Description
I am coding an application that verifies attestations, but when calling
verifiedAttestations, _, err := cosign.VerifyImageAttestations(ctx, ref, &cosign.CheckOpts...)
I get:
unable to verify bundle: matching bundle to payload: invalid kind value: "dsse"
The code is like this:
package main

// Imports were not shown in the original report; the module paths below are
// inferred from the identifiers used (go-containerregistry, Gatekeeper
// externaldata, cosign v2, sigstore) and should match what go.mod pins.
import (
	"context"
	"crypto"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"log"
	"os"

	"github.com/google/go-containerregistry/pkg/name"
	"github.com/open-policy-agent/frameworks/constraint/pkg/externaldata"
	"github.com/sigstore/cosign/v2/pkg/cosign"
	"github.com/sigstore/sigstore/pkg/signature"
)

// processAttestations verifies the attestations attached to each image
// reference in keys with the public key loaded from disk. appendError is
// defined elsewhere in the reporter's code.
func processAttestations(ctx context.Context, keys []string) ([]externaldata.Item, error) {
	results := []externaldata.Item{}
	verifier, err := loadPublicKeyVerifier()
	if err != nil {
		return nil, err
	}
	for _, key := range keys {
		ref, err := name.ParseReference(key)
		if err != nil {
			return appendError(results, key, fmt.Sprintf("Error parsing reference: %v", err))
		}
		verifiedAttestations, _, err := cosign.VerifyImageAttestations(ctx, ref, &cosign.CheckOpts{
			SigVerifier:   verifier,
			ClaimVerifier: cosign.IntotoSubjectClaimVerifier, // Do I need this?
		})
		log.Printf("Verified attestations %v ", verifiedAttestations)
		if err != nil {
			return appendError(results, key, fmt.Sprintf("Failed to verify attestation: %v", err))
		}
		// [...] (rest of the loop body elided in the original report)
	}
	return results, nil
}

// loadPublicKeyVerifier reads a PEM-encoded PKIX public key and wraps it in a
// sigstore verifier that hashes with SHA-256.
func loadPublicKeyVerifier() (signature.Verifier, error) {
	pubKeyBytes, err := os.ReadFile("/etc/cosign/cosign.pub")
	if err != nil {
		return nil, fmt.Errorf("error reading public key file: %v", err)
	}
	block, _ := pem.Decode(pubKeyBytes)
	if block == nil || block.Type != "PUBLIC KEY" {
		return nil, fmt.Errorf("failed to decode PEM block containing public key or incorrect type")
	}
	pubKey, err := x509.ParsePKIXPublicKey(block.Bytes)
	if err != nil {
		return nil, fmt.Errorf("error parsing PKIX public key: %v", err)
	}
	verifier, err := signature.LoadVerifier(pubKey, crypto.SHA256)
	if err != nil {
		return nil, fmt.Errorf("failed to load verifier: %v", err)
	}
	return verifier, nil
}
[...]
The attestation is generated in this way:
and then I can verify it without issues by calling:
that returns a json like this:
If I run
oras manifest fetch docker.io/jpolidor/goat-jdk:sha256-3c0cf95856d49303347b9f8aa352ccad9e97f138384577c3334d80751f3ebfe6.att | jq
I get the details of the attestation and can see that the bundle is enclosed in a DSSE envelope:
Am I missing something here?
Version
Cosign CLI version:
Go Module version for github.com/sigstore/sigstore: v1.8.3
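For readers of this issue, here is what verifying one DSSE-wrapped in-toto attestation against a public key involves when done by hand with only the Go standard library. It is an added example, not code from the issue and not cosign's implementation: it signs and checks the DSSE Pre-Authentication Encoding (PAE) per the DSSE spec, and then checks that the statement's subject digest is the image's digest, which is the job the ClaimVerifier (IntotoSubjectClaimVerifier in the snippet above) does in cosign. The key pair, the statement, its predicate type and the payloadType constant are constructed or assumed here; only the hex digest is taken from the .att tag shown above.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// Envelope is the DSSE envelope shape stored in the .att layer.
type Envelope struct {
	PayloadType string      `json:"payloadType"`
	Payload     string      `json:"payload"` // base64 of the in-toto statement
	Signatures  []Signature `json:"signatures"`
}
type Signature struct {
	Sig string `json:"sig"` // base64 signature over the PAE
}

// Statement is the part of an in-toto Statement the subject check needs.
type Statement struct {
	PredicateType string    `json:"predicateType"`
	Subject       []Subject `json:"subject"`
}
type Subject struct {
	Name   string            `json:"name"`
	Digest map[string]string `json:"digest"`
}

const intotoPayloadType = "application/vnd.in-toto+json" // assumed media type

// pae is the DSSE Pre-Authentication Encoding, the bytes actually signed:
// "DSSEv1" SP LEN(type) SP type SP LEN(body) SP body, lengths in decimal.
func pae(payloadType string, payload []byte) []byte {
	head := fmt.Sprintf("DSSEv1 %d %s %d ", len(payloadType), payloadType, len(payload))
	return append([]byte(head), payload...)
}

// VerifyAttestation needs (1) a signature in the envelope that verifies over the
// PAE with pub (ECDSA P-256, SHA-256, ASN.1 DER) and (2) a subject whose sha256 is
// imageDigest (hex). (1) proves who signed; (2) proves it is about this image.
func VerifyAttestation(envelopeJSON []byte, pub *ecdsa.PublicKey, imageDigest string) (*Statement, error) {
	var env Envelope
	if err := json.Unmarshal(envelopeJSON, &env); err != nil {
		return nil, fmt.Errorf("decoding envelope: %w", err)
	}
	if env.PayloadType != intotoPayloadType { // the type is bound by the PAE, so check it
		return nil, fmt.Errorf("unexpected payloadType %q", env.PayloadType)
	}
	payload, err := base64.StdEncoding.DecodeString(env.Payload)
	if err != nil {
		return nil, fmt.Errorf("decoding payload: %w", err)
	}
	digest := sha256.Sum256(pae(env.PayloadType, payload))
	var verified bool
	for _, s := range env.Signatures {
		sig, err := base64.StdEncoding.DecodeString(s.Sig)
		verified = verified || (err == nil && ecdsa.VerifyASN1(pub, digest[:], sig))
	}
	if !verified {
		return nil, fmt.Errorf("no signature verifies with the given key")
	}
	var st Statement
	if err := json.Unmarshal(payload, &st); err != nil {
		return nil, fmt.Errorf("decoding in-toto statement: %w", err)
	}
	for _, sub := range st.Subject {
		if sub.Digest["sha256"] == imageDigest {
			return &st, nil
		}
	}
	return nil, fmt.Errorf("no subject matches sha256:%s", imageDigest)
}

// SignStatement builds a one-signature envelope over the PAE; test input only.
func SignStatement(priv *ecdsa.PrivateKey, statementJSON []byte) ([]byte, error) {
	digest := sha256.Sum256(pae(intotoPayloadType, statementJSON))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		return nil, err
	}
	return json.Marshal(Envelope{
		PayloadType: intotoPayloadType,
		Payload:     base64.StdEncoding.EncodeToString(statementJSON),
		Signatures:  []Signature{{Sig: base64.StdEncoding.EncodeToString(sig)}},
	})
}

// ImageDigest is the hex digest from the .att tag; the statement is constructed.
const ImageDigest = "3c0cf95856d49303347b9f8aa352ccad9e97f138384577c3334d80751f3ebfe6"

var SampleStatement = []byte(`{"_type":"https://in-toto.io/Statement/v0.1","predicateType":"https://example.com/predicate/v1",` +
	`"subject":[{"name":"docker.io/jpolidor/goat-jdk","digest":{"sha256":"` + ImageDigest + `"}}],"predicate":{"constructed":true}}`)

func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	env, _ := SignStatement(priv, SampleStatement)
	st, err := VerifyAttestation(env, &priv.PublicKey, ImageDigest)
	fmt.Println(st.PredicateType, err)
}
```

The point of the two-step check is the one raised by the "Do I need this?" comment: a valid signature alone only proves that the holder of cosign.key signed some statement; without the subject-digest comparison an attestation for a different image would be accepted for this one.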