Closed RockRich closed 5 months ago
Description
Wrong timestamp inside signature.
GitLab shows that the signature is over 23 years old.
Does it only happen on Darwin binaries? No
Last version when it worked: Cosign 2.1.1
When I created a signature in version 2.1.1
./cosign-V2.1.1 sign --key=./cosign.key --tlog-upload=false randomImage
Then I get a Manifest like this:
{ "schemaVersion": 2, "mediaType": "application/vnd.oci.image.manifest.v1+json", "config": { "mediaType": "application/vnd.oci.image.config.v1+json", "size": 245, "digest": "sha256:ce8ea8ab655eaeb38cbfd9d224a9ca3400eeecf9cdf187680aa4266294116851" }, "layers": [{ "mediaType": "application/vnd.dev.cosign.simplesigning.v1+json", "size": 263, "digest": "sha256:4f755d248f1b7ba040c69ca9a04509a42162ec0f3adf55b0c0d32f7b10b8a6f4", "annotations": { "dev.cosignproject.cosign/signature": "MEUCIHhv13rSPbq2+qq5ziKQWEQQI6vmcXcEyD19zUTZknoSAiEA0smYpWnFBIR/cgk+JwEPvFYVZW/yYv6DS+tm2TwOsEA=" } }] }
The timestamp in the sha256:ce8ea8ab655eaeb38cbfd9d224a9ca3400eeecf9cdf187680aa4266294116851 file is correct (at least one of them is):
"created":"2024-04-08T18:08:39.635084+02:00"
{"architecture":"","created":"2024-04-08T18:08:39.635084+02:00","history":[{"created":"0001-01-01T00:00:00Z"}],"os":"","rootfs":{"type":"layers","diff_ids":["sha256:4f755d248f1b7ba040c69ca9a04509a42162ec0f3adf55b0c0d32f7b10b8a6f4"]},"config":{}}
The error has been present since Cosign version 2.2.0.
When I created a signature in version 2.2.0
./cosign-V2.2.0 sign --key=./cosign.key --tlog-upload=false randomImage
Then I get a Manifest like this:
{ "schemaVersion": 2, "mediaType": "application/vnd.oci.image.manifest.v1+json", "config": { "mediaType": "application/vnd.oci.image.config.v1+json", "size": 233, "digest": "sha256:7dd3db0ff29802b62d06d5e07c05a868f42fb7e46d922cfd4fba38f86f3bbfb6" }, "layers": [{ "mediaType": "application/vnd.dev.cosign.simplesigning.v1+json", "size": 263, "digest": "sha256:4f755d248f1b7ba040c69ca9a04509a42162ec0f3adf55b0c0d32f7b10b8a6f4", "annotations": { "dev.cosignproject.cosign/signature": "MEUCIQD2LxlidsEOsqex2NVIwwXzMIo1BbMUPB8mvKaP+LRjFwIgT8l+9eTG+6slCtmc3XQwGt6L0ZmmVTHkYaXIV8QASKY=" } }] }
The timestamp in the sha256:7dd3db0ff29802b62d06d5e07c05a868f42fb7e46d922cfd4fba38f86f3bbfb6 file is incorrect:
"created":"0001-01-01T00:00:00Z"
{"architecture":"","created":"0001-01-01T00:00:00Z","history":[{"created":"0001-01-01T00:00:00Z"}],"os":"","rootfs":{"type":"layers","diff_ids":["sha256:4f755d248f1b7ba040c69ca9a04509a42162ec0f3adf55b0c0d32f7b10b8a6f4"]},"config":{}}
As you can see, the timestamp changed to a nonsense value:
from 2024-04-08T18:08:39.635084+02:00 to 0001-01-01T00:00:00Z
I hope you can reproduce this issue.
Best wishes
Duplicate of https://github.com/sigstore/cosign/issues/3298. This is working as intended, for reproducibility.
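The 0001-01-01T00:00:00Z value that cosign 2.2.0 writes into the config blob is Go's zero time.Time, chosen so the signature artifact is reproducible; a consumer that reads it as a real creation date produces the bogus age the reporter saw. The check below is an added example, not code from cosign or from this issue: it parses the two config blobs quoted above (embedded here so it runs offline) and classifies the created field so a verifier can report it as unset rather than as an age. ClassifyCreated, ociConfig and CreatedStatus are names chosen for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"time"
)

// Two OCI config blobs, constructed here from the values quoted in the issue
// (cosign 2.1.1 vs. 2.2.0), embedded so the example runs offline.
const cfgV211 = `{"architecture":"","created":"2024-04-08T18:08:39.635084+02:00","history":[{"created":"0001-01-01T00:00:00Z"}],"os":"","rootfs":{"type":"layers","diff_ids":["sha256:4f755d248f1b7ba040c69ca9a04509a42162ec0f3adf55b0c0d32f7b10b8a6f4"]},"config":{}}`
const cfgV220 = `{"architecture":"","created":"0001-01-01T00:00:00Z","history":[{"created":"0001-01-01T00:00:00Z"}],"os":"","rootfs":{"type":"layers","diff_ids":["sha256:4f755d248f1b7ba040c69ca9a04509a42162ec0f3adf55b0c0d32f7b10b8a6f4"]},"config":{}}`

// ociConfig holds only the field this check needs from the config blob.
type ociConfig struct {
	Created time.Time `json:"created"`
}

// CreatedStatus tells a consumer how to treat the "created" field.
type CreatedStatus string

const (
	CreatedUnset CreatedStatus = "unset (zero time; not a signature age)"
	CreatedReal  CreatedStatus = "real timestamp"
)

// ClassifyCreated parses an OCI config blob and reports whether "created"
// carries a real timestamp or Go's zero time (encoded as 0001-01-01T00:00:00Z),
// which cosign >= 2.2.0 writes deliberately for reproducibility.
func ClassifyCreated(configJSON []byte) (CreatedStatus, time.Time, error) {
	var cfg ociConfig
	if err := json.Unmarshal(configJSON, &cfg); err != nil {
		return "", time.Time{}, fmt.Errorf("parse config: %w", err)
	}
	if cfg.Created.IsZero() {
		return CreatedUnset, cfg.Created, nil
	}
	return CreatedReal, cfg.Created, nil
}

func main() {
	for name, blob := range map[string]string{"cosign 2.1.1": cfgV211, "cosign 2.2.0": cfgV220} {
		status, created, err := ClassifyCreated([]byte(blob))
		if err != nil {
			fmt.Println(name, "error:", err)
			continue
		}
		fmt.Printf("%-12s created=%s -> %s\n", name, created.UTC().Format(time.RFC3339), status)
	}
}
```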