
syft attest --output cyclonedx-json incompatible with cosign #1268

Closed
lehors opened this issue Oct 17, 2022 · 4 comments
Labels
bug Something isn't working

Comments

@lehors
Contributor

lehors commented Oct 17, 2022

What happened:
Produced an attestation with syft but cosign verify-attestation couldn't find it.

What you expected to happen:

cosign verify-attestation should successfully verify the attestation produced by syft

How to reproduce it (as minimally and precisely as possible):

$ syft attest --output cyclonedx-json localhost:5000/hello:latest

$ COSIGN_EXPERIMENTAL=1 cosign verify-attestation --allow-insecure-registry --type cyclonedx localhost:5000/hello:latest
Error: none of the attestations matched the predicate type: cyclonedx
main.go:62: error during command execution: none of the attestations matched the predicate type: cyclonedx

Anything else we need to know?:

The problem comes from syft using "https://cyclonedx.org/bom" as the predicate while cosign uses "https://cyclonedx.org/schema", defined in in-toto-golang.

Environment:

  • Output of syft version:
    Application: syft
    Version: 0.58.0
    JsonSchemaVersion: 4.0.0
    BuildDate: 2022-09-29T19:59:22Z
    GitCommit: b9b13d5
    GitDescription: v0.58.0
    Platform: darwin/amd64
    GoVersion: go1.18.6
    Compiler: gc
  • OS (e.g: cat /etc/os-release or similar):
    MacOs
@lehors lehors added the bug Something isn't working label Oct 17, 2022
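The failure in the report is a plain string comparison: cosign filters the attestations attached to the image by `predicateType` and only then verifies the subject digest, so two URIs that both mean "CycloneDX BOM" are still different predicate types. The following Go program is an added illustration of that matching step, not code from syft, cosign or in-toto-golang. The two URIs are the ones quoted in the issue; the statements, the image name and the digest are constructed sample data, and the function names (`SelectByPredicateType`, `SubjectBound`, `SampleStatements`) are this example's own.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// Statement is the in-toto Statement envelope that carries a predicate;
// a verifier filters on PredicateType before it looks at the predicate body.
type Statement struct {
	Type          string          `json:"_type"`
	PredicateType string          `json:"predicateType"`
	Subject       []Subject       `json:"subject"`
	Predicate     json.RawMessage `json:"predicate"`
}

// Subject binds the attestation to an artifact by name and digest.
type Subject struct {
	Name   string            `json:"name"`
	Digest map[string]string `json:"digest"`
}

// Predicate type URIs as quoted in the issue: the one syft 0.58.0 wrote and
// the one cosign resolved for --type cyclonedx via in-toto-golang.
// The constant names are this example's own.
const (
	PredicateCycloneDXSyft   = "https://cyclonedx.org/bom"
	PredicateCycloneDXInToto = "https://cyclonedx.org/schema"
)

// ErrNoMatch mirrors the message cosign printed in the issue.
var ErrNoMatch = errors.New("none of the attestations matched the predicate type")

// SelectByPredicateType decodes each raw statement and keeps those whose
// predicateType equals want exactly. Because this is string equality, a
// differently spelled URI for the same format is simply not found.
func SelectByPredicateType(raw [][]byte, want string) ([]Statement, error) {
	var matched []Statement
	for i, b := range raw {
		var st Statement
		if err := json.Unmarshal(b, &st); err != nil {
			return nil, fmt.Errorf("statement %d: malformed: %w", i, err)
		}
		if st.PredicateType == want {
			matched = append(matched, st)
		}
	}
	if len(matched) == 0 {
		return nil, fmt.Errorf("%w: %s", ErrNoMatch, want)
	}
	return matched, nil
}

// SubjectBound reports whether the statement names an artifact with the given
// digest. A verifier checks this after the type filter so that a BOM attested
// for some other image is not accepted for this one.
func SubjectBound(st Statement, alg, digest string) bool {
	for _, s := range st.Subject {
		if s.Digest[alg] == digest {
			return true
		}
	}
	return false
}

// SampleDigest is a constructed placeholder, not the digest of any real image.
const SampleDigest = "deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef"

// SampleStatements returns two constructed in-toto statements: one carrying
// the predicate type syft emitted, one with an unrelated made-up type.
func SampleStatements() [][]byte {
	return [][]byte{
		[]byte(`{"_type":"https://in-toto.io/Statement/v0.1",
		  "predicateType":"https://cyclonedx.org/bom",
		  "subject":[{"name":"localhost:5000/hello","digest":{"sha256":"` + SampleDigest + `"}}],
		  "predicate":{"bomFormat":"CycloneDX","specVersion":"1.4","components":[]}}`),
		[]byte(`{"_type":"https://in-toto.io/Statement/v0.1",
		  "predicateType":"https://example.invalid/other-predicate/v1",
		  "subject":[{"name":"localhost:5000/hello","digest":{"sha256":"` + SampleDigest + `"}}],
		  "predicate":{}}`),
	}
}

func main() {
	// As in the issue: the verifier asks for the in-toto-golang URI while the
	// attestation was written with the other one, so nothing matches.
	if _, err := SelectByPredicateType(SampleStatements(), PredicateCycloneDXInToto); err != nil {
		fmt.Println("lookup with in-toto-golang URI:", err)
	}
	// Asking for the URI syft actually wrote finds the attestation, and the
	// subject digest check then ties it to the image being verified.
	matched, err := SelectByPredicateType(SampleStatements(), PredicateCycloneDXSyft)
	if err != nil {
		panic(err)
	}
	fmt.Println("matched:", len(matched), "subject bound:", SubjectBound(matched[0], "sha256", SampleDigest))
}
```

Run it with `go run main.go`; the first lookup prints the same "none of the attestations matched" error the issue shows, the second finds one statement bound to the sample digest. The practical lesson for anyone wiring SBOM attestations into a policy check is to confirm that the producer and the verifier agree on the exact predicate URI, ideally by both importing it from one shared definition, which is what the follow-up comments on this issue arrange.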
@lehors
Contributor Author

lehors commented Oct 17, 2022

See related comment: in-toto/attestation#82 (comment)

lehors added a commit to lehors/syft that referenced this issue Oct 17, 2022
@lehors
Contributor Author

lehors commented Oct 17, 2022

It turns out that syft is using the predicate the CycloneDX project has selected (see CycloneDX/specification#132) so the issue ends up being more on the cosign side. I submitted a PR to update in-toto after which the incompatibility will disappear.

It would still be good for syft to pull the definition from the in-toto project directly rather than have its own definition, so I suggest keeping this open until that change is made with PR #1270.

@lehors
Contributor Author

lehors commented Oct 19, 2022

Fixed with PR #1270

@lehors lehors closed this as completed Oct 19, 2022
@spiffcs
Contributor

spiffcs commented Oct 19, 2022

Thank you @lehors for all the help on this one!
