OpenShift Pipelines: SRVKP-2388

Chains: cannot verify signature and attestations


Details

    • Bug
    • Resolution: Done
    • Blocker
    • Pipelines 1.8.0
    • Pipelines 1.8.0
    • Tekton Chains

    Description

      Expected behavior

      Chains work

      Actual behavior

      When following Chains' signed provenance tutorial https://github.com/tektoncd/chains/blob/main/docs/tutorials/signed-provenance-tutorial.md, it is not possible to verify the signature and attestation using "cosign", even though the task run finished successfully and both the image and the attestation were pushed to the repository.

      OpenShift Pipelines 1.8 (index image 284954)
      OpenShift 4.11.0-rc.6
      cosign 1.10.0
      rekor-cli 0.5.0

      Sample output

      cosign verify --key cosign.pub quay.io/ppitonak/chainstest:0804153244
      Error: no matching signatures:
      
      main.go:62: error during command execution: no matching signatures:
      ==============
      cosign verify-attestation --key cosign.pub quay.io/ppitonak/chainstest:0804153244
      Error: no matching attestations:
      Accepted signatures do not match threshold, Found: 0, Expected 1
      main.go:62: error during command execution: no matching attestations:
      Accepted signatures do not match threshold, Found: 0, Expected 1
      Found matching entries (listed by UUID):
      ==============
      rekor-cli get --uuid 362f8ecba72f43264dc20fb0de6c614eec35ea1e1256181eac014457ac2141be44dcdc786757fa57 --format json | jq .Attestation
      "{\"_type\":\"https://in-toto.io/Statement/v0.1\",\"predicateType\":\"https://slsa.dev/provenance/v0.2\",\"subject\":[{\"name\":\"quay.io/ppitonak/chainstest\",\"digest\":{\"sha256\":\"7c4b13d0a1ffb45be169625a8ad487c08f690c72a94b06d212e8eb7187ab90d9\"}}],\"predicate\":{\"builder\":{\"id\":\"https://tekton.dev/chains/v2\"},\"buildType\":\"https://tekton.dev/attestations/chains@v2\",\"invocation\":{\"configSource\":{},\"parameters\":{\"BUILDER_IMAGE\":\"gcr.io/kaniko-project/executor:v1.5.1@sha256:c6166717f7fe0b7da44908c986137ecfeab21f31ec3992f6e128fff8a94be8a5\",\"CONTEXT\":\"./\",\"DOCKERFILE\":\"./Dockerfile\",\"EXTRA_ARGS\":\"[]\",\"IMAGE\":\"{string quay.io/ppitonak/chainstest:0804153244 []}\"}},\"buildConfig\":{\"steps\":[{\"entryPoint\":\"set -e\\necho \\\"FROM alpine@sha256:69e70a79f2d41ab5d637de98c1e0b055206ba40a8145e7bddb55ccc04e13cf8f\\\" | tee ./Dockerfile\\n\",\"arguments\":null,\"environment\":{\"container\":\"add-dockerfile\",\"image\":\"quay.io/fedora/fedora@sha256:9f9ce44a6643abeaa399ea3cd77d282ab381331379e8f7d92b6b894951364074\"},\"annotations\":null},{\"entryPoint\":\"\",\"arguments\":[\"\",\"--dockerfile=./Dockerfile\",\"--context=$(workspaces.source.path)/./\",\"--destination=quay.io/ppitonak/chainstest:0804153244\",\"--digest-file=/tekton/results/IMAGE_DIGEST\",\"--skip-tls-verify\"],\"environment\":{\"container\":\"build-and-push\",\"image\":\"gcr.io/kaniko-project/executor@sha256:68bb272f681f691254acfbdcef00962f22efe2f0c1e287e6a837b0abe07fb94b\"},\"annotations\":null},{\"entryPoint\":\"set -e\\necho quay.io/ppitonak/chainstest:0804153244 | tee /tekton/results/IMAGE_URL\\n\",\"arguments\":null,\"environment\":{\"container\":\"write-url\",\"image\":\"quay.io/fedora/fedora@sha256:9f9ce44a6643abeaa399ea3cd77d282ab381331379e8f7d92b6b894951364074\"},\"annotations\":null}]},\"metadata\":{\"buildStartedOn\":\"2022-08-04T13:32:48Z\",\"buildFinishedOn\":\"2022-08-04T13:33:07Z\",\"completeness\":{\"parameters\":false,\"environment\":false,\"materials\":false},\"reproducible\":false}}}"
      

      Notes

      Notice that the image quay.io/ppitonak/chainstest:0804153244 has a small badge at https://quay.io/repository/ppitonak/chainstest?tab=tags saying that it was signed by cosign.
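Added example (not part of this issue, and not code from the Chains or cosign projects): a Python script that decodes the double-encoded Attestation string that `rekor-cli get ... --format json | jq .Attestation` prints, checks whether the statement's subject names the image and digest you are trying to verify, derives the tags under which cosign stores the signature and attestation for that digest, and summarises the provenance fields a reviewer looks at first. The sample statement is constructed and abbreviated from the Rekor entry quoted above (same image name, subject digest and step container names); `decode_attestation`, `split_reference`, `subject_matches`, `cosign_tags` and `provenance_summary` are names chosen for this example. It does not identify the root cause of this bug; it is the check a practitioner runs to confirm that the Rekor entry and the tag being verified refer to the same digest before digging further, since cosign looks signatures and attestations up by digest rather than by tag.

```python
import json
from typing import Any, Dict, Optional, Tuple

SUBJECT_SHA256 = "7c4b13d0a1ffb45be169625a8ad487c08f690c72a94b06d212e8eb7187ab90d9"

# Constructed sample: an abbreviated in-toto statement modelled on the Rekor
# entry in this issue. Image name, subject digest and step container names
# are the ones from the report; the rest of the predicate is trimmed.
SAMPLE_STATEMENT: Dict[str, Any] = {
    "_type": "https://in-toto.io/Statement/v0.1",
    "predicateType": "https://slsa.dev/provenance/v0.2",
    "subject": [{"name": "quay.io/ppitonak/chainstest", "digest": {"sha256": SUBJECT_SHA256}}],
    "predicate": {
        "builder": {"id": "https://tekton.dev/chains/v2"},
        "buildType": "https://tekton.dev/attestations/chains@v2",
        "invocation": {"configSource": {},
                       "parameters": {"IMAGE": "quay.io/ppitonak/chainstest:0804153244"}},
        "buildConfig": {"steps": [
            {"entryPoint": "set -e\n# (trimmed)", "environment": {"container": "add-dockerfile"}},
            {"entryPoint": "", "arguments": ["--dockerfile=./Dockerfile", "--skip-tls-verify"],
             "environment": {"container": "build-and-push"}},
            {"entryPoint": "set -e\n# (trimmed)", "environment": {"container": "write-url"}},
        ]},
        "metadata": {"completeness": {"parameters": False, "environment": False, "materials": False},
                     "reproducible": False},
    },
}

# `jq .Attestation` prints the statement as a JSON *string* with the statement
# JSON escaped inside it (the shape shown in the issue). Reproduce that here.
SAMPLE_JQ_OUTPUT: str = json.dumps(json.dumps(SAMPLE_STATEMENT))


def decode_attestation(text: str) -> Dict[str, Any]:
    """Decode the Attestation field into a statement dict.

    Accepts the double-encoded form jq prints (a JSON string literal wrapping
    the statement) as well as the statement JSON itself.
    """
    value = json.loads(text)
    if isinstance(value, str):          # unwrap the outer string literal
        value = json.loads(value)
    if not isinstance(value, dict) or "subject" not in value:
        raise ValueError("not an in-toto statement")
    return value


def split_reference(ref: str) -> Tuple[str, Optional[str], Optional[str]]:
    """Split an OCI reference into (name, tag, digest); tag/digest may be None.

    A tag colon is only recognised after the last '/', so a registry port such
    as localhost:5000/app is not mistaken for a tag.
    """
    digest: Optional[str] = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    tag: Optional[str] = None
    if ref.rfind(":") > ref.rfind("/"):
        ref, tag = ref.rsplit(":", 1)
    return ref, tag, digest


def subject_matches(statement: Dict[str, Any], image_ref: str, sha256_hex: str) -> bool:
    """True if a subject names this image (tag stripped) with exactly this digest."""
    name, _tag, ref_digest = split_reference(image_ref)
    if ref_digest is not None and ref_digest != f"sha256:{sha256_hex}":
        return False
    for subject in statement.get("subject", []):
        if subject.get("name") == name and subject.get("digest", {}).get("sha256") == sha256_hex:
            return True
    return False


def cosign_tags(sha256_hex: str) -> Tuple[str, str]:
    """Tags under which cosign's default registry layout stores the signature
    (sha256-<hex>.sig) and the attestation (sha256-<hex>.att) for a digest."""
    return f"sha256-{sha256_hex}.sig", f"sha256-{sha256_hex}.att"


def provenance_summary(statement: Dict[str, Any]) -> Dict[str, Any]:
    """Pull out the SLSA v0.2 provenance fields a reviewer checks first."""
    predicate = statement.get("predicate", {})
    steps = predicate.get("buildConfig", {}).get("steps", [])
    metadata = predicate.get("metadata", {})
    completeness = metadata.get("completeness", {})
    return {
        "builder_id": predicate.get("builder", {}).get("id"),
        "build_type": predicate.get("buildType"),
        "steps": [s.get("environment", {}).get("container") for s in steps],
        "incomplete_fields": sorted(k for k, v in completeness.items() if not v),
        "reproducible": bool(metadata.get("reproducible", False)),
    }


if __name__ == "__main__":
    stmt = decode_attestation(SAMPLE_JQ_OUTPUT)
    digest = stmt["subject"][0]["digest"]["sha256"]
    print("subject matches tag:", subject_matches(stmt, "quay.io/ppitonak/chainstest:0804153244", digest))
    print("cosign tags to look for:", cosign_tags(digest))
    print("summary:", provenance_summary(stmt))
```

To use it against a real entry, pass the output of `rekor-cli get --uuid <uuid> --format json | jq .Attestation` to `decode_attestation`, and compare the subject against the digest the registry actually serves for the tag (for example the value cosign or the registry reports for the tag); if the two digests differ, the signature and attestation were recorded for an image other than the one the tag now points at, which is worth ruling out before suspecting the key or the Rekor entry.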


          People

            concaf Shubham Minglani
            ppitonak Pavol Pitoňák