sigstore / cosign

Code signing and transparency for containers and binaries
Apache License 2.0

Cosign can't verify by local key exported from HashiVault #3751

Open GarrykZ opened 5 months ago

GarrykZ commented 5 months ago

Description

I'm using HashiCorp Vault for securely storing signing keys. Then I want to use image verification in K8S using the Kyverno plugin (1.12). In the Kyverno policy I want to use the public key (not an integration with HashiVault).

Before deploying, I'm testing it locally:

1. get the public key from HashiVault and save it to key.pub
2. sign the image with the private key from HashiVault
3. verify the image with the stored key.pub

And... there is an error: no matching signatures. What am I doing wrong?

In the log below I see the signature digest Docker-Content-Digest: sha256:00677649ad1e48a0b52e0848e7968f62d077c80c93f38815b92672b425004f6f, but cosign can't find and verify it :C

Version 2.2.4

Full log:

```
$ cosign -version
WARNING: the -version flag is deprecated and will be removed in a future release. Please use the version subcommand instead.
cosign: A tool for Container Signing, Verification and Storage in an OCI registry.

GitVersion:    v2.2.4
GitCommit:     fb651b4ddd8176bd81756fca2d988dd8611f514d
GitTreeState:  clean
BuildDate:     2024-04-10T21:57:27Z
GoVersion:     go1.21.11
Compiler:      gc
Platform:      linux/amd64

$ cosign sign --key hashivault://cosign harbor.domain.local/kb/test/tomcat:latest --tlog-upload=false -y
WARNING: Image reference harbor.domain.local/kb/test/tomcat:latest uses a tag, not a digest, to identify the image to sign. This can lead you to sign a different image than the intended one. Please use a digest (example.com/ubuntu@sha256:abc123...) rather than tag (example.com/ubuntu:latest) for the input to cosign. The ability to refer to images by tag will be removed in a future release.

Pushing signature to: harbor.domain.local/kb/test/tomcat
$ cosign public-key --key hashivault://cosign > key.pub
$ cat key.pub
-----BEGIN PUBLIC KEY-----
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAy1XfHdS/xzpIVYD1sWy9
zWrsZg6P/+NIxGI/ncUTURo0CUw07JcZtsNduevtaZtaQLWwyJi6+Ad1Ru0xQ6LW
fTfVrAyAickZ+lrOh01PH9H6DQxAPy+PFEt+KKIHlckqrxeUJUVINGZg3ZDpqp0p
CoweK3d1de3m7+MtQAxBkV4HtL4xT7zs10v0oOFGrsMMVnZljWrjKA/SPqnTmnOG
zTFLVFOjjQvD2slzMaN/3gHgE40cdi/GVIPIQuPMqHJxRgvHZRyty8SwUu37fIbp
/7Rz/TVqFdxfBjhEYuhCiljhDOnpKY4jPr4cokw6T/oT7fI7ojcH3WeRCDMI+39w
lNBY7xczHkkfQmCzbCstdBMCc89KXbFf2xGYByHlx5S14IImQ7DoS1AFfts+iMwJ
SUVkIiYYOGvnTHNpzODTPgYF5SEYzksHNFVboCrwSquPIJSH4EwEIgv/S6iEZVOX
+yo2KHWgVjusb8By6Zs7MFqWcf8Oy2B9S9+5fQ80a/R4tTodnXbcwYp6cSkNwmE9
U3tw24tHfcGRiuDzt0hwXFssEvfAKzFGE1RZDKmOnkZTfIL+80Kri2PhVO8QSpJk
ThMb7/wHDiXYfkvDeed6eX64tmpp4h0hiDViItIbqk5XNh4v9ZNq+gXtvk3K2uoY
ueE2m/klQOm8gvan8xyXcq8CAwEAAQ==
-----END PUBLIC KEY-----
$ cosign verify --key key.pub harbor.domain.local/kb/test/tomcat:latest --private-infrastructure
Error: no matching signatures: crypto/rsa: verification error
main.go:69: error during command execution: no matching signatures: crypto/rsa: verification error
$ cosign verify --key key.pub harbor.domain.local/kb/test/tomcat:latest --private-infrastructure -d
2024/06/26 15:41:14 --> GET https://harbor.domain.local/v2/
2024/06/26 15:41:14 GET /v2/ HTTP/1.1
Host: harbor.domain.local
User-Agent: cosign/v2.2.4 (linux; amd64) go-containerregistry/v0.19.1
Accept-Encoding: gzip

2024/06/26 15:41:14 <-- 401 https://harbor.domain.local/v2/ (82.568621ms)
2024/06/26 15:41:14 HTTP/1.1 401 Unauthorized
Content-Length: 76
Connection: keep-alive
Content-Type: application/json; charset=utf-8
Date: Wed, 26 Jun 2024 15:41:14 GMT
Docker-Distribution-Api-Version: registry/2.0
Server: nginx
Set-Cookie: sid=e4e4774df7ba2e7d86f2a6c04e1de90e; Path=/; HttpOnly
Www-Authenticate: Bearer realm="https://harbor.domain.local/service/token",service="harbor-registry"
X-Request-Id: e6f45bc6-dffe-4351-9f1e-db13a1f61d24

{"errors":[{"code":"UNAUTHORIZED","message":"unauthorized: unauthorized"}]}

2024/06/26 15:41:14 --> GET https://harbor.domain.local/service/token?scope=repository%3Akb%2Ftest%2Ftomcat%3Apull&service=harbor-registry [body redacted: basic token response contains credentials]
2024/06/26 15:41:14 GET /service/token?scope=repository%3Akb%2Ftest%2Ftomcat%3Apull&service=harbor-registry HTTP/1.1
Host: harbor.domain.local
User-Agent: cosign/v2.2.4 (linux; amd64) go-containerregistry/v0.19.1
Authorization:
Accept-Encoding: gzip

2024/06/26 15:41:14 <-- 200 https://harbor.domain.local/service/token?scope=repository%3Akb%2Ftest%2Ftomcat%3Apull&service=harbor-registry (37.001894ms) [body redacted: basic token response contains credentials]
2024/06/26 15:41:14 HTTP/1.1 200 OK
Connection: keep-alive
Content-Security-Policy: frame-ancestors 'none'
Content-Type: application/json; charset=utf-8
Date: Wed, 26 Jun 2024 15:41:14 GMT
Server: nginx
Set-Cookie: sid=a6a306ea49bec6c9c88c17eb08348c4c; Path=/; Secure; HttpOnly
Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
X-Frame-Options: DENY
X-Request-Id: fa30a788-9054-4c79-acc2-26e8b5d83b2b

2024/06/26 15:41:14 --> GET https://harbor.domain.local/v2/kb/test/tomcat/manifests/latest
2024/06/26 15:41:14 GET /v2/kb/test/tomcat/manifests/latest HTTP/1.1
Host: harbor.domain.local
User-Agent: cosign/v2.2.4 (linux; amd64) go-containerregistry/v0.19.1
Accept: application/vnd.docker.distribution.manifest.v1+json,application/vnd.docker.distribution.manifest.v1+prettyjws,application/vnd.docker.distribution.manifest.v2+json,application/vnd.oci.image.manifest.v1+json,application/vnd.docker.distribution.manifest.list.v2+json,application/vnd.oci.image.index.v1+json
Authorization:
Accept-Encoding: gzip

2024/06/26 15:41:14 <-- 200 https://harbor.domain.local/v2/kb/test/tomcat/manifests/latest (20.546238ms)
2024/06/26 15:41:14 HTTP/1.1 200 OK
Content-Length: 1995
Connection: keep-alive
Content-Security-Policy: frame-ancestors 'none'
Content-Type: application/vnd.docker.distribution.manifest.v2+json
Date: Wed, 26 Jun 2024 15:41:14 GMT
Docker-Content-Digest: sha256:5ce070ad13a28c1e398ca62b1a7c34b2d0a5e59a158cd18d5a7f660f32b7f228
Docker-Distribution-Api-Version: registry/2.0
Etag: "sha256:5ce070ad13a28c1e398ca62b1a7c34b2d0a5e59a158cd18d5a7f660f32b7f228"
Server: nginx
Set-Cookie: sid=9412769ad8cbdb005a40227c486c3d0c; Path=/; HttpOnly
Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
X-Frame-Options: DENY
X-Request-Id: ea44b5ea-ce68-4ecb-a870-903d675e74fe

{ "schemaVersion": 2, "mediaType": "application/vnd.docker.distribution.manifest.v2+json", "config": { "mediaType": "application/vnd.docker.container.image.v1+json", "size": 12747, "digest": "sha256:4a75d8ec8312d825325205062d916278b101f9a77dc98120575caf0eec021ad9" }, "layers": [ { "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip", "size": 30447114, "digest": "sha256:df2fac849a4581b035132d99e203fd83dc65590ea565435a266cb0e14a508838" }, { "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip", "size": 17458145, "digest": "sha256:c506251a0ae0b836353578bafa8d6aeb266158d3291ba4abbc2f5f8ccda6f742" }, { "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip", "size": 158640089, "digest": "sha256:127f7734cc88e82b85a490a49b02364f4d665cc4c27941587f3901bf99619f7a" }, { "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip", "size": 175, "digest": "sha256:eabc79a4d7f6c11b002a51dfc68bb7fad2da17d31c984428e0affaba1e88fda3" }, { "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip", "size": 732, "digest": "sha256:cb0704fc9e8298f8c6371c3324c792282950ba0fab31dd49ac8e3c994f7318b2" }, { "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip", "size": 174, "digest": "sha256:9ea8abad4482081cf1412b1df46db5866d432dc63fb270c468eeb7df96cab329" }, { "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip", "size": 12796135, "digest": "sha256:ee2a7cc21b5d96aad46514b457b700e0e24431ac0caea07fbbd0ba4450ff125c" }, { "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip", "size": 130, "digest": "sha256:bc84b42ed1a9a8b758ca0b3626784df34d572e22265d4aa3a9fcd5b6e05c0c0b" } ] }

2024/06/26 15:41:14 --> GET https://harbor.domain.local/v2/kb/test/tomcat/manifests/sha256-5ce070ad13a28c1e398ca62b1a7c34b2d0a5e59a158cd18d5a7f660f32b7f228.sig
2024/06/26 15:41:14 GET /v2/kb/test/tomcat/manifests/sha256-5ce070ad13a28c1e398ca62b1a7c34b2d0a5e59a158cd18d5a7f660f32b7f228.sig HTTP/1.1
Host: harbor.domain.local
User-Agent: cosign/v2.2.4 (linux; amd64) go-containerregistry/v0.19.1
Accept: application/vnd.docker.distribution.manifest.v1+json,application/vnd.docker.distribution.manifest.v1+prettyjws,application/vnd.docker.distribution.manifest.v2+json,application/vnd.oci.image.manifest.v1+json,application/vnd.docker.distribution.manifest.list.v2+json,application/vnd.oci.image.index.v1+json
Authorization:
Accept-Encoding: gzip

2024/06/26 15:41:14 <-- 200 https://harbor.domain.local/v2/kb/test/tomcat/manifests/sha256-5ce070ad13a28c1e398ca62b1a7c34b2d0a5e59a158cd18d5a7f660f32b7f228.sig (12.664503ms)
2024/06/26 15:41:14 HTTP/1.1 200 OK
Content-Length: 1146
Connection: keep-alive
Content-Security-Policy: frame-ancestors 'none'
Content-Type: application/vnd.oci.image.manifest.v1+json
Date: Wed, 26 Jun 2024 15:41:14 GMT
Docker-Content-Digest: sha256:00677649ad1e48a0b52e0848e7968f62d077c80c93f38815b92672b425004f6f
Docker-Distribution-Api-Version: registry/2.0
Etag: "sha256:00677649ad1e48a0b52e0848e7968f62d077c80c93f38815b92672b425004f6f"
Server: nginx
Set-Cookie: sid=80b6f827eb337c122f5f73e1b8204fd3; Path=/; HttpOnly
Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
X-Frame-Options: DENY
X-Request-Id: 715988b6-fd03-4e2f-9c7f-b18af50a0efd

{"schemaVersion":2,"mediaType":"application/vnd.oci.image.manifest.v1+json","config":{"mediaType":"application/vnd.oci.image.config.v1+json","size":233,"digest":"sha256:be18391083c58c19f3e3b8057577f7b4c75e518a0252d600f59ec80bbe459cfa"},"layers":[{"mediaType":"application/vnd.dev.cosign.simplesigning.v1+json","size":247,"digest":"sha256:c71c3a876276a838045c709e84697da6aade195609d280a39c55060b38540625","annotations":{"dev.cosignproject.cosign/signature":"pWRzcLWTUm0w6064SFGGycMf+R3oOBUxL1fVRr8D/At5YIQ3Aq1UpbPjnT+X2+NpH1Ppzbg5a4+adY19zqJThgkM6x+lsh1Ak8Up7A+WlTtn9OGVU97lPDPtTSpQbTlYYytfesMHJWjIb3UqzgiPAz7Xy+Oue52nktWmygS2wB4feYUrXvhOr9g5iuhwP7NvEvAZ2n285/PPUJAHG7fRj6zhpAlGA69y+Q50xFQ3CRL3gzxk4OYnLGZSurehX1o6WFqXRl+R8NqLvZExoqWBMm+n0Dp/W2gNQvfdvr2aYgevYLfACD/ZE7IaU9/Tju9u0JVV41c/KwmylNRmmPkp6S76l3+T+3Tle9rmlrySp/cKQGO4gZSwUJDF39mLY0df14OSzlY7taAP/rvwSB9exzTeBrAHUOG31CJ7SFzATDezJHYxqn5lsNZajHo2tThML3k+3F5tqTTZwyHjabNfiQP207HeoG4SbGSBU5rOXw+rtlyUPhbBSrUIr37zteYnytXu8zutTHRtbhXAnIycy3j9QKMb9xsm6j1ysCsdjc1c0Y2Fgh8/8qxkVE+8eJLbJdntykRLtdz54GvrDELRwY9njtpwpszs6rx5/+biB50MyMhG9RUF7CQiOZzjBghUuTn7Ap7jR+ELEyl+t4o6oSmUHdpa74zzc57o1Kpu4lI="}}]}

2024/06/26 15:41:14 --> GET https://harbor.domain.local/v2/kb/test/tomcat/blobs/sha256:c71c3a876276a838045c709e84697da6aade195609d280a39c55060b38540625 [body redacted: omitting binary blobs from logs]
2024/06/26 15:41:14 GET /v2/kb/test/tomcat/blobs/sha256:c71c3a876276a838045c709e84697da6aade195609d280a39c55060b38540625 HTTP/1.1
Host: harbor.domain.local
User-Agent: cosign/v2.2.4 (linux; amd64) go-containerregistry/v0.19.1
Authorization:
Accept-Encoding: gzip

2024/06/26 15:41:14 <-- 200 https://harbor.domain.local/v2/kb/test/tomcat/blobs/sha256:c71c3a876276a838045c709e84697da6aade195609d280a39c55060b38540625 (18.632553ms) [body redacted: omitting binary blobs from logs]
2024/06/26 15:41:14 HTTP/1.1 200 OK
Content-Length: 247
Accept-Ranges: bytes
Cache-Control: max-age=31536000
Connection: keep-alive
Content-Security-Policy: frame-ancestors 'none'
Content-Type: application/octet-stream
Date: Wed, 26 Jun 2024 15:41:14 GMT
Docker-Content-Digest: sha256:c71c3a876276a838045c709e84697da6aade195609d280a39c55060b38540625
Docker-Distribution-Api-Version: registry/2.0
Etag: "sha256:c71c3a876276a838045c709e84697da6aade195609d280a39c55060b38540625"
Server: nginx
Set-Cookie: sid=10e4ec18aa379c27cb0e2bbf8fb89d2a; Path=/; HttpOnly
Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
X-Frame-Options: DENY
X-Request-Id: fd1e66b0-58aa-4d6c-81f0-8ade124bb2fd

Error: no matching signatures: crypto/rsa: verification error
main.go:69: error during command execution: no matching signatures: crypto/rsa: verification error
```

GarrykZ commented 5 months ago

Keys are stored in HashiCorp Vault's transit engine.
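An added diagnostic, written for this issue and not part of cosign or the reporter's setup: `crypto/rsa: verification error` means the signature bytes did not verify under the scheme the local verifier tried, and one common cause with RSA keys is a padding mismatch, since cosign's `--key` verifier checks PKCS#1 v1.5 while Vault's transit engine signs RSA keys with PSS unless `signature_algorithm` is set otherwise (so the same key verifies through `hashivault://` but not from `key.pub`). `classifySignature` takes the exported public key, the 247-byte simple-signing payload blob the trace fetches last, and the base64-decoded `dev.cosignproject.cosign/signature` annotation, and reports which scheme the signature actually uses; the demo's generated key, constructed payload and PSS stand-in for a transit signature are assumptions.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// classifySignature hashes a cosign simple-signing payload with SHA-256 (the digest cosign
// signs) and checks sig (the base64-decoded signature annotation) under both RSA schemes.
// cosign's local RSA verifier only checks PKCS#1 v1.5, so a PSS signature fails with
// "crypto/rsa: verification error" even with the right key.
func classifySignature(pub *rsa.PublicKey, payload, sig []byte) (string, error) {
	digest := sha256.Sum256(payload)
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil {
		return "pkcs1v15", nil
	}
	if rsa.VerifyPSS(pub, crypto.SHA256, digest[:], sig, nil) == nil {
		return "pss", nil
	}
	return "", fmt.Errorf("crypto/rsa: verification error under both schemes")
}

// demo signs a constructed payload (the shape cosign stores, with the image digest from the
// report) using a fresh key; usePSS stands in for a KMS whose RSA default is PSS (assumption).
func demo(usePSS bool) (string, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return "", err
	}
	payload := []byte(`{"critical":{"identity":{"docker-reference":"harbor.domain.local/kb/test/tomcat"},` +
		`"image":{"docker-manifest-digest":"sha256:5ce070ad13a28c1e398ca62b1a7c34b2d0a5e59a158cd18d5a7f660f32b7f228"},` +
		`"type":"cosign container image signature"},"optional":null}`)
	digest := sha256.Sum256(payload)
	var sig []byte
	if usePSS {
		sig, err = rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest[:], nil)
	} else {
		sig, err = rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	}
	if err != nil {
		return "", err
	}
	return classifySignature(&priv.PublicKey, payload, sig)
}

func main() {
	fmt.Println(demo(true)) // pss <nil>
}
```

If the real annotation classifies as "pss", the fix is on the signing side (configure the transit key or signer for PKCS#1 v1.5) or on the verifying side (a PSS-aware verifier), not in the exported key.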