sigstore / cosign

Code signing and transparency for containers and binaries
Apache License 2.0

Cosign 2.2.1 breaks verify with KMS key #3362

Closed philwelz closed 9 months ago

philwelz commented 10 months ago

Description

Cosign 2.2.1 seems to have an issue with verify:

cosign verify --key azurekms://<AZUREKEYVAULT>/signtest <REGISTRY>.azurecr.io/bla:bla

Error: no matching signatures
main.go:69: error during command execution: no matching signatures

However, running the same command with 2.2.0 works:

cosign verify --key azurekms://<AZUREKEYVAULT>/signtest <REGISTRY>.azurecr.io/bla:bla

Verification for <REGISTRY>.azurecr.io/bla:bla --
The following checks were performed on each of these signatures:
  - The cosign claims were validated
  - Existence of the claims in the transparency log was verified offline
  - The signatures were verified against the specified public key

[{"critical":{"identity":{"docker-reference":"<REGISTRY>.azurecr.io/bla"},.....]

Version

GitVersion:    2.2.1
GitCommit:     12cbf9ea177d22bbf5cf028bcb4712b5f174ebc6
GitTreeState:  "clean"
BuildDate:     2023-11-07T12:39:46Z
GoVersion:     go1.21.3
Compiler:      gc
Platform:      darwin/arm64

hectorj2f commented 10 months ago

@haydentherapper Any thoughts of what changed in v2.2.1 ?

haydentherapper commented 10 months ago

@malancas any guesses if anything changed with the azure code?

SecH0us3 commented 10 months ago

The same problem?

Error: no matching signatures: unable to verify RFC3161 timestamp bundle: no TSA root certificate(s) provided to verify timestamp
main.go:69: error during command execution: no matching signatures: unable to verify RFC3161 timestamp bundle: no TSA root certificate(s) provided to verify timestamp

Not sure, but maybe this code broke us https://github.com/sigstore/cosign/compare/v2.2.0...v2.2.1#diff-8a85c8e688d61e16b8af8e09832ed2bef89c1163b0e9601a8363c782c387c006L651

malancas commented 10 months ago

@haydentherapper I'm only seeing minor and patch updates to the underlying Azure dependencies but I'll take a look at what changed and see if anything stands out.

haydentherapper commented 9 months ago

@philwelz Are you still having this issue with the latest version of Cosign?

haydentherapper commented 9 months ago

I am unable to replicate this, if this issue continues, feel free to reopen.