Verifying signature with Cosign v2 fails due to Transparency Log #44362
Comments
The missing gcr.io/istio-release/pilot:1.17.0 was a one-off; 1.17.1 and all other versions are present on gcr.io. Not sure about the rest.
So, it does pass when you add What's the objective, here? Fix it moving forward, or figure out how to backfill existing signatures to Rekor (which I think is the default transparency log)?
It would be nice to backfill if it's feasible. If not, forward fix. So I guess - whatever we can :-)
ACK. Let me do some investigation and testing, to see if I can figure out how to do backfill.
I see the version mentioned is One other difference might be cosign versions.
1.17.1 also has issues (but less than 1.17.0). As does 1.18.0-alpha.0 which I think uses cosign 2?
Ahh, OK, so I wasn't going crazy. I couldn't remember when that swapover happened. The alpha images use release-builder, right? So they should be getting signed? Do we have the logs stashed somewhere other than Prow? Or can I rerun another alpha release to get log output?
For the 1.18 builds (now from the main branch for a few more day(s)), I hopefully fixed with a change in release-builder as we were incorrectly not signing due to a command error: istio/release-builder#1455
@stewartbutler I only know of the logs in Prow, which is where I found the 1.18 issue.
Rgr. Let's get that PR in and rebuild the alpha, check if that fixes it. I don't think that we should try to backfill, though. Let's just add some documentation saying that prior to 1.18, you have to pass the flag that disables transparency log validation, since it was experimental in the versions of the tool that sign those images.
🚧 This issue or pull request has been closed due to not having had activity from an Istio team member since 2023-04-13. If you feel this issue or pull request deserves attention, please reopen the issue. Please see this wiki page for more information. Thank you for your contributions. Created by the issue and PR lifecycle manager.
Bug Description
Version 2 of Cosign enables its "Transparency Log" feature by default. Using Cosign to verify Istio images returns the following error:
I'm guessing signing the latest Istio images with Cosign v2 would push the signature to the transparency log.
Also the image referred to on the website appears to have moved (I'm happy to raise this on the istio.io repo):
Version
Additional Information
No response
Affected product area