Signing with 3rd party tool #548
Comments
Could you share the full command you used to sign the image? Depending on what it is, cosign might not be able to directly verify it. You'd have to use
I'm using a REST API to sign payloads, and the backend system is performing EcdsaSha256 for signatures. I assume cosign verify also does EcdsaSha256?
That's correct - it uses ECDSA with the P256 curve, and the SHA-256 hash. Have you been able to verify the signatures manually with something like openssl?
Yes, I'm using a commercial tool to sign and verify successfully. I also just tested with openssl (LibreSSL 2.8.3) with a new keypair and got the same result.

```
% ~/go/bin/cosign -d verify -key openssl.pub -a tag=0.1 -check-claims=false zosocanuck/cert-manager-dashboard:0.1 | jq
2021/08/18 12:59:12 <-- 401 https://index.docker.io/v2/ (485.719655ms) {"errors":[{"code":"UNAUTHORIZED","message":"authentication required","detail":null}]}
2021/08/18 12:59:12 --> GET https://auth.docker.io/token?scope=repository%3Azosocanuck%2Fcert-manager-dashboard%3Apull&service=registry.docker.io [body redacted: basic token response contains credentials]
2021/08/18 12:59:12 <-- 200 https://auth.docker.io/token?scope=repository%3Azosocanuck%2Fcert-manager-dashboard%3Apull&service=registry.docker.io (396.262536ms) [body redacted: basic token response contains credentials]
2021/08/18 12:59:12 --> GET https://index.docker.io/v2/zosocanuck/cert-manager-dashboard/manifests/0.1
2021/08/18 12:59:13 <-- 200 https://index.docker.io/v2/zosocanuck/cert-manager-dashboard/manifests/0.1 (211.464889ms) {
2021/08/18 12:59:13 <-- 401 https://index.docker.io/v2/ (85.84028ms) {"errors":[{"code":"UNAUTHORIZED","message":"authentication required","detail":null}]}
2021/08/18 12:59:13 --> GET https://auth.docker.io/token?scope=repository%3Azosocanuck%2Fcert-manager-dashboard%3Apull&service=registry.docker.io [body redacted: basic token response contains credentials]
2021/08/18 12:59:13 <-- 200 https://auth.docker.io/token?scope=repository%3Azosocanuck%2Fcert-manager-dashboard%3Apull&service=registry.docker.io (113.743145ms) [body redacted: basic token response contains credentials]
2021/08/18 12:59:13 --> GET https://index.docker.io/v2/zosocanuck/cert-manager-dashboard/manifests/sha256-e4736f8a3b6eb208ac5b9f52a935443ef83bd983cd9c974c6d17c3bfb6a999c9.sig
2021/08/18 12:59:13 <-- 200 https://index.docker.io/v2/zosocanuck/cert-manager-dashboard/manifests/sha256-e4736f8a3b6eb208ac5b9f52a935443ef83bd983cd9c974c6d17c3bfb6a999c9.sig (148.233999ms) {"schemaVersion":2,"config":{"mediaType":"application/vnd.oci.image.config.v1+json","size":233,"digest":"sha256:7eb3346e734de59f83c27060a672b8440d372a25b6a589c5be068e557afb4726"},"layers":[{"mediaType":"application/vnd.dev.cosign.simplesigning.v1+json","size":265,"digest":"sha256:3c94722190a9d46d02c9cfeff4d413add30369bb675321e45faeed67235799bf","annotations":{"dev.cosignproject.cosign/signature":"MEYCIQCooltez7qe6plXxaWCn2FanWQI/f2etq3yT4/DrRghmgIhAJFRbC3QmVr6PVxt7XzkbFiYS5oxQuQCJZQF7Nxm5TUo"}}]}
2021/08/18 12:59:13 <-- 307 https://index.docker.io/v2/zosocanuck/cert-manager-dashboard/blobs/sha256:3c94722190a9d46d02c9cfeff4d413add30369bb675321e45faeed67235799bf (93.181303ms) [body redacted: omitting binary blobs from logs]
2021/08/18 12:59:13 --> GET https://production.cloudflare.docker.com/registry-v2/docker/registry/v2/blobs/sha256/3c/3c94722190a9d46d02c9cfeff4d413add30369bb675321e45faeed67235799bf/data?verify=1629319753-7psDOt2UNYyFPL%2F3cM4M8vjIxFQ%3D [body redacted: omitting binary blobs from logs]
2021/08/18 12:59:13 <-- 200 https://production.cloudflare.docker.com/registry-v2/docker/registry/v2/blobs/sha256/3c/3c94722190a9d46d02c9cfeff4d413add30369bb675321e45faeed67235799bf/data?verify=1629319753-7psDOt2UNYyFPL%2F3cM4M8vjIxFQ%3D (87.738087ms) [body redacted: omitting binary blobs from logs]
error: no matching signatures:
```
I wrote up a gist yesterday on how to sign with openssl and verify with cosign, does this help at all? https://gist.github.com/dlorenc/919210e3e5531c50b573467b8c252533
Yes, this was helpful. Closing this issue for now as I need to investigate why a 3rd party utility is not producing compatible signatures.
Hi,

I'm attempting to sign with another tool and using the output of:

```
cosign generate xxx/yyy
```

to produce the JSON payload. Should I be sending the entire payload for signature?

If so, I then attach the signature using:

```
cosign attach signature -signature xyz xxx/yyy
```

The end result is when I attempt to verify I get:

cosign version is v1.0.0
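The signing flow this issue is about, as an added Go example (not code from the cosign project or from anyone in the thread): take the payload bytes that `cosign generate` prints, hash them with SHA-256, sign the digest with an ECDSA P-256 key, DER-encode the signature and base64 it, which is the string `cosign attach signature -signature` takes and the form seen in the `dev.cosignproject.cosign/signature` annotation in the debug log above. The payload contents, the image reference and the digest are constructed placeholders, and the field layout is assumed from the simple-signing media type the log shows. The example also reproduces the failure mode behind "no matching signatures": the same JSON re-indented before signing does not verify, because the bytes compared against are the original payload blob, not the reformatted copy.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"encoding/pem"
	"errors"
)

// ConstructedPayload stands in for the JSON that `cosign generate` prints. It is
// constructed for this example: reference and digest are placeholders, and the
// field names follow the simple-signing layout named by the payload media type
// in the thread's log.
var ConstructedPayload = []byte(`{"critical":{"identity":{"docker-reference":"registry.example/demo/app"},` +
	`"image":{"docker-manifest-digest":"sha256:0000000000000000000000000000000000000000000000000000000000000000"},` +
	`"type":"cosign container image signature"},"optional":{"tag":"0.1"}}`)

// SignPayload signs the payload bytes exactly as given: SHA-256 over the bytes,
// ECDSA (P-256 key) over the digest, ASN.1 DER signature, then base64. That string
// is what `cosign attach signature -signature` takes and what ends up in the
// dev.cosignproject.cosign/signature annotation seen in the log.
func SignPayload(priv *ecdsa.PrivateKey, payload []byte) (string, error) {
	digest := sha256.Sum256(payload)
	der, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(der), nil
}

// VerifyPayload checks one signature: decode base64, hash the payload blob,
// verify the DER signature with the public key.
func VerifyPayload(pub *ecdsa.PublicKey, payload []byte, sigB64 string) (bool, error) {
	der, err := base64.StdEncoding.DecodeString(sigB64)
	if err != nil {
		return false, err
	}
	digest := sha256.Sum256(payload)
	return ecdsa.VerifyASN1(pub, digest[:], der), nil
}

// PublicKeyPEM encodes the key as a PKIX "PUBLIC KEY" PEM block, the form of a
// file such as openssl.pub passed to `cosign verify -key`.
func PublicKeyPEM(pub *ecdsa.PublicKey) ([]byte, error) {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der}), nil
}

// ParsePublicKeyPEM reads such a file back and rejects anything that is not
// ECDSA on P-256, the only algorithm discussed in the thread.
func ParsePublicKeyPEM(data []byte) (*ecdsa.PublicKey, error) {
	block, _ := pem.Decode(data)
	if block == nil || block.Type != "PUBLIC KEY" {
		return nil, errors.New("no PUBLIC KEY PEM block found")
	}
	key, err := x509.ParsePKIXPublicKey(block.Bytes)
	if err != nil {
		return nil, err
	}
	ec, ok := key.(*ecdsa.PublicKey)
	if !ok || ec.Curve.Params().Name != "P-256" {
		return nil, errors.New("key is not ECDSA P-256")
	}
	return ec, nil
}

// RoundTrip signs the payload, then verifies against the exact signed bytes
// (succeeds) and against the same JSON re-indented (fails). The second case is
// what a third-party signer produces when it reformats the payload before
// signing: the blob the verifier hashes still holds the original bytes, so no
// signature matches.
func RoundTrip() (exactOK, reindentedOK bool, err error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return false, false, err
	}
	sig, err := SignPayload(priv, ConstructedPayload)
	if err != nil {
		return false, false, err
	}
	var pretty bytes.Buffer
	if err = json.Indent(&pretty, ConstructedPayload, "", "  "); err != nil {
		return false, false, err
	}
	if exactOK, err = VerifyPayload(&priv.PublicKey, ConstructedPayload, sig); err != nil {
		return false, false, err
	}
	reindentedOK, err = VerifyPayload(&priv.PublicKey, pretty.Bytes(), sig)
	return exactOK, reindentedOK, err
}
```

When comparing a third-party signer against this, the two things to hold fixed are the input bytes (the unmodified output of `cosign generate`, not a re-serialized copy, and not a pre-hashed digest signed a second time) and the signature encoding (DER `SEQUENCE { r, s }`, not raw `r||s`); a mismatch in either shows up on the verify side only as the "no matching signatures" error in the log above.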