cosign verify-blob fails in experimental mode (keyless) #1390

Open
cardil opened this issue Feb 2, 2022 · 3 comments
Labels
bug Something isn't working

Comments

@cardil

cardil commented Feb 2, 2022

Description

The cosign verify-blob command fails to verify a blob using keyless mode (COSIGN_EXPERIMENTAL mode):

$ cosign verify-blob --verbose --key release-cosign.pub --signature cosign-linux-amd64.sig cosign-linux-amd64
Verified OK

$ COSIGN_EXPERIMENTAL=1 cosign verify-blob --verbose --signature cosign-linux-amd64.sig cosign-linux-amd64    
Error: verifying blob [cosign-linux-amd64]: failed to verify signature
main.go:46: error during command execution: verifying blob [cosign-linux-amd64]: failed to verify signature

Version

$ cosign version --json
{
  "GitVersion": "v1.5.1",
  "GitCommit": "c3e4d8b7cd2f6f065941510b260f173b70c695fa",
  "GitTreeState": "clean",
  "BuildDate": "'2022-01-30T20:05:28Z'",
  "GoVersion": "go1.17.6",
  "Compiler": "gc",
  "Platform": "linux/amd64"
}
@cardil cardil added the bug Something isn't working label Feb 2, 2022
@mattmoor
Member

mattmoor commented Feb 2, 2022

Generally the .sig files for keyless and keyfull(?) signing will be different files, and you are passing the same .sig to both of these, which is likely the issue.

If you just sign with keyless, and then verify that signature, do you still see an issue?

@cardil
Author

cardil commented Feb 2, 2022

Nice. It works for the -keyless.sig file:

$ COSIGN_EXPERIMENTAL=1 cosign verify-blob --verbose --signature cosign-linux-amd64-keyless.sig cosign-linux-amd64 
tlog entry verified with uuid: "30833cb58667ffc5949e7365fd22e0212b1d64fec94931d588bb22ba7fa42384" index: 1216646
Verified OK

However:

  • The UI is bad, as cosign should inform the user that the signature type is wrong and a keyless signature is required.
  • Why can't the signature be the same file? It should be possible to have multiple signatures in a single sig file. Also, maybe it could be possible for the keyless and keyfull modes to generate the same signature.

@znewman01
Contributor

Why can't the signature be the same file? It should be possible to have multiple signatures in a single sig file. Also, maybe it could be possible for the keyless and keyfull modes to generate the same signature.

This is tracked here: #2131

Leaving the issue open to make sure our error message is better here.
