sigstore / sigstore-rs

An experimental Rust crate for sigstore
https://sigstore.github.io/sigstore-rs/sigstore/
Apache License 2.0
167 stars, 51 forks

Better error message when OCI artifact doesn't have a sigstore manifest #19

Open flavio opened 2 years ago

flavio commented 2 years ago

The error message returned when an OCI artifact doesn't have a sigstore manifest should be improved.

How to reproduce

Attempt the verification of a container image that has not been signed with cosign:

cargo run --example verify -- --rekor-pub-key ~/.sigstore/root/targets/rekor.pub --fulcio-crt fulcio.crt.pem registry-testing.svc.lan/kubewarden/secure-pod-images --cert-email 'flavio@castelli.me'

The verification will fail because the registry-testing.svc.lan/kubewarden/secure-pod-images:<cosign triangulation result> does not exist.

However, the error message is not clear:

Image verification failed: Cannot pull manifest for image registry-testing.svc.lan/kubewarden/secure-pod-images:sha256-72b4569c3daee67abeaa64192fb53895d0edb2d44fa6e1d9d4c5d3f8ece09f6e.sig: OCI API error: manifest unknown on https://registry-testing.svc.lan/v2/kubewarden/secure-pod-images/manifests/sha256-72b4569c3daee67abeaa64192fb53895d0edb2d44fa6e1d9d4c5d3f8ece09f6e.sig

A better error message could be:

Image verification failed: the image hasn't been signed with cosign. The <registry/image:triangulation> OCI object could not be found
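Added illustration of the two pieces this issue touches, cosign's "triangulation" of the signature tag and mapping the registry's "manifest unknown" onto the clearer message proposed above. This is example code written for this page, not code from sigstore-rs or oci-distribution; `triangulate`, `classify_pull_error`, `VerifyError` and the substring match on the error text are assumptions made here.

```rust
// Added example: cosign triangulation of the signature reference and a
// clearer classification of the registry error quoted in the issue.
// Names and the string matching are assumptions, not the sigstore-rs API.

/// Error the verifier could surface instead of the raw registry message.
#[derive(Debug, PartialEq)]
pub enum VerifyError {
    /// The triangulated `.sig` manifest does not exist: no cosign signature.
    NotSigned { image: String, signature_ref: String },
    /// Any other failure while talking to the registry.
    Registry(String),
}

impl VerifyError {
    /// The user-facing message the issue asks for.
    pub fn message(&self) -> String {
        match self {
            VerifyError::NotSigned { signature_ref, .. } => format!(
                "Image verification failed: the image hasn't been signed with cosign. \
                 The {signature_ref} OCI object could not be found"
            ),
            VerifyError::Registry(e) => format!("Image verification failed: {e}"),
        }
    }
}

/// Derive the cosign signature reference for `image` pinned at `digest`
/// (`sha256:<hex>`): `<registry>/<repo>:sha256-<hex>.sig`.
pub fn triangulate(image: &str, digest: &str) -> Option<String> {
    let repo = image.split('@').next()?;
    let repo = match repo.rfind(':') {
        // A ':' after the last '/' separates a tag; earlier ones are a port.
        Some(i) if i > repo.rfind('/').unwrap_or(0) => &repo[..i],
        _ => repo,
    };
    let hex = digest.strip_prefix("sha256:")?;
    if hex.len() != 64 || !hex.chars().all(|c| c.is_ascii_hexdigit()) {
        return None;
    }
    Some(format!("{repo}:sha256-{hex}.sig"))
}

/// Map the error text from pulling the `.sig` manifest to a verifier error.
/// "manifest unknown" on the signature tag means the image is unsigned;
/// anything else is passed through unchanged.
pub fn classify_pull_error(image: &str, signature_ref: &str, err: &str) -> VerifyError {
    if err.contains("manifest unknown") {
        VerifyError::NotSigned { image: image.into(), signature_ref: signature_ref.into() }
    } else {
        VerifyError::Registry(err.to_string())
    }
}
```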

flavio commented 2 years ago

Thinking more about that issue, I think this needs oci-distribution to implement better error reporting.