
Sign() should receive the digest from Push() #2135

Closed
AkihiroSuda opened this issue Mar 28, 2023 · 2 comments · Fixed by #2136
Labels
area/cosign cosign bug Something isn't working

Comments

@AkihiroSuda
Member

AkihiroSuda commented Mar 28, 2023

if err = signutil.Sign(rawRef, options.GOptions.Experimental, options.SignOptions); err != nil {

Not related to this PR. Just noticed that when pushing an image, sign (line 152) happens after push (lines 133-150). Is this expected?

IIUC signing after pushing is ok (for cosign, at least), but the current implementation is wrong anyway; the Sign() function should receive the digest from the Push() function to prohibit TOCTOU.

(I'm mentioning this bug publicly because the cosign integration is still experimental for nerdctl)

Originally posted by @AkihiroSuda in #2132 (comment)

@AkihiroSuda AkihiroSuda added bug Something isn't working area/cosign cosign labels Mar 28, 2023
@AkihiroSuda
Member Author

cc @developer-guy

@developer-guy
Contributor

Yes, you are right, we should rely on digests, not on the tags. I'll fix this.
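A constructed Go illustration of the TOCTOU window discussed in this issue (added here; not nerdctl's or cosign's code): an in-memory registry stand-in whose Push() returns the manifest digest, alongside a "sign" step that re-resolves the tag versus one that uses the returned digest. The registry type, the manifest bytes and the function names are assumptions for the demonstration.

```go
package main

import (
	"crypto/sha256"
	"fmt"
)

// Registry is a constructed in-memory stand-in for an OCI registry:
// tags are mutable pointers, digests are immutable content addresses.
type Registry struct {
	tags      map[string]string // "repo:tag" -> digest
	manifests map[string][]byte // digest -> manifest bytes
}

func NewRegistry() *Registry {
	return &Registry{tags: map[string]string{}, manifests: map[string][]byte{}}
}

// Push stores the manifest, points the tag at it and returns the content
// digest. That return value is what Sign() should be handed.
func (r *Registry) Push(ref string, manifest []byte) string {
	digest := fmt.Sprintf("sha256:%x", sha256.Sum256(manifest))
	r.manifests[digest] = manifest
	r.tags[ref] = digest
	return digest
}

// SignByTag mirrors the reported behaviour: the tag is resolved again at
// signing time, so whatever it points at *now* becomes the signed subject.
func SignByTag(r *Registry, repo, tag string) string {
	return repo + "@" + r.tags[repo+":"+tag]
}

// SignByDigest is the fix: the signed subject is the digest Push returned,
// so the tag cannot be moved underneath the signature.
func SignByDigest(repo, pushedDigest string) string {
	return repo + "@" + pushedDigest
}

// Race walks the TOCTOU window: push, the tag is re-pointed, then sign.
// Returns (subject signed by tag, subject signed by digest, what was pushed).
func Race() (byTag, byDigest, want string) {
	r, repo := NewRegistry(), "example.com/app"
	pushed := r.Push(repo+":latest", []byte(`{"constructed":"manifest v1"}`))
	// Someone (or a parallel CI job) re-tags :latest before we sign.
	r.Push(repo+":latest", []byte(`{"constructed":"manifest v2"}`))
	return SignByTag(r, repo, "latest"), SignByDigest(repo, pushed), repo + "@" + pushed
}
```

With the tag moved between Push() and the signing step, only the digest-pinned subject still matches the content that was actually pushed.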
