This repository has been archived by the owner on Mar 16, 2024. It is now read-only.

Not able to verify images that are signed with annotations that have ":". #2177

Closed
sangee2004 opened this issue Sep 22, 2023 · 4 comments
Labels: kind/bug Something isn't working

@sangee2004
Contributor

acorn version - v0.8.0-44-g29175718+29175718
Steps to reproduce the problem:

  1. Sign an image with key and annotation
 acorn image sign sangeetha/newimage:v1.0.0 --key ~/sangeegh1 -a qatag:ok
  •  Signing Image sangeetha/newimage:v1.0.0 (digest: index.docker.io/sangeetha/newimage@sha256:e3a18f57e136271c7cd0dbf2a4eec734e0079b26330aaa2728040aa8fc3f2e70) using key /Users/sangeethahariharan/sangeegh1
? Enter password for private key /Users/sangeethahariharan/sangeegh1: *********
  ✔  Created signature sha256:20e7ddccdb7129ba5baeae97bb8dd997191d014218a837116c302d3160df6dbc
  2. Verify the image with key and annotation. It fails.
 acorn images verify sangeetha/newimage:v1.0.0 --key ~/sangeegh1.pub -a qatag:ok
  •  Verifying Image sangeetha/newimage:v1.0.0 (digest: index.docker.io/sangeetha/newimage@sha256:e3a18f57e136271c7cd0dbf2a4eec734e0079b26330aaa2728040aa8fc3f2e70) using key /Users/sangeethahariharan/sangeegh1.pub
  ✗  ERROR:  failed to find valid signature for index.docker.io/sangeetha/newimage@sha256:e3a18f57e136271c7cd0dbf2a4eec734e0079b26330aaa2728040aa8fc3f2e70 matching given identity and 2 annotation rules using 1 loaded verifiers/keys

Note - Verifying the image with key only succeeds.

acorn images verify sangeetha/newimage:v1.0.0 --key ~/sangeegh1.pub
  •  Verifying Image sangeetha/newimage:v1.0.0 (digest: index.docker.io/sangeetha/newimage@sha256:e3a18f57e136271c7cd0dbf2a4eec734e0079b26330aaa2728040aa8fc3f2e70) using key /Users/sangeethahariharan/sangeegh1.pub
  ✔  Signature verified
@sangee2004 sangee2004 added the kind/bug Something isn't working label Sep 22, 2023
@iwilltry42
Contributor

iwilltry42 commented Sep 25, 2023

Hey @sangee2004 !
You're using the wrong delimiter there for the annotation: -a qatag:ok should be -a qatag=ok (= instead of :).
In your case, you end up with an annotation with a key but no value: {"foo:bar":""}.
In my testing, verifying with that annotation fails with an error message indicating that it's an impossible annotation key:

acorn image verify --key ~/.ssh/id_rsa.pub -a foo:bar my.reg.io/public/acorn/perms:rootappv1
  •  Verifying Image harbor.thklein.dev/public/acorn/perms:rootappv1 (digest: my.reg.io/perms@sha256:c953a8f8cab8212705f193d205232bd7a8b573b2b37cc6a5b49192fb389f54ab) using key /home/thklein/.ssh/id_rsa.pub
  ✗  ERROR:  failed to parse annotation rule: key: Invalid value: "foo:bar": name part must consist of alphanumeric characters, '-', '_' or '.', and must start and end with an alphanumeric character (e.g. 'MyName',  or 'my.name',  or '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]')

Let me see if I can add that validation for signing right away, so we don't end up with unusable annotations.

Update: PR is up to add validation on signing

@sangee2004
Contributor Author

@iwilltry42 In my case, there was no error message presented about "failed to parse annotation rule:".
Is there anything different in the way you have tested this scenario to see the errors relating to "failed to parse annotation rule:"?

 acorn images verify sangeetha/newimage:v1.0.0 --key ~/sangeegh1.pub -a qatag:ok
  •  Verifying Image sangeetha/newimage:v1.0.0 (digest: index.docker.io/sangeetha/newimage@sha256:e3a18f57e136271c7cd0dbf2a4eec734e0079b26330aaa2728040aa8fc3f2e70) using key /Users/sangeethahariharan/sangeegh1.pub
  ✗  ERROR:  failed to find valid signature for index.docker.io/sangeetha/newimage@sha256:e3a18f57e136271c7cd0dbf2a4eec734e0079b26330aaa2728040aa8fc3f2e70 matching given identity and 2 annotation rules using 1 loaded verifiers/keys

@sangee2004 sangee2004 changed the title Not able to verify images that are signed with annotations. Not able to verify images that are signed with annotations that have ":". Sep 25, 2023
@iwilltry42
Contributor

> @iwilltry42 In my case, there was no error message presented about "failed to parse annotation rule:". Is there anything different in the way you have tested this scenario to see the errors relating to "failed to parse annotation rule:"?
>
>  acorn images verify sangeetha/newimage:v1.0.0 --key ~/sangeegh1.pub -a qatag:ok
>   •  Verifying Image sangeetha/newimage:v1.0.0 (digest: index.docker.io/sangeetha/newimage@sha256:e3a18f57e136271c7cd0dbf2a4eec734e0079b26330aaa2728040aa8fc3f2e70) using key /Users/sangeethahariharan/sangeegh1.pub
>   ✗  ERROR:  failed to find valid signature for index.docker.io/sangeetha/newimage@sha256:e3a18f57e136271c7cd0dbf2a4eec734e0079b26330aaa2728040aa8fc3f2e70 matching given identity and 2 annotation rules using 1 loaded verifiers/keys

Even if I'm using your command I get that error 🤔 (though I may have a CLI with unmerged changes)

acorn images verify sangeetha/newimage:v1.0.0 --key ~/sangeegh1.pub -a qatag:ok
  •  Verifying Image sangeetha/newimage:v1.0.0 (digest: index.docker.io/sangeetha/newimage@sha256:e3a18f57e136271c7cd0dbf2a4eec734e0079b26330aaa2728040aa8fc3f2e70) using key /home/thklein/sangeegh1.pub
  ✗  ERROR:  failed to parse annotation rule: key: Invalid value: "qatag:ok": name part must consist of alphanumeric characters, '-', '_' or '.', and must start and end with an alphanumeric character (e.g. 'MyName',  or 'my.name',  or '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]')

@sangee2004
Contributor Author

Tested with acorn version - v0.8.0-55-g630df18f+630df18f

When we attempt to sign with invalid annotations, user is presented with the following error messages:

  ✗  ERROR:  failed to parse provided annotations: key: Invalid value: "qatag:ok": name part must consist of alphanumeric characters, '-', '_' or '.', and must start and end with an alphanumeric character (e.g. 'MyName',  or 'my.name',  or '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]')
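As an added illustration, not code from the acorn project or from either participant in this thread, the Go program below mirrors the two behaviours discussed above: an `-a` argument is split on the first `=`, so `qatag:ok` produces the key `qatag:ok` with an empty value, and the key is then checked against the regex quoted in the error messages. Running that same check before signing, as the follow-up PR does, rejects the annotation up front instead of producing a signature whose annotation rule can never be matched at verification time. The function names, the splitting of the argument on `=`, and the omission of the optional `prefix/` form of a qualified name are assumptions of this example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// qualifiedNamePattern is the regular expression quoted in the error messages
// in this issue, anchored so it must match the whole key. This example applies
// it to the full key and does not handle an optional "prefix/" part (assumption).
const qualifiedNamePattern = `^([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]$`

var qualifiedNameRe = regexp.MustCompile(qualifiedNamePattern)

// ParseAnnotation splits one "-a key=value" argument on the first '='.
// An argument without '=' becomes a key with an empty value, which is exactly
// what "-a qatag:ok" turns into (assumed splitting rule for this example).
func ParseAnnotation(arg string) (key, value string) {
	key, value, _ = strings.Cut(arg, "=")
	return key, value
}

// ValidateAnnotationKey rejects keys the regex does not accept and produces an
// error in the same spirit as the one shown in the thread.
func ValidateAnnotationKey(key string) error {
	if key == "" {
		return fmt.Errorf("key: Invalid value: %q: key must not be empty", key)
	}
	if !qualifiedNameRe.MatchString(key) {
		return fmt.Errorf("key: Invalid value: %q: name part must consist of alphanumeric characters, '-', '_' or '.', and must start and end with an alphanumeric character (regex used for validation is %q)", key, qualifiedNamePattern)
	}
	return nil
}

// ParseAnnotations validates every argument before any of them is used, so a
// signing step can refuse to proceed rather than embed an annotation that the
// verifier will later be unable to express as a rule.
func ParseAnnotations(args []string) (map[string]string, error) {
	out := make(map[string]string, len(args))
	for _, a := range args {
		k, v := ParseAnnotation(a)
		if err := ValidateAnnotationKey(k); err != nil {
			return nil, fmt.Errorf("failed to parse provided annotations: %w", err)
		}
		out[k] = v
	}
	return out, nil
}

func main() {
	// Constructed sample arguments: the two forms from the thread plus a couple
	// of extra cases to show what the regex accepts and rejects.
	for _, arg := range []string{"qatag:ok", "qatag=ok", "foo:bar", "my.name=x", "-bad=x"} {
		k, v := ParseAnnotation(arg)
		fmt.Printf("%-10s -> key=%q value=%q err=%v\n", arg, k, v, ValidateAnnotationKey(k))
	}
}
```

The point of validating in `ParseAnnotations` rather than only at verify time is that the signature is the durable artifact: once a signature with an unmatchable annotation exists, no later `verify -a` invocation can succeed against it, and the only visible symptom is the generic "failed to find valid signature" message from the original report.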
