Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

cosign attest --replace fails to create attestations on random.Image() generated images #1378

Closed
bburky opened this issue Jan 31, 2022 · 0 comments · Fixed by #2014
Closed

cosign attest --replace fails to create attestations on random.Image() generated images #1378

bburky opened this issue Jan 31, 2022 · 0 comments · Fixed by #2014
Labels
bug Something isn't working

Comments

@bburky
Copy link
Contributor

bburky commented Jan 31, 2022
edited
Loading

While implementing the unit test for #1366, I discovered that cosign attest --replace silently fails to create any attestations on images created by go-containerregistry's random.Image(). That PR added a failing TestAttestationReplace() test which is currently skipped because the replace option doesn't create any attestations.

This can be reproduced outside the unit tests like this (using the v1.5.0 release binary):

>random.go <<EOF
package main

import (
	"context"
	"log"

	"github.com/google/go-containerregistry/pkg/authn"
	"github.com/google/go-containerregistry/pkg/name"
	"github.com/google/go-containerregistry/pkg/v1/random"
	"github.com/google/go-containerregistry/pkg/v1/remote"
)

func main() {
	n := "localhost:5000/x/y"

	ref, err := name.ParseReference(n, name.WeakValidation)
	if err != nil {
		log.Fatal(err)
	}
	img, err := random.Image(512, 5)
	if err != nil {
		log.Fatal(err)
	}

	regClientOpts := registryClientOpts(context.Background())

	if err := remote.Write(ref, img, regClientOpts...); err != nil {
		log.Fatal(err)
	}
}

func registryClientOpts(ctx context.Context) []remote.Option {
	return []remote.Option{
		remote.WithAuthFromKeychain(authn.DefaultKeychain),
		remote.WithContext(ctx),
	}
}
EOF
# Create an image localhost:5000/x/y using random.Image()
go run random.go
# The --replace option silently fails to create any attestations on images created by random.Image()
cosign attest --replace --predicate predicate.json localhost:5000/x/y --key cosign.key
# The following command shows no attestations exist
cosign download attestation "localhost:5000/x/y"

The cosign attest --replace option works fine on other images. I tested using images copied from Docker Hub using skopeo, and was able to create and replace attestations.
@bburky bburky added the bug Something isn't working label Jan 31, 2022
@bburky bburky mentioned this issue Jan 31, 2022
Merged
Syquel added a commit to Syquel/cosign that referenced this issue Jun 22, 2022
@Syquel
Fix sigstore#1378 create new attestation signature in replace mode if…
afff170 
… not existent
@Syquel Syquel mentioned this issue Jun 22, 2022
Merged
Syquel added a commit to Syquel/cosign that referenced this issue Jun 22, 2022
@Syquel
Fix sigstore#1378 create new attestation signature in replace mode if…
d4616e4 
… not existent

Signed-off-by: Frederik Boster <[email protected]>
dlorenc pushed a commit that referenced this issue Jun 30, 2022
@Syquel
Fix #1378 create new attestation signature in replace mode if not exi…
6501693 
…stent (#2014)

Signed-off-by: Frederik Boster <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Fix #1378 create new attestation signature in replace mode if not existent Syquel/cosign
1 participant
@bburky