Description
When using annotations, I am able to validate them by using the signature being stored in the registry but not when using the offline validation capability.
To be able to recreate the tasks I did:
cosign sign --upload=false --key awskms:///arn:aws:kms:eu-west-3:xxxxxx:alias/cosign-key -a appname=myapp --output-signature=mysig1.sig xxx/yyy:latest
cosign verify -a appname=myapp --key cosign.pub --signature mysig1.sig xxx/yyy:latest
I'm getting the following error message:
WARNING: using obsolete implied signature payload data (with digested reference index.docker.io/xxx/bla@sha256:db071ebcec3e74bfb9a6e0358a233f7b4cc38585d3201239b9239d2e287d7e9a); specify it explicitly with --payload instead
Error: no matching signatures: searching log query: [POST /api/v1/log/entries/retrieve][400] searchLogQueryBadRequest &{Code:400 Message:verifying signature: crypto/rsa: verification error}
main.go:69: error during command execution: no matching signatures: searching log query: [POST /api/v1/log/entries/retrieve][400] searchLogQueryBadRequest &{Code:400 Message:verifying signature: crypto/rsa: verification error}
When doing the validation online without having specified --upload=false, or not specifying any annotation and then doing the offline validation by using --signature=mysig1.sig, the validation is successful.
I am not sure if this is actually a bug, but when reading the documentation my expectation is that cosign verify -a appname=myapp --key cosign.pub --signature mysig1.sig xxx/yyy:latest should work in general.
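The warning in the report is the key detail: with only --signature supplied, cosign re-derives an "implied" payload from the image reference and digest, and that re-derived payload carries no annotations, so a signature made over a payload that did include -a appname=myapp no longer matches the bytes being checked. The script below is an added model of that mechanism, not cosign's own code: the JSON layout follows the Simple Signing payload cosign signs (a critical block plus an optional map holding the annotations), all image references, digests and keys are constructed sample values, and HMAC-SHA256 stands in for the RSA signature the KMS key would produce so the whole thing runs offline.

```python
"""Model of why a cosign signature over an annotated payload fails to verify
when the payload is re-derived ("implied") from the image reference alone.
Added example, not cosign code: JSON layout follows the Simple Signing payload
(critical/optional); HMAC-SHA256 is a stand-in for the KMS RSA signature."""
import hashlib
import hmac
import json
from typing import Dict, Optional, Tuple

# Constructed sample values (not a real image, digest or key).
IMAGE_REF = "index.docker.io/xxx/yyy"
IMAGE_DIGEST = "sha256:" + hashlib.sha256(b"constructed manifest").hexdigest()
SIGNING_KEY = b"constructed-stand-in-for-awskms-cosign-key"


def simple_signing_payload(ref: str, digest: str, annotations: Optional[Dict[str, str]]) -> bytes:
    """Build the payload that gets signed. Annotations land in 'optional', so
    anything passed with -a at sign time changes the exact signed bytes."""
    doc = {
        "critical": {
            "identity": {"docker-reference": ref},
            "image": {"docker-manifest-digest": digest},
            "type": "cosign container image signature",
        },
        "optional": annotations if annotations else None,
    }
    return json.dumps(doc, separators=(",", ":"), sort_keys=True).encode()


def sign(payload: bytes) -> bytes:
    """Stand-in for 'cosign sign --key awskms:///...': a MAC over the exact payload bytes."""
    return hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()


def verify_offline(signature: bytes, payload: bytes, required: Dict[str, str]) -> Tuple[bool, str]:
    """Mirror the two checks an offline 'cosign verify --signature -a k=v' needs:
    1. the signature must be over exactly these payload bytes;
    2. every required k=v must be present in the payload's 'optional' map."""
    if not hmac.compare_digest(sign(payload), signature):
        return False, "verifying signature: verification error"
    optional = json.loads(payload).get("optional") or {}
    missing = {k: v for k, v in required.items() if optional.get(k) != v}
    if missing:
        return False, f"missing annotations: {missing}"
    return True, "verified"


def reproduce_issue() -> dict:
    """Sign once with an annotation, then verify three different ways."""
    annotated = simple_signing_payload(IMAGE_REF, IMAGE_DIGEST, {"appname": "myapp"})
    sig = sign(annotated)  # what would land in mysig1.sig

    # Offline verify with only --signature: the payload is re-derived from the
    # reference and digest, so it has no annotations at all.
    implied = simple_signing_payload(IMAGE_REF, IMAGE_DIGEST, None)

    return {
        "payload_bytes_differ": annotated != implied,
        # The reported failure: signature over annotated bytes, checked against implied bytes.
        "implied_payload": verify_offline(sig, implied, {"appname": "myapp"}),
        # The signed payload supplied explicitly (what --payload is for).
        "explicit_payload": verify_offline(sig, annotated, {"appname": "myapp"}),
        # Same signature and payload, but asking for an annotation that was never signed.
        "wrong_annotation": verify_offline(sig, annotated, {"appname": "other"}),
    }


if __name__ == "__main__":
    for name, result in reproduce_issue().items():
        print(f"{name}: {result}")
```

The practical takeaway for an offline-verification workflow is that the signature and the exact payload it covers travel together: write the payload out at sign time (cosign sign has an --output-payload flag for this) and hand it back with --payload at verify time, as the warning text itself suggests, rather than letting the verifier rebuild an annotation-free payload from the reference.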
Version
cosign: A tool for Container Signing, Verification and Storage in an OCI registry.
GitVersion: 2.4.1
GitCommit: 9a4cfe1
GitTreeState: "clean"
BuildDate: 2024-10-03T17:01:50Z
GoVersion: go1.23.2
Compiler: gc
Platform: darwin/arm64