
Update cosign to 2.2.3 per problems starting at 202403191800

Jason Plum requested to merge cosign-223 into master

Summary

Update cosign to 2.2.3 to "fix" pipelines broken by an apparent change of upstream keys, now using formats unsupported by older cosign.

Details

Update cosign to 2.2.3 per problems starting at 202403191800

$ cosign version
  ______   ______        _______. __    _______ .__   __.
 /      | /  __  \      /       ||  |  /  _____||  \ |  |
|  ,----'|  |  |  |    |   (----`|  | |  |  __  |   \|  |
|  |     |  |  |  |     \   \    |  | |  | |_ | |  . `  |
|  `----.|  `--'  | .----)   |   |  | |  |__| | |  |\   |
 \______| \______/  |_______/    |__|  \______| |__| \__|
cosign: A tool for Container Signing, Verification and Storage in an OCI registry.

GitVersion:    2.2.3
GitCommit:     493e6e29e2ac830aaf05ec210b36d0a5a60c3b32
GitTreeState:  "clean"
BuildDate:     2024-01-31T17:54:40Z
GoVersion:     go1.21.6
Compiler:      gc
Platform:      darwin/arm64
$ cosign verify --key pub.key dev.gitlab.org:5005/gitlab/charts/components/images/kubectl:6fd98ba3db9a6fae6fa74abf2d7e36429257957a

Verification for dev.gitlab.org:5005/gitlab/charts/components/images/kubectl:6fd98ba3db9a6fae6fa74abf2d7e36429257957a --
The following checks were performed on each of these signatures:
  - The cosign claims were validated
  - Existence of the claims in the transparency log was verified offline
  - The signatures were verified against the specified public key

[{"critical":{"identity":{"docker-reference":"dev.gitlab.org:5005/gitlab/charts/components/images/kubectl"},"image":{"docker-manifest-digest":"sha256:d71289048ab7d2df4b9f6a59a878a57433f2dc9a130d26a9f0ea9aba1422a110"},"type":"cosign container image signature"},"optional":{"Bundle":{"SignedEntryTimestamp":"MEYCIQCEMGqBBS0hMzdiz41skp0rOiEGZA8uZoGNQ2WneOl6cQIhAJyhxIk9EUmkAT95jbcvAnx6VryKVcNAkwzYTCEfqRl9","Payload":{"body":"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","integratedTime":1710874857,"logIndex":79585592,"logID":"c0d23d6ad406973f9559f3ba2d1ca01f84147d8ffc5b8445c224f98b9591801d"}}}}]
$ curl -JLO https://github.com/sigstore/cosign/releases/download/v2.1.1/cosign-darwin-arm64
$ ./cosign-darwin-arm64 verify -d --key pub.key dev.gitlab.org:5005/gitlab/charts/components/images/kubectl@sha256:d71289048ab7d2df4b9f6a59a878a57433f2dc9a130d26a9f0ea9aba1422a110
Error: getting Rekor public keys: unable to initialize client, local cache may be corrupt: invalid key
main.go:74: error during command execution: getting Rekor public keys: unable to initialize client, local cache may be corrupt: invalid key
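Added example, not part of the merge request or of the charts project: a POSIX shell guard for the pipeline step that runs `cosign verify`. It parses the version out of `cosign version` output of the shape pasted above, refuses to run with a cosign older than 2.2.3 (the version this MR pins), and rejects image references that are not pinned by digest, which is how the second, failing run above addresses the image. The script name, the `MIN_COSIGN_VERSION` value, the function names and the command-line shape are assumptions of this example.

```shell
#!/bin/sh
# cosign-guard.sh (hypothetical name): fail fast when the installed cosign is
# too old to verify against the current upstream keys, then verify a
# digest-pinned image. Added example, not code from the MR.
set -eu

# Oldest cosign this pipeline accepts; the MR moved to 2.2.3 because 2.1.1
# failed with "getting Rekor public keys: ... invalid key". Assumed value.
MIN_COSIGN_VERSION="2.2.3"

# version_ge A B: succeed when A >= B, comparing dot-separated numeric
# components left to right; missing components count as 0 (so 2.2 == 2.2.0).
version_ge() {
  a="$1"; b="$2"
  while [ -n "$a" ] || [ -n "$b" ]; do
    x=${a%%.*}; y=${b%%.*}
    case "$a" in *.*) a=${a#*.} ;; *) a='' ;; esac
    case "$b" in *.*) b=${b#*.} ;; *) b='' ;; esac
    if [ "${x:-0}" -gt "${y:-0}" ]; then return 0; fi
    if [ "${x:-0}" -lt "${y:-0}" ]; then return 1; fi
  done
  return 0
}

# Read `cosign version` text output on stdin and print the bare version from
# its "GitVersion:" line (a leading "v" is stripped); prints nothing if absent.
cosign_version_from_output() {
  sed -n 's/^GitVersion:[[:space:]]*v\{0,1\}//p' | head -n 1
}

# Accept only references pinned by digest (name@sha256:<64 hex chars>); a tag
# such as :latest can be re-pointed after the signature check.
require_digest_ref() {
  if printf '%s\n' "$1" | grep -Eq '@sha256:[0-9a-f]{64}$'; then
    return 0
  fi
  echo "refusing to verify '$1': pin the image by digest, not by tag" >&2
  return 1
}

# Run the installed cosign and compare its version with MIN_COSIGN_VERSION.
check_cosign() {
  have=$(cosign version 2>/dev/null | cosign_version_from_output)
  if [ -z "$have" ]; then
    echo "cosign not found on PATH or unrecognised 'cosign version' output" >&2
    return 1
  fi
  if ! version_ge "$have" "$MIN_COSIGN_VERSION"; then
    echo "cosign $have is older than $MIN_COSIGN_VERSION and cannot verify against the current upstream keys; upgrade" >&2
    return 1
  fi
  echo "cosign $have >= $MIN_COSIGN_VERSION"
}

# Usage: sh cosign-guard.sh <image@sha256:digest> <public-key-file>
# The pipeline step only runs when both arguments are given, so the functions
# above can also be sourced and tested without cosign installed.
if [ "$#" -eq 2 ]; then
  check_cosign
  require_digest_ref "$1"
  cosign verify --key "$2" "$1"
fi
```

The guard reports the version gap explicitly instead of letting the job die on the opaque "local cache may be corrupt: invalid key" error. Separately from anything in this MR, when that error appears on a cosign that is already new enough, the usual first step is `cosign initialize`, which re-fetches the Sigstore TUF root into the local `~/.sigstore` cache.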
