- Bug
- Resolution: Done
- Blocker
- Pipelines 1.8.0
Expected behavior
Chains work
Actual behavior
When following Chains' signed provenance tutorial https://github.com/tektoncd/chains/blob/main/docs/tutorials/signed-provenance-tutorial.md, it's not possible to verify signature and attestation using "cosign" even though the task run finished successfully and both image and attestation were pushed to repository.
OpenShift Pipelines 1.8 (index image 284954)
OpenShift 4.11.0-rc.6
cosign 1.10.0
rekor-cli 0.5.0
Sample output
cosign verify --key cosign.pub quay.io/ppitonak/chainstest:0804153244
Error: no matching signatures:
main.go:62: error during command execution: no matching signatures:

==============

cosign verify-attestation --key cosign.pub quay.io/ppitonak/chainstest:0804153244
Error: no matching attestations: Accepted signatures do not match threshold, Found: 0, Expected 1
main.go:62: error during command execution: no matching attestations: Accepted signatures do not match threshold, Found: 0, Expected 1
Found matching entries (listed by UUID):

==============

rekor-cli get --uuid 362f8ecba72f43264dc20fb0de6c614eec35ea1e1256181eac014457ac2141be44dcdc786757fa57 --format json | jq .Attestation
"{\"_type\":\"https://in-toto.io/Statement/v0.1\",\"predicateType\":\"https://slsa.dev/provenance/v0.2\",\"subject\":[{\"name\":\"quay.io/ppitonak/chainstest\",\"digest\":{\"sha256\":\"7c4b13d0a1ffb45be169625a8ad487c08f690c72a94b06d212e8eb7187ab90d9\"}}],\"predicate\":{\"builder\":{\"id\":\"https://tekton.dev/chains/v2\"},\"buildType\":\"https://tekton.dev/attestations/chains@v2\",\"invocation\":{\"configSource\":{},\"parameters\":{\"BUILDER_IMAGE\":\"gcr.io/kaniko-project/executor:v1.5.1@sha256:c6166717f7fe0b7da44908c986137ecfeab21f31ec3992f6e128fff8a94be8a5\",\"CONTEXT\":\"./\",\"DOCKERFILE\":\"./Dockerfile\",\"EXTRA_ARGS\":\"[]\",\"IMAGE\":\"{string quay.io/ppitonak/chainstest:0804153244 []}\"}},\"buildConfig\":{\"steps\":[{\"entryPoint\":\"set -e\\necho \\\"FROM alpine@sha256:69e70a79f2d41ab5d637de98c1e0b055206ba40a8145e7bddb55ccc04e13cf8f\\\" | tee ./Dockerfile\\n\",\"arguments\":null,\"environment\":{\"container\":\"add-dockerfile\",\"image\":\"quay.io/fedora/fedora@sha256:9f9ce44a6643abeaa399ea3cd77d282ab381331379e8f7d92b6b894951364074\"},\"annotations\":null},{\"entryPoint\":\"\",\"arguments\":[\"\",\"--dockerfile=./Dockerfile\",\"--context=$(workspaces.source.path)/./\",\"--destination=quay.io/ppitonak/chainstest:0804153244\",\"--digest-file=/tekton/results/IMAGE_DIGEST\",\"--skip-tls-verify\"],\"environment\":{\"container\":\"build-and-push\",\"image\":\"gcr.io/kaniko-project/executor@sha256:68bb272f681f691254acfbdcef00962f22efe2f0c1e287e6a837b0abe07fb94b\"},\"annotations\":null},{\"entryPoint\":\"set -e\\necho quay.io/ppitonak/chainstest:0804153244 | tee /tekton/results/IMAGE_URL\\n\",\"arguments\":null,\"environment\":{\"container\":\"write-url\",\"image\":\"quay.io/fedora/fedora@sha256:9f9ce44a6643abeaa399ea3cd77d282ab381331379e8f7d92b6b894951364074\"},\"annotations\":null}]},\"metadata\":{\"buildStartedOn\":\"2022-08-04T13:32:48Z\",\"buildFinishedOn\":\"2022-08-04T13:33:07Z\",\"completeness\":{\"parameters\":false,\"environment\":false,\"materials\":false},\"reproducible\":false}}}"
Notes
Notice that the image quay.io/ppitonak/chainstest:0804153244 has a small badge at https://quay.io/repository/ppitonak/chainstest?tab=tags saying that it was signed by cosign.
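A defender-side check for the Rekor output in the report, added here as an example (it is not part of the bug report and not Tekton Chains or cosign code): it decodes the double-encoded statement that `jq .Attestation` prints and compares its subject and recorded IMAGE parameter with the image reference and digest being verified, so a subject mismatch can be ruled in or out before looking further at why cosign reports Found: 0. All function names are my own, and the shortened sample statement is constructed from the report (it keeps the subject digest, builder id and IMAGE value and drops buildConfig and metadata).

```python
"""Cross-check a Tekton Chains provenance statement fetched from Rekor against the
image you are asking cosign to verify.  `rekor-cli get --format json | jq .Attestation`
prints the in-toto statement as a JSON string (a document encoded inside a string),
so it is decoded twice.  Function names here are hypothetical, not cosign/Chains APIs."""
from __future__ import annotations

import json
import sys

# Constructed sample: a shortened copy of the statement quoted in the report
# (same subject digest, builder id and IMAGE parameter; buildConfig/metadata dropped),
# re-encoded the way `jq .Attestation` prints it (JSON string holding JSON).
SAMPLE_JQ_OUTPUT = json.dumps(json.dumps({
    "_type": "https://in-toto.io/Statement/v0.1",
    "predicateType": "https://slsa.dev/provenance/v0.2",
    "subject": [{
        "name": "quay.io/ppitonak/chainstest",
        "digest": {"sha256": "7c4b13d0a1ffb45be169625a8ad487c08f690c72a94b06d212e8eb7187ab90d9"},
    }],
    "predicate": {
        "builder": {"id": "https://tekton.dev/chains/v2"},
        "buildType": "https://tekton.dev/attestations/chains@v2",
        "invocation": {
            "configSource": {},
            "parameters": {"IMAGE": "{string quay.io/ppitonak/chainstest:0804153244 []}"},
        },
    },
}))

IN_TOTO_STATEMENT = "https://in-toto.io/Statement/v0.1"
SLSA_PROVENANCE = "https://slsa.dev/provenance/v0.2"
CHAINS_BUILDER = "https://tekton.dev/chains/v2"


def parse_rekor_attestation(jq_output: str) -> dict:
    """Decode the JSON string literal printed by `jq .Attestation` into the statement."""
    inner = json.loads(jq_output)          # outer layer: a JSON string
    if not isinstance(inner, str):
        raise ValueError("expected a JSON string holding the statement")
    stmt = json.loads(inner)               # inner layer: the in-toto statement
    if not isinstance(stmt, dict):
        raise ValueError("decoded attestation is not a JSON object")
    return stmt


def split_image_ref(ref: str) -> tuple[str, str | None]:
    """Split 'repo:tag' or 'repo@sha256:<hex>' into (repo, digest hex or None).
    A ':' after the last '/' is a tag; a ':' before it is a registry port."""
    if "@" in ref:
        repo, digest = ref.split("@", 1)
        return repo, digest.removeprefix("sha256:")
    head, sep, name = ref.rpartition("/")
    name = name.split(":", 1)[0]
    return (head + "/" + name) if sep else name, None


def check_provenance(stmt: dict, image_ref: str, image_digest: str) -> list[str]:
    """Return human-readable findings; an empty list means every check passed."""
    findings: list[str] = []
    if stmt.get("_type") != IN_TOTO_STATEMENT:
        findings.append(f"unexpected statement type {stmt.get('_type')!r}")
    if stmt.get("predicateType") != SLSA_PROVENANCE:
        findings.append(f"unexpected predicateType {stmt.get('predicateType')!r}")
    repo, _ = split_image_ref(image_ref)
    digest = image_digest.removeprefix("sha256:")
    subjects = stmt.get("subject") or []
    if not any(s.get("name") == repo and s.get("digest", {}).get("sha256") == digest
               for s in subjects):
        have = [(s.get("name"), s.get("digest", {}).get("sha256")) for s in subjects]
        findings.append(f"no subject matches {repo}@sha256:{digest}; statement has {have}")
    predicate = stmt.get("predicate", {})
    builder = predicate.get("builder", {}).get("id")
    if builder != CHAINS_BUILDER:
        findings.append(f"unexpected builder id {builder!r}")
    image_param = predicate.get("invocation", {}).get("parameters", {}).get("IMAGE")
    # The report's statement records IMAGE as "{string <ref> []}", a serialised
    # parameter object rather than the plain reference; flag that it differs.
    if image_param is not None and image_param != image_ref:
        findings.append(f"IMAGE parameter {image_param!r} differs from {image_ref!r}")
    return findings


if __name__ == "__main__":
    # Usage: rekor-cli get --uuid <uuid> --format json | jq .Attestation \
    #        | python check_provenance.py <image_ref> sha256:<digest>
    # With no arguments the constructed sample is checked instead.
    if len(sys.argv) == 3:
        raw, ref, dig = sys.stdin.read(), sys.argv[1], sys.argv[2]
    else:
        raw = SAMPLE_JQ_OUTPUT
        ref = "quay.io/ppitonak/chainstest:0804153244"
        dig = "sha256:7c4b13d0a1ffb45be169625a8ad487c08f690c72a94b06d212e8eb7187ab90d9"
    for line in check_provenance(parse_rekor_attestation(raw), ref, dig) or ["all checks passed"]:
        print(line)
```

Run against the sample, the only finding is that the recorded IMAGE parameter is not the plain image reference; the subject digest itself matches. The digest to pass in is the one cosign resolves for the tag (the `IMAGE_DIGEST` result the build wrote), so if that digest differs from the statement's subject, the mismatch shows up here as a "no subject matches" finding rather than as an opaque threshold error.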