Project Quay / PROJQUAY-7355

Quay 3.12 Cosign sign image tag with annotation "quay.expires-after=2d" can't set expiration date


    • Type: Bug
    • Resolution: Done
    • Priority: Critical
    • None
    • quay-v3.12.0
    • documentation, quay

      Description:

      This is an issue found in the new Quay 3.12 feature "Annotation Parsing". When using Cosign to sign an image in Quay 3.12 and giving the annotation "quay.expires-after=2d" to set the expiration date of the image tag, it doesn't work, while with ORAS it works well. Please review this issue.

      Expected deliverable:

      1. A user is able to use Cosign to annotate and store an artifact in Quay that can then be parsed by Quay to set expiration date

      Quay:  quay-operator-bundle-container-v3.12.0-1

      Cosign Version: Latest v2.2.4

      https://github.com/sigstore/cosign/releases/tag/v2.2.4 

      ./cosign-linux-amd64 version
        ______   ______        _______. __    _______ .__   __.
       /      | /  __  \      /       ||  |  /  _____||  \ |  |
      |  ,----'|  |  |  |    |   (----`|  | |  |  __  |   \|  |
      |  |     |  |  |  |     \   \    |  | |  | |_ | |  . `  |
      |  `----.|  `--'  | .----)   |   |  | |  |__| | |  |\   |
       \______| \______/  |_______/    |__|  \______| |__| \__|
      cosign: A tool for Container Signing, Verification and Storage in an OCI registry.
      
      
      GitVersion:    v2.2.4
      GitCommit:     fb651b4ddd8176bd81756fca2d988dd8611f514d
      GitTreeState:  clean
      BuildDate:     2024-04-10T21:57:27Z
      GoVersion:     go1.21.8
      Compiler:      gc
      Platform:      linux/amd64
      
      ./cosign-linux-amd64 sign -key cosign.key quay-quay-quay312.apps.quaytest-2665.qe.devcluster.openshift.com/qateam/annotation:redis -a "quay.expires-after=2d" -y
      WARNING: the -key flag is deprecated and will be removed in a future release. Please use the --key flag instead.
      Enter password for private key: 
      Pushing signature to: quay-quay-quay312.apps.quaytest-2665.qe.devcluster.openshift.com/qateam/annotation 

      ORAS:

      oras push --annotation "quay.expires-after=2d" quay-quay-quay312.apps.quaytest-2665.qe.devcluster.openshift.com/qateam/annotation:newtag Dockerfile --insecure --username quay --password password
      WARNING! Using --password via the CLI is insecure. Use --password-stdin.
      Uploading 3edb3c00b1fd Dockerfile
      Uploaded  3edb3c00b1fd Dockerfile
      Pushed [registry] quay-quay-quay312.apps.quaytest-2665.qe.devcluster.openshift.com/qateam/annotation:newtag
      Digest: sha256:a089a203b30a2774c99666a19a4f2a48e82ebc56e77f5e5c0e78023053006ba5

      Quay 3.12 Console:

            rhn-support-stevsmit Steven Smith
            lzha1981 luffy zhang
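
A triage check for the behaviour reported above, as an added example that is not part of the original issue or of Quay's code: it reports where `quay.expires-after` sits in what each tool pushed. The manifests are constructed samples modelled on ORAS's `--annotation` (manifest annotations) and Cosign's `-a` (the `optional` section of the signed payload); the function name `locate` is hypothetical, and that Quay's parser reads only manifest-level annotations is an assumption, not something the issue states.

```python
import json

KEY = "quay.expires-after"
COSIGN_PAYLOAD = "application/vnd.dev.cosign.simplesigning.v1+json"

def locate(manifest, blobs, key=KEY):
    """List every place `key` appears in one pushed OCI manifest.

    `blobs` maps layer digest -> raw bytes; constructed inline below,
    fetched from the registry in real use.
    """
    found = []
    if key in (manifest.get("annotations") or {}):
        found.append("manifest.annotations")
    for i, layer in enumerate(manifest.get("layers") or []):
        if key in (layer.get("annotations") or {}):
            found.append(f"layers[{i}].annotations")
        if layer.get("mediaType") == COSIGN_PAYLOAD and layer.get("digest") in blobs:
            try:
                payload = json.loads(blobs[layer["digest"]])
            except ValueError:
                continue  # unreadable payload: nothing to report for it
            if isinstance(payload, dict) and key in (payload.get("optional") or {}):
                found.append(f"layers[{i}].payload.optional")
    return found

# Constructed samples (digests are fillers, not real content addresses).
D1, D2 = "sha256:" + "1" * 64, "sha256:" + "2" * 64
ORAS_MANIFEST = {
    "schemaVersion": 2,
    "mediaType": "application/vnd.oci.image.manifest.v1+json",
    "layers": [{"mediaType": "application/vnd.oci.image.layer.v1.tar", "digest": D1,
                "annotations": {"org.opencontainers.image.title": "Dockerfile"}}],
    "annotations": {KEY: "2d"},
}
COSIGN_MANIFEST = {
    "schemaVersion": 2,
    "mediaType": "application/vnd.oci.image.manifest.v1+json",
    "layers": [{"mediaType": COSIGN_PAYLOAD, "digest": D2,
                "annotations": {"dev.cosignproject.cosign/signature": "<constructed>"}}],
}
COSIGN_BLOBS = {D2: json.dumps({
    "critical": {"type": "cosign container image signature"},
    "optional": {KEY: "2d"},
}).encode()}

if __name__ == "__main__":
    print("oras  :", locate(ORAS_MANIFEST, {}))
    print("cosign:", locate(COSIGN_MANIFEST, COSIGN_BLOBS))
```
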