Closed thesayyn closed 11 months ago
I can try to take this one if it is still available.
cc @znewman01 sorry for bothering you, just wanted to know if this one is still available and useful, i can try to do it.
Go for it! Thanks 😄
Thanks!
I think this is no longer reproducible since #1905 does not allow the signing of non-existing images.
This is an image I built locally and not yet pushed to the registry:
Error: signing [ghcr.io/paolomainardi/idi2023-sigstore-demo@sha256:0de516ea0f07af1b3e86dda35283f2cb00eeb34df08399978af177109d666a0d]: accessing image: entity not found in registry
main.go:62: error during command execution: signing [ghcr.io/paolomainardi/idi2023-sigstore-demo@sha256:0de516ea0f07af1b3e86dda35283f2cb00eeb34df08399978af177109d666a0d]: accessing image: entity not found in registry
You don't need to fix #1905 to repro this:
$ DIGEST=$(crane digest cgr.dev/chainguard/static)
$ crane copy cgr.dev/chainguard/static@$DIGEST ttl.sh/zjn-test:1h
$ cosign sign ttl.sh/zjn-test@$DIGEST
$ cosign attach sbom ttl.sh/zjn-test@$DIGEST --sbom <(echo "{}")
$ cosign download sbom ttl.sh/zjn-test@$DIGEST # works
$ crane delete ttl.sh/zjn-test@$DIGEST
$ cosign download sbom ttl.sh/zjn-test@$DIGEST
WARNING: Downloading SBOMs this way does not ensure its authenticity. If you want to ensure a tamper-proof SBOM, download it using 'cosign download attestation <image uri>' or verify its signature using 'cosign verify --key <key path> --attachment sbom <image uri>'.
Error: entity not found in registry
main.go:74: error during command execution: entity not found in registry
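The repro above fails because `cosign download sbom` resolves the image before fetching the attachment, even though the attachment tag is a pure function of the digest. The helper below is an added example written for this thread (not cosign's own code) that derives the `sha256-<hex>.sbom` / `.sig` / `.att` tag offline; the digest in `main` is constructed, not a real image.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// cosign stores objects attached to an image under a tag in the same repository:
// <repo>:sha256-<hex>.sbom (likewise .sig and .att). Only the digest is needed.
var digestRe = regexp.MustCompile(`^sha256:[0-9a-f]{64}$`)

// AttachmentTag returns the tag reference for the given attachment kind
// ("sbom", "sig" or "att") of an image referenced by digest. It never contacts
// a registry, which is why downloading an SBOM should not require the original
// manifest to still exist. Note that fetching by tag alone gives no authenticity
// guarantee; the thread's warning applies, so verify with
// `cosign verify --attachment sbom` before trusting the content.
func AttachmentTag(ref, kind string) (string, error) {
	repo, digest, ok := strings.Cut(ref, "@")
	if !ok || repo == "" {
		return "", errors.New("reference must be of the form <repo>@sha256:<hex>")
	}
	if !digestRe.MatchString(digest) {
		return "", fmt.Errorf("malformed digest %q", digest)
	}
	switch kind {
	case "sbom", "sig", "att":
	default:
		return "", fmt.Errorf("unknown attachment kind %q", kind)
	}
	// ':' is not a valid tag character, so "sha256:<hex>" becomes "sha256-<hex>".
	return fmt.Sprintf("%s:%s.%s", repo, strings.Replace(digest, ":", "-", 1), kind), nil
}

func main() {
	// Constructed digest for demonstration only.
	ref := "ttl.sh/zjn-test@sha256:" + strings.Repeat("ab", 32)
	for _, kind := range []string{"sbom", "sig", "att"} {
		tag, err := AttachmentTag(ref, kind)
		if err != nil {
			panic(err)
		}
		fmt.Println(tag)
	}
}
```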
@znewman01 @paolomainardi I have created a PR that will close this
Description
This is related to https://github.com/sigstore/cosign/issues/1905
Currently, when trying to download a sbom attached to an image via a digest, it fails trying to look up for the original image.
Error:
Ideally, this command shouldn't go look up to see if the image really exists.
What I am trying to do:
1 - build an image locally
2 - get its digest
3 - call cosign sign repo@digest and sign the image at remote
4 - call cosign attach sbom repo@digest --sbom <path>
5 - call cosign download sbom repo@digest (for verifying purposes)
6 - push the image
Version