Uploaded image for project: 'Project Quay'
  1. Project Quay
  2. PROJQUAY-7355

Quay 3.12 Cosign sign image tag with annotation "quay.expires-after=2d" can't set expiration date

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Done
    • Icon: Critical Critical
    • None
    • quay-v3.12.0
    • documentation, quay

      Description:

      This is an issue found in Quay 3.12 new feature "Annotation Parsing", when use Cosign to sign image from Quay 3.12 and give annotation "quay.expires-after=2d" to the expiration date of image tag, found it doesn't work, while use ORAS it works well, pls review this issue.

      Expected deliverable:

      1. A user is able to use Cosign to annotate and store an artifact in Quay that can then be parsed by Quay to set expiration date

      Quay:  quay-operator-bundle-container-v3.12.0-1

      Cosign Version: Latest v2.2.4

      https://github.com/sigstore/cosign/releases/tag/v2.2.4 

      ./cosign-linux-amd64 version
  ______   ______        _______. __    _______ .__   __.
 /      | /  __  \      /       ||  |  /  _____||  \ |  |
|  ,----'|  |  |  |    |   (----`|  | |  |  __  |   \|  |
|  |     |  |  |  |     \   \    |  | |  | |_ | |  . `  |
|  `----.|  `--'  | .----)   |   |  | |  |__| | |  |\   |
 \______| \______/  |_______/    |__|  \______| |__| \__|
cosign: A tool for Container Signing, Verification and Storage in an OCI registry.


GitVersion:    v2.2.4
GitCommit:     fb651b4ddd8176bd81756fca2d988dd8611f514d
GitTreeState:  clean
BuildDate:     2024-04-10T21:57:27Z
GoVersion:     go1.21.8
Compiler:      gc
Platform:      linux/amd64

./cosign-linux-amd64 sign -key cosign.key quay-quay-quay312.apps.quaytest-2665.qe.devcluster.openshift.com/qateam/annotation:redis -a "quay.expires-after=2d" -y
WARNING: the -key flag is deprecated and will be removed in a future release. Please use the --key flag instead.
Enter password for private key: 
Pushing signature to: quay-quay-quay312.apps.quaytest-2665.qe.devcluster.openshift.com/qateam/annotation

      ORAS:

      oras push --annotation "quay.expires-after=2d" quay-quay-quay312.apps.quaytest-2665.qe.devcluster.openshift.com/qateam/annotation:newtag Dockerfile --insecure --username quay --password password
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
Uploading 3edb3c00b1fd Dockerfile
Uploaded  3edb3c00b1fd Dockerfile
Pushed [registry] quay-quay-quay312.apps.quaytest-2665.qe.devcluster.openshift.com/qateam/annotation:newtag
Digest: sha256:a089a203b30a2774c99666a19a4f2a48e82ebc56e77f5e5c0e78023053006ba5
      Quay 3.12 Console:

        1. image-2024-06-21-17-42-05-780.png
          image-2024-06-21-17-42-05-780.png
          371 kB

            rhn-support-stevsmit Steven Smith
            lzha1981 luffy zhang
            Votes:
            0 Vote for this issue
            Watchers:
            4 Start watching this issue

              Created:
              Updated:
              Resolved: