I'm using HashiCorp Vault for securely storing signing keys.
Then I want to use image verification in K8s using the Kyverno plugin (1.12). In the Kyverno policy I want to use a public key (not the HashiCorp Vault integration).
Before deploying I'm testing it locally:
1. get the public key from HashiCorp Vault and save it to key.pub
2. sign the image with the private key from HashiCorp Vault
3. verify the image with the stored key.pub
And... there is an error: no matching signatures. What am I doing wrong?
In the log below I see the signature digest:
Docker-Content-Digest: sha256:00677649ad1e48a0b52e0848e7968f62d077c80c93f38815b92672b425004f6f
but cosign can't find and verify it :C
Version
2.2.4
Full log:
$ cosign -version
WARNING: the -version flag is deprecated and will be removed in a future release. Please use the version subcommand instead.
(cosign ASCII-art banner)
cosign: A tool for Container Signing, Verification and Storage in an OCI registry.
GitVersion: v2.2.4
GitCommit: fb651b4
GitTreeState: clean
BuildDate: 2024-04-10T21:57:27Z
GoVersion: go1.21.11
Compiler: gc
Platform: linux/amd64
$ cosign sign --key hashivault://cosign harbor.domain.local/kb/test/tomcat:latest --tlog-upload=false -y
WARNING: Image reference harbor.domain.local/kb/test/tomcat:latest uses a tag, not a digest, to identify the image to sign.
This can lead you to sign a different image than the intended one. Please use a
digest (example.com/ubuntu@sha256:abc123...) rather than tag
(example.com/ubuntu:latest) for the input to cosign. The ability to refer to
images by tag will be removed in a future release.
Pushing signature to: harbor.domain.local/kb/test/tomcat
$ cosign public-key --key hashivault://cosign > key.pub
$ cat key.pub
-----BEGIN PUBLIC KEY-----
...
-----END PUBLIC KEY-----
$ cosign verify --key key.pub harbor.domain.local/kb/test/tomcat:latest --private-infrastructure
Error: no matching signatures: crypto/rsa: verification error
main.go:69: error during command execution: no matching signatures: crypto/rsa: verification error
$ cosign verify --key key.pub harbor.domain.local/kb/test/tomcat:latest --private-infrastructure -d
2024/06/26 15:41:14 --> GET https://harbor.domain.local/v2/
2024/06/26 15:41:14 GET /v2/ HTTP/1.1
Host: harbor.domain.local
User-Agent: cosign/v2.2.4 (linux; amd64) go-containerregistry/v0.19.1
Accept-Encoding: gzip
2024/06/26 15:41:14 <-- 401 https://harbor.domain.local/v2/ (82.568621ms)
2024/06/26 15:41:14 HTTP/1.1 401 Unauthorized
Content-Length: 76
Connection: keep-alive
Content-Type: application/json; charset=utf-8
Date: Wed, 26 Jun 2024 15:41:14 GMT
Docker-Distribution-Api-Version: registry/2.0
Server: nginx
Set-Cookie: sid=e4e4774df7ba2e7d86f2a6c04e1de90e; Path=/; HttpOnly
Www-Authenticate: Bearer realm="https://harbor.domain.local/service/token",service="harbor-registry"
X-Request-Id: e6f45bc6-dffe-4351-9f1e-db13a1f61d24
{"errors":[{"code":"UNAUTHORIZED","message":"unauthorized: unauthorized"}]}
2024/06/26 15:41:14 --> GET https://harbor.domain.local/service/token?scope=repository%3Akb%2Ftest%2Ftomcat%3Apull&service=harbor-registry [body redacted: basic token response contains credentials]
2024/06/26 15:41:14 GET /service/token?scope=repository%3Akb%2Ftest%2Ftomcat%3Apull&service=harbor-registry HTTP/1.1
Host: harbor.domain.local
User-Agent: cosign/v2.2.4 (linux; amd64) go-containerregistry/v0.19.1
Authorization:
Accept-Encoding: gzip
2024/06/26 15:41:14 <-- 200 https://harbor.domain.local/service/token?scope=repository%3Akb%2Ftest%2Ftomcat%3Apull&service=harbor-registry (37.001894ms) [body redacted: basic token response contains credentials]
2024/06/26 15:41:14 HTTP/1.1 200 OK
Connection: keep-alive
Content-Security-Policy: frame-ancestors 'none'
Content-Type: application/json; charset=utf-8
Date: Wed, 26 Jun 2024 15:41:14 GMT
Server: nginx
Set-Cookie: sid=a6a306ea49bec6c9c88c17eb08348c4c; Path=/; Secure; HttpOnly
Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
X-Frame-Options: DENY
X-Request-Id: fa30a788-9054-4c79-acc2-26e8b5d83b2b
2024/06/26 15:41:14 --> GET https://harbor.domain.local/v2/kb/test/tomcat/manifests/latest
2024/06/26 15:41:14 GET /v2/kb/test/tomcat/manifests/latest HTTP/1.1
Host: harbor.domain.local
User-Agent: cosign/v2.2.4 (linux; amd64) go-containerregistry/v0.19.1
Accept: application/vnd.docker.distribution.manifest.v1+json,application/vnd.docker.distribution.manifest.v1+prettyjws,application/vnd.docker.distribution.manifest.v2+json,application/vnd.oci.image.manifest.v1+json,application/vnd.docker.distribution.manifest.list.v2+json,application/vnd.oci.image.index.v1+json
Authorization:
Accept-Encoding: gzip
2024/06/26 15:41:14 <-- 200 https://harbor.domain.local/v2/kb/test/tomcat/manifests/latest (20.546238ms)
2024/06/26 15:41:14 HTTP/1.1 200 OK
Content-Length: 1995
Connection: keep-alive
Content-Security-Policy: frame-ancestors 'none'
Content-Type: application/vnd.docker.distribution.manifest.v2+json
Date: Wed, 26 Jun 2024 15:41:14 GMT
Docker-Content-Digest: sha256:5ce070ad13a28c1e398ca62b1a7c34b2d0a5e59a158cd18d5a7f660f32b7f228
Docker-Distribution-Api-Version: registry/2.0
Etag: "sha256:5ce070ad13a28c1e398ca62b1a7c34b2d0a5e59a158cd18d5a7f660f32b7f228"
Server: nginx
Set-Cookie: sid=9412769ad8cbdb005a40227c486c3d0c; Path=/; HttpOnly
Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
X-Frame-Options: DENY
X-Request-Id: ea44b5ea-ce68-4ecb-a870-903d675e74fe
{
"schemaVersion": 2,
"mediaType": "application/vnd.docker.distribution.manifest.v2+json",
"config": {
"mediaType": "application/vnd.docker.container.image.v1+json",
"size": 12747,
"digest": "sha256:4a75d8ec8312d825325205062d916278b101f9a77dc98120575caf0eec021ad9"
},
"layers": [
{
"mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
"size": 30447114,
"digest": "sha256:df2fac849a4581b035132d99e203fd83dc65590ea565435a266cb0e14a508838"
},
{
"mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
"size": 17458145,
"digest": "sha256:c506251a0ae0b836353578bafa8d6aeb266158d3291ba4abbc2f5f8ccda6f742"
},
{
"mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
"size": 158640089,
"digest": "sha256:127f7734cc88e82b85a490a49b02364f4d665cc4c27941587f3901bf99619f7a"
},
{
"mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
"size": 175,
"digest": "sha256:eabc79a4d7f6c11b002a51dfc68bb7fad2da17d31c984428e0affaba1e88fda3"
},
{
"mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
"size": 732,
"digest": "sha256:cb0704fc9e8298f8c6371c3324c792282950ba0fab31dd49ac8e3c994f7318b2"
},
{
"mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
"size": 174,
"digest": "sha256:9ea8abad4482081cf1412b1df46db5866d432dc63fb270c468eeb7df96cab329"
},
{
"mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
"size": 12796135,
"digest": "sha256:ee2a7cc21b5d96aad46514b457b700e0e24431ac0caea07fbbd0ba4450ff125c"
},
{
"mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
"size": 130,
"digest": "sha256:bc84b42ed1a9a8b758ca0b3626784df34d572e22265d4aa3a9fcd5b6e05c0c0b"
}
]
}
2024/06/26 15:41:14 --> GET https://harbor.domain.local/v2/kb/test/tomcat/manifests/sha256-5ce070ad13a28c1e398ca62b1a7c34b2d0a5e59a158cd18d5a7f660f32b7f228.sig
2024/06/26 15:41:14 GET /v2/kb/test/tomcat/manifests/sha256-5ce070ad13a28c1e398ca62b1a7c34b2d0a5e59a158cd18d5a7f660f32b7f228.sig HTTP/1.1
Host: harbor.domain.local
User-Agent: cosign/v2.2.4 (linux; amd64) go-containerregistry/v0.19.1
Accept: application/vnd.docker.distribution.manifest.v1+json,application/vnd.docker.distribution.manifest.v1+prettyjws,application/vnd.docker.distribution.manifest.v2+json,application/vnd.oci.image.manifest.v1+json,application/vnd.docker.distribution.manifest.list.v2+json,application/vnd.oci.image.index.v1+json
Authorization:
Accept-Encoding: gzip
2024/06/26 15:41:14 <-- 200 https://harbor.domain.local/v2/kb/test/tomcat/manifests/sha256-5ce070ad13a28c1e398ca62b1a7c34b2d0a5e59a158cd18d5a7f660f32b7f228.sig (12.664503ms)
2024/06/26 15:41:14 HTTP/1.1 200 OK
Content-Length: 1146
Connection: keep-alive
Content-Security-Policy: frame-ancestors 'none'
Content-Type: application/vnd.oci.image.manifest.v1+json
Date: Wed, 26 Jun 2024 15:41:14 GMT
Docker-Content-Digest: sha256:00677649ad1e48a0b52e0848e7968f62d077c80c93f38815b92672b425004f6f
Docker-Distribution-Api-Version: registry/2.0
Etag: "sha256:00677649ad1e48a0b52e0848e7968f62d077c80c93f38815b92672b425004f6f"
Server: nginx
Set-Cookie: sid=80b6f827eb337c122f5f73e1b8204fd3; Path=/; HttpOnly
Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
X-Frame-Options: DENY
X-Request-Id: 715988b6-fd03-4e2f-9c7f-b18af50a0efd
{"schemaVersion":2,"mediaType":"application/vnd.oci.image.manifest.v1+json","config":{"mediaType":"application/vnd.oci.image.config.v1+json","size":233,"digest":"sha256:be18391083c58c19f3e3b8057577f7b4c75e518a0252d600f59ec80bbe459cfa"},"layers":[{"mediaType":"application/vnd.dev.cosign.simplesigning.v1+json","size":247,"digest":"sha256:c71c3a876276a838045c709e84697da6aade195609d280a39c55060b38540625","annotations":{"dev.cosignproject.cosign/signature":"..."}}]}
2024/06/26 15:41:14 --> GET https://harbor.domain.local/v2/kb/test/tomcat/blobs/sha256:c71c3a876276a838045c709e84697da6aade195609d280a39c55060b38540625 [body redacted: omitting binary blobs from logs]
2024/06/26 15:41:14 GET /v2/kb/test/tomcat/blobs/sha256:c71c3a876276a838045c709e84697da6aade195609d280a39c55060b38540625 HTTP/1.1
Host: harbor.domain.local
User-Agent: cosign/v2.2.4 (linux; amd64) go-containerregistry/v0.19.1
Authorization:
Accept-Encoding: gzip
2024/06/26 15:41:14 <-- 200 https://harbor.domain.local/v2/kb/test/tomcat/blobs/sha256:c71c3a876276a838045c709e84697da6aade195609d280a39c55060b38540625 (18.632553ms) [body redacted: omitting binary blobs from logs]
2024/06/26 15:41:14 HTTP/1.1 200 OK
Content-Length: 247
Accept-Ranges: bytes
Cache-Control: max-age=31536000
Connection: keep-alive
Content-Security-Policy: frame-ancestors 'none'
Content-Type: application/octet-stream
Date: Wed, 26 Jun 2024 15:41:14 GMT
Docker-Content-Digest: sha256:c71c3a876276a838045c709e84697da6aade195609d280a39c55060b38540625
Docker-Distribution-Api-Version: registry/2.0
Etag: "sha256:c71c3a876276a838045c709e84697da6aade195609d280a39c55060b38540625"
Server: nginx
Set-Cookie: sid=10e4ec18aa379c27cb0e2bbf8fb89d2a; Path=/; HttpOnly
Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
X-Frame-Options: DENY
X-Request-Id: fd1e66b0-58aa-4d6c-81f0-8ade124bb2fd
Error: no matching signatures: crypto/rsa: verification error
main.go:69: error during command execution: no matching signatures: crypto/rsa: verification error
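For readers of this issue, an added Go example (not from the issue and not cosign's own code) of what the failing step checks: the debug log shows the `.sig` manifest and the 247-byte payload blob were both fetched, so `crypto/rsa: verification error` is Go's `rsa.ErrVerification` from the RSA check of the annotation signature over that payload with the exported key. The block reproduces the check offline on a constructed payload and shows one way to get exactly this error with the correct key and an untampered payload: signer and verifier using different RSA schemes (RSA-PSS versus PKCS#1 v1.5), which is an assumption to test against the KMS signing defaults, not a finding from the log.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
)

// Constructed stand-in for the simple-signing payload cosign fetched in the log
// (the JSON the .sig layer points at); the real 247-byte blob is not shown.
const payload = `{"critical":{"identity":{"docker-reference":"harbor.domain.local/kb/test/tomcat"},"image":{"docker-manifest-digest":"sha256:5ce070ad13a28c1e398ca62b1a7c34b2d0a5e59a158cd18d5a7f660f32b7f228"},"type":"cosign container image signature"},"optional":null}`
const (
	PKCS1v15 = iota // RSA PKCS#1 v1.5: what a PEM-loaded RSA verifier typically checks
	PSS             // RSA-PSS: what a KMS may apply to the same SHA-256 digest (assumption)
)

// Sign signs the SHA-256 digest of msg under scheme s; base64 output mirrors the annotation.
func Sign(priv *rsa.PrivateKey, s int, msg []byte) (string, error) {
	d := sha256.Sum256(msg)
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, d[:])
	if s == PSS {
		sig, err = rsa.SignPSS(rand.Reader, priv, crypto.SHA256, d[:], nil)
	}
	return base64.StdEncoding.EncodeToString(sig), err
}

// Verify decodes the annotation and checks it under scheme s. A scheme mismatch
// fails with rsa.ErrVerification, "crypto/rsa: verification error", as in the log.
func Verify(pub *rsa.PublicKey, s int, msg []byte, b64 string) error {
	sig, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return err
	}
	d := sha256.Sum256(msg)
	if s == PSS {
		return rsa.VerifyPSS(pub, crypto.SHA256, d[:], sig, nil)
	}
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, d[:], sig)
}

// CrossCheck signs under one scheme and verifies under another with one key pair; nil means match.
func CrossCheck(signWith, verifyWith int) error {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // demo key; generation failure is not under study
	b64, err := Sign(priv, signWith, []byte(payload))
	if err != nil {
		return err
	}
	return Verify(&priv.PublicKey, verifyWith, []byte(payload), b64)
}
```

`CrossCheck(PSS, PKCS1v15)` returns the same error text the issue shows, while `CrossCheck(PSS, PSS)` returns nil; a wrong key or an altered payload fails the same way, so the scheme is only the first thing to rule out.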