-
Notifications
You must be signed in to change notification settings - Fork 551
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
cosign attach
command couldn't attach the rekor-bundle
to an image
#3458
Comments
This feature was added in #2904. Is there a formatting issue with the rekor response you’re trying to attach? |
Yeah @haydentherapper , I did already looked at that PR and figuring out why it wasn't working then, and find out that there is small bug. With current parsing which is: cosign/cmd/cosign/cli/attach/sig.go Line 109 in 60254d3
the value of rekorBundle is nil . If there was logic to handle nil value of rekorBundle , then it would have an easy catch.
So, it needs small changes to parse the bundle correctly and that is: err = json.Unmarshal(rekorBundleByte, &localCosignPayload.Bundle) |
No, it wasn't case of formatting issue btw. |
At present, I had to build a $ cat rekor_bundle.json | jq
{
"SignedEntryTimestamp": "MEYCIQDCBEsMQKGMopTKw9/NNnxUNqEPcmJotc7VuRlkcSaS2gIhAIoHOgkFXIOy2rI843w79yLVYc6/M/QMUApLvbFcF7Qj",
"Payload": {
"body": "eyJhcGlWZXJzaW9uIjoiMC4wLjEiLCJraW5kIjoicmVrb3JkIiwic3BlYyI6eyJkYXRhIjp7Imhhc2giOnsiYWxnb3JpdGhtIjoic2hhMjU2IiwidmFsdWUiOiI0ODEwZmQ5YjEzODdlNDZhZWMyM2NmNTYwNjU3OTcxOTllZmU3NzM3YmQ0NmNiMTViYzI0Y2VkMjY5MGNhYzUyIn19LCJzaWduYXR1cmUiOnsiY29udGVudCI6IkdPOUlIcCsyemkvNUI4SEZWWkVYQStIN0JIVGxBZm1OQ2FMbGNxeFhLaENMQmdmazZjNFo4UkFGUnFodGVOWGMxNzlIaXkweSsvbjR5d0tyc2Q4UFh2Y3VObmlLM2tneXhXYzJHNWowTjJBRE85QStZY2U2NkUrcTN4MkQyU0FveWVMcnpkby9Qa2lmVDR1dnVZK0o1NVlMUW9XRG5nMExid1NVVGVGOGpHRXdMN3pKUTRzZzhOSnhvMFMyVStWdlZLSVNoRzFFQWlBOUMxZ2M1NWhHT29yTmFhZjhEL3JTM0V5THFIS3EzL1N1REhseHAzUVk2clU4QlZJTlVWZ2lUbWJ6WHY2eW83NnJVMmsyampwOWFaWlRiK1F2UWdWbGV6WGwrVld5U0thb0pxQ3RRNy9mMk5FdFplZ1VUSnJRQTdnMERrbXoyMUFDMzk4YlZpMHRmUDF2aXZEelh4TkMxNXBtL2tYdWk2ejcxOUtHazhxN3NRMDVyY3ZaZm9pMERmRmNZbDB0aFA4K1dsRU5kdU5zRnJtK1ZQditaYjBCbnFHM0twTkZ0Ymdtc092WXFvNHAyZjFlb1IwTFNEMlp3cEFRNERUd3dRRGh5UEk3MzdWT2ZJc1hObHg2T0srVml5Vmg4cGhRZHJrK2doRXJJVEM0WFllYVlRaUNvWTgySWNDcEh3Mmw3QS9SeDdiNXdVMDhnVkg2S1JjWmJFNm9mVStmSFFTcTQ4OHhvNnQrUHdLWHVDN1RtUFhJLzB4Uys4aDJ4bXRqOCtXOHRRQzFZRHcwU3JGZzIyelBFMkRjR3Z5KytIQXNpazd6VmEzNlovN2VzcndSOWpxdE8vd1M3UnAwQVMvenNjZVdiWTFoVEhVcXNsbE9FYU9DYThoN2NnUCtQTWdSV0dZPSIsImZvcm1hdCI6Ing1MDkiLCJwdWJsaWNLZXkiOnsiY29udGVudCI6IkxTMHRMUzFDUlVkSlRpQlFWVUpNU1VNZ1MwVlpMUzB0TFMwS1RVbEpRMGxxUVU1Q1oydHhhR3RwUnpsM01FSkJVVVZHUVVGUFEwRm5PRUZOU1VsRFEyZExRMEZuUlVGdFRsVk9SRWxVZHpKcVUzWmpZbEVyYjBwMU5ncGlaMWN2Tm5ZNFdHTk9WRmRoTHpKdWRUbFVVbVJTYldONmJtVnZWMVE1VGtKclZWcEZPV2hZYVU1U0t5OUNOVTVyTlZwa2RtSjJWVEUwYmtFNVJqSmtDalZJVURKS1UxUkNTVVZ5Y0hSblNVVnpTMHRaYkhKblJrRjVUSEYxWWtGbllYSXJZWEJLY0U5QmFHOXZXa1pIV1ZOTlRDOXZVWGxXTVdoUlYwdEdiRkFLTUd4aldFazNPRFJNU0dwemNubE9iM2xCUmxoR1JuazBhR1pCUXpaVE4zTTVVRTFQUjFWU1RVNXdibU5YYkZseFpqaFFUMVJCUlZSaVRETjRVa0lyUkFwU1QxQk1Za3ROVjNoNVVIbFRTR0ZuVW5JMlJHUktOVUZyYW5oMVUwWldUelFyZG1Kb2ExaFlURTUxTkZKcWFFVlVibE5LVDNJMVYzWjZiREF5T0ZjekNqVk1haTkyV0ZWNFoyMUNjV1F2Y0dKS01EQklNVko0Ym14V0wwOHlOV3B2Tm1aNVRXUmlPVzFxTjNKUlpHUnVWMUpqVVhGU0szQTJjVWR2Ukd4NU5UY0tSRFIzVm1SaWJGVk9WbWRyTUd4T1NrOWplbkl2WTB3dmNHSllTa28yYW5kMEt6UkNhbGxYVjA1VmVIUTNNM2hDTkhSTE4yZE9aVWN3ZUZReWNGSklNQW81U2pGWVZrWTViblJtUjNWcVJuTm1VeXRVTUhCemFYbHpNRFJ2V2twWE0xRlBUbE15UkRFek9IWTFRVWhaVDJsVGJXMUNSakJtUVdOUE5qUm9iMDA1Q2pJNVJFdE9URTlEUldsbWIydFBkMjlyVkROQmVrMHZaREl4WlZBd2MxbHZOV05ZT1hKR1NGSmxhVGdyZEVGWWF6aGpVMnBZWjI5eE1rRXdabEZNVFdJS2RFWjZWVXA1YkU5elltSjJTV3N6VUV0S2VXeFpSMDVDZG5rek56SkdkRlV3ZWtaTVVWQlRiMW93TWxaSFVTODBWbXR0YVZScU5GcFRkakZaYlV4UVNRcFhiVE01ZUVkd2FEaFpVbVpGUVhKR1JWRlNOeTlLV2tad2JVc3pPV1ZwTkZsWmVsRndjRXhqVW1sRVdHUjBia0pEV1VSTE0ydHVSekZzWnpKWVIyRnpDazF0V0VsdFFYQlFTMWcwTDA5a1RVdzVaVXMwY0dZd1EwRjNSVUZCVVQwOUNpMHRMUzB0UlU1RUlGQlZRa3hKUXlCTFJWa3RMUzB0TFFvPSJ9fX19",
"integratedTime": 1704106175,
"logIndex": 60606559,
"logID": "c0d23d6ad406973f9559f3ba2d1ca01f84147d8ffc5b8445c224f98b9591801d"
}
}
|
/assign |
Description
Basically when we sign the Image using
Cosign
signing tool, then by default, it adds therekor-bundle
to an image in form of annotation as a value of a keydev.sigstore.cosign/bundle
.But when we customize things, like using
OpenSSL
tool as a signing tool, in such case user need to manually add those things. For the same,cosign attach
command provide the functionally to attachpayload
,signature
,rekor-response
,tsr
, etc. Although, the command properly works forpayload
,signature
,--tsr
, but fails to attachrekor-response
.Command ran:
cosign attach signature --payload payload.json --signature payload.json.base64.sig --rekor-response rekor_bundle.json $IMAGE_DIGEST
Version
cosign version: 2.2.1
Solution:
Cosign attach should attach the rekor-bundle if
rekor-response
flag is provided by the user.Discussion at #3457
The text was updated successfully, but these errors were encountered: