
Why calling v2 referrers api and including all signature layer in new signature manifest #3659

Open
MinerYang opened this issue Apr 9, 2024 · 5 comments
Labels
question Further information is requested

Comments

@MinerYang

Question
Step 1: sign an image with regular cosign.
Step 2: sign the image with COSIGN_EXPERIMENTAL=1 and --registry-referrers-mode oci-1-1.
Step 3: get the new signature manifest; it will include all preceding signature layers.

/data/registry/docker/registry/v2/blobs/sha256$ cat eb/ebc4372c9fe2bff1a0ba3c15857cab9ba97174c8ca64a8168a4b2f85cbc6700d/data  | jq .
{
  "schemaVersion": 2,
  "mediaType": "application/vnd.oci.image.manifest.v1+json",
  "config": {
    "mediaType": "application/vnd.dev.cosign.artifact.sig.v1+json",
    "size": 451,
    "digest": "sha256:24e41e6b63095501c8c9d0b7021b79fcf23ffdb295fba17af443f95205448939"
  },
  "layers": [
    {
      "mediaType": "application/vnd.dev.cosign.simplesigning.v1+json",
      "size": 250,
      "digest": "sha256:53627750525c032c04693ffac1c2a910350d0f6ac36402f0b3a4d1e4f3876819",
      "annotations": {
        "dev.cosignproject.cosign/signature": "MEQCIHqac+pViFr85AikUF78koAK5ELvZ9zpSYie+i8XiRD/AiAdOXycSHfAujPel3QH9GnnNfLSyygglSzpyUJwMuuTaw==",
        "dev.sigstore.cosign/bundle": "{\"SignedEntryTimestamp\":\"MEUCIQDf4eY/DVX21rZIZJUWrpk7MQAcNNwRZuMlnWFdd/pfegIgLR3Z3EF2ohSCC0lIFINcdiyLO1AJJGeCr33qYt+73A8=\",\"Payload\":{\"body\":\"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\",\"integratedTime\":1712641884,\"logIndex\":84292486,\"logID\":\"c0d23d6ad406973f9559f3ba2d1ca01f84147d8ffc5b8445c224f98b9591801d\"}}"
      }
    },
    {
      "mediaType": "application/vnd.dev.cosign.simplesigning.v1+json",
      "size": 250,
      "digest": "sha256:53627750525c032c04693ffac1c2a910350d0f6ac36402f0b3a4d1e4f3876819",
      "annotations": {
        "dev.cosignproject.cosign/signature": "MEQCIF9XqjuO8dMIqQTg6gomrYoGp5ukVN1T9UC8sc4noOfgAiADfrki8OBV36KjckR2X75LWCDrCRLH4NIXy1aWI4+kXg==",
        "dev.sigstore.cosign/bundle": "{\"SignedEntryTimestamp\":\"MEYCIQD9FvimCVi5KMkjYkkLIFC7ISTr86rxqcxSJYUN2ix4RAIhAL4s62geCxqHF0NOmE30J3UsfCtNDzzd+/fTVSfwtusQ\",\"Payload\":{\"body\":\"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\",\"integratedTime\":1712649737,\"logIndex\":84307241,\"logID\":\"c0d23d6ad406973f9559f3ba2d1ca01f84147d8ffc5b8445c224f98b9591801d\"}}"
      }
    },
    {
      "mediaType": "application/vnd.dev.cosign.simplesigning.v1+json",
      "size": 250,
      "digest": "sha256:53627750525c032c04693ffac1c2a910350d0f6ac36402f0b3a4d1e4f3876819",
      "annotations": {
        "dev.cosignproject.cosign/signature": "MEUCIC4OJ4fcPET7AxS3ZMNeYtxDdSXY1jqVY30KQcqS73sCAiEAkK+R2/cQlYexmq7/avRXLTZ1/SRlaAomfVGwuG+fat0=",
        "dev.sigstore.cosign/bundle": "{\"SignedEntryTimestamp\":\"MEYCIQD9ImUx+SrChaql3SKKJeWOeDYEUetHfIwUcECUc94ZmgIhAMEA2ZCbqT1MT5MO9K40LlZKmrhSXYutnpw+wxJwXxgT\",\"Payload\":{\"body\":\"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\",\"integratedTime\":1712649852,\"logIndex\":84307411,\"logID\":\"c0d23d6ad406973f9559f3ba2d1ca01f84147d8ffc5b8445c224f98b9591801d\"}}"
      }
    }
  ],
  "subject": {
    "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
    "size": 524,
    "digest": "sha256:d37ada95d47ad12224c205a938129df7a3e52345828b4fa27b03a98825d1e2e7"
  }
}
MinerYang added the "question" (Further information is requested) label Apr 9, 2024

@bobcallaway (Member)

I'm not following your question, can you please clarify?

@MinerYang (Author)

MinerYang commented Apr 11, 2024

Hi @bobcallaway ,
What I am wondering about is the inclusion of all the signature layers in the new signature manifest when I sign an image using --registry-referrers-mode oci-1-1.
If I sign an image, what we expect for the layer of the signature manifest is this signature itself.
However, signing in this experimental mode includes all the old signatures that reference this image, e.g. there are 3 descriptors in the above manifest layers.
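To make the question concrete, here is an added Go example, written for this issue and not cosign's own code, that parses a signature manifest of the shape posted above and reports its simplesigning layers: it groups them by payload digest and by signature value and pulls the Rekor logIndex out of each bundle annotation, so a reader can see at a glance that the three layers cover a single payload blob signed three times, each with its own transparency-log entry. The sample manifest inside the block is a cut-down, constructed copy of the one above with placeholder signature strings; the type and function names (Summarize, SignatureLayer, Summary) are assumptions of this example, not cosign identifiers.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Descriptor holds the OCI descriptor fields a signature layer carries.
type Descriptor struct {
	MediaType   string            `json:"mediaType"`
	Size        int64             `json:"size"`
	Digest      string            `json:"digest"`
	Annotations map[string]string `json:"annotations,omitempty"`
}

// Manifest is the subset of an OCI image manifest read here; other fields are ignored.
type Manifest struct {
	MediaType string       `json:"mediaType"`
	Layers    []Descriptor `json:"layers"`
	Subject   *Descriptor  `json:"subject,omitempty"`
}

// bundle is the part of the dev.sigstore.cosign/bundle annotation read here.
type bundle struct {
	Payload struct {
		LogIndex int64 `json:"logIndex"`
	} `json:"Payload"`
}

// SignatureLayer summarises one simplesigning layer of a signature manifest.
type SignatureLayer struct {
	PayloadDigest string // digest of the signed payload blob
	Signature     string // base64 signature from the annotation
	LogIndex      int64  // Rekor log index from the bundle, 0 if absent
}

// Summary lists the signature layers and counts distinct payloads and signatures.
type Summary struct {
	SubjectDigest      string
	Layers             []SignatureLayer
	DistinctPayloads   int
	DistinctSignatures int
}

const simpleSigningMediaType = "application/vnd.dev.cosign.simplesigning.v1+json"

// Summarize parses a signature manifest and reports what its signature layers contain.
func Summarize(raw []byte) (Summary, error) {
	var m Manifest
	if err := json.Unmarshal(raw, &m); err != nil {
		return Summary{}, err
	}
	s := Summary{}
	if m.Subject != nil {
		s.SubjectDigest = m.Subject.Digest
	}
	payloads, sigs := map[string]bool{}, map[string]bool{}
	for _, l := range m.Layers {
		if l.MediaType != simpleSigningMediaType {
			continue // not a cosign signature layer
		}
		layer := SignatureLayer{PayloadDigest: l.Digest, Signature: l.Annotations["dev.cosignproject.cosign/signature"]}
		if b, ok := l.Annotations["dev.sigstore.cosign/bundle"]; ok {
			var bd bundle
			if err := json.Unmarshal([]byte(b), &bd); err == nil {
				layer.LogIndex = bd.Payload.LogIndex
			}
		}
		payloads[layer.PayloadDigest] = true
		sigs[layer.Signature] = true
		s.Layers = append(s.Layers, layer)
	}
	s.DistinctPayloads, s.DistinctSignatures = len(payloads), len(sigs)
	return s, nil
}

// sampleManifest is a constructed, cut-down copy of the manifest shape from the issue:
// three layers over one payload digest. Signature strings are placeholders, not real values.
const sampleManifest = `{
  "schemaVersion": 2,
  "mediaType": "application/vnd.oci.image.manifest.v1+json",
  "layers": [
    {"mediaType": "application/vnd.dev.cosign.simplesigning.v1+json", "size": 250,
     "digest": "sha256:53627750525c032c04693ffac1c2a910350d0f6ac36402f0b3a4d1e4f3876819",
     "annotations": {"dev.cosignproject.cosign/signature": "SIG-1-PLACEHOLDER",
                     "dev.sigstore.cosign/bundle": "{\"Payload\":{\"logIndex\":84292486}}"}},
    {"mediaType": "application/vnd.dev.cosign.simplesigning.v1+json", "size": 250,
     "digest": "sha256:53627750525c032c04693ffac1c2a910350d0f6ac36402f0b3a4d1e4f3876819",
     "annotations": {"dev.cosignproject.cosign/signature": "SIG-2-PLACEHOLDER",
                     "dev.sigstore.cosign/bundle": "{\"Payload\":{\"logIndex\":84307241}}"}},
    {"mediaType": "application/vnd.dev.cosign.simplesigning.v1+json", "size": 250,
     "digest": "sha256:53627750525c032c04693ffac1c2a910350d0f6ac36402f0b3a4d1e4f3876819",
     "annotations": {"dev.cosignproject.cosign/signature": "SIG-3-PLACEHOLDER",
                     "dev.sigstore.cosign/bundle": "{\"Payload\":{\"logIndex\":84307411}}"}}
  ],
  "subject": {"mediaType": "application/vnd.docker.distribution.manifest.v2+json", "size": 524,
              "digest": "sha256:d37ada95d47ad12224c205a938129df7a3e52345828b4fa27b03a98825d1e2e7"}
}`

func main() {
	s, err := Summarize([]byte(sampleManifest))
	if err != nil {
		panic(err)
	}
	fmt.Printf("subject %s: %d signature layers, %d distinct payloads, %d distinct signatures\n",
		s.SubjectDigest, len(s.Layers), s.DistinctPayloads, s.DistinctSignatures)
	for i, l := range s.Layers {
		fmt.Printf("  layer %d: payload=%s sig=%s rekorIndex=%d\n", i, l.PayloadDigest, l.Signature, l.LogIndex)
	}
}
```

Run against the sample, the summary reports three signature layers, one distinct payload digest and three distinct signatures with three different log indices: the same payload was signed on three separate occasions and each signing produced its own Rekor entry. The summary describes what the manifest contains and what a verifier would iterate over; why cosign accumulated the earlier layers into the new referrer manifest is the question this issue leaves open.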

@MinerYang (Author)

Hi @bobcallaway ,

Any update here?

@Silvanoc

I cannot reproduce it. I have created an image with two layers and the manifest of the referrer providing the signature does not list them.

@bobcallaway (Member)

@jonjohnsonjr @hectorj2f any thoughts here?
