Bug
Resolution: Unresolved
Hi Quay team,
The image registry.redhat.io/ubi9/php-82@sha256:779890cdf8b07126e26411332956ca0fd83a3a052486265d825f62c01c86abfd was signed with "cosign sign" a few times, each time with a different --sign-container-identity, to add multiple image references to the signature.
The resulting signature has these references:

$ cosign verify --key sigstore.pub --insecure-ignore-tlog=true registry.redhat.io/ubi9/php-82@sha256:779890cdf8b07126e26411332956ca0fd83a3a052486265d825f62c01c86abfd | jq .[].critical.identity.'"docker-reference"'
"registry.redhat.io/ubi9/php-82:1-1751529126"
"registry.access.redhat.com/ubi9/php-82:9.6"
"registry.access.redhat.com/ubi9/php-82:9.6-1751529126"
"registry.access.redhat.com/ubi9/php-82:latest"
"registry.access.redhat.com/ubi9/php-82:1"
"registry.access.redhat.com/ubi9/php-82:1-1751529126"

Some other references are expected but do not exist in the signature:

registry.redhat.io/ubi9/php-82:9.6
registry.redhat.io/ubi9/php-82:9.6-1751529126
registry.redhat.io/ubi9/php-82:latest
registry.redhat.io/ubi9/php-82:1

Blobs of the missing items exist though:

$ curl -L -H "Authorization: Bearer $TOKEN" https://registry.redhat.io/v2/ubi9/php-82/blobs/sha256:2c20475aa1cacd9cab1bbf11f7c1bfa1af4fd2d157dae93cad143293960720b1
{"critical":{"identity":{"docker-reference":"registry.redhat.io/ubi9/php-82:9.6"},"image":{"docker-manifest-digest":"sha256:779890cdf8b07126e26411332956ca0fd83a3a052486265d825f62c01c86abfd"},"type":"cosign container image signature"},"optional":null}

$ curl -L -H "Authorization: Bearer $TOKEN" https://registry.redhat.io/v2/ubi9/php-82/blobs/sha256:ceb231c64e7a5557d44e6e72c5d74254d18513383035118c5ed8bfb901de3494
{"critical":{"identity":{"docker-reference":"registry.redhat.io/ubi9/php-82:9.6-1751529126"},"image":{"docker-manifest-digest":"sha256:779890cdf8b07126e26411332956ca0fd83a3a052486265d825f62c01c86abfd"},"type":"cosign container image signature"},"optional":null}

$ curl -L -H "Authorization: Bearer $TOKEN" https://registry.redhat.io/v2/ubi9/php-82/blobs/sha256:1e03780fb8c17d7c8a80ad77a707f5a0c601020ecd8c1be9e50f076ee9688be4
{"critical":{"identity":{"docker-reference":"registry.redhat.io/ubi9/php-82:latest"},"image":{"docker-manifest-digest":"sha256:779890cdf8b07126e26411332956ca0fd83a3a052486265d825f62c01c86abfd"},"type":"cosign container image signature"},"optional":null}

$ curl -L -H "Authorization: Bearer $TOKEN" https://registry.redhat.io/v2/ubi9/php-82/blobs/sha256:fd93abfc758a0c35544ac51063116d501fba205f00539147661b5c9f82406f0f
{"critical":{"identity":{"docker-reference":"registry.redhat.io/ubi9/php-82:1"},"image":{"docker-manifest-digest":"sha256:779890cdf8b07126e26411332956ca0fd83a3a052486265d825f62c01c86abfd"},"type":"cosign container image signature"},"optional":null}

So "cosign sign" did upload them to Quay. The question is why they are not in the layers of registry.redhat.io/ubi9/php-82:sha256-779890cdf8b07126e26411332956ca0fd83a3a052486265d825f62c01c86abfd.sig.
Could you help to investigate?
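
The manual check in this report, as an added example that is not part of the original ticket and is not Quay or cosign code: it separates references whose payload blob is listed as a layer of the `.sig` manifest from references whose blob exists in the repository but is not referenced by that manifest. The image digest and repository come from the report; the manifest, blob store, `example-absent` tag and all function names are constructed for illustration.

```python
import hashlib
import json

# Digest and repository are taken from the report; everything else is constructed.
IMAGE_DIGEST = "sha256:779890cdf8b07126e26411332956ca0fd83a3a052486265d825f62c01c86abfd"
REPO = "registry.redhat.io/ubi9/php-82"
MEDIA_TYPE = "application/vnd.dev.cosign.simplesigning.v1+json"

def make_payload(reference):
    """Constructed payload in the shape of the blobs shown in the report."""
    doc = {"critical": {"identity": {"docker-reference": reference},
                        "image": {"docker-manifest-digest": IMAGE_DIGEST},
                        "type": "cosign container image signature"},
           "optional": None}
    return json.dumps(doc, separators=(",", ":")).encode()

def blob_digest(data):
    return "sha256:" + hashlib.sha256(data).hexdigest()

def classify(manifest, blob_store, expected_refs):
    """Map each expected reference to in-manifest, orphaned-blob or absent."""
    layer_digests = {layer["digest"] for layer in manifest["layers"]}
    status = {ref: "absent" for ref in expected_refs}
    for digest, data in blob_store.items():
        if blob_digest(data) != digest:
            continue  # content does not match its address; ignore it
        critical = json.loads(data)["critical"]
        ref = critical["identity"]["docker-reference"]
        if critical["image"]["docker-manifest-digest"] != IMAGE_DIGEST:
            continue  # payload is about a different image
        if ref not in status or status[ref] == "in-manifest":
            continue
        status[ref] = "in-manifest" if digest in layer_digests else "orphaned-blob"
    return status

def demo():
    refs = [f"{REPO}:1-1751529126", f"{REPO}:9.6", f"{REPO}:latest"]
    blob_store = {blob_digest(p): p for p in map(make_payload, refs)}
    # Constructed .sig manifest that lists only the first payload as a layer.
    first = make_payload(refs[0])
    manifest = {"schemaVersion": 2, "layers": [
        {"mediaType": MEDIA_TYPE, "digest": blob_digest(first), "size": len(first)}]}
    expected = refs + [f"{REPO}:example-absent"]  # last tag is hypothetical
    return classify(manifest, blob_store, expected)

if __name__ == "__main__":
    for ref, state in demo().items():
        print(f"{state:14} {ref}")
```

Against a real registry, `manifest` would be the JSON of the `sha256-<digest>.sig` tag and `blob_store` the blobs fetched as in the curl commands above.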