyOWU1Yjk4YjViZWFkMjg1ODU4MWIyZDU5MGQ5ZTNiNDlkNTNjM2Y3MWU3In19XSwicHJlZGljYXRlIjp7IkRhdGEiOiJ7XG4gXCJTUERYSURcIjogXCJTUERYUmVmLURPQ1VNRU5UXCIsXG4gXCJuYW1lXCI6IFwiZ2hjci5pby9waGlsaXBzLWxhYnMvc2xzYS1wcm92ZW5hbmNlLWRkZGI0MGUxOTlhZTI4ZDRjZDJmMTdiYWQ3ZjMxNTQ1NTU2ZmRkM2RcIixcbiBcInNwZHhWZXJzaW9uXCI6IFwiU1BEWC0yLjJcIixcbiBcImNyZWF0aW9uSW5mb1wiOiB7XG4gIFwiY3JlYXRlZFwiOiBcIjIwMjItMDItMThUMTA6NDA6MDkuNDAzNjYwODYxWlwiLFxuICBcImNyZWF0b3JzXCI6IFtcbiAgIFwiT3JnYW5pemF0aW9uOiBBbmNob3JlLCBJbmNcIixcbiAgIFwiVG9vbDogc3lmdC0wLjMzLjBcIlxuICBdLFxuICBcImxpY2Vuc2VMaXN0VmVyc2lvblwiOiBcIjMuMTVcIlxuIH0sXG4gXCJkYXRhTGljZW5zZVwiOiBcIkNDMC0xLjBcIixcbiBcImRvY3VtZW50TmFtZXNwYWNlXCI6IFwiaHR0cHM6Ly9hbmNob3JlLmNvbS9zeWZ0L2ltYWdlL2doY3IuaW8vcGhpbGlwcy1sYWJzL3Nsc2EtcHJvdmVuYW5jZS1kZGRiNDBlMTk5YWUyOGQ0Y2QyZjE3YmFkN2YzMTU0NTU1NmZkZDNkLWI4Mzg2OWUwLWM2ODUtNGYyNy05MTVlLTc5ODgzYWViYWE1N1wiLFxuIFwicGFja2FnZXNcIjogW1xuICB7XG4gICBcIlNQRFhJRFwiOiBcIlNQRFhSZWYtZjM3NTE5NGYwMWQ3YzBmNlwiLFxuICAgXCJuYW1lXCI6IFwiYmFzZS1maWxlc1wiLFxuICAgXCJsaWNlbnNlQ29uY2x1ZGVkXCI6IFwiTk9BU1NFUlRJT05cIixcbiAgIFwiZG93bmxvYWRMb2NhdGlvblwiOiBcIk5PQVNTRVJUSU9OXCIsXG4gICBcImV4dGVybmFsUmVmc1wiOiBbXG4gICAge1xuICAgICBcInJlZmVyZW5jZUNhdGVnb3J5XCI6IFwiU0VDVVJJVFlcIixcbiAgICAgXCJyZWZlcmVuY2VMb2NhdG9yXCI6IFwiY3BlOjIuMzphOmJhc2UtZmlsZXM6YmFzZS1maWxlczoxMS4xK2RlYjExdTI6KjoqOio6KjoqOio6KlwiLFxuICAgICBcInJlZmVyZW5jZVR5cGVcIjogXCJjcGUyM1R5cGVcIlxuICAgIH0sXG4gICAge1xuICAgICBcInJlZmVyZW5jZUNhdGVnb3J5XCI6IFwiU0VDVVJJVFlcIixcbiAgICAgXCJyZWZlcmVuY2VMb2NhdG9yXCI6IFwiY3BlOjIuMzphOmJhc2UtZmlsZXM6YmFzZV9maWxlczoxMS4xK2RlYjExdTI6KjoqOio6KjoqOio6KlwiLFxuICAgICBcInJlZmVyZW5jZVR5cGVcIjogXCJjcGUyM1R5cGVcIlxuICAgIH0sXG4gICAge1xuICAgICBcInJlZmVyZW5jZUNhdGVnb3J5XCI6IFwiU0VDVVJJVFlcIixcbiAgICAgXCJyZWZlcmVuY2VMb2NhdG9yXCI6IFwiY3BlOjIuMzphOmJhc2VfZmlsZXM6YmFzZS1maWxlczoxMS4xK2RlYjExdTI6KjoqOio6KjoqOio6KlwiLFxuICAgICBcInJlZmVyZW5jZVR5cGVcIjogXCJjcGUyM1R5cGV
…

Following doesn't:

$ cosign download sbom ghcr.io/philips-labs/slsa-provenance:v0.7.2
Error: image not found in registry
main.go:46: error during command execution: image not found in registry

We are using cosign v1.6.0.

The SBOM and provenance are attached like this.

cosign attest --predicate sbom-spdx.json --type spdx --key cosign.key ghcr.io/philips-labs/slsa-provenance:v0.7.2
cosign attest --predicate provenance-predicate.att --type slsaprovenance --key cosign.key ghcr.io/philips-labs/slsa-provenance:v0.7.2
hectorj2f commented 2 years ago

@marcofranssen Have you tried with cosign attach sbom --type cyclonedx --sbom file.json ghcr.io/philips-labs/slsa-provenance:v0.7.2 ? It looks like you simply attached the attestations (one with a SBOM), you didn't add a sbom based on your comments.

marcofranssen commented 2 years ago

@hectorj2f you are right. Using the cosign attach sbom command I can download the sbom.

Now just a bit confused on when to use cosign attest vs cosign attach when it comes to SBOMs. Maybe that needs some documentation/writeup to clarify the usecases for the community.

dlorenc commented 2 years ago

+1 on clarifying that.

hectorj2f commented 2 years ago

@marcofranssen Yes, you're right.