sigstore / cosign

Code signing and transparency for containers and binaries
Apache License 2.0

cosign download sbom fails when the remote image is absent #2603

Closed thesayyn closed 11 months ago

thesayyn commented 1 year ago

Description

This is related to https://github.com/sigstore/cosign/issues/1905

Currently, when trying to download a sbom attached to an image via a digest, it fails trying to look up for the original image.

Error:

Error: entity not found in registry
main.go:46: error during command execution: entity not found in registry

Ideally, this command shouldn't go look up to see if the image really exists.

What I am trying to do:

1 - build an image locally
2 - get its digest
3 - call cosign sign repo@digest and sign the image at remote
4 - call cosign attach sbom repo@digest --sbom <path>
5 - call cosign download sbom repo@digest (for verifying purposes)
6 - push the image

Version

  ______   ______        _______. __    _______ .__   __.
 /      | /  __  \      /       ||  |  /  _____||  \ |  |
|  ,----'|  |  |  |    |   (----`|  | |  |  __  |   \|  |
|  |     |  |  |  |     \   \    |  | |  | |_ | |  . `  |
|  `----.|  `--'  | .----)   |   |  | |  |__| | |  |\   |
 \______| \______/  |_______/    |__|  \______| |__| \__|
cosign: A tool for Container Signing, Verification and Storage in an OCI registry.

GitVersion:    1.8.0
GitCommit:     9ef6b207218572b3257a5b4251418d75569baaae
GitTreeState:  "clean"
BuildDate:     2022-04-27T13:40:34Z
GoVersion:     go1.18.1
Compiler:      gc
Platform:      darwin/arm64

paolomainardi commented 1 year ago

I can try to take this one if it is still available.

paolomainardi commented 1 year ago

cc @znewman01 sorry for bothering you, just wanted to know if this one is still available and useful, I can try to do it.

znewman01 commented 1 year ago

Go for it! Thanks 😄

paolomainardi commented 1 year ago

Thanks!

paolomainardi commented 1 year ago

I think this is no longer reproducible since #1905 does not allow the signing of non-existent images.

This is an image I built locally and not yet pushed to the registry:

Error: signing [ghcr.io/paolomainardi/idi2023-sigstore-demo@sha256:0de516ea0f07af1b3e86dda35283f2cb00eeb34df08399978af177109d666a0d]: accessing image: entity not found in registry
main.go:62: error during command execution: signing [ghcr.io/paolomainardi/idi2023-sigstore-demo@sha256:0de516ea0f07af1b3e86dda35283f2cb00eeb34df08399978af177109d666a0d]: accessing image: entity not found in registry

znewman01 commented 1 year ago

You don't need to fix #1905 to repro this:

$ DIGEST=$(crane digest cgr.dev/chainguard/static)
$ crane copy cgr.dev/chainguard/static@$DIGEST ttl.sh/zjn-test:1h
$ cosign sign ttl.sh/zjn-test@$DIGEST
$ cosign attach sbom ttl.sh/zjn-test@$DIGEST  --sbom <(echo "{}")
$ cosign download sbom ttl.sh/zjn-test@$DIGEST  # works
$ crane delete ttl.sh/zjn-test@$DIGEST
$ cosign download sbom ttl.sh/zjn-test@$DIGEST
WARNING: Downloading SBOMs this way does not ensure its authenticity. If you want to ensure a tamper-proof SBOM, download it using 'cosign download attestation <image uri>' or verify its signature using 'cosign verify --key <key path> --attachment sbom <image uri>'.
Error: entity not found in registry
main.go:74: error during command execution: entity not found in registry
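
The repro above works because cosign stores the SBOM under a tag derived from the image digest, so locating it never needs the original manifest. As an added example (not cosign's own code), the stdlib-only Go function below derives that attachment reference from a digest reference using cosign's `sha256-<hex>.<suffix>` tag convention; the repository and digest values are taken from this thread, and the function name is my own.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// cosign's tag-based attachment layout (assumed here, the default for cosign 1.x):
//   <repo>:sha256-<hex>.<suffix>   with suffix sbom, sig or att
// The tag is a pure function of the digest, so it can be computed even when
// the image manifest itself has been deleted from the registry.
var digestRE = regexp.MustCompile(`^sha256:([0-9a-f]{64})$`)

// AttachmentRef returns the tag reference under which cosign stores the
// attachment of kind suffix for the digest-pinned image reference ref.
// A tag given alongside the digest (repo:tag@sha256:...) is ignored, as the
// registry ignores it too; a registry port (localhost:5000/repo) is preserved.
func AttachmentRef(ref, suffix string) (string, error) {
	switch suffix {
	case "sbom", "sig", "att":
	default:
		return "", fmt.Errorf("unknown attachment suffix %q", suffix)
	}
	at := strings.LastIndex(ref, "@")
	if at < 0 {
		return "", errors.New("reference must be pinned by digest (repo@sha256:...)")
	}
	repo, digest := ref[:at], ref[at+1:]
	m := digestRE.FindStringSubmatch(digest)
	if m == nil {
		return "", fmt.Errorf("malformed digest %q", digest)
	}
	// A ':' after the last '/' is a tag, not a registry port: drop it.
	if colon := strings.LastIndex(repo, ":"); colon > strings.LastIndex(repo, "/") {
		repo = repo[:colon]
	}
	return fmt.Sprintf("%s:sha256-%s.%s", repo, m[1], suffix), nil
}

func main() {
	// Digest reference from the thread (constructed usage; no network access).
	ref := "ghcr.io/paolomainardi/idi2023-sigstore-demo@sha256:0de516ea0f07af1b3e86dda35283f2cb00eeb34df08399978af177109d666a0d"
	for _, kind := range []string{"sbom", "sig", "att"} {
		out, err := AttachmentRef(ref, kind)
		fmt.Println(out, err)
	}
}
```

Note that the SBOM fetched this way is still only as trustworthy as the `cosign verify --attachment sbom` check the warning in the output above points to.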
vishal-chdhry commented 1 year ago

@znewman01 @paolomainardi I have created a PR that will close this