Open zackbradys opened 8 months ago
Additional testing with different registry, image, and oci artifacts:
cosign save and cosign load
### cosign tree
[root@ip-172-31-44-121 rancher]# cosign tree gcr.io/projectsigstore/cosign:v1.13.0
📦 Supply Chain Security Related artifacts for an image: gcr.io/projectsigstore/cosign:v1.13.0
└── 🔐 Signatures for an image tag: gcr.io/projectsigstore/cosign:sha256-398f441c46e58906dc6d3aaaad22fe63f018dc30acbe13b326e5a016e711301c.sig
├── 🍒 sha256:0f047e53f9630c3c5e1d49e679395f9b6ca6511d6543e610de6e5239c4addf9f
└── 🍒 sha256:0f047e53f9630c3c5e1d49e679395f9b6ca6511d6543e610de6e5239c4addf9f
└── 📦 SBOMs for an image tag: gcr.io/projectsigstore/cosign:sha256-398f441c46e58906dc6d3aaaad22fe63f018dc30acbe13b326e5a016e711301c.sbom
└── 🍒 sha256:7bef2e21cdf8b14af2f17577e801999129e48ad71aff2adcdf19453bea611da8
### cosign save
[root@ip-172-31-44-121 rancher]# cosign save --dir "images" gcr.io/projectsigstore/cosign:v1.13.0
[root@ip-172-31-44-121 rancher]# cd images/
[root@ip-172-31-44-121 images]# ls -la
total 8
drwxr-xr-x. 3 root root 55 Oct 21 20:04 .
drwxr-xr-x. 4 root root 83 Oct 21 20:04 ..
drwxr-xr-x. 3 root root 20 Oct 21 20:04 blobs
-rwxr-xr-x. 1 root root 710 Oct 21 20:04 index.json
-rwxr-xr-x. 1 root root 37 Oct 21 20:04 oci-layout
### cosign load
[root@ip-172-31-44-121 rancher]# cosign load --dir "images" harbor.ranchers.io/projectsigstore/cosign:v1.13.0
### cosign tree
[root@ip-172-31-44-121 rancher]# cosign tree harbor.ranchers.io/projectsigstore/cosign:v1.13.0
📦 Supply Chain Security Related artifacts for an image: harbor.ranchers.io/projectsigstore/cosign:v1.13.0
└── 🔐 Signatures for an image tag: harbor.ranchers.io/projectsigstore/cosign:sha256-398f441c46e58906dc6d3aaaad22fe63f018dc30acbe13b326e5a016e711301c.sig
├── 🍒 sha256:0f047e53f9630c3c5e1d49e679395f9b6ca6511d6543e610de6e5239c4addf9f
└── 🍒 sha256:0f047e53f9630c3c5e1d49e679395f9b6ca6511d6543e610de6e5239c4addf9f
cosign copy
### cosign tree
[root@ip-172-31-44-121 rancher]# cosign tree gcr.io/projectsigstore/cosign:v1.12.0
📦 Supply Chain Security Related artifacts for an image: gcr.io/projectsigstore/cosign:v1.12.0
└── 🔐 Signatures for an image tag: gcr.io/projectsigstore/cosign:sha256-880cc3ec8088fa59a43025d4f20961e8abc7c732e276a211cfb8b66793455dd0.sig
├── 🍒 sha256:168d7b7b18becf62f058b2b9c7def45cefc29d388a638a67b4081e3ca7d1b043
└── 🍒 sha256:168d7b7b18becf62f058b2b9c7def45cefc29d388a638a67b4081e3ca7d1b043
└── 📦 SBOMs for an image tag: gcr.io/projectsigstore/cosign:sha256-880cc3ec8088fa59a43025d4f20961e8abc7c732e276a211cfb8b66793455dd0.sbom
└── 🍒 sha256:280f6b3e9b982e70bc50e668783aa8ad7b8fe143ecd96f37b502cecfa3fd694c
### cosign copy gcr.io/projectsigstore/cosign:v1.12.0 harbor.ranchers.io/projectsigstore/cosign:v1.12.0
[root@ip-172-31-44-121 rancher]# cosign copy gcr.io/projectsigstore/cosign:v1.12.0 harbor.ranchers.io/projectsigstore/cosign:v1.12.0
Copying gcr.io/projectsigstore/cosign:sha256-880cc3ec8088fa59a43025d4f20961e8abc7c732e276a211cfb8b66793455dd0.sig to harbor.ranchers.io/projectsigstore/cosign:sha256-880cc3ec8088fa59a43025d4f20961e8abc7c732e276a211cfb8b66793455dd0.sig...
Copying gcr.io/projectsigstore/cosign@sha256:880cc3ec8088fa59a43025d4f20961e8abc7c732e276a211cfb8b66793455dd0 to harbor.ranchers.io/projectsigstore/cosign:sha256-880cc3ec8088fa59a43025d4f20961e8abc7c732e276a211cfb8b66793455dd0...
Copying gcr.io/projectsigstore/cosign:sha256-880cc3ec8088fa59a43025d4f20961e8abc7c732e276a211cfb8b66793455dd0.sbom to harbor.ranchers.io/projectsigstore/cosign:sha256-880cc3ec8088fa59a43025d4f20961e8abc7c732e276a211cfb8b66793455dd0.sbom...
Copying gcr.io/projectsigstore/cosign:sha256-5998902669bb0b5dd38f2c029354f9f98b62e82350e7dec161ae2f7e7df83e9d.sig to harbor.ranchers.io/projectsigstore/cosign:sha256-5998902669bb0b5dd38f2c029354f9f98b62e82350e7dec161ae2f7e7df83e9d.sig...
Copying gcr.io/projectsigstore/cosign:sha256-5998902669bb0b5dd38f2c029354f9f98b62e82350e7dec161ae2f7e7df83e9d.sbom to harbor.ranchers.io/projectsigstore/cosign:sha256-5998902669bb0b5dd38f2c029354f9f98b62e82350e7dec161ae2f7e7df83e9d.sbom...
Copying gcr.io/projectsigstore/cosign@sha256:5998902669bb0b5dd38f2c029354f9f98b62e82350e7dec161ae2f7e7df83e9d to harbor.ranchers.io/projectsigstore/cosign:sha256-5998902669bb0b5dd38f2c029354f9f98b62e82350e7dec161ae2f7e7df83e9d...
Copying gcr.io/projectsigstore/cosign:sha256-69f6ebd1f0bfc8adb6e336ee4a777f3fc5ee4900e6a1102709efc9cf123e2a60.sig to harbor.ranchers.io/projectsigstore/cosign:sha256-69f6ebd1f0bfc8adb6e336ee4a777f3fc5ee4900e6a1102709efc9cf123e2a60.sig...
Copying gcr.io/projectsigstore/cosign:sha256-69f6ebd1f0bfc8adb6e336ee4a777f3fc5ee4900e6a1102709efc9cf123e2a60.sbom to harbor.ranchers.io/projectsigstore/cosign:sha256-69f6ebd1f0bfc8adb6e336ee4a777f3fc5ee4900e6a1102709efc9cf123e2a60.sbom...
Copying gcr.io/projectsigstore/cosign@sha256:69f6ebd1f0bfc8adb6e336ee4a777f3fc5ee4900e6a1102709efc9cf123e2a60 to harbor.ranchers.io/projectsigstore/cosign:sha256-69f6ebd1f0bfc8adb6e336ee4a777f3fc5ee4900e6a1102709efc9cf123e2a60...
Copying gcr.io/projectsigstore/cosign:sha256-b7c30fbf9760a883caba99c93521a2e86f3ca1dccca66f1adec1d6776f94cd86.sig to harbor.ranchers.io/projectsigstore/cosign:sha256-b7c30fbf9760a883caba99c93521a2e86f3ca1dccca66f1adec1d6776f94cd86.sig...
Copying gcr.io/projectsigstore/cosign:sha256-b7c30fbf9760a883caba99c93521a2e86f3ca1dccca66f1adec1d6776f94cd86.sbom to harbor.ranchers.io/projectsigstore/cosign:sha256-b7c30fbf9760a883caba99c93521a2e86f3ca1dccca66f1adec1d6776f94cd86.sbom...
Copying gcr.io/projectsigstore/cosign@sha256:b7c30fbf9760a883caba99c93521a2e86f3ca1dccca66f1adec1d6776f94cd86 to harbor.ranchers.io/projectsigstore/cosign:sha256-b7c30fbf9760a883caba99c93521a2e86f3ca1dccca66f1adec1d6776f94cd86...
Copying gcr.io/projectsigstore/cosign:sha256-6aa75f53426b3ea3a5bee991963e55c49f60472899d16c02bbae4b9a89450e73.sig to harbor.ranchers.io/projectsigstore/cosign:sha256-6aa75f53426b3ea3a5bee991963e55c49f60472899d16c02bbae4b9a89450e73.sig...
Copying gcr.io/projectsigstore/cosign:sha256-6aa75f53426b3ea3a5bee991963e55c49f60472899d16c02bbae4b9a89450e73.sbom to harbor.ranchers.io/projectsigstore/cosign:sha256-6aa75f53426b3ea3a5bee991963e55c49f60472899d16c02bbae4b9a89450e73.sbom...
Copying gcr.io/projectsigstore/cosign@sha256:6aa75f53426b3ea3a5bee991963e55c49f60472899d16c02bbae4b9a89450e73 to harbor.ranchers.io/projectsigstore/cosign:sha256-6aa75f53426b3ea3a5bee991963e55c49f60472899d16c02bbae4b9a89450e73...
Copying gcr.io/projectsigstore/cosign:sha256-5176ab77ae0299e516e83f4593ab5215d48841b1f5a75b9eab3c8ddce9a9a228.sig to harbor.ranchers.io/projectsigstore/cosign:sha256-5176ab77ae0299e516e83f4593ab5215d48841b1f5a75b9eab3c8ddce9a9a228.sig...
Copying gcr.io/projectsigstore/cosign:sha256-5176ab77ae0299e516e83f4593ab5215d48841b1f5a75b9eab3c8ddce9a9a228.sbom to harbor.ranchers.io/projectsigstore/cosign:sha256-5176ab77ae0299e516e83f4593ab5215d48841b1f5a75b9eab3c8ddce9a9a228.sbom...
Copying gcr.io/projectsigstore/cosign@sha256:5176ab77ae0299e516e83f4593ab5215d48841b1f5a75b9eab3c8ddce9a9a228 to harbor.ranchers.io/projectsigstore/cosign:sha256-5176ab77ae0299e516e83f4593ab5215d48841b1f5a75b9eab3c8ddce9a9a228...
Copying gcr.io/projectsigstore/cosign@sha256:880cc3ec8088fa59a43025d4f20961e8abc7c732e276a211cfb8b66793455dd0 to harbor.ranchers.io/projectsigstore/cosign:v1.12.0...
### cosign tree harbor.ranchers.io/projectsigstore/cosign:v1.12.0
[root@ip-172-31-44-121 rancher]# cosign tree harbor.ranchers.io/projectsigstore/cosign:v1.12.0
📦 Supply Chain Security Related artifacts for an image: harbor.ranchers.io/projectsigstore/cosign:v1.12.0
└── 🔐 Signatures for an image tag: harbor.ranchers.io/projectsigstore/cosign:sha256-880cc3ec8088fa59a43025d4f20961e8abc7c732e276a211cfb8b66793455dd0.sig
├── 🍒 sha256:168d7b7b18becf62f058b2b9c7def45cefc29d388a638a67b4081e3ca7d1b043
└── 🍒 sha256:168d7b7b18becf62f058b2b9c7def45cefc29d388a638a67b4081e3ca7d1b043
└── 📦 SBOMs for an image tag: harbor.ranchers.io/projectsigstore/cosign:sha256-880cc3ec8088fa59a43025d4f20961e8abc7c732e276a211cfb8b66793455dd0.sbom
└── 🍒 sha256:280f6b3e9b982e70bc50e668783aa8ad7b8fe143ecd96f37b502cecfa3fd694c
Is there any update on this issue?
Description When using
cosign save
(and additionallycosign load
) to download and upload images with oci artifacts,cosign save
does not include the all oci artifacts.cosign copy
from registry to registry does copy the image and all oci artifacts. I'm not sure of a use case forcosign save
(and additionallycosign load
) to not include all oci artifacts, so I assume it is bug/error andcosign save
andcosign copy
should have the same functionalities. I've tried this with many different images and produced the same result. Please let me know if you need any additional information, troubleshooting, or validation from me!Version [root@ip-172-31-44-121 rancher]# cosign version GitVersion: v2.2.0 GitCommit: 546f1c5b91ef58d6b034a402d0211d980184a0e5 GitTreeState: clean BuildDate: 2023-08-31T18:52:52Z GoVersion: go1.21.0 Compiler: gc Platform: linux/amd64
cosign save and cosign load
cosign copy