sigstore / cosign

Code signing and transparency for containers and binaries
Apache License 2.0

cosign save fails with oci artifacts #3316

Open zackbradys opened 8 months ago

zackbradys commented 8 months ago

Description

When using cosign save (and additionally cosign load) to download and upload images with OCI artifacts, cosign save does not include all OCI artifacts.

cosign copy from registry to registry does copy the image and all OCI artifacts. I'm not sure of a use case for cosign save (and additionally cosign load) not including all OCI artifacts, so I assume it is a bug/error and that cosign save and cosign copy should have the same functionality. I've tried this with many different images and produced the same result. Please let me know if you need any additional information, troubleshooting, or validation from me!

Version

[root@ip-172-31-44-121 rancher]# cosign version
GitVersion:    v2.2.0
GitCommit:     546f1c5b91ef58d6b034a402d0211d980184a0e5
GitTreeState:  clean
BuildDate:     2023-08-31T18:52:52Z
GoVersion:     go1.21.0
Compiler:      gc
Platform:      linux/amd64

cosign save and cosign load

### Install Cosign
mkdir -p /opt/rancher/cosign
cd /opt/rancher/cosign
curl -#OL https://github.com/sigstore/cosign/releases/download/v2.2.0/cosign-linux-amd64
mv cosign-linux-amd64 /usr/bin/cosign
chmod 755 /usr/bin/cosign
### cosign login
[root@ip-172-31-44-121 rancher]# cosign login rgcrprod.azurecr.us -u $USER1 -p $PW2
auth.go:274: logged in via /root/.docker/config.json
### cosign tree
[root@ip-172-31-44-121 rancher]# cosign tree rgcrprod.azurecr.us/rancher/rke2-runtime:v1.25.14-rke2r1
📦 Supply Chain Security Related artifacts for an image: rgcrprod.azurecr.us/rancher/rke2-runtime:v1.25.14-rke2r1
└── 💾 Attestations for an image tag: rgcrprod.azurecr.us/rancher/rke2-runtime:sha256-ca3044c1157c8d535ad48630740c328b558cba9e78d85315e5c6552df5cc286a.att
   └── 🍒 sha256:ea26d7bf6f46242e8705a83a19a8a5d9ffeb1ef7fa84f9a73f7a9f0085382fef
└── 🔐 Signatures for an image tag: rgcrprod.azurecr.us/rancher/rke2-runtime:sha256-ca3044c1157c8d535ad48630740c328b558cba9e78d85315e5c6552df5cc286a.sig
   └── 🍒 sha256:0fe4ed9488a0a1ab3d0b060694984fb04648f42ce8df8b731d74003507ca5524
└── 📦 SBOMs for an image tag: rgcrprod.azurecr.us/rancher/rke2-runtime:sha256-ca3044c1157c8d535ad48630740c328b558cba9e78d85315e5c6552df5cc286a.sbom
   └── 🍒 sha256:31d6e436e97cf2c712d7445acce1772e5126b66ca54b4a4b03e60aee4b8aad63
### cosign save
[root@ip-172-31-44-121 rancher]# cosign save --dir "images" rgcrprod.azurecr.us/rancher/rke2-runtime:v1.25.14-rke2r1
[root@ip-172-31-44-121 rancher]# cd images/
[root@ip-172-31-44-121 images]# ls -la
total 8
drwxr-xr-x. 3 root root  55 Oct 21 19:03 .
drwxr-xr-x. 4 root root  83 Oct 21 19:03 ..
drwxr-xr-x. 3 root root  20 Oct 21 19:03 blobs
-rwxr-xr-x. 1 root root 998 Oct 21 19:03 index.json
-rwxr-xr-x. 1 root root  37 Oct 21 19:03 oci-layout
### cosign login
[root@ip-172-31-44-121 rancher]# cosign login harbor.ranchers.io -u $USER2 -p $PW2
auth.go:274: logged in via /root/.docker/config.json
### cosign load
[root@ip-172-31-44-121 rancher]# cosign load --dir "images" harbor.ranchers.io/rancher/rke2-runtime:v1.25.14-rke2r1
### cosign tree
[root@ip-172-31-44-121 rancher]# cosign tree harbor.ranchers.io/rancher/rke2-runtime:v1.25.14-rke2r1
📦 Supply Chain Security Related artifacts for an image: harbor.ranchers.io/rancher/rke2-runtime:v1.25.14-rke2r1
└── 🔐 Signatures for an image tag: harbor.ranchers.io/rancher/rke2-runtime:sha256-ca3044c1157c8d535ad48630740c328b558cba9e78d85315e5c6552df5cc286a.sig
   └── 🍒 sha256:0fe4ed9488a0a1ab3d0b060694984fb04648f42ce8df8b731d74003507ca5524
└── 💾 Attestations for an image tag: harbor.ranchers.io/rancher/rke2-runtime:sha256-ca3044c1157c8d535ad48630740c328b558cba9e78d85315e5c6552df5cc286a.att
   └── 🍒 sha256:ea26d7bf6f46242e8705a83a19a8a5d9ffeb1ef7fa84f9a73f7a9f0085382fef

cosign copy

### cosign tree
[root@ip-172-31-44-121 rancher]# cosign tree rgcrprod.azurecr.us/rancher/rancher:v2.7.8
📦 Supply Chain Security Related artifacts for an image: rgcrprod.azurecr.us/rancher/rancher:v2.7.8
└── 💾 Attestations for an image tag: rgcrprod.azurecr.us/rancher/rancher:sha256-e0c0ebf1cbb10fbfd59e2dee181c2a084f1dd5c137d635a73a571b8543130646.att
   └── 🍒 sha256:9d80ce6222cbf6ce499013f5baf0ce069b6d0c2a750c72814517a15744aa5d8f
└── 🔐 Signatures for an image tag: rgcrprod.azurecr.us/rancher/rancher:sha256-e0c0ebf1cbb10fbfd59e2dee181c2a084f1dd5c137d635a73a571b8543130646.sig
   └── 🍒 sha256:293210338487c2af911929c8b84142cf8abeb0cb47435631298c32c3e6aba753
└── 📦 SBOMs for an image tag: rgcrprod.azurecr.us/rancher/rancher:sha256-e0c0ebf1cbb10fbfd59e2dee181c2a084f1dd5c137d635a73a571b8543130646.sbom
   └── 🍒 sha256:aa5d5a20a79659aacfc7b1a877e48ee5fa21598e462a31e8e1c46a90f7740c37
### cosign copy
[root@ip-172-31-44-121 rancher]# cosign copy rgcrprod.azurecr.us/rancher/rancher:v2.7.8 harbor.ranchers.io/rancher/rancher:v2.7.8
Copying rgcrprod.azurecr.us/rancher/rancher:sha256-e0c0ebf1cbb10fbfd59e2dee181c2a084f1dd5c137d635a73a571b8543130646.sig to harbor.ranchers.io/rancher/rancher:sha256-e0c0ebf1cbb10fbfd59e2dee181c2a084f1dd5c137d635a73a571b8543130646.sig...
Copying rgcrprod.azurecr.us/rancher/rancher:sha256-e0c0ebf1cbb10fbfd59e2dee181c2a084f1dd5c137d635a73a571b8543130646.sbom to harbor.ranchers.io/rancher/rancher:sha256-e0c0ebf1cbb10fbfd59e2dee181c2a084f1dd5c137d635a73a571b8543130646.sbom...
Copying rgcrprod.azurecr.us/rancher/rancher@sha256:e0c0ebf1cbb10fbfd59e2dee181c2a084f1dd5c137d635a73a571b8543130646 to harbor.ranchers.io/rancher/rancher:sha256-e0c0ebf1cbb10fbfd59e2dee181c2a084f1dd5c137d635a73a571b8543130646...
Copying rgcrprod.azurecr.us/rancher/rancher:sha256-e0c0ebf1cbb10fbfd59e2dee181c2a084f1dd5c137d635a73a571b8543130646.att to harbor.ranchers.io/rancher/rancher:sha256-e0c0ebf1cbb10fbfd59e2dee181c2a084f1dd5c137d635a73a571b8543130646.att...
Copying rgcrprod.azurecr.us/rancher/rancher:sha256-eb827c2b0dca1b065ee4eb62721cd9153279f7b4aa00a3d7d1142b986b7e7be3.sig to harbor.ranchers.io/rancher/rancher:sha256-eb827c2b0dca1b065ee4eb62721cd9153279f7b4aa00a3d7d1142b986b7e7be3.sig...
Copying rgcrprod.azurecr.us/rancher/rancher@sha256:eb827c2b0dca1b065ee4eb62721cd9153279f7b4aa00a3d7d1142b986b7e7be3 to harbor.ranchers.io/rancher/rancher:sha256-eb827c2b0dca1b065ee4eb62721cd9153279f7b4aa00a3d7d1142b986b7e7be3...
Copying rgcrprod.azurecr.us/rancher/rancher:sha256-5f86b9949727f3856a3493c723449b88654dc70efce22c200497a30f11197558.sig to harbor.ranchers.io/rancher/rancher:sha256-5f86b9949727f3856a3493c723449b88654dc70efce22c200497a30f11197558.sig...
Copying rgcrprod.azurecr.us/rancher/rancher@sha256:5f86b9949727f3856a3493c723449b88654dc70efce22c200497a30f11197558 to harbor.ranchers.io/rancher/rancher:sha256-5f86b9949727f3856a3493c723449b88654dc70efce22c200497a30f11197558...
Copying rgcrprod.azurecr.us/rancher/rancher:sha256-14c5c9027d0ba954023cc840ca87a02c27f79f4ec5c987a75ed391eba16794e0.sig to harbor.ranchers.io/rancher/rancher:sha256-14c5c9027d0ba954023cc840ca87a02c27f79f4ec5c987a75ed391eba16794e0.sig...
Copying rgcrprod.azurecr.us/rancher/rancher@sha256:14c5c9027d0ba954023cc840ca87a02c27f79f4ec5c987a75ed391eba16794e0 to harbor.ranchers.io/rancher/rancher:sha256-14c5c9027d0ba954023cc840ca87a02c27f79f4ec5c987a75ed391eba16794e0...
Copying rgcrprod.azurecr.us/rancher/rancher@sha256:e0c0ebf1cbb10fbfd59e2dee181c2a084f1dd5c137d635a73a571b8543130646 to harbor.ranchers.io/rancher/rancher:v2.7.8...
### cosign tree
[root@ip-172-31-44-121 rancher]# cosign tree harbor.ranchers.io/rancher/rancher:v2.7.8
📦 Supply Chain Security Related artifacts for an image: harbor.ranchers.io/rancher/rancher:v2.7.8
└── 💾 Attestations for an image tag: harbor.ranchers.io/rancher/rancher:sha256-e0c0ebf1cbb10fbfd59e2dee181c2a084f1dd5c137d635a73a571b8543130646.att
   └── 🍒 sha256:9d80ce6222cbf6ce499013f5baf0ce069b6d0c2a750c72814517a15744aa5d8f
└── 🔐 Signatures for an image tag: harbor.ranchers.io/rancher/rancher:sha256-e0c0ebf1cbb10fbfd59e2dee181c2a084f1dd5c137d635a73a571b8543130646.sig
   └── 🍒 sha256:293210338487c2af911929c8b84142cf8abeb0cb47435631298c32c3e6aba753
└── 📦 SBOMs for an image tag: harbor.ranchers.io/rancher/rancher:sha256-e0c0ebf1cbb10fbfd59e2dee181c2a084f1dd5c137d635a73a571b8543130646.sbom
   └── 🍒 sha256:aa5d5a20a79659aacfc7b1a877e48ee5fa21598e462a31e8e1c46a90f7740c37
zackbradys commented 8 months ago

Additional testing with different registry, image, and oci artifacts:

cosign save and cosign load

### cosign tree
[root@ip-172-31-44-121 rancher]# cosign tree gcr.io/projectsigstore/cosign:v1.13.0
📦 Supply Chain Security Related artifacts for an image: gcr.io/projectsigstore/cosign:v1.13.0
└── 🔐 Signatures for an image tag: gcr.io/projectsigstore/cosign:sha256-398f441c46e58906dc6d3aaaad22fe63f018dc30acbe13b326e5a016e711301c.sig
   ├── 🍒 sha256:0f047e53f9630c3c5e1d49e679395f9b6ca6511d6543e610de6e5239c4addf9f
   └── 🍒 sha256:0f047e53f9630c3c5e1d49e679395f9b6ca6511d6543e610de6e5239c4addf9f
└── 📦 SBOMs for an image tag: gcr.io/projectsigstore/cosign:sha256-398f441c46e58906dc6d3aaaad22fe63f018dc30acbe13b326e5a016e711301c.sbom
   └── 🍒 sha256:7bef2e21cdf8b14af2f17577e801999129e48ad71aff2adcdf19453bea611da8
### cosign save
[root@ip-172-31-44-121 rancher]# cosign save --dir "images" gcr.io/projectsigstore/cosign:v1.13.0
[root@ip-172-31-44-121 rancher]# cd images/
[root@ip-172-31-44-121 images]# ls -la
total 8
drwxr-xr-x. 3 root root  55 Oct 21 20:04 .
drwxr-xr-x. 4 root root  83 Oct 21 20:04 ..
drwxr-xr-x. 3 root root  20 Oct 21 20:04 blobs
-rwxr-xr-x. 1 root root 710 Oct 21 20:04 index.json
-rwxr-xr-x. 1 root root  37 Oct 21 20:04 oci-layout
### cosign load
[root@ip-172-31-44-121 rancher]# cosign load --dir "images" harbor.ranchers.io/projectsigstore/cosign:v1.13.0
### cosign tree
[root@ip-172-31-44-121 rancher]# cosign tree harbor.ranchers.io/projectsigstore/cosign:v1.13.0
📦 Supply Chain Security Related artifacts for an image: harbor.ranchers.io/projectsigstore/cosign:v1.13.0
└── 🔐 Signatures for an image tag: harbor.ranchers.io/projectsigstore/cosign:sha256-398f441c46e58906dc6d3aaaad22fe63f018dc30acbe13b326e5a016e711301c.sig
   ├── 🍒 sha256:0f047e53f9630c3c5e1d49e679395f9b6ca6511d6543e610de6e5239c4addf9f
   └── 🍒 sha256:0f047e53f9630c3c5e1d49e679395f9b6ca6511d6543e610de6e5239c4addf9f

cosign copy

### cosign tree
[root@ip-172-31-44-121 rancher]# cosign tree gcr.io/projectsigstore/cosign:v1.12.0
📦 Supply Chain Security Related artifacts for an image: gcr.io/projectsigstore/cosign:v1.12.0
└── 🔐 Signatures for an image tag: gcr.io/projectsigstore/cosign:sha256-880cc3ec8088fa59a43025d4f20961e8abc7c732e276a211cfb8b66793455dd0.sig
   ├── 🍒 sha256:168d7b7b18becf62f058b2b9c7def45cefc29d388a638a67b4081e3ca7d1b043
   └── 🍒 sha256:168d7b7b18becf62f058b2b9c7def45cefc29d388a638a67b4081e3ca7d1b043
└── 📦 SBOMs for an image tag: gcr.io/projectsigstore/cosign:sha256-880cc3ec8088fa59a43025d4f20961e8abc7c732e276a211cfb8b66793455dd0.sbom
   └── 🍒 sha256:280f6b3e9b982e70bc50e668783aa8ad7b8fe143ecd96f37b502cecfa3fd694c
### cosign copy gcr.io/projectsigstore/cosign:v1.12.0 harbor.ranchers.io/projectsigstore/cosign:v1.12.0
[root@ip-172-31-44-121 rancher]# cosign copy gcr.io/projectsigstore/cosign:v1.12.0 harbor.ranchers.io/projectsigstore/cosign:v1.12.0
Copying gcr.io/projectsigstore/cosign:sha256-880cc3ec8088fa59a43025d4f20961e8abc7c732e276a211cfb8b66793455dd0.sig to harbor.ranchers.io/projectsigstore/cosign:sha256-880cc3ec8088fa59a43025d4f20961e8abc7c732e276a211cfb8b66793455dd0.sig...
Copying gcr.io/projectsigstore/cosign@sha256:880cc3ec8088fa59a43025d4f20961e8abc7c732e276a211cfb8b66793455dd0 to harbor.ranchers.io/projectsigstore/cosign:sha256-880cc3ec8088fa59a43025d4f20961e8abc7c732e276a211cfb8b66793455dd0...
Copying gcr.io/projectsigstore/cosign:sha256-880cc3ec8088fa59a43025d4f20961e8abc7c732e276a211cfb8b66793455dd0.sbom to harbor.ranchers.io/projectsigstore/cosign:sha256-880cc3ec8088fa59a43025d4f20961e8abc7c732e276a211cfb8b66793455dd0.sbom...
Copying gcr.io/projectsigstore/cosign:sha256-5998902669bb0b5dd38f2c029354f9f98b62e82350e7dec161ae2f7e7df83e9d.sig to harbor.ranchers.io/projectsigstore/cosign:sha256-5998902669bb0b5dd38f2c029354f9f98b62e82350e7dec161ae2f7e7df83e9d.sig...
Copying gcr.io/projectsigstore/cosign:sha256-5998902669bb0b5dd38f2c029354f9f98b62e82350e7dec161ae2f7e7df83e9d.sbom to harbor.ranchers.io/projectsigstore/cosign:sha256-5998902669bb0b5dd38f2c029354f9f98b62e82350e7dec161ae2f7e7df83e9d.sbom...
Copying gcr.io/projectsigstore/cosign@sha256:5998902669bb0b5dd38f2c029354f9f98b62e82350e7dec161ae2f7e7df83e9d to harbor.ranchers.io/projectsigstore/cosign:sha256-5998902669bb0b5dd38f2c029354f9f98b62e82350e7dec161ae2f7e7df83e9d...
Copying gcr.io/projectsigstore/cosign:sha256-69f6ebd1f0bfc8adb6e336ee4a777f3fc5ee4900e6a1102709efc9cf123e2a60.sig to harbor.ranchers.io/projectsigstore/cosign:sha256-69f6ebd1f0bfc8adb6e336ee4a777f3fc5ee4900e6a1102709efc9cf123e2a60.sig...
Copying gcr.io/projectsigstore/cosign:sha256-69f6ebd1f0bfc8adb6e336ee4a777f3fc5ee4900e6a1102709efc9cf123e2a60.sbom to harbor.ranchers.io/projectsigstore/cosign:sha256-69f6ebd1f0bfc8adb6e336ee4a777f3fc5ee4900e6a1102709efc9cf123e2a60.sbom...
Copying gcr.io/projectsigstore/cosign@sha256:69f6ebd1f0bfc8adb6e336ee4a777f3fc5ee4900e6a1102709efc9cf123e2a60 to harbor.ranchers.io/projectsigstore/cosign:sha256-69f6ebd1f0bfc8adb6e336ee4a777f3fc5ee4900e6a1102709efc9cf123e2a60...
Copying gcr.io/projectsigstore/cosign:sha256-b7c30fbf9760a883caba99c93521a2e86f3ca1dccca66f1adec1d6776f94cd86.sig to harbor.ranchers.io/projectsigstore/cosign:sha256-b7c30fbf9760a883caba99c93521a2e86f3ca1dccca66f1adec1d6776f94cd86.sig...
Copying gcr.io/projectsigstore/cosign:sha256-b7c30fbf9760a883caba99c93521a2e86f3ca1dccca66f1adec1d6776f94cd86.sbom to harbor.ranchers.io/projectsigstore/cosign:sha256-b7c30fbf9760a883caba99c93521a2e86f3ca1dccca66f1adec1d6776f94cd86.sbom...
Copying gcr.io/projectsigstore/cosign@sha256:b7c30fbf9760a883caba99c93521a2e86f3ca1dccca66f1adec1d6776f94cd86 to harbor.ranchers.io/projectsigstore/cosign:sha256-b7c30fbf9760a883caba99c93521a2e86f3ca1dccca66f1adec1d6776f94cd86...
Copying gcr.io/projectsigstore/cosign:sha256-6aa75f53426b3ea3a5bee991963e55c49f60472899d16c02bbae4b9a89450e73.sig to harbor.ranchers.io/projectsigstore/cosign:sha256-6aa75f53426b3ea3a5bee991963e55c49f60472899d16c02bbae4b9a89450e73.sig...
Copying gcr.io/projectsigstore/cosign:sha256-6aa75f53426b3ea3a5bee991963e55c49f60472899d16c02bbae4b9a89450e73.sbom to harbor.ranchers.io/projectsigstore/cosign:sha256-6aa75f53426b3ea3a5bee991963e55c49f60472899d16c02bbae4b9a89450e73.sbom...
Copying gcr.io/projectsigstore/cosign@sha256:6aa75f53426b3ea3a5bee991963e55c49f60472899d16c02bbae4b9a89450e73 to harbor.ranchers.io/projectsigstore/cosign:sha256-6aa75f53426b3ea3a5bee991963e55c49f60472899d16c02bbae4b9a89450e73...
Copying gcr.io/projectsigstore/cosign:sha256-5176ab77ae0299e516e83f4593ab5215d48841b1f5a75b9eab3c8ddce9a9a228.sig to harbor.ranchers.io/projectsigstore/cosign:sha256-5176ab77ae0299e516e83f4593ab5215d48841b1f5a75b9eab3c8ddce9a9a228.sig...
Copying gcr.io/projectsigstore/cosign:sha256-5176ab77ae0299e516e83f4593ab5215d48841b1f5a75b9eab3c8ddce9a9a228.sbom to harbor.ranchers.io/projectsigstore/cosign:sha256-5176ab77ae0299e516e83f4593ab5215d48841b1f5a75b9eab3c8ddce9a9a228.sbom...
Copying gcr.io/projectsigstore/cosign@sha256:5176ab77ae0299e516e83f4593ab5215d48841b1f5a75b9eab3c8ddce9a9a228 to harbor.ranchers.io/projectsigstore/cosign:sha256-5176ab77ae0299e516e83f4593ab5215d48841b1f5a75b9eab3c8ddce9a9a228...
Copying gcr.io/projectsigstore/cosign@sha256:880cc3ec8088fa59a43025d4f20961e8abc7c732e276a211cfb8b66793455dd0 to harbor.ranchers.io/projectsigstore/cosign:v1.12.0...
### cosign tree harbor.ranchers.io/projectsigstore/cosign:v1.12.0
[root@ip-172-31-44-121 rancher]# cosign tree harbor.ranchers.io/projectsigstore/cosign:v1.12.0
📦 Supply Chain Security Related artifacts for an image: harbor.ranchers.io/projectsigstore/cosign:v1.12.0
└── 🔐 Signatures for an image tag: harbor.ranchers.io/projectsigstore/cosign:sha256-880cc3ec8088fa59a43025d4f20961e8abc7c732e276a211cfb8b66793455dd0.sig
   ├── 🍒 sha256:168d7b7b18becf62f058b2b9c7def45cefc29d388a638a67b4081e3ca7d1b043
   └── 🍒 sha256:168d7b7b18becf62f058b2b9c7def45cefc29d388a638a67b4081e3ca7d1b043
└── 📦 SBOMs for an image tag: harbor.ranchers.io/projectsigstore/cosign:sha256-880cc3ec8088fa59a43025d4f20961e8abc7c732e276a211cfb8b66793455dd0.sbom
   └── 🍒 sha256:280f6b3e9b982e70bc50e668783aa8ad7b8fe143ecd96f37b502cecfa3fd694c
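Both reproductions above show the same gap: after `cosign save` and `cosign load`, the destination registry is missing artifacts that `cosign tree` listed on the source (the SBOM in both runs). A team moving images through an air-gapped hop will want a gate that inspects the saved layout directory before `cosign load` pushes it, so the missing artifact is caught on the export side rather than discovered later by `cosign verify`. The script below is an added example, not code from this issue or from the cosign project. It parses the OCI image-layout files that `cosign save` writes (`oci-layout`, `index.json`, `blobs/`) and reports which artifact kinds and which referenced blobs are absent. It assumes, as a hypothetical detail not stated in the issue, that cosign annotates each `index.json` entry with a `kind` annotation whose values are `dev.cosignproject.cosign/image`, `.../sigs`, `.../atts` and `.../sboms`; adjust `KIND_ANNOTATION` and `KINDS` if your cosign version differs. The layout it checks is constructed inline with placeholder digests.

```python
import json
import os
import tempfile

# Assumed annotation scheme for cosign's layout entries (not from the issue).
KIND_ANNOTATION = "kind"
KINDS = {
    "image": "dev.cosignproject.cosign/image",
    "signatures": "dev.cosignproject.cosign/sigs",
    "attestations": "dev.cosignproject.cosign/atts",
    "sboms": "dev.cosignproject.cosign/sboms",
}
ALL_KINDS = tuple(KINDS)


def load_index(layout_dir):
    """Parse index.json from an OCI image-layout directory.

    The oci-layout marker file is required first, so a plain directory of
    files is not mistaken for a layout.
    """
    with open(os.path.join(layout_dir, "oci-layout")) as f:
        if "imageLayoutVersion" not in json.load(f):
            raise ValueError("oci-layout marker lacks imageLayoutVersion")
    with open(os.path.join(layout_dir, "index.json")) as f:
        return json.load(f)


def artifact_kinds(index):
    """Map each kind name in KINDS to the digests of index entries of that kind."""
    by_value = {value: name for name, value in KINDS.items()}
    found = {name: [] for name in KINDS}
    for entry in index.get("manifests", []):
        kind = entry.get("annotations", {}).get(KIND_ANNOTATION)
        if kind in by_value:
            found[by_value[kind]].append(entry["digest"])
    return found


def missing_kinds(index, expected=ALL_KINDS):
    """Return the expected artifact kinds that have no entry in the index."""
    found = artifact_kinds(index)
    return sorted(kind for kind in expected if not found[kind])


def missing_blobs(layout_dir, index):
    """Return digests listed in index.json whose blob file is absent on disk."""
    missing = []
    for entry in index.get("manifests", []):
        algo, hexdigest = entry["digest"].split(":", 1)
        if not os.path.isfile(os.path.join(layout_dir, "blobs", algo, hexdigest)):
            missing.append(entry["digest"])
    return missing


def check_layout(layout_dir, expected=ALL_KINDS):
    """Run both checks; an empty result means the layout is safe to load."""
    index = load_index(layout_dir)
    return {
        "missing_kinds": missing_kinds(index, expected),
        "missing_blobs": missing_blobs(layout_dir, index),
    }


def make_sample_layout():
    """Write a constructed layout carrying the image, signatures and
    attestations but no SBOM, mirroring what the issue observed after load.
    The attestation blob is deliberately left out to exercise the blob check.
    Digests are made-up placeholders, not real manifests."""
    root = tempfile.mkdtemp(prefix="cosign-layout-")
    entries = [
        ("image", "sha256:" + "11" * 32, True),
        ("signatures", "sha256:" + "22" * 32, True),
        ("attestations", "sha256:" + "33" * 32, False),
    ]
    manifests = []
    for name, digest, write_blob in entries:
        manifests.append({
            "mediaType": "application/vnd.oci.image.manifest.v1+json",
            "digest": digest,
            "size": 2,
            "annotations": {KIND_ANNOTATION: KINDS[name]},
        })
        if write_blob:
            algo, hexdigest = digest.split(":", 1)
            os.makedirs(os.path.join(root, "blobs", algo), exist_ok=True)
            with open(os.path.join(root, "blobs", algo, hexdigest), "w") as f:
                f.write("{}")
    with open(os.path.join(root, "oci-layout"), "w") as f:
        json.dump({"imageLayoutVersion": "1.0.0"}, f)
    with open(os.path.join(root, "index.json"), "w") as f:
        json.dump({"schemaVersion": 2, "manifests": manifests}, f)
    return root


if __name__ == "__main__":
    # -> missing_kinds ['sboms'], missing_blobs [the attestation placeholder]
    print(check_layout(make_sample_layout()))
```

In practice you would run `check_layout("images")` right after `cosign save --dir images ...` and refuse to ship the directory when either list is non-empty; the expected set can be narrowed (for instance to `("image", "signatures")`) for images that were never attested.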
clemenko commented 8 months ago

adding https://github.com/sigstore/cosign/issues/2705

zackbradys commented 7 months ago

Is there any update on this issue?