amd64 and arm64 1.28.2 kubernetes images fail the cosign signature verification #120930
Labels
kind/bug
Categorizes issue or PR as related to a bug.
needs-triage
Indicates an issue or PR lacks a `triage/foo` label and requires one.
sig/release
Categorizes an issue or PR as relevant to SIG Release.
What happened?
When following the image verification guidelines (as in https://kubernetes.io/docs/tasks/administer-cluster/verify-signed-artifacts/), most 1.28.2 amd64 and arm64 images fail the verification with cosign.
E.g.:
This is the cosign version:
I've used this script to iterate and verify:
This is the output:
What did you expect to happen?
I would expect all official images passing the verification with the latest cosign version.
How can we reproduce it (as minimally and precisely as possible)?
cosign verify registry.k8s.io/kube-apiserver-amd64:v1.28.2
--certificate-identity krel-trust@k8s-releng-prod.iam.gserviceaccount.com
--certificate-oidc-issuer https://accounts.google.com
Anything else we need to know?
No response
Kubernetes version
v1.28.2, other image verification fails also for 1.28.1 images for
Cloud provider
OS version
No response
Install tools
No response
Container runtime (CRI) and version (if applicable)
No response
Related plugins (CNI, CSI, ...) and versions (if applicable)
No response
The text was updated successfully, but these errors were encountered: