
Signing with 3rd party tool #548

Closed
zosocanuck opened this issue Aug 17, 2021 · 6 comments

Comments

@zosocanuck (Author)

Hi,

I'm attempting to sign with another tool and using the output of `cosign generate xxx/yyy` to produce the JSON payload.

Should I be sending the entire payload for signature?

If so, I then attach the signature using `cosign attach signature -signature xyz xxx/yyy`.

The end result is when I attempt to verify I get:

```
error: no matching signatures:
failed to verify signature
 failed to verify signature
 failed to verify signature
 failed to verify signature
 failed to verify signature
```

cosign version is v1.0.0

@dlorenc (Member) commented Aug 18, 2021

Could you share the full command you used to sign the image? Depending on what it is, cosign might not be able to directly verify it. You'd have to use `cosign download signature`, similar to `cosign attach signature`, to fetch them, then verify again with that tool.

@zosocanuck (Author)

I'm using a REST API to sign payloads, and the backend system is performing EcdsaSha256 for signatures. I assume `cosign verify` also does EcdsaSha256?

@dlorenc (Member) commented Aug 18, 2021

That's correct - it uses ECDSA with the P256 curve and the SHA-256 hash. Have you been able to verify the signatures manually with something like openssl?

@zosocanuck (Author) commented Aug 18, 2021

Yes, I'm using a commercial tool to sign and verify successfully.

I also just tested with openssl (LibreSSL 2.8.3) with a new keypair and got the same result.

```
% ~/go/bin/cosign -d verify -key openssl.pub -a tag=0.1 -check-claims=false zosocanuck/cert-manager-dashboard:0.1 | jq
2021/08/18 12:59:12 --> GET https://index.docker.io/v2/
2021/08/18 12:59:12 GET /v2/ HTTP/1.1
Host: index.docker.io
User-Agent: cosign/unknown go-containerregistry/v0.5.1
Accept-Encoding: gzip

2021/08/18 12:59:12 <-- 401 https://index.docker.io/v2/ (485.719655ms)
2021/08/18 12:59:12 HTTP/1.1 401 Unauthorized
Content-Length: 87
Content-Type: application/json
Date: Wed, 18 Aug 2021 19:59:12 GMT
Docker-Distribution-Api-Version: registry/2.0
Strict-Transport-Security: max-age=31536000
Www-Authenticate: Bearer realm="https://auth.docker.io/token",service="registry.docker.io"

{"errors":[{"code":"UNAUTHORIZED","message":"authentication required","detail":null}]}

2021/08/18 12:59:12 --> GET https://auth.docker.io/token?scope=repository%3Azosocanuck%2Fcert-manager-dashboard%3Apull&service=registry.docker.io [body redacted: basic token response contains credentials]
2021/08/18 12:59:12 GET /token?scope=repository%3Azosocanuck%2Fcert-manager-dashboard%3Apull&service=registry.docker.io HTTP/1.1
Host: auth.docker.io
User-Agent: cosign/unknown go-containerregistry/v0.5.1
Authorization:
Accept-Encoding: gzip

2021/08/18 12:59:12 <-- 200 https://auth.docker.io/token?scope=repository%3Azosocanuck%2Fcert-manager-dashboard%3Apull&service=registry.docker.io (396.262536ms) [body redacted: basic token response contains credentials]
2021/08/18 12:59:12 HTTP/1.1 200 OK
Transfer-Encoding: chunked
Content-Type: application/json
Date: Wed, 18 Aug 2021 19:59:12 GMT
Strict-Transport-Security: max-age=31536000

2021/08/18 12:59:12 --> GET https://index.docker.io/v2/zosocanuck/cert-manager-dashboard/manifests/0.1
2021/08/18 12:59:12 GET /v2/zosocanuck/cert-manager-dashboard/manifests/0.1 HTTP/1.1
Host: index.docker.io
User-Agent: cosign/unknown go-containerregistry/v0.5.1
Accept: application/vnd.docker.distribution.manifest.v1+json,application/vnd.docker.distribution.manifest.v1+prettyjws,application/vnd.docker.distribution.manifest.v2+json,application/vnd.oci.image.manifest.v1+json,application/vnd.docker.distribution.manifest.list.v2+json,application/vnd.oci.image.index.v1+json
Authorization:
Accept-Encoding: gzip

2021/08/18 12:59:13 <-- 200 https://index.docker.io/v2/zosocanuck/cert-manager-dashboard/manifests/0.1 (211.464889ms)
2021/08/18 12:59:13 HTTP/1.1 200 OK
Content-Length: 739
Content-Type: application/vnd.docker.distribution.manifest.v2+json
Date: Wed, 18 Aug 2021 19:59:13 GMT
Docker-Content-Digest: sha256:e4736f8a3b6eb208ac5b9f52a935443ef83bd983cd9c974c6d17c3bfb6a999c9
Docker-Distribution-Api-Version: registry/2.0
Etag: "sha256:e4736f8a3b6eb208ac5b9f52a935443ef83bd983cd9c974c6d17c3bfb6a999c9"
Ratelimit-Limit: 200;w=21600
Ratelimit-Remaining: 188;w=21600
Strict-Transport-Security: max-age=31536000

{
"schemaVersion": 2,
"mediaType": "application/vnd.docker.distribution.manifest.v2+json",
"config": {
"mediaType": "application/vnd.docker.container.image.v1+json",
"size": 1138,
"digest": "sha256:3fa831dfc0f9d2fbd7d7499fed0cebfa5d06b34dc250fe0375fe57aadc13cab4"
},
"layers": [
{
"mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
"size": 657696,
"digest": "sha256:b49b96595fd4bd6de7cb7253fe5e89d242d0eb4f993b2b8280c0581c3a62ddc2"
},
{
"mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
"size": 15764374,
"digest": "sha256:bde32e490a65011f9972704e1b7ea0c614e232b92b8b2536cb346af74e63eb00"
}
]
}
2021/08/18 12:59:13 --> GET https://index.docker.io/v2/
2021/08/18 12:59:13 GET /v2/ HTTP/1.1
Host: index.docker.io
User-Agent: cosign/unknown go-containerregistry/v0.5.1
Accept-Encoding: gzip

2021/08/18 12:59:13 <-- 401 https://index.docker.io/v2/ (85.84028ms)
2021/08/18 12:59:13 HTTP/1.1 401 Unauthorized
Content-Length: 87
Content-Type: application/json
Date: Wed, 18 Aug 2021 19:59:13 GMT
Docker-Distribution-Api-Version: registry/2.0
Strict-Transport-Security: max-age=31536000
Www-Authenticate: Bearer realm="https://auth.docker.io/token",service="registry.docker.io"

{"errors":[{"code":"UNAUTHORIZED","message":"authentication required","detail":null}]}

2021/08/18 12:59:13 --> GET https://auth.docker.io/token?scope=repository%3Azosocanuck%2Fcert-manager-dashboard%3Apull&service=registry.docker.io [body redacted: basic token response contains credentials]
2021/08/18 12:59:13 GET /token?scope=repository%3Azosocanuck%2Fcert-manager-dashboard%3Apull&service=registry.docker.io HTTP/1.1
Host: auth.docker.io
User-Agent: cosign/unknown go-containerregistry/v0.5.1
Authorization:
Accept-Encoding: gzip

2021/08/18 12:59:13 <-- 200 https://auth.docker.io/token?scope=repository%3Azosocanuck%2Fcert-manager-dashboard%3Apull&service=registry.docker.io (113.743145ms) [body redacted: basic token response contains credentials]
2021/08/18 12:59:13 HTTP/1.1 200 OK
Transfer-Encoding: chunked
Content-Type: application/json
Date: Wed, 18 Aug 2021 19:59:13 GMT
Strict-Transport-Security: max-age=31536000

2021/08/18 12:59:13 --> GET https://index.docker.io/v2/zosocanuck/cert-manager-dashboard/manifests/sha256-e4736f8a3b6eb208ac5b9f52a935443ef83bd983cd9c974c6d17c3bfb6a999c9.sig
2021/08/18 12:59:13 GET /v2/zosocanuck/cert-manager-dashboard/manifests/sha256-e4736f8a3b6eb208ac5b9f52a935443ef83bd983cd9c974c6d17c3bfb6a999c9.sig HTTP/1.1
Host: index.docker.io
User-Agent: cosign/unknown go-containerregistry/v0.5.1
Accept: application/vnd.docker.distribution.manifest.v1+json,application/vnd.docker.distribution.manifest.v1+prettyjws,application/vnd.docker.distribution.manifest.v2+json,application/vnd.oci.image.manifest.v1+json,application/vnd.docker.distribution.manifest.list.v2+json,application/vnd.oci.image.index.v1+json
Authorization:
Accept-Encoding: gzip

2021/08/18 12:59:13 <-- 200 https://index.docker.io/v2/zosocanuck/cert-manager-dashboard/manifests/sha256-e4736f8a3b6eb208ac5b9f52a935443ef83bd983cd9c974c6d17c3bfb6a999c9.sig (148.233999ms)
2021/08/18 12:59:13 HTTP/1.1 200 OK
Content-Length: 501
Content-Type: application/vnd.oci.image.manifest.v1+json
Date: Wed, 18 Aug 2021 19:59:13 GMT
Docker-Content-Digest: sha256:4dd9ffebaf47c105376a4264cf84f3ea76a56340fc9b4625970e9e7ace0db732
Docker-Distribution-Api-Version: registry/2.0
Etag: "sha256:4dd9ffebaf47c105376a4264cf84f3ea76a56340fc9b4625970e9e7ace0db732"
Ratelimit-Limit: 200;w=21600
Ratelimit-Remaining: 188;w=21600
Strict-Transport-Security: max-age=31536000

{"schemaVersion":2,"config":{"mediaType":"application/vnd.oci.image.config.v1+json","size":233,"digest":"sha256:7eb3346e734de59f83c27060a672b8440d372a25b6a589c5be068e557afb4726"},"layers":[{"mediaType":"application/vnd.dev.cosign.simplesigning.v1+json","size":265,"digest":"sha256:3c94722190a9d46d02c9cfeff4d413add30369bb675321e45faeed67235799bf","annotations":{"dev.cosignproject.cosign/signature":"MEYCIQCooltez7qe6plXxaWCn2FanWQI/f2etq3yT4/DrRghmgIhAJFRbC3QmVr6PVxt7XzkbFiYS5oxQuQCJZQF7Nxm5TUo"}}]}
2021/08/18 12:59:13 --> GET https://index.docker.io/v2/zosocanuck/cert-manager-dashboard/blobs/sha256:3c94722190a9d46d02c9cfeff4d413add30369bb675321e45faeed67235799bf [body redacted: omitting binary blobs from logs]
2021/08/18 12:59:13 GET /v2/zosocanuck/cert-manager-dashboard/blobs/sha256:3c94722190a9d46d02c9cfeff4d413add30369bb675321e45faeed67235799bf HTTP/1.1
Host: index.docker.io
User-Agent: cosign/unknown go-containerregistry/v0.5.1
Authorization:
Accept-Encoding: gzip

2021/08/18 12:59:13 <-- 307 https://index.docker.io/v2/zosocanuck/cert-manager-dashboard/blobs/sha256:3c94722190a9d46d02c9cfeff4d413add30369bb675321e45faeed67235799bf (93.181303ms) [body redacted: omitting binary blobs from logs]
2021/08/18 12:59:13 HTTP/1.1 307 Temporary Redirect
Content-Type: application/octet-stream
Date: Wed, 18 Aug 2021 19:59:13 GMT
Docker-Distribution-Api-Version: registry/2.0
Location: https://production.cloudflare.docker.com/registry-v2/docker/registry/v2/blobs/sha256/3c/3c94722190a9d46d02c9cfeff4d413add30369bb675321e45faeed67235799bf/data?verify=1629319753-7psDOt2UNYyFPL%2F3cM4M8vjIxFQ%3D
Strict-Transport-Security: max-age=31536000
Content-Length: 0

2021/08/18 12:59:13 --> GET https://production.cloudflare.docker.com/registry-v2/docker/registry/v2/blobs/sha256/3c/3c94722190a9d46d02c9cfeff4d413add30369bb675321e45faeed67235799bf/data?verify=1629319753-7psDOt2UNYyFPL%2F3cM4M8vjIxFQ%3D [body redacted: omitting binary blobs from logs]
2021/08/18 12:59:13 GET /registry-v2/docker/registry/v2/blobs/sha256/3c/3c94722190a9d46d02c9cfeff4d413add30369bb675321e45faeed67235799bf/data?verify=1629319753-7psDOt2UNYyFPL%2F3cM4M8vjIxFQ%3D HTTP/1.1
Host: production.cloudflare.docker.com
User-Agent: cosign/unknown go-containerregistry/v0.5.1
Referer: https://index.docker.io/v2/zosocanuck/cert-manager-dashboard/blobs/sha256:3c94722190a9d46d02c9cfeff4d413add30369bb675321e45faeed67235799bf
Accept-Encoding: gzip

2021/08/18 12:59:13 <-- 200 https://production.cloudflare.docker.com/registry-v2/docker/registry/v2/blobs/sha256/3c/3c94722190a9d46d02c9cfeff4d413add30369bb675321e45faeed67235799bf/data?verify=1629319753-7psDOt2UNYyFPL%2F3cM4M8vjIxFQ%3D (87.738087ms) [body redacted: omitting binary blobs from logs]
2021/08/18 12:59:13 HTTP/2.0 200 OK
Content-Length: 265
Accept-Ranges: bytes
Age: 93679
Cache-Control: public, max-age=14400
Cf-Cache-Status: HIT
Cf-Ray: 680db8af3fd92544-SJC
Content-Type: application/octet-stream
Date: Wed, 18 Aug 2021 19:59:13 GMT
Etag: "e5d5f8c8a3a8d51a1075a287c1372baa"
Expect-Ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
Expires: Wed, 18 Aug 2021 23:59:13 GMT
Last-Modified: Tue, 17 Aug 2021 17:28:25 GMT
Server: cloudflare
Vary: Accept-Encoding
X-Amz-Id-2: t0z1O9HqlUj6LKtBqPiutp1KWjziv+JoNKNMfL37Ayc4wutKOb4Fm0UrX0ipi6SoPJlHQuUYBuk=
X-Amz-Request-Id: QBXRTH87B9A47BDF
X-Amz-Version-Id: jILHuY6bMu_vghvPBB6gdCVBzr7LQRHV

error: no matching signatures:
failed to verify signature
```

@dlorenc (Member) commented Aug 20, 2021

I wrote up a gist yesterday on how to sign with openssl and verify with cosign; does this help at all? https://gist.github.com/dlorenc/919210e3e5531c50b573467b8c252533
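An added example, not cosign's own code and not the gist: this Go program does what the thread says a compatible external signer must do (SHA-256 over the exact payload bytes, ECDSA with P-256, ASN.1 DER signature, base64 into the `dev.cosignproject.cosign/signature` annotation) and then verifies it the way dlorenc describes cosign doing. The payload, image reference and digest are constructed placeholders, not values from the issue.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
)

// Constructed simplesigning payload in the shape `cosign generate` emits.
// The reference and manifest digest are placeholders, not the issue's values.
const payload = `{"critical":{"identity":{"docker-reference":"index.docker.io/example/app"},"image":{"docker-manifest-digest":"sha256:0000000000000000000000000000000000000000000000000000000000000000"},"type":"cosign container image signature"},"optional":null}`

// signPayload is what a compatible third-party signer has to produce:
// SHA-256 of the payload bytes exactly as generated, ECDSA P-256 over that
// digest, DER-encoded, then base64 for the annotation value.
func signPayload(priv *ecdsa.PrivateKey, payload []byte) (string, error) {
	digest := sha256.Sum256(payload)
	der, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(der), nil
}

// verifyAnnotation mirrors the check the thread attributes to cosign: decode
// the base64 annotation, hash the payload blob, verify the DER signature.
func verifyAnnotation(pub *ecdsa.PublicKey, payload []byte, annotation string) bool {
	der, err := base64.StdEncoding.DecodeString(annotation)
	if err != nil {
		return false
	}
	digest := sha256.Sum256(payload)
	return ecdsa.VerifyASN1(pub, digest[:], der)
}

func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	sig, _ := signPayload(priv, []byte(payload))
	fmt.Println("verifies:", verifyAnnotation(&priv.PublicKey, []byte(payload), sig))
	// Any re-serialisation of the payload (even one added byte) changes the
	// digest, so the same signature no longer matches.
	fmt.Println("altered :", verifyAnnotation(&priv.PublicKey, []byte(payload+" "), sig))
}
```

A signing service that returns the signature as raw r||s bytes rather than DER, or that pretty-prints or re-orders the JSON before hashing, yields a value this check rejects.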

@zosocanuck (Author)

Yes, this was helpful. Closing this issue for now as I need to investigate why a 3rd party utility is not producing compatible signatures.
