sigstore / cosign Goto Github PK

Code signing and transparency for containers and binaries

License: Apache License 2.0

Go 98.45% Shell 0.89% Makefile 0.55% PowerShell 0.11%

cosign's Introduction

sigstore framework

sigstore/sigstore contains common Sigstore code: that is, code shared by infrastructure (e.g., Fulcio and Rekor) and Go language clients (e.g., Cosign and Gitsign).

This library currently provides:

A signing interface (support for ecdsa, ed25519, rsa, DSSE (in-toto))
OpenID Connect fulcio client code

The following KMS systems are available:

AWS Key Management Service
Azure Key Vault
HashiCorp Vault
Google Cloud Platform Key Management Service

For example code, look at the relevant test code for each main code file.

Fuzzing

The fuzzing tests are within https://github.com/sigstore/sigstore/tree/main/test/fuzz

Security

Should you discover any security issues, please refer to sigstores security process

For container signing, you want cosign

cosign's People

Contributors

Stargazers

Watchers

Forkers

imjasonh dlorenc priyawadhwa font jonjohnsonjr developgo sfrias tuapuikia ahmetb isgasho bobcallaway chrnorm kimsterv dekkagaijin naveensrinivasan paes-dawrlog asraa rhatdan containeriz eminks mbestavros danpop-chainguard cpanato dentrax puerco gajananan rosstimson moise3 syllogy pearcec crazy-max rajkrishnamurthy 82ndairbornediv rchincha yoavamit mafrosis theykk cajga rotem-cider devopstoday11 ducthinh993 metaver5o zubux rgreinho rjbrown57 codysoyland syncom joaodrp johnjohnsp1 katmutua th3w4y tomhennen happysky2046 vi1234sh12 hectorj2f joshes jackie-kinsler developer-guy xopham sporynin srenatus gkovan luhring denverdino nadgowdas josedonizetti shimish2 hasheddan codegazers marcofranssen samj1912 joker72655561 obarbier chhetripradeep novoselskiy mattmoor erkanzileli vaikas mlieberman85 dgomezny pritidesai n3wscott glaucimar mrjoelkamp adityasaky avoidik wsandin nicollenina sudo-bmitch jimbugwadia a0su woshizilong oliviergaumond axelsimon houey strongjz rgerganov shubhampalriwala leewalter blackcat-lin

cosign's Issues

Publish containers for tasks and actions!

Some kind of remote KMS support

GCP KMS doesn't support ed25519.
So we can store the ed25519 private-key as a GCP Secret, descrypt it - sign - destroy.

The command would be something like:
cosign generate-key-pair -kms gcp://project/secrets/region...

Then allow key -key to reference the kms secret by URI as well.

cosign sign -key gcp://fkdafd gcr.io/dlorenc-vmtest2/demo

It will use GCP auth helpers.

We can support multiple remote KMS systems - not just GCP - the https://github.com/google/go-cloud might have a helper for this.

Fix copacetic!

I bet i signature verify doesn't work right now after we switched to ecdsa.

TLOG Support

Let's add an experimental TLOG mode to the tool. This will look like:

TLOG=1 cosign sign ...

and

TLOG=1 cosign verify ...

The tlog server will default to api.rekor.dev, and can be overridden with the REKOR_SERVER env variable.

TLOG=1 cosign sign will publish the signature, public key and payload to the Rekor tlog.
TLOG=1 cosign verify will verify the signature, public key and payload are in the tlog, as well as verifying the signature itself.

Both commands will record the state of the tlog in the .rekor/state.json configuration file and audit the log on each invocation..

cmd: public-key writing to a particular file

$ cosign public-key -kms $KMS
Public key written to cosign.pub

I think this experience is problematic because
it always writes to $CWD and with a fixed file name.
That'll make scripting harder. I think we should
write to stdout.

Happy to refactor.

Add an examples doc

This could show:

Other signing formats (in-toto, v1.Descriptor, etc.)
How to sign/verify with openssl
How to sign/verify with a remote KMS
How to sign other things: a Tekton Bundle, a Helm Chart
Other places to store these signatures (Rekor, Grafeas?)
How to fetch and inline these signatures into a k8s object at deployment time.
OPA integration?

minor suggestion on tag name of signature index

while working on https://github.com/vmware-tanzu/imgpkg i've also noodled on the idea of using tags for searching related artifacts (signatures and few other things) since there is no other mechanisms available in registry APIs. i'm glad yall came to a similar conclusion :)

im curious where yall see this project head to (is it a poc)... my team have recently popped into notary OSS WG to see where the community is at with regards to an open standards for signing, so curious about your take on this.

onto minor suggestion:

i think it's worth adding cosign- prefix to sha256-... lookup tag so that it's cosign-sha256-... mostly to have some kind of namespacing between tools using similar approach for lookups.

ux: using both -key and -kms should error out

it seems -key and -kms are mutually exclusive but they are not causing an
error in the CLI at the moment.

Extra check if the TLOG=1 and the image is not public

We can be extra safe by checking if the image is public before uploading to the tlog.

For public, we can see if we can pull the manifest with no creds.

Print a warning w/ confirmation if the image is private.
Have a -q flag for non-interactive scenarios

Code coverage metric in CI

Hi!

I was peering around CI (yay at signing CI builds!), and wondering whether a code coverage metric would be useful per push/PR to detect coverage regressions on new code.

cosign/.github/workflows/tests.yaml

Line 3 in ca5a8aa

# Run this workflow every time a new commit pushed to your repository

I'm very new to Go so don't know its extend of coverage profiling (how easy it is to filter files/generate reports), but this would be cool to have!

Kms ux

Can we make the string shorter?

Default project, location to global, default key in keyring

Use the location header from rekor

When this goes in we can simplify our upload handling:
https://github.com/sigstore/rekor/pull/226/files

Come up with a good integration testing story for OIDC

We should have a way to run e2e tests that doesn't require clicking in the browser...

Registry Support

Our primary goal is broad registry support. Right now we're unsure of where we are:

GCR (tested, mostly works)
Google Artifact Registry (works)
Quay - works in latest version, not in hosted service yet
Dockerhub?
Azure Container Registry?
Amazon Container Registry?
Others?

We have some options we can try to increase support, but they're kind of ugly. I'd first like to understand how much support we have vs. how much we would gain by doing terrible things with media types.

cc @jonjohnsonjr @font
(slack here: https://github.com/google/go-containerregistry/blob/93228a70849651ba98cdee6f0654f623d7cdcbdb/pkg/v1/manifest.go#L27)

Switch from ed25519 to ecdsa?

We would use sha256 or 512, and P-384.

Basically until ed25519 gets into FIPS, most KMS systems and CAs aren't going to support ed25519 curves.

The keys are larger, but still smaller than RSA keys. For a sample:

vs.
-----BEGIN PUBLIC KEY-----
MCowBQYDK2VwAyEAhJNkGxncSZ3R2ijORaJ9m1BHxzx5nJ2Q/GTLNfYt9UM=
-----END PUBLIC KEY-----

It's still manageable to squeeze one of these onto one line for easy CLI operations, but ugly.

Reproducible builds

cosign/Makefile

Line 21 in 8c9c025

-X github.com/sigstore/cosign/cmd/cosign/cli.buildDate=$(BUILDDATE)"

This makes it harder to have reproducible builds, is there a specific reason to have a date in the ldflags? I understand Git SHA.

Installation instructions

Document these!

Simplify the env var handling

The TLOG=1 and --force-tlog and the new keyless mode stuff all start to interact with each other in complex ways. I think we should probably consider merging these features and putting them behind a single "COSIGN_EXPERIMENTAL" env var or something.

Then the behavior would be:

Experimental Off: No tlog, no fulcio
Experimental On: tlog and fulcio turned on by default, but warn/prompt/confirm for private images.

Fulcio/Tlog requests not traceable via -d -v

Debug and verbose options in the CLI do not seem to be covering requests made to Rekor or Fulcio.

Release v0.1.0

Here's a list of what's left to do:

Merge #103
Release notes!
Final smoke testing!
Actually tag a release and cut a branch

From there, we'll get an automated Github action build that pushes an Artifact with a signature and a hash.
The signature is created from the private key that is in the repo at this commit.

We'll publish that information on the Github releases page, and our GCS bucket (gs://cosign-releases/ under some path that makes sense. Maybe "gs://cosign-releases/releases/v0.1.0/".

Then we're set! The release can be verified from Github or GCS. The manual upload to GCS is intentional. The hashes should match between the two for easy verification, and we haven't given the GitHub system permissions to the GCS resources, so we have the information in two, independent places.

After that, we can add installation instructions to the readme (download from the releases, or "go install github.com/sigstore/cosign"). @SantiagoTorres has also offered to package for Arch!

Then our first release can be packaged up into GitHub actions and other container build steps (for Tekton and Cloud Build and other container-based systems, which we will also sign). This will make further releases much easier!

Multi platform makefile

Arm, osx!

Use two dashes (e.g., "--name") for multi-letter options (e.g., --key not -key)

I suggest using two dashes to start multi-letter options. E.g., use "--key" not "-key".

Usually an option with more than one letter is preceded by "--". E.g., "--key" not "-key". That way, you can have single-letter options combined into a single argument, and multi-letter options are clearly distinct. Then you can support, e.g., "-k" for a key option name as well as "--key".

ux: consider adding EXAMPLES section to commands

Several flags like -kms are currently hard to infer how to use without exploring docs or source code.

Having EXAMPLES in each cmd would help with CUJs. Might need to shoehorn into Description, or use cobra library to properly do it.

ux: required arguments cause "help requested" error

e.g. this command is trying to tell me either -key or -kms is required:

cosign verify gcr.io/ahmetb-demo/ytdl:latest
USAGE
  cosign verify -key <key> <image uri>

FLAGS
  -a ...              extra key=value pairs to sign
  -check-claims true  whether to check the claims found
  -key ...            path to the public key
  -kms ...            verify via a public key stored in a KMS
error: flag: help requested

Support for other KMS systems

AWS, Azure, more!

ux: distinguish public key vs private key in CLI

Right now -key flag is used in both meanings "public key" and "private key".

It might be wise to distinguish these as -key and -pub earlier than later. Please vote 👍🏼 👎🏼 .

USAGE
  cosign verify -key <key> <image uri>

FLAGS
  -a ...              extra key=value pairs to sign
  -check-claims true  whether to check the claims found
  -key ...            path to the public key
  -kms ...            verify via a public key stored in a KMS

USAGE
  cosign sign -key <key> [-payload <path>] [-a key=value] [-upload=true|false] [-force-tlog=true|false] <image uri>

FLAGS
  -a ...             extra key=value pairs to sign
  -force-tlog false  whether to upload to the tlog even when the image is private
  -key ...           path to the private key
  -kms ...           sign via a private key stored in a KMS
  -payload ...       path to a payload file to use rather than generating one.
  -upload true       whether to upload the signature

Yubikey support!

We should be able to support storing keys in yubikeys!

https://github.com/go-piv/piv-go
https://github.com/go-piv/go-ykpiv

--key arg accepts both file and value, leads to confusing error

I was just trying:

cosign verify -key cosign.pub dlorenc/signed-container:v0.0.1
error: illegal base64 data at input byte 6

but it turned out there's no cosign.pub on my disk, so it performed fallback to parsing cosign.pub value as b64, which led to a confusing error message.

This sort of fallback behavior defeats principle of least astonishment.
Users can provide values as fds e.g. --key <(echo "...") that we can read as files.

So this sort of fallback is unpredictable. Happy to send a PR to fix if 👍🏼.

Release v0.2.0

Some things I'd like to get in:

And I'd like to do #115 with the 0.2.0 release (they'll be published as part of it).

Other nice to haves:

All of @ahmetb's UX things:

FIPS Compliance

We might need to make sure this is FIPS compliant.

Idea: kubectl plugin to embed signatures in objects

This could work something like:

1. Go through a k8s object looking for images
2. For each image, pull do something like "cosign verify" and get all verified payloads
3. Attach those payloads directly into the k8s object as annotations

This way deployment time policy enforcement (OPA, etc.) could look directly at the yaml rather than needing to interact with an external service.

test: go test failing locally

To onboard new maintainers, it would be better if go test ./... worked out of the box.

right now it seems it requests some external setup.

also would be good to introduce -short support for unit testing only.

...

?   	github.com/sigstore/cosign/cmd/cosign	[no test files]
?   	github.com/sigstore/cosign/cmd/cosign/cli	[no test files]
?   	github.com/sigstore/cosign/copasetic	[no test files]
=== RUN   TestLoadPrivateKey
--- PASS: TestLoadPrivateKey (0.42s)
PASS
ok  	github.com/sigstore/cosign/pkg/cosign	(cached)
?   	github.com/sigstore/cosign/pkg/cosign/kms	[no test files]
=== RUN   TestSignVerify
    e2e_test.go:353: COSIGN_TEST_REPO unset, using fake registry
2021/03/11 11:42:25 GET /v2/
2021/03/11 11:42:25 HEAD /v2/cosign-e2e/blobs/sha256:c8fa724cb05b9c99afa8ef70d3b7da5f9622613cf736f013fadaae5077842a58 404 BLOB_UNKNOWN Unknown blob
2021/03/11 11:42:25 HEAD /v2/cosign-e2e/blobs/sha256:e28066df07ecde0d32905c66fc35b26804b5cf3125fa6116aac4e88a7040b69e 404 BLOB_UNKNOWN Unknown blob
2021/03/11 11:42:25 HEAD /v2/cosign-e2e/blobs/sha256:3fe5fdce124718213c3dece6f71632fad0450ced88228501e3077fbca1b1b840 404 BLOB_UNKNOWN Unknown blob
2021/03/11 11:42:25 HEAD /v2/cosign-e2e/blobs/sha256:801e45da5d42fffbe2910687b444d877bb20a15efbfa7ad502974aa2c4a20bf6 404 BLOB_UNKNOWN Unknown blob
2021/03/11 11:42:25 HEAD /v2/cosign-e2e/blobs/sha256:6327342866a29c3bbfe5c32a69111e4d6912a1321c3a5ff25cdeea48819a37aa 404 BLOB_UNKNOWN Unknown blob
2021/03/11 11:42:25 HEAD /v2/cosign-e2e/blobs/sha256:9496397081e5318659b1e728d9b5ba7d3167c68262bfa2b7c17d1788fe4daaec 404 BLOB_UNKNOWN Unknown blob
2021/03/11 11:42:25 POST /v2/cosign-e2e/blobs/uploads/
2021/03/11 11:42:25 POST /v2/cosign-e2e/blobs/uploads/
2021/03/11 11:42:25 POST /v2/cosign-e2e/blobs/uploads/
2021/03/11 11:42:25 POST /v2/cosign-e2e/blobs/uploads/
2021/03/11 11:42:25 POST /v2/cosign-e2e/blobs/uploads/
2021/03/11 11:42:25 PATCH /v2/cosign-e2e/blobs/uploads/605394647632969758
2021/03/11 11:42:25 POST /v2/cosign-e2e/blobs/uploads/
2021/03/11 11:42:25 PATCH /v2/cosign-e2e/blobs/uploads/1443635317331776148
2021/03/11 11:42:25 PATCH /v2/cosign-e2e/blobs/uploads/6334824724549167320
2021/03/11 11:42:25 PATCH /v2/cosign-e2e/blobs/uploads/2775422040480279449
2021/03/11 11:42:25 PATCH /v2/cosign-e2e/blobs/uploads/894385949183117216
2021/03/11 11:42:25 PUT /v2/cosign-e2e/blobs/uploads/1443635317331776148?digest=sha256%3A3fe5fdce124718213c3dece6f71632fad0450ced88228501e3077fbca1b1b840
2021/03/11 11:42:25 PUT /v2/cosign-e2e/blobs/uploads/605394647632969758?digest=sha256%3Ae28066df07ecde0d32905c66fc35b26804b5cf3125fa6116aac4e88a7040b69e
2021/03/11 11:42:25 PATCH /v2/cosign-e2e/blobs/uploads/4751997750760398084
2021/03/11 11:42:25 PUT /v2/cosign-e2e/blobs/uploads/6334824724549167320?digest=sha256%3Ac8fa724cb05b9c99afa8ef70d3b7da5f9622613cf736f013fadaae5077842a58
2021/03/11 11:42:25 PUT /v2/cosign-e2e/blobs/uploads/2775422040480279449?digest=sha256%3A801e45da5d42fffbe2910687b444d877bb20a15efbfa7ad502974aa2c4a20bf6
2021/03/11 11:42:25 PUT /v2/cosign-e2e/blobs/uploads/894385949183117216?digest=sha256%3A9496397081e5318659b1e728d9b5ba7d3167c68262bfa2b7c17d1788fe4daaec
2021/03/11 11:42:25 PUT /v2/cosign-e2e/blobs/uploads/4751997750760398084?digest=sha256%3A6327342866a29c3bbfe5c32a69111e4d6912a1321c3a5ff25cdeea48819a37aa
2021/03/11 11:42:25 PUT /v2/cosign-e2e/manifests/latest
2021/03/11 11:42:25 GET /v2/
2021/03/11 11:42:25 GET /v2/cosign-e2e/manifests/latest
2021/03/11 11:42:25 GET /v2/
2021/03/11 11:42:25 GET /v2/cosign-e2e/manifests/latest
2021/03/11 11:42:25 GET /v2/
2021/03/11 11:42:25 GET /v2/cosign-e2e/manifests/sha256-698dc87529807a85dfb56ff24f01b6d0339ba22411638d3320c177513e92dba1.cosign 404 MANIFEST_UNKNOWN Unknown manifest
2021/03/11 11:42:25 GET /v2/
2021/03/11 11:42:25 GET /v2/cosign-e2e/manifests/latest
Pushing signature to: 127.0.0.1:63572/cosign-e2e:sha256-698dc87529807a85dfb56ff24f01b6d0339ba22411638d3320c177513e92dba1.cosign
2021/03/11 11:42:25 GET /v2/
2021/03/11 11:42:25 GET /v2/cosign-e2e/manifests/sha256-698dc87529807a85dfb56ff24f01b6d0339ba22411638d3320c177513e92dba1.cosign 404 MANIFEST_UNKNOWN Unknown manifest
2021/03/11 11:42:25 GET /v2/
2021/03/11 11:42:25 HEAD /v2/cosign-e2e/blobs/sha256:a32319b5ad16e9cf1501850ca2fbc90f4dc23341123872bb8b1fe50f1dfc6226 404 BLOB_UNKNOWN Unknown blob
2021/03/11 11:42:25 HEAD /v2/cosign-e2e/blobs/sha256:d1cba456fc9361b0270547b441b01341b5aeb3ad6d453855a2e3b17b455c9e17 404 BLOB_UNKNOWN Unknown blob
2021/03/11 11:42:25 POST /v2/cosign-e2e/blobs/uploads/
2021/03/11 11:42:25 POST /v2/cosign-e2e/blobs/uploads/
2021/03/11 11:42:25 PATCH /v2/cosign-e2e/blobs/uploads/7504504064263669287
2021/03/11 11:42:25 PATCH /v2/cosign-e2e/blobs/uploads/1976235410884491574
2021/03/11 11:42:25 PUT /v2/cosign-e2e/blobs/uploads/7504504064263669287?digest=sha256%3Aa32319b5ad16e9cf1501850ca2fbc90f4dc23341123872bb8b1fe50f1dfc6226
2021/03/11 11:42:25 PUT /v2/cosign-e2e/blobs/uploads/1976235410884491574?digest=sha256%3Ad1cba456fc9361b0270547b441b01341b5aeb3ad6d453855a2e3b17b455c9e17
2021/03/11 11:42:25 PUT /v2/cosign-e2e/manifests/sha256-698dc87529807a85dfb56ff24f01b6d0339ba22411638d3320c177513e92dba1.cosign
2021/03/11 11:42:25 GET /v2/
2021/03/11 11:42:25 GET /v2/cosign-e2e/manifests/latest
2021/03/11 11:42:25 GET /v2/
2021/03/11 11:42:25 GET /v2/cosign-e2e/manifests/latest
2021/03/11 11:42:25 GET /v2/
2021/03/11 11:42:25 GET /v2/cosign-e2e/manifests/sha256-698dc87529807a85dfb56ff24f01b6d0339ba22411638d3320c177513e92dba1.cosign
2021/03/11 11:42:25 GET /v2/cosign-e2e/blobs/sha256:d1cba456fc9361b0270547b441b01341b5aeb3ad6d453855a2e3b17b455c9e17
2021/03/11 11:42:25 GET /v2/
2021/03/11 11:42:25 GET /v2/cosign-e2e/manifests/latest
2021/03/11 11:42:25 GET /v2/
2021/03/11 11:42:25 GET /v2/cosign-e2e/manifests/sha256-698dc87529807a85dfb56ff24f01b6d0339ba22411638d3320c177513e92dba1.cosign
2021/03/11 11:42:25 GET /v2/cosign-e2e/blobs/sha256:d1cba456fc9361b0270547b441b01341b5aeb3ad6d453855a2e3b17b455c9e17
2021/03/11 11:42:25 GET /v2/
2021/03/11 11:42:25 GET /v2/cosign-e2e/manifests/latest
Pushing signature to: 127.0.0.1:63572/cosign-e2e:sha256-698dc87529807a85dfb56ff24f01b6d0339ba22411638d3320c177513e92dba1.cosign
2021/03/11 11:42:25 GET /v2/
2021/03/11 11:42:25 GET /v2/cosign-e2e/manifests/sha256-698dc87529807a85dfb56ff24f01b6d0339ba22411638d3320c177513e92dba1.cosign
2021/03/11 11:42:25 GET /v2/cosign-e2e/blobs/sha256:a32319b5ad16e9cf1501850ca2fbc90f4dc23341123872bb8b1fe50f1dfc6226
2021/03/11 11:42:25 GET /v2/
2021/03/11 11:42:25 HEAD /v2/cosign-e2e/blobs/sha256:d1cba456fc9361b0270547b441b01341b5aeb3ad6d453855a2e3b17b455c9e17
2021/03/11 11:42:25 HEAD /v2/cosign-e2e/blobs/sha256:34da2ce5fc5fe3687e044878ad16bed6ec32879ab91c57bf6f2ef7aa16f04169 404 BLOB_UNKNOWN Unknown blob
2021/03/11 11:42:25 HEAD /v2/cosign-e2e/blobs/sha256:bb561a72b2d685c6542f533b90967abd44dbc8855cea8ba34d8b9225821ce4c0 404 BLOB_UNKNOWN Unknown blob
2021/03/11 11:42:25 POST /v2/cosign-e2e/blobs/uploads/
2021/03/11 11:42:25 POST /v2/cosign-e2e/blobs/uploads/
2021/03/11 11:42:25 PATCH /v2/cosign-e2e/blobs/uploads/3510942875414458836
2021/03/11 11:42:25 PATCH /v2/cosign-e2e/blobs/uploads/2933568871211445515
2021/03/11 11:42:25 PUT /v2/cosign-e2e/blobs/uploads/3510942875414458836?digest=sha256%3A34da2ce5fc5fe3687e044878ad16bed6ec32879ab91c57bf6f2ef7aa16f04169
2021/03/11 11:42:25 PUT /v2/cosign-e2e/blobs/uploads/2933568871211445515?digest=sha256%3Abb561a72b2d685c6542f533b90967abd44dbc8855cea8ba34d8b9225821ce4c0
2021/03/11 11:42:25 PUT /v2/cosign-e2e/manifests/sha256-698dc87529807a85dfb56ff24f01b6d0339ba22411638d3320c177513e92dba1.cosign
2021/03/11 11:42:25 GET /v2/
2021/03/11 11:42:25 GET /v2/cosign-e2e/manifests/latest
2021/03/11 11:42:25 GET /v2/
2021/03/11 11:42:25 GET /v2/cosign-e2e/manifests/latest
2021/03/11 11:42:25 GET /v2/
2021/03/11 11:42:25 GET /v2/cosign-e2e/manifests/sha256-698dc87529807a85dfb56ff24f01b6d0339ba22411638d3320c177513e92dba1.cosign
2021/03/11 11:42:25 GET /v2/cosign-e2e/blobs/sha256:d1cba456fc9361b0270547b441b01341b5aeb3ad6d453855a2e3b17b455c9e17
2021/03/11 11:42:25 GET /v2/cosign-e2e/blobs/sha256:34da2ce5fc5fe3687e044878ad16bed6ec32879ab91c57bf6f2ef7aa16f04169
2021/03/11 11:42:25 GET /v2/
2021/03/11 11:42:25 GET /v2/cosign-e2e/manifests/latest
2021/03/11 11:42:25 GET /v2/
2021/03/11 11:42:25 GET /v2/cosign-e2e/manifests/sha256-698dc87529807a85dfb56ff24f01b6d0339ba22411638d3320c177513e92dba1.cosign
2021/03/11 11:42:25 GET /v2/cosign-e2e/blobs/sha256:d1cba456fc9361b0270547b441b01341b5aeb3ad6d453855a2e3b17b455c9e17
2021/03/11 11:42:25 GET /v2/cosign-e2e/blobs/sha256:34da2ce5fc5fe3687e044878ad16bed6ec32879ab91c57bf6f2ef7aa16f04169
2021/03/11 11:42:25 GET /v2/
2021/03/11 11:42:25 DELETE /v2/cosign-e2e/manifests/latest
--- PASS: TestSignVerify (2.04s)
=== RUN   TestMultipleSignatures
    e2e_test.go:353: COSIGN_TEST_REPO unset, using fake registry
2021/03/11 11:42:27 GET /v2/
2021/03/11 11:42:27 HEAD /v2/cosign-e2e/blobs/sha256:82d9a944e5031fb48f2e03c5f5a47d6e00490c12d3e1bf1b40cf36c349a90e80 404 BLOB_UNKNOWN Unknown blob
2021/03/11 11:42:27 HEAD /v2/cosign-e2e/blobs/sha256:b54afa1a7d838b27636406dcce16c814bd009795600306fa5fa3910b8fbf0662 404 BLOB_UNKNOWN Unknown blob
2021/03/11 11:42:27 HEAD /v2/cosign-e2e/blobs/sha256:5460e056d2528994126df8867a41e1c8286ad68e8957d66171f090ce481314fd 404 BLOB_UNKNOWN Unknown blob
2021/03/11 11:42:27 HEAD /v2/cosign-e2e/blobs/sha256:e0924ae83ac95679207f050d6be4d03512a42e530f7a022ac1fdfd054a794368 404 BLOB_UNKNOWN Unknown blob
2021/03/11 11:42:27 HEAD /v2/cosign-e2e/blobs/sha256:494bf9fe551d433782a9fe91eecc41d7e7a7187d18eac65e5c43da72dc7f499a 404 BLOB_UNKNOWN Unknown blob
2021/03/11 11:42:27 HEAD /v2/cosign-e2e/blobs/sha256:ffb45968bd6cbe48f73749b69c088ddfa0bdb729bab1e60f79938a6e1c0922e6 404 BLOB_UNKNOWN Unknown blob
2021/03/11 11:42:27 POST /v2/cosign-e2e/blobs/uploads/
2021/03/11 11:42:27 POST /v2/cosign-e2e/blobs/uploads/
2021/03/11 11:42:27 POST /v2/cosign-e2e/blobs/uploads/
2021/03/11 11:42:27 POST /v2/cosign-e2e/blobs/uploads/
2021/03/11 11:42:27 POST /v2/cosign-e2e/blobs/uploads/
2021/03/11 11:42:27 POST /v2/cosign-e2e/blobs/uploads/
2021/03/11 11:42:27 PATCH /v2/cosign-e2e/blobs/uploads/3328451335138149956
2021/03/11 11:42:27 PATCH /v2/cosign-e2e/blobs/uploads/5263531936693774911
2021/03/11 11:42:27 PATCH /v2/cosign-e2e/blobs/uploads/7955079406183515637
2021/03/11 11:42:27 PATCH /v2/cosign-e2e/blobs/uploads/1874068156324778273
2021/03/11 11:42:27 PATCH /v2/cosign-e2e/blobs/uploads/2703501726821866378
2021/03/11 11:42:27 PATCH /v2/cosign-e2e/blobs/uploads/2740103009342231109
2021/03/11 11:42:27 PUT /v2/cosign-e2e/blobs/uploads/1874068156324778273?digest=sha256%3A82d9a944e5031fb48f2e03c5f5a47d6e00490c12d3e1bf1b40cf36c349a90e80
2021/03/11 11:42:27 PUT /v2/cosign-e2e/blobs/uploads/3328451335138149956?digest=sha256%3A494bf9fe551d433782a9fe91eecc41d7e7a7187d18eac65e5c43da72dc7f499a
2021/03/11 11:42:27 PUT /v2/cosign-e2e/blobs/uploads/5263531936693774911?digest=sha256%3Ab54afa1a7d838b27636406dcce16c814bd009795600306fa5fa3910b8fbf0662
2021/03/11 11:42:27 PUT /v2/cosign-e2e/blobs/uploads/2703501726821866378?digest=sha256%3A5460e056d2528994126df8867a41e1c8286ad68e8957d66171f090ce481314fd
2021/03/11 11:42:27 PUT /v2/cosign-e2e/blobs/uploads/7955079406183515637?digest=sha256%3Ae0924ae83ac95679207f050d6be4d03512a42e530f7a022ac1fdfd054a794368
2021/03/11 11:42:27 PUT /v2/cosign-e2e/blobs/uploads/2740103009342231109?digest=sha256%3Affb45968bd6cbe48f73749b69c088ddfa0bdb729bab1e60f79938a6e1c0922e6
2021/03/11 11:42:27 PUT /v2/cosign-e2e/manifests/latest
2021/03/11 11:42:27 GET /v2/
2021/03/11 11:42:27 GET /v2/cosign-e2e/manifests/latest
2021/03/11 11:42:27 GET /v2/
2021/03/11 11:42:27 GET /v2/cosign-e2e/manifests/latest
2021/03/11 11:42:27 GET /v2/
2021/03/11 11:42:27 GET /v2/cosign-e2e/manifests/sha256-73d60156e8dde8125f177739902a99b5162ee2cc55ebd1180071506c418397be.cosign 404 MANIFEST_UNKNOWN Unknown manifest
2021/03/11 11:42:27 GET /v2/
2021/03/11 11:42:27 GET /v2/cosign-e2e/manifests/latest
2021/03/11 11:42:27 GET /v2/
2021/03/11 11:42:27 GET /v2/cosign-e2e/manifests/sha256-73d60156e8dde8125f177739902a99b5162ee2cc55ebd1180071506c418397be.cosign 404 MANIFEST_UNKNOWN Unknown manifest
2021/03/11 11:42:27 GET /v2/
2021/03/11 11:42:27 GET /v2/cosign-e2e/manifests/latest
Pushing signature to: 127.0.0.1:63608/cosign-e2e:sha256-73d60156e8dde8125f177739902a99b5162ee2cc55ebd1180071506c418397be.cosign
2021/03/11 11:42:27 GET /v2/
2021/03/11 11:42:27 GET /v2/cosign-e2e/manifests/sha256-73d60156e8dde8125f177739902a99b5162ee2cc55ebd1180071506c418397be.cosign 404 MANIFEST_UNKNOWN Unknown manifest
2021/03/11 11:42:27 GET /v2/
2021/03/11 11:42:27 HEAD /v2/cosign-e2e/blobs/sha256:37229bb39ab2fab4f8bc1d6a7c7c739d80d3aa4d90eccc93e13c024b053ce06b 404 BLOB_UNKNOWN Unknown blob
2021/03/11 11:42:27 HEAD /v2/cosign-e2e/blobs/sha256:8d8feba1a9ec01b2c11cc5c22b609d2dde9fc6dafec11bda873ffd0429d86db0 404 BLOB_UNKNOWN Unknown blob
2021/03/11 11:42:27 POST /v2/cosign-e2e/blobs/uploads/
2021/03/11 11:42:27 POST /v2/cosign-e2e/blobs/uploads/
2021/03/11 11:42:27 PATCH /v2/cosign-e2e/blobs/uploads/1905388747193831650
2021/03/11 11:42:27 PATCH /v2/cosign-e2e/blobs/uploads/6941261091797652072
2021/03/11 11:42:27 PUT /v2/cosign-e2e/blobs/uploads/1905388747193831650?digest=sha256%3A37229bb39ab2fab4f8bc1d6a7c7c739d80d3aa4d90eccc93e13c024b053ce06b
2021/03/11 11:42:27 PUT /v2/cosign-e2e/blobs/uploads/6941261091797652072?digest=sha256%3A8d8feba1a9ec01b2c11cc5c22b609d2dde9fc6dafec11bda873ffd0429d86db0
2021/03/11 11:42:27 PUT /v2/cosign-e2e/manifests/sha256-73d60156e8dde8125f177739902a99b5162ee2cc55ebd1180071506c418397be.cosign
2021/03/11 11:42:27 GET /v2/
2021/03/11 11:42:27 GET /v2/cosign-e2e/manifests/latest
2021/03/11 11:42:27 GET /v2/
2021/03/11 11:42:27 GET /v2/cosign-e2e/manifests/latest
2021/03/11 11:42:27 GET /v2/
2021/03/11 11:42:27 GET /v2/cosign-e2e/manifests/sha256-73d60156e8dde8125f177739902a99b5162ee2cc55ebd1180071506c418397be.cosign
2021/03/11 11:42:27 GET /v2/cosign-e2e/blobs/sha256:37229bb39ab2fab4f8bc1d6a7c7c739d80d3aa4d90eccc93e13c024b053ce06b
2021/03/11 11:42:27 GET /v2/
2021/03/11 11:42:27 GET /v2/cosign-e2e/manifests/latest
2021/03/11 11:42:27 GET /v2/
2021/03/11 11:42:27 GET /v2/cosign-e2e/manifests/sha256-73d60156e8dde8125f177739902a99b5162ee2cc55ebd1180071506c418397be.cosign
2021/03/11 11:42:27 GET /v2/cosign-e2e/blobs/sha256:37229bb39ab2fab4f8bc1d6a7c7c739d80d3aa4d90eccc93e13c024b053ce06b
2021/03/11 11:42:27 GET /v2/
2021/03/11 11:42:27 GET /v2/cosign-e2e/manifests/latest
Pushing signature to: 127.0.0.1:63608/cosign-e2e:sha256-73d60156e8dde8125f177739902a99b5162ee2cc55ebd1180071506c418397be.cosign
2021/03/11 11:42:27 GET /v2/
2021/03/11 11:42:27 GET /v2/cosign-e2e/manifests/sha256-73d60156e8dde8125f177739902a99b5162ee2cc55ebd1180071506c418397be.cosign
2021/03/11 11:42:27 GET /v2/cosign-e2e/blobs/sha256:8d8feba1a9ec01b2c11cc5c22b609d2dde9fc6dafec11bda873ffd0429d86db0
2021/03/11 11:42:27 GET /v2/
2021/03/11 11:42:27 HEAD /v2/cosign-e2e/blobs/sha256:37229bb39ab2fab4f8bc1d6a7c7c739d80d3aa4d90eccc93e13c024b053ce06b
2021/03/11 11:42:27 HEAD /v2/cosign-e2e/blobs/sha256:96fde9c17fb0210fefb2cc794c895c2a43bac0e101e9c077ee19d7abde0e5dee 404 BLOB_UNKNOWN Unknown blob
2021/03/11 11:42:27 POST /v2/cosign-e2e/blobs/uploads/
2021/03/11 11:42:27 PATCH /v2/cosign-e2e/blobs/uploads/7981306761429961588
2021/03/11 11:42:27 PUT /v2/cosign-e2e/blobs/uploads/7981306761429961588?digest=sha256%3A96fde9c17fb0210fefb2cc794c895c2a43bac0e101e9c077ee19d7abde0e5dee
2021/03/11 11:42:27 PUT /v2/cosign-e2e/manifests/sha256-73d60156e8dde8125f177739902a99b5162ee2cc55ebd1180071506c418397be.cosign
2021/03/11 11:42:27 GET /v2/
2021/03/11 11:42:27 GET /v2/cosign-e2e/manifests/latest
2021/03/11 11:42:27 GET /v2/
2021/03/11 11:42:27 GET /v2/cosign-e2e/manifests/latest
2021/03/11 11:42:27 GET /v2/
2021/03/11 11:42:27 GET /v2/cosign-e2e/manifests/sha256-73d60156e8dde8125f177739902a99b5162ee2cc55ebd1180071506c418397be.cosign
2021/03/11 11:42:27 GET /v2/cosign-e2e/blobs/sha256:37229bb39ab2fab4f8bc1d6a7c7c739d80d3aa4d90eccc93e13c024b053ce06b
2021/03/11 11:42:27 GET /v2/cosign-e2e/blobs/sha256:37229bb39ab2fab4f8bc1d6a7c7c739d80d3aa4d90eccc93e13c024b053ce06b
2021/03/11 11:42:27 GET /v2/
2021/03/11 11:42:27 GET /v2/cosign-e2e/manifests/latest
2021/03/11 11:42:27 GET /v2/
2021/03/11 11:42:27 GET /v2/cosign-e2e/manifests/sha256-73d60156e8dde8125f177739902a99b5162ee2cc55ebd1180071506c418397be.cosign
2021/03/11 11:42:27 GET /v2/cosign-e2e/blobs/sha256:37229bb39ab2fab4f8bc1d6a7c7c739d80d3aa4d90eccc93e13c024b053ce06b
2021/03/11 11:42:27 GET /v2/cosign-e2e/blobs/sha256:37229bb39ab2fab4f8bc1d6a7c7c739d80d3aa4d90eccc93e13c024b053ce06b
2021/03/11 11:42:27 GET /v2/
2021/03/11 11:42:27 DELETE /v2/cosign-e2e/manifests/latest
--- PASS: TestMultipleSignatures (1.81s)
=== RUN   TestGenerate
    e2e_test.go:353: COSIGN_TEST_REPO unset, using fake registry
2021/03/11 11:42:29 GET /v2/
2021/03/11 11:42:29 HEAD /v2/cosign-e2e/blobs/sha256:ed4143bf0109f4186b722e0ddff018a58aa6e784aaa7d7c4a93866cb08feea35 404 BLOB_UNKNOWN Unknown blob
2021/03/11 11:42:29 HEAD /v2/cosign-e2e/blobs/sha256:d48486ba0504bf13ed27ee0b7077e94ff9f270375eeaaedfc312e0518d1edc94 404 BLOB_UNKNOWN Unknown blob
2021/03/11 11:42:29 HEAD /v2/cosign-e2e/blobs/sha256:d90a5c65986c01aa64a59eb1ace438c52039ab98656cd187ceddb5e17a17d309 404 BLOB_UNKNOWN Unknown blob
2021/03/11 11:42:29 HEAD /v2/cosign-e2e/blobs/sha256:0741ee4529e95f4129183208cc43b3f645f9768f318a48cd4c56c726bbe28b36 404 BLOB_UNKNOWN Unknown blob
2021/03/11 11:42:29 HEAD /v2/cosign-e2e/blobs/sha256:15dcdc5f68c4301c058d0b2e0e8d665b4ddd8fbb94135f934c931a336c3fe126 404 BLOB_UNKNOWN Unknown blob
2021/03/11 11:42:29 HEAD /v2/cosign-e2e/blobs/sha256:49e0bf138c0096a41211454b8601ae662cb309ec121700bcc9ab0f60d8a864a1 404 BLOB_UNKNOWN Unknown blob
2021/03/11 11:42:29 POST /v2/cosign-e2e/blobs/uploads/
2021/03/11 11:42:29 POST /v2/cosign-e2e/blobs/uploads/
2021/03/11 11:42:29 POST /v2/cosign-e2e/blobs/uploads/
2021/03/11 11:42:29 POST /v2/cosign-e2e/blobs/uploads/
2021/03/11 11:42:29 POST /v2/cosign-e2e/blobs/uploads/
2021/03/11 11:42:29 POST /v2/cosign-e2e/blobs/uploads/
2021/03/11 11:42:29 PATCH /v2/cosign-e2e/blobs/uploads/8995016276575641803
2021/03/11 11:42:29 PATCH /v2/cosign-e2e/blobs/uploads/732830328053361739
2021/03/11 11:42:29 PATCH /v2/cosign-e2e/blobs/uploads/5486140987150761883
2021/03/11 11:42:29 PATCH /v2/cosign-e2e/blobs/uploads/6382800227808658932
2021/03/11 11:42:29 PATCH /v2/cosign-e2e/blobs/uploads/2781055864473387780
2021/03/11 11:42:29 PATCH /v2/cosign-e2e/blobs/uploads/545291762129038907
2021/03/11 11:42:29 PUT /v2/cosign-e2e/blobs/uploads/8995016276575641803?digest=sha256%3Aed4143bf0109f4186b722e0ddff018a58aa6e784aaa7d7c4a93866cb08feea35
2021/03/11 11:42:29 PUT /v2/cosign-e2e/blobs/uploads/732830328053361739?digest=sha256%3Ad48486ba0504bf13ed27ee0b7077e94ff9f270375eeaaedfc312e0518d1edc94
2021/03/11 11:42:29 PUT /v2/cosign-e2e/blobs/uploads/6382800227808658932?digest=sha256%3A15dcdc5f68c4301c058d0b2e0e8d665b4ddd8fbb94135f934c931a336c3fe126
2021/03/11 11:42:29 PUT /v2/cosign-e2e/blobs/uploads/2781055864473387780?digest=sha256%3A49e0bf138c0096a41211454b8601ae662cb309ec121700bcc9ab0f60d8a864a1
2021/03/11 11:42:29 PUT /v2/cosign-e2e/blobs/uploads/5486140987150761883?digest=sha256%3Ad90a5c65986c01aa64a59eb1ace438c52039ab98656cd187ceddb5e17a17d309
2021/03/11 11:42:29 PUT /v2/cosign-e2e/blobs/uploads/545291762129038907?digest=sha256%3A0741ee4529e95f4129183208cc43b3f645f9768f318a48cd4c56c726bbe28b36
2021/03/11 11:42:29 PUT /v2/cosign-e2e/manifests/latest
2021/03/11 11:42:29 GET /v2/
2021/03/11 11:42:29 GET /v2/cosign-e2e/manifests/latest
2021/03/11 11:42:29 GET /v2/
2021/03/11 11:42:29 GET /v2/cosign-e2e/manifests/latest
2021/03/11 11:42:29 GET /v2/
2021/03/11 11:42:29 GET /v2/cosign-e2e/manifests/latest
2021/03/11 11:42:29 GET /v2/
2021/03/11 11:42:29 DELETE /v2/cosign-e2e/manifests/latest
--- PASS: TestGenerate (1.38s)
=== RUN   TestUploadDownload
    e2e_test.go:353: COSIGN_TEST_REPO unset, using fake registry
=== RUN   TestUploadDownload/file_containing_signature
2021/03/11 11:42:30 GET /v2/
2021/03/11 11:42:30 HEAD /v2/cosign-e2e/blobs/sha256:ccc60dc456c1ecadb6900cb0b25a733798d57dc9be7ffa0e04643a0026fb5cbb 404 BLOB_UNKNOWN Unknown blob
2021/03/11 11:42:30 HEAD /v2/cosign-e2e/blobs/sha256:3ab161c3831768ecfee76fdb67065189c28701905c20d844a114b6996160890c 404 BLOB_UNKNOWN Unknown blob
2021/03/11 11:42:30 HEAD /v2/cosign-e2e/blobs/sha256:5062c0eacbfa77ac7aa40dd0a243f699394f61427478f9d05b752bf1c19b42e2 404 BLOB_UNKNOWN Unknown blob
2021/03/11 11:42:30 HEAD /v2/cosign-e2e/blobs/sha256:72156bec5ddbc687c8507f4b2e4f2cb9970d5bf556a08bc7075c07acd1a99a2f 404 BLOB_UNKNOWN Unknown blob
2021/03/11 11:42:30 HEAD /v2/cosign-e2e/blobs/sha256:34c003d38bbdb3473d0d99594925e38c82445da96e81e6db70b42f4ef02474da 404 BLOB_UNKNOWN Unknown blob
2021/03/11 11:42:30 HEAD /v2/cosign-e2e/blobs/sha256:a4cf8b0b87ee89013866f78697ed4436c4e443fe934118a1abd06dc2a1777c61 404 BLOB_UNKNOWN Unknown blob
2021/03/11 11:42:30 POST /v2/cosign-e2e/blobs/uploads/
2021/03/11 11:42:30 POST /v2/cosign-e2e/blobs/uploads/
2021/03/11 11:42:30 POST /v2/cosign-e2e/blobs/uploads/
2021/03/11 11:42:30 POST /v2/cosign-e2e/blobs/uploads/
2021/03/11 11:42:30 POST /v2/cosign-e2e/blobs/uploads/
2021/03/11 11:42:30 POST /v2/cosign-e2e/blobs/uploads/
2021/03/11 11:42:30 PATCH /v2/cosign-e2e/blobs/uploads/4893789450120281907
2021/03/11 11:42:30 PATCH /v2/cosign-e2e/blobs/uploads/7273596521315663110
2021/03/11 11:42:30 PATCH /v2/cosign-e2e/blobs/uploads/2338498362660772719
2021/03/11 11:42:30 PATCH /v2/cosign-e2e/blobs/uploads/3337066551442961397
2021/03/11 11:42:30 PATCH /v2/cosign-e2e/blobs/uploads/2601737961087659062
2021/03/11 11:42:30 PUT /v2/cosign-e2e/blobs/uploads/7273596521315663110?digest=sha256%3A5062c0eacbfa77ac7aa40dd0a243f699394f61427478f9d05b752bf1c19b42e2
2021/03/11 11:42:30 PATCH /v2/cosign-e2e/blobs/uploads/8121576815539813105
2021/03/11 11:42:30 PUT /v2/cosign-e2e/blobs/uploads/4893789450120281907?digest=sha256%3A3ab161c3831768ecfee76fdb67065189c28701905c20d844a114b6996160890c
2021/03/11 11:42:30 PUT /v2/cosign-e2e/blobs/uploads/2338498362660772719?digest=sha256%3Accc60dc456c1ecadb6900cb0b25a733798d57dc9be7ffa0e04643a0026fb5cbb
2021/03/11 11:42:30 PUT /v2/cosign-e2e/blobs/uploads/3337066551442961397?digest=sha256%3A34c003d38bbdb3473d0d99594925e38c82445da96e81e6db70b42f4ef02474da
2021/03/11 11:42:30 PUT /v2/cosign-e2e/blobs/uploads/8121576815539813105?digest=sha256%3Aa4cf8b0b87ee89013866f78697ed4436c4e443fe934118a1abd06dc2a1777c61
2021/03/11 11:42:30 PUT /v2/cosign-e2e/blobs/uploads/2601737961087659062?digest=sha256%3A72156bec5ddbc687c8507f4b2e4f2cb9970d5bf556a08bc7075c07acd1a99a2f
2021/03/11 11:42:30 PUT /v2/cosign-e2e/manifests/latest
2021/03/11 11:42:30 GET /v2/
2021/03/11 11:42:30 GET /v2/cosign-e2e/manifests/latest
2021/03/11 11:42:30 GET /v2/
2021/03/11 11:42:30 GET /v2/cosign-e2e/manifests/latest
2021/03/11 11:42:30 GET /v2/
2021/03/11 11:42:30 GET /v2/cosign-e2e/manifests/sha256-0828c76942faeeeb1f71cb6bd7f90a1e52c3a1c3a6ff15beea1edcd4c40f61a1.cosign 404 MANIFEST_UNKNOWN Unknown manifest
2021/03/11 11:42:30 GET /v2/
2021/03/11 11:42:30 HEAD /v2/cosign-e2e/blobs/sha256:f5b1321b02e0f73b0e68ecaa6da3d1204ddc4341d62e896136fe69b75a86a1f6 404 BLOB_UNKNOWN Unknown blob
2021/03/11 11:42:30 HEAD /v2/cosign-e2e/blobs/sha256:17e25830de8833d4c96b15a69173bdbf69e66d620210daed42455095ddd73820 404 BLOB_UNKNOWN Unknown blob
2021/03/11 11:42:30 POST /v2/cosign-e2e/blobs/uploads/
2021/03/11 11:42:30 POST /v2/cosign-e2e/blobs/uploads/
2021/03/11 11:42:30 PATCH /v2/cosign-e2e/blobs/uploads/2740376916591569721
2021/03/11 11:42:30 PATCH /v2/cosign-e2e/blobs/uploads/8249030965139585917
2021/03/11 11:42:30 PUT /v2/cosign-e2e/blobs/uploads/2740376916591569721?digest=sha256%3Af5b1321b02e0f73b0e68ecaa6da3d1204ddc4341d62e896136fe69b75a86a1f6
2021/03/11 11:42:30 PUT /v2/cosign-e2e/blobs/uploads/8249030965139585917?digest=sha256%3A17e25830de8833d4c96b15a69173bdbf69e66d620210daed42455095ddd73820
2021/03/11 11:42:30 PUT /v2/cosign-e2e/manifests/sha256-0828c76942faeeeb1f71cb6bd7f90a1e52c3a1c3a6ff15beea1edcd4c40f61a1.cosign
2021/03/11 11:42:30 GET /v2/
2021/03/11 11:42:30 GET /v2/cosign-e2e/manifests/latest
2021/03/11 11:42:30 GET /v2/
2021/03/11 11:42:30 GET /v2/cosign-e2e/manifests/sha256-0828c76942faeeeb1f71cb6bd7f90a1e52c3a1c3a6ff15beea1edcd4c40f61a1.cosign
2021/03/11 11:42:30 GET /v2/cosign-e2e/blobs/sha256:f5b1321b02e0f73b0e68ecaa6da3d1204ddc4341d62e896136fe69b75a86a1f6
2021/03/11 11:42:30 GET /v2/
2021/03/11 11:42:30 DELETE /v2/cosign-e2e/manifests/latest
=== RUN   TestUploadDownload/raw_signature_as_argument
2021/03/11 11:42:31 GET /v2/
2021/03/11 11:42:31 HEAD /v2/cosign-e2e/blobs/sha256:25e24e0af4222be205ca0ac3083cb13b7235dd3ac34f1acf0f3174d678d3ab2e 404 BLOB_UNKNOWN Unknown blob
2021/03/11 11:42:31 HEAD /v2/cosign-e2e/blobs/sha256:da1140b44621bf06dff5a225d2da17f82880d954919b2b189508b2b658a6580c 404 BLOB_UNKNOWN Unknown blob
2021/03/11 11:42:31 HEAD /v2/cosign-e2e/blobs/sha256:5c382987316a8ff64b19d2b07f0b2119d767ab87d2582ff231681146aefec39f 404 BLOB_UNKNOWN Unknown blob
2021/03/11 11:42:31 HEAD /v2/cosign-e2e/blobs/sha256:86d6ef17212b8a2e4371228018677cf8b5e2e2236d0982c48a1a0f395c7a9f6b 404 BLOB_UNKNOWN Unknown blob
2021/03/11 11:42:31 HEAD /v2/cosign-e2e/blobs/sha256:53d704931027a9d5fa06e9002378c00e295b79dda240a825fa857d261ca8dedc 404 BLOB_UNKNOWN Unknown blob
2021/03/11 11:42:31 POST /v2/cosign-e2e/blobs/uploads/
2021/03/11 11:42:31 HEAD /v2/cosign-e2e/blobs/sha256:f5b8c0d737729e5601aef80c3c56dbcf1c2c6ed28385ca721f6afb3d3f9a0583 404 BLOB_UNKNOWN Unknown blob
2021/03/11 11:42:31 POST /v2/cosign-e2e/blobs/uploads/
2021/03/11 11:42:31 POST /v2/cosign-e2e/blobs/uploads/
2021/03/11 11:42:31 POST /v2/cosign-e2e/blobs/uploads/
2021/03/11 11:42:31 POST /v2/cosign-e2e/blobs/uploads/
2021/03/11 11:42:31 POST /v2/cosign-e2e/blobs/uploads/
2021/03/11 11:42:32 PATCH /v2/cosign-e2e/blobs/uploads/8603989663476771718
2021/03/11 11:42:32 PATCH /v2/cosign-e2e/blobs/uploads/6735196588112087610
2021/03/11 11:42:32 PATCH /v2/cosign-e2e/blobs/uploads/6842348953158377901
2021/03/11 11:42:32 PATCH /v2/cosign-e2e/blobs/uploads/2227583514184312746
2021/03/11 11:42:32 PUT /v2/cosign-e2e/blobs/uploads/8603989663476771718?digest=sha256%3A25e24e0af4222be205ca0ac3083cb13b7235dd3ac34f1acf0f3174d678d3ab2e
2021/03/11 11:42:32 PATCH /v2/cosign-e2e/blobs/uploads/2873287401706343734
2021/03/11 11:42:32 PATCH /v2/cosign-e2e/blobs/uploads/7388428680384065704
2021/03/11 11:42:32 PUT /v2/cosign-e2e/blobs/uploads/6735196588112087610?digest=sha256%3A53d704931027a9d5fa06e9002378c00e295b79dda240a825fa857d261ca8dedc
2021/03/11 11:42:32 PUT /v2/cosign-e2e/blobs/uploads/6842348953158377901?digest=sha256%3A86d6ef17212b8a2e4371228018677cf8b5e2e2236d0982c48a1a0f395c7a9f6b
2021/03/11 11:42:32 PUT /v2/cosign-e2e/blobs/uploads/7388428680384065704?digest=sha256%3Af5b8c0d737729e5601aef80c3c56dbcf1c2c6ed28385ca721f6afb3d3f9a0583
2021/03/11 11:42:32 PUT /v2/cosign-e2e/blobs/uploads/2227583514184312746?digest=sha256%3A5c382987316a8ff64b19d2b07f0b2119d767ab87d2582ff231681146aefec39f
2021/03/11 11:42:32 PUT /v2/cosign-e2e/blobs/uploads/2873287401706343734?digest=sha256%3Ada1140b44621bf06dff5a225d2da17f82880d954919b2b189508b2b658a6580c
2021/03/11 11:42:32 PUT /v2/cosign-e2e/manifests/latest
2021/03/11 11:42:32 GET /v2/
2021/03/11 11:42:32 GET /v2/cosign-e2e/manifests/latest
2021/03/11 11:42:32 GET /v2/
2021/03/11 11:42:32 GET /v2/cosign-e2e/manifests/latest
2021/03/11 11:42:32 GET /v2/
2021/03/11 11:42:32 GET /v2/cosign-e2e/manifests/sha256-4d3dd9c9829d0a606652beed8118861f7e15f02f4ee65b48d050708c032d39ba.cosign 404 MANIFEST_UNKNOWN Unknown manifest
2021/03/11 11:42:32 GET /v2/
2021/03/11 11:42:32 HEAD /v2/cosign-e2e/blobs/sha256:17e25830de8833d4c96b15a69173bdbf69e66d620210daed42455095ddd73820
2021/03/11 11:42:32 HEAD /v2/cosign-e2e/blobs/sha256:f5b1321b02e0f73b0e68ecaa6da3d1204ddc4341d62e896136fe69b75a86a1f6
2021/03/11 11:42:32 PUT /v2/cosign-e2e/manifests/sha256-4d3dd9c9829d0a606652beed8118861f7e15f02f4ee65b48d050708c032d39ba.cosign
2021/03/11 11:42:32 GET /v2/
2021/03/11 11:42:32 GET /v2/cosign-e2e/manifests/latest
2021/03/11 11:42:32 GET /v2/
2021/03/11 11:42:32 GET /v2/cosign-e2e/manifests/sha256-4d3dd9c9829d0a606652beed8118861f7e15f02f4ee65b48d050708c032d39ba.cosign
2021/03/11 11:42:32 GET /v2/cosign-e2e/blobs/sha256:f5b1321b02e0f73b0e68ecaa6da3d1204ddc4341d62e896136fe69b75a86a1f6
2021/03/11 11:42:32 GET /v2/
2021/03/11 11:42:32 DELETE /v2/cosign-e2e/manifests/latest
=== RUN   TestUploadDownload/empty_signature_as_argument
2021/03/11 11:42:32 GET /v2/
2021/03/11 11:42:32 HEAD /v2/cosign-e2e/blobs/sha256:ee6bb2cfc0dff05a5dfecb2b2ba5ebcd93a10a4c16a6f191561022f4e950d8a7 404 BLOB_UNKNOWN Unknown blob
2021/03/11 11:42:32 HEAD /v2/cosign-e2e/blobs/sha256:e1fae0070f1f6f0c2dd36852bd0e27ce958a495c184d1a901062bbb2bcb6ae0c 404 BLOB_UNKNOWN Unknown blob
2021/03/11 11:42:32 HEAD /v2/cosign-e2e/blobs/sha256:24fab67a665883245c19e62c2e143aa8259bba69e6d8a82beaf30a5700f895c2 404 BLOB_UNKNOWN Unknown blob
2021/03/11 11:42:32 HEAD /v2/cosign-e2e/blobs/sha256:c669f37751ee61d6dabef3f2512e7bb36e5ae61ef73be63602e550a64bb9d923 404 BLOB_UNKNOWN Unknown blob
2021/03/11 11:42:32 HEAD /v2/cosign-e2e/blobs/sha256:8997919a650f12dbdaed0fa91e23dc6570215cd65fd9e62944aa0d3b2845a985 404 BLOB_UNKNOWN Unknown blob
2021/03/11 11:42:32 POST /v2/cosign-e2e/blobs/uploads/
2021/03/11 11:42:32 HEAD /v2/cosign-e2e/blobs/sha256:0980cc3537ab2f91553fd1486b678f885d966cb0c58331f16ac6210df88e6427 404 BLOB_UNKNOWN Unknown blob
2021/03/11 11:42:32 POST /v2/cosign-e2e/blobs/uploads/
2021/03/11 11:42:32 POST /v2/cosign-e2e/blobs/uploads/
2021/03/11 11:42:32 POST /v2/cosign-e2e/blobs/uploads/
2021/03/11 11:42:32 POST /v2/cosign-e2e/blobs/uploads/
2021/03/11 11:42:32 POST /v2/cosign-e2e/blobs/uploads/
2021/03/11 11:42:32 PATCH /v2/cosign-e2e/blobs/uploads/8505906760983331750
2021/03/11 11:42:32 PATCH /v2/cosign-e2e/blobs/uploads/837825985403119657
2021/03/11 11:42:32 PATCH /v2/cosign-e2e/blobs/uploads/4548432111829895923
2021/03/11 11:42:32 PATCH /v2/cosign-e2e/blobs/uploads/8549944162621642512
2021/03/11 11:42:32 PUT /v2/cosign-e2e/blobs/uploads/837825985403119657?digest=sha256%3A24fab67a665883245c19e62c2e143aa8259bba69e6d8a82beaf30a5700f895c2
2021/03/11 11:42:32 PATCH /v2/cosign-e2e/blobs/uploads/8807817071862113702
2021/03/11 11:42:32 PUT /v2/cosign-e2e/blobs/uploads/4548432111829895923?digest=sha256%3Ae1fae0070f1f6f0c2dd36852bd0e27ce958a495c184d1a901062bbb2bcb6ae0c
2021/03/11 11:42:32 PATCH /v2/cosign-e2e/blobs/uploads/3209308858241334655
2021/03/11 11:42:32 PUT /v2/cosign-e2e/blobs/uploads/8505906760983331750?digest=sha256%3Aee6bb2cfc0dff05a5dfecb2b2ba5ebcd93a10a4c16a6f191561022f4e950d8a7
2021/03/11 11:42:32 PUT /v2/cosign-e2e/blobs/uploads/8549944162621642512?digest=sha256%3Ac669f37751ee61d6dabef3f2512e7bb36e5ae61ef73be63602e550a64bb9d923
2021/03/11 11:42:32 PUT /v2/cosign-e2e/blobs/uploads/8807817071862113702?digest=sha256%3A8997919a650f12dbdaed0fa91e23dc6570215cd65fd9e62944aa0d3b2845a985
2021/03/11 11:42:32 PUT /v2/cosign-e2e/blobs/uploads/3209308858241334655?digest=sha256%3A0980cc3537ab2f91553fd1486b678f885d966cb0c58331f16ac6210df88e6427
2021/03/11 11:42:32 PUT /v2/cosign-e2e/manifests/latest
2021/03/11 11:42:32 GET /v2/
2021/03/11 11:42:32 GET /v2/cosign-e2e/manifests/latest
2021/03/11 11:42:32 GET /v2/
2021/03/11 11:42:32 GET /v2/cosign-e2e/manifests/latest
2021/03/11 11:42:32 GET /v2/
2021/03/11 11:42:32 GET /v2/cosign-e2e/manifests/sha256-af35eeefb0451634e103b6e7fd715ccf5d08b1080d59b501398ec5d4600f12cf.cosign 404 MANIFEST_UNKNOWN Unknown manifest
2021/03/11 11:42:32 GET /v2/
2021/03/11 11:42:32 DELETE /v2/cosign-e2e/manifests/latest
--- PASS: TestUploadDownload (2.99s)
    --- PASS: TestUploadDownload/file_containing_signature (1.38s)
    --- PASS: TestUploadDownload/raw_signature_as_argument (0.79s)
    --- PASS: TestUploadDownload/empty_signature_as_argument (0.82s)
=== RUN   TestTlog
    e2e_test.go:353: COSIGN_TEST_REPO unset, using fake registry
2021/03/11 11:42:33 GET /v2/
2021/03/11 11:42:33 HEAD /v2/cosign-e2e/blobs/sha256:72898f5cdc28404569c3f12fcc413c57c83713b6ebe347d18ee7c6ccf0f522ff 404 BLOB_UNKNOWN Unknown blob
2021/03/11 11:42:33 HEAD /v2/cosign-e2e/blobs/sha256:9b3e560963123ea784a4a63cc5df3774fd98ed3c861f106bbc3aab2a803a1fcd 404 BLOB_UNKNOWN Unknown blob
2021/03/11 11:42:33 HEAD /v2/cosign-e2e/blobs/sha256:05ca6173264e745e553dad75e3188420cb791576d3dafd903fad586dde4ef62c 404 BLOB_UNKNOWN Unknown blob
2021/03/11 11:42:33 HEAD /v2/cosign-e2e/blobs/sha256:55ca517a7c7aa8075154fe4edf84d0c7edb7729e47de545477f9cbf7863fae97 404 BLOB_UNKNOWN Unknown blob
2021/03/11 11:42:33 HEAD /v2/cosign-e2e/blobs/sha256:e3866990dbaf994d8bedab55f5a5ee4537199620314710d4e7eceefc17d87126 404 BLOB_UNKNOWN Unknown blob
2021/03/11 11:42:33 POST /v2/cosign-e2e/blobs/uploads/
2021/03/11 11:42:33 HEAD /v2/cosign-e2e/blobs/sha256:8d3b3c312110f3ae4094fb5b7aaaa9d204aedafaf3fbe9080289a18b99aa8181 404 BLOB_UNKNOWN Unknown blob
2021/03/11 11:42:33 POST /v2/cosign-e2e/blobs/uploads/
2021/03/11 11:42:33 POST /v2/cosign-e2e/blobs/uploads/
2021/03/11 11:42:33 POST /v2/cosign-e2e/blobs/uploads/
2021/03/11 11:42:33 POST /v2/cosign-e2e/blobs/uploads/
2021/03/11 11:42:33 POST /v2/cosign-e2e/blobs/uploads/
2021/03/11 11:42:33 PATCH /v2/cosign-e2e/blobs/uploads/6971241403795498694
2021/03/11 11:42:33 PATCH /v2/cosign-e2e/blobs/uploads/3724427934598140041
2021/03/11 11:42:33 PATCH /v2/cosign-e2e/blobs/uploads/2970700287221458280
2021/03/11 11:42:33 PATCH /v2/cosign-e2e/blobs/uploads/1205043859388862788
2021/03/11 11:42:33 PATCH /v2/cosign-e2e/blobs/uploads/8267293389953062911
2021/03/11 11:42:33 PUT /v2/cosign-e2e/blobs/uploads/1205043859388862788?digest=sha256%3Ae3866990dbaf994d8bedab55f5a5ee4537199620314710d4e7eceefc17d87126
2021/03/11 11:42:33 PATCH /v2/cosign-e2e/blobs/uploads/9093919513921919021
2021/03/11 11:42:33 PUT /v2/cosign-e2e/blobs/uploads/6971241403795498694?digest=sha256%3A72898f5cdc28404569c3f12fcc413c57c83713b6ebe347d18ee7c6ccf0f522ff
2021/03/11 11:42:33 PUT /v2/cosign-e2e/blobs/uploads/2970700287221458280?digest=sha256%3A05ca6173264e745e553dad75e3188420cb791576d3dafd903fad586dde4ef62c
2021/03/11 11:42:33 PUT /v2/cosign-e2e/blobs/uploads/3724427934598140041?digest=sha256%3A9b3e560963123ea784a4a63cc5df3774fd98ed3c861f106bbc3aab2a803a1fcd
2021/03/11 11:42:33 PUT /v2/cosign-e2e/blobs/uploads/8267293389953062911?digest=sha256%3A55ca517a7c7aa8075154fe4edf84d0c7edb7729e47de545477f9cbf7863fae97
2021/03/11 11:42:33 PUT /v2/cosign-e2e/blobs/uploads/9093919513921919021?digest=sha256%3A8d3b3c312110f3ae4094fb5b7aaaa9d204aedafaf3fbe9080289a18b99aa8181
2021/03/11 11:42:33 PUT /v2/cosign-e2e/manifests/latest
2021/03/11 11:42:33 GET /v2/
2021/03/11 11:42:33 GET /v2/cosign-e2e/manifests/latest
2021/03/11 11:42:33 GET /v2/
2021/03/11 11:42:33 GET /v2/cosign-e2e/manifests/latest
2021/03/11 11:42:33 GET /v2/
2021/03/11 11:42:33 GET /v2/cosign-e2e/manifests/sha256-d80c967c6c29e51b980e8a0ac95405e83b26ea1b35455fa88a98576e782596de.cosign 404 MANIFEST_UNKNOWN Unknown manifest
2021/03/11 11:42:33 GET /v2/
2021/03/11 11:42:33 GET /v2/cosign-e2e/manifests/latest
Pushing signature to: 127.0.0.1:63718/cosign-e2e:sha256-d80c967c6c29e51b980e8a0ac95405e83b26ea1b35455fa88a98576e782596de.cosign
2021/03/11 11:42:33 GET /v2/
2021/03/11 11:42:33 GET /v2/cosign-e2e/manifests/sha256-d80c967c6c29e51b980e8a0ac95405e83b26ea1b35455fa88a98576e782596de.cosign 404 MANIFEST_UNKNOWN Unknown manifest
2021/03/11 11:42:33 GET /v2/
2021/03/11 11:42:33 HEAD /v2/cosign-e2e/blobs/sha256:1c296162595e02ecec1d6574fb04c073176b199143feedcf8123ac0d072f2e76 404 BLOB_UNKNOWN Unknown blob
2021/03/11 11:42:33 HEAD /v2/cosign-e2e/blobs/sha256:982bc03e46d22e04936d33cdc173fdf1c0aae25f904e95b66b3c9d077a4553fc 404 BLOB_UNKNOWN Unknown blob
2021/03/11 11:42:33 POST /v2/cosign-e2e/blobs/uploads/
2021/03/11 11:42:33 POST /v2/cosign-e2e/blobs/uploads/
2021/03/11 11:42:33 PATCH /v2/cosign-e2e/blobs/uploads/5944830206637008055
2021/03/11 11:42:33 PATCH /v2/cosign-e2e/blobs/uploads/6651414131918424343
2021/03/11 11:42:33 PUT /v2/cosign-e2e/blobs/uploads/5944830206637008055?digest=sha256%3A982bc03e46d22e04936d33cdc173fdf1c0aae25f904e95b66b3c9d077a4553fc
2021/03/11 11:42:33 PUT /v2/cosign-e2e/blobs/uploads/6651414131918424343?digest=sha256%3A1c296162595e02ecec1d6574fb04c073176b199143feedcf8123ac0d072f2e76
2021/03/11 11:42:33 PUT /v2/cosign-e2e/manifests/sha256-d80c967c6c29e51b980e8a0ac95405e83b26ea1b35455fa88a98576e782596de.cosign
2021/03/11 11:42:33 GET /v2/
2021/03/11 11:42:33 GET /v2/cosign-e2e/manifests/latest
2021/03/11 11:42:33 GET /v2/
2021/03/11 11:42:33 GET /v2/cosign-e2e/manifests/latest
2021/03/11 11:42:33 GET /v2/
2021/03/11 11:42:33 GET /v2/cosign-e2e/manifests/sha256-d80c967c6c29e51b980e8a0ac95405e83b26ea1b35455fa88a98576e782596de.cosign
2021/03/11 11:42:33 GET /v2/cosign-e2e/blobs/sha256:1c296162595e02ecec1d6574fb04c073176b199143feedcf8123ac0d072f2e76
2021/03/11 11:42:33 GET /v2/
2021/03/11 11:42:33 GET /v2/cosign-e2e/manifests/latest
2021/03/11 11:42:33 GET /v2/
2021/03/11 11:42:33 GET /v2/cosign-e2e/manifests/sha256-d80c967c6c29e51b980e8a0ac95405e83b26ea1b35455fa88a98576e782596de.cosign
2021/03/11 11:42:33 GET /v2/cosign-e2e/blobs/sha256:1c296162595e02ecec1d6574fb04c073176b199143feedcf8123ac0d072f2e76
2021/03/11 11:42:33 GET /v2/
2021/03/11 11:42:33 GET /v2/cosign-e2e/manifests/latest
Pushing signature to: 127.0.0.1:63718/cosign-e2e:sha256-d80c967c6c29e51b980e8a0ac95405e83b26ea1b35455fa88a98576e782596de.cosign
2021/03/11 11:42:34 GET /v2/
2021/03/11 11:42:34 GET /v2/cosign-e2e/manifests/sha256-d80c967c6c29e51b980e8a0ac95405e83b26ea1b35455fa88a98576e782596de.cosign
2021/03/11 11:42:34 GET /v2/cosign-e2e/blobs/sha256:982bc03e46d22e04936d33cdc173fdf1c0aae25f904e95b66b3c9d077a4553fc
2021/03/11 11:42:34 GET /v2/
2021/03/11 11:42:34 HEAD /v2/cosign-e2e/blobs/sha256:1c296162595e02ecec1d6574fb04c073176b199143feedcf8123ac0d072f2e76
2021/03/11 11:42:34 HEAD /v2/cosign-e2e/blobs/sha256:03bde37aeb77179cd5ffb4e6f92308b61aaead7d2b35d455753184a05c59a825 404 BLOB_UNKNOWN Unknown blob
2021/03/11 11:42:34 POST /v2/cosign-e2e/blobs/uploads/
2021/03/11 11:42:34 PATCH /v2/cosign-e2e/blobs/uploads/788787457839692041
2021/03/11 11:42:34 PUT /v2/cosign-e2e/blobs/uploads/788787457839692041?digest=sha256%3A03bde37aeb77179cd5ffb4e6f92308b61aaead7d2b35d455753184a05c59a825
2021/03/11 11:42:34 PUT /v2/cosign-e2e/manifests/sha256-d80c967c6c29e51b980e8a0ac95405e83b26ea1b35455fa88a98576e782596de.cosign
2021/03/11 11:42:34 GET /v2/
2021/03/11 11:42:34 GET /v2/cosign-e2e/manifests/latest
    e2e_test.go:282: Post "http://127.0.0.1:3000/api/v1/log/entries": dial tcp 127.0.0.1:3000: connect: connection refused
2021/03/11 11:42:34 GET /v2/
2021/03/11 11:42:34 DELETE /v2/cosign-e2e/manifests/latest
--- FAIL: TestTlog (1.82s)
FAIL
FAIL	github.com/sigstore/cosign/test	10.534s
FAIL

Refactor into using crypto.Signer interface

We have three key types now:

Certs
Fixed keys
KMS

If we add Yubikey support (#108) we'll be up to 4. It's probably time to refactor these out into crypto.Signers.

Payload format: Simple Signing vs. OCI Descriptor.

Both are JSON that contain the image reference and have a space for extra annotations.

I think I'd prefer to switch to OCI descriptors, but many tools already use Simple Signing.

Keyless signing for blobs do not seem to be working

I'm trying

export COSIGN_EXPERIMENTAL=1
cosign sign-blob README.md

Output:

Using payload from: README.md
Generating ephemeral keys...
Retrieving signed certificate...
Your browser will now be opened to:
https://accounts.google.com/o/oauth2/v2/auth?access_type=online&client_id=237800849078-rmntmr1b2tcu20kpid66q5[...]

Signing with certificate:
-----BEGIN CERTIFICATE-----
MIICqzCCAjGgAwIBAgIUAOTYpl3cOP2Qaj7PqcLgyCQuTs0wCgYIKoZIzj0EAwMw
KjEVMBMGA1UEChMMc2lnc3RvcmUuZGV2MREwDwYDVQQDEwhzaWdzdG9yZTAeFw0y
MTAzMjIyMTUwMDlaFw0yMTAzMjIyMjEwMDJaMDgxGjAYBgNVBAoMEWFobWV0YkBn
b29nbGUuY29tMRowGAYDVQQDDBFhaG1ldGJAZ29vZ2xlLmNvbTBZMBMGByqGSM49
AgEGCCqGSM49AwEHA0IABF/qXf+zmfuTo33RQqeyIKpPZdrNIcwj2MNpg4sfoiXf
bf+YLlJE/wOEry7ORkRmLnp03pfQbIIdXPlp8rc7/LGjggElMIIBITAOBgNVHQ8B
Af8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwMwDAYDVR0TAQH/BAIwADAdBgNV
HQ4EFgQUa/ko/fUQCEADpHZJOgJOGBI/SVMwHwYDVR0jBBgwFoAUyMUdAEGaJCky
USTrDa5K7UoG0+wwgY0GCCsGAQUFBwEBBIGAMH4wfAYIKwYBBQUHMAKGcGh0dHA6
Ly9wcml2YXRlY2EtY29udGVudC02MDNmZTdlNy0wMDAwLTIyMjctYmY3NS1mNGY1
ZTgwZDI5NTQuc3RvcmFnZS5nb29nbGVhcGlzLmNvbS9jYTM2YTFlOTYyNDJiOWZj
YjE0Ni9jYS5jcnQwHAYDVR0RBBUwE4ERYWhtZXRiQGdvb2dsZS5jb20wCgYIKoZI
zj0EAwMDaAAwZQIwD3JNeYCtON2/iO4LMfisM14uwlyEj55rsJXdpFqAoHqamqfm
YQQimUYr75JqObo0AjEAs+oGjyVu/2w+1UwhVqkSjZ+GC091kO/Pm4qQjywoMf0L
5bua4L7sRdRVA9fWCkW/
-----END CERTIFICATE-----

error: empty key

Is this expected? I'm guessing it's just not implemented yet, but it seems we're missing an explicit error.

Initial release plans for cosign

I reeallly want to try to sign the first release of cosign, with cosign, if we can figure out a way that makes sense.

I think we'll have to do it manually, since we won't have a signed release to use in automation yet though. Thankfully we can skip some of the issues with reproducible builds.

Here's a rough plan:

The trick is that we can use Go to build a reproducible binary.

Setup github actions to build and publish a cosign binary on each commit to main
- cosign builds should be reproducible, with some care.
- We'll make these build logs public, showing the sha of each binary we build.
One or more of us will generate keys specific to this initial release.
- The more the merrier!
- We can commit these public keys to a file here in the repo.
We can pick a commit to tag our initial release at.
We'll have several of us build our own versions of cosign from it, and check the SHAs against the ones from the GitHub action. We can publish those in an issue.
If they match, we can tag the release. We'll then sign the first binaries and git tag (v0.1.0)!
We'll publish the signatures in Rekor and in the GitHub release.
The keys to verify the release will be included in the git repo at the matching commit!

After this, we can change our automation to use it's own public/private key-pair (also stored in this repo), and the last signed cosign binary release (v0.1.0) in CI to sign continuous builds. Signatures can get published to Rekor, the build log, and wherever we host the binaries.

Actual tagged releases will also be signed by the automation, and one or more maintainers. We'll sign the git commits as well as the resulting binaries. These can get published to the GitHub release. These public keys (and their mapping to maintainers) will also be stored in the repo.

We can write a verification script to help people verify.

Cosign/TUF integration

As mentioned in the README, cosign can be used to store TUF metadata on a registry. This TUF metadata can secure the tag to digest relationships on the registry, define trust delegations, and provide compromise resilience in the case of a registry or infrastructure compromise. It would be nice to get a working prototype of this integration, possibly leveraging existing TUF implementations such as go-tuf.

As I envision it, a TUF/cosign integration would involve:
[x] Storing TUF metadata on a registry using cosign
[] Ensuring easy querying of that TUF metadata by users, ideally using a human-readable name

In the future, this could lead to more sigstore integration, for example:
[] Allowing TUF targets metadata to delegate to a fulcio identity
[] Supporting TUF root key discovery through a threshold of fulcio servers
[] Publishing TUF metadata to rekor for an immutable history

Consider verifying local images if they exist

Right now cosign verify verifies that the remote image passed in is valid.

Maybe users would want to verify the local image they just pulled is also what they expected it to be. I'm still not sure if:

this is a feature anyone would actually use
if there is a way to delete the digest for an image locally but maintain the image in docker (cosign won't work without the digest)

I'll leave this issue open for a bit in case anyone has any thoughts.

tag update race

are yall aware of any work in opencontainers to support atomic tag swaps (aka fail to update tag if expected previous digest does not match what tag is pointing at right before the update)? it might be too much burden to implement for registry implementors but would be handy for tag updates.

Add a "COSIGN_REPOSITORY" flag/env var

This would act as a replacement for the image repository, in case you want to sign/store/verify from an alternate location.

We should use this before we sign distroless. The first round will be:

export COSIGN_REPOSITORY=gcr.io/distroless-signatures

Causing:

gcr.io/distroless/static -> gcr.io/cosign-signatures/static:sha256-3b3507aa7ce16b085215915d6334f140d8f50ef35bbf3251ee52d3102296f60e.cosign

Move the transparency log feature out of experimental

Gem signing

Gems support a certs/ directory inside the gem, and a gemspec can point to the cert chain to use for verification.

https://github.com/djberg96/net-proto
https://guides.rubygems.org/security/

We could generate a cert, get it into the directory and configure the fulcio chain all at the same time!

"cosign version" command

We should get this in before the first release (0.1.0)

Easy support for GitHub actions

Credentials are passed in as environment variables. That would require writing to disk first (which we would like to avoid anyway). Cosign could take in a predefined env var for private keys for these environments.

export COSIGN_SECRET=$GITHUB_SECRET
cosign sign $image

cosign sign should be able to take multiple keys

cosign sign --key foo.key --key bar.key -a hello=world <img>

should be equivalent to

cosign sign --key foo.key -a hello=world <img>
cosign sign --key bar.key -a hello=world <img>

while making fewer requests to the registry, and failing to publish any signatures if either signing operation fails.

This might also mean that you should be able to cosign sign --key foo.key --kms ... (#78)

We should "attach" the sig and cert into the tarball somehow
We can modify it (obviously), but it would be great if we can still find the original digest
It should be transparent/not-noticeable to users that don't care about the signatures. They shouldn't notice

[SOLVED] Build fails (macOS)

Cloned the repo, but go build -o cosign ./cmd after cd ~/Developer/GitHub/cosign failed with no Go files in ~/Developer/GitHub/cosign/cmd. Am I doing something wrong?

(macOS 11.2.3)

Recommend Projects

React

A declarative, efficient, and flexible JavaScript library for building user interfaces.
Vue.js

🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
Typescript

TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
TensorFlow

An Open Source Machine Learning Framework for Everyone
Django

The Web framework for perfectionists with deadlines.
Laravel

A PHP framework for web artisans
D3

Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

javascript

JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
web

Some thing interesting about web. New door for the world.
server

A server is a program made to process requests and deliver data to clients.
Machine learning

Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Visualization

Some thing interesting about visualization, use data art
Game

Some thing interesting about game, make everyone happy.

Recommend Org

Facebook

We are working to build community through open source technology. NB: members must have two-factor auth.
Microsoft

Open source projects and samples from Microsoft.
Google

Google ❤️ Open Source for everyone.
Alibaba

Alibaba Open Source for everyone
D3

Data-Driven Documents codes.
Tencent

China tencent open source team.