Cosign keyless mode verification not working #2184

Closed
ningziwen opened this issue Apr 15, 2023 · 1 comment
Labels
kind/unconfirmed-bug-claim Unconfirmed bug claim

Comments

@ningziwen
Contributor

ningziwen commented Apr 15, 2023

Description

Cosign keyless mode verification is not working because --certificate-identity or --certificate-identity-regexp is required for keyless verification, which was introduced in sigstore/cosign#2411.

As nerdctl didn't package or specify Cosign 2.0.0, maybe this is not necessarily a regression. It can be a step to move forward to Cosign 2.0.0.

Steps to reproduce the issue

$ sudo ./_output/nerdctl push --sign=cosign <image>
$ sudo ./_output/nerdctl pull --verify=cosign <image>
INFO[0001] cosign: Error: --certificate-identity or --certificate-identity-regexp is required for verification in keyless mode 
INFO[0001] cosign: main.go:74: error during command execution: --certificate-identity or --certificate-identity-regexp is required for verification in keyless mode

Describe the results you received and expected

Expect it to succeed.

What version of nerdctl are you using?

$ ./_output/nerdctl version
Client:
 Version:       v1.3.1
 OS/Arch:       linux/amd64
 Git commit:    b224b280ff3086516763c7335fc0e0997aca617a
 buildctl:
  Version:      v0.11.3
  GitCommit:    4ddee42a32aac4cd33bf9c2be4c87c2ffd34747b

Server:
 containerd:
  Version:      1.6.16
  GitCommit:    31aa4358a36870b21a992d3ad2bef29e1d693bec
 runc:
  Version:      1.1.4
  GitCommit:    v1.1.4-0-g5fd4c4d

Are you using a variant of nerdctl? (e.g., Rancher Desktop)

None

Host information

$ ./_output/nerdctl info
Client:
 Namespace:     default
 Debug Mode:    false

Server:
 Server Version: 1.6.16
 Storage Driver: overlayfs
 Logging Driver: json-file
 Cgroup Driver: none
 Cgroup Version: 1
 Plugins:
  Log: fluentd journald json-file syslog
  Storage: aufs native overlayfs
 Security Options:
  apparmor
  seccomp
   Profile: default
  rootless
 Kernel Version: 5.4.0-1099-aws
 Operating System: Ubuntu 18.04.6 LTS
 OSType: linux
 Architecture: x86_64
 CPUs: 2
 Total Memory: 7.565GiB
 Name: ip-172-31-84-158
 ID: 9c5e3b7f-301a-48cf-82f3-133f608b8185

WARNING: AppArmor profile "nerdctl-default" is not loaded.
         Use 'sudo nerdctl apparmor load' if you prefer to use AppArmor with rootless mode.
         This warning is negligible if you do not intend to use AppArmor.
WARNING: Running in rootless-mode without cgroups. To enable cgroups in rootless-mode, you need to boot the system in cgroup v2 mode.
@ningziwen
Contributor Author

Close as PRs are merged.
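
The requirement behind the error above, as an added example that is not part of the original issue and is not nerdctl's or Cosign's own code: a caller of `cosign verify` can validate its signer policy before invoking Cosign, so that keyless verification never runs without a pinned identity. `KeylessPolicy`, `BuildVerifyArgs` and the sample values are hypothetical; the `--certificate-oidc-issuer` flag is Cosign 2.x's and is not named on this page.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
)

// KeylessPolicy is a hypothetical type (not nerdctl's or cosign's API) holding
// the signer constraints that cosign 2.x keyless verification expects.
type KeylessPolicy struct {
	Identity       string // exact certificate identity (e.g. e-mail or workflow URI)
	IdentityRegexp string // alternative to Identity
	OIDCIssuer     string // exact OIDC issuer URL
}

// BuildVerifyArgs returns the argv for `cosign verify` in keyless mode, or an
// error before cosign is ever invoked if the policy cannot pin a signer.
func BuildVerifyArgs(image string, p KeylessPolicy) ([]string, error) {
	if (p.Identity == "") == (p.IdentityRegexp == "") {
		return nil, errors.New("set exactly one of Identity or IdentityRegexp")
	}
	if p.OIDCIssuer == "" {
		return nil, errors.New("OIDCIssuer is required")
	}
	args := []string{"verify", "--certificate-oidc-issuer", p.OIDCIssuer}
	if p.Identity != "" {
		args = append(args, "--certificate-identity", p.Identity)
	} else {
		re, err := regexp.Compile(p.IdentityRegexp)
		if err != nil {
			return nil, fmt.Errorf("bad IdentityRegexp: %w", err)
		}
		// A pattern that matches the empty string (".*", "a?") pins nothing.
		if re.MatchString("") {
			return nil, errors.New("IdentityRegexp matches the empty string; too permissive")
		}
		args = append(args, "--certificate-identity-regexp", p.IdentityRegexp)
	}
	return append(args, image), nil
}

func main() {
	// Constructed sample values.
	args, err := BuildVerifyArgs("registry.example/app:1.0", KeylessPolicy{
		Identity: "ci@example.com", OIDCIssuer: "https://issuer.example"})
	fmt.Println(args, err)
}
```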
