CLI can't be verified with Cosign v2 #12828
Hi, I'm trying to verify the checksum file of the Argo Workflows CLI with Cosign. With Cosign v1.13.2, I can verify the checksum file:

```console
$ cosign version
cosign: A tool for Container Signing, Verification and Storage in an OCI registry.
GitVersion:    v1.13.2
GitCommit:     ea92927b70aaf44902190be4516fd00611f1934a
GitTreeState:  clean
BuildDate:     2023-11-15T09:12:26Z
GoVersion:     go1.19.13
Compiler:      gc
Platform:      darwin/arm64

$ cosign verify-blob \
  --signature https://github.com/argoproj/argo-workflows/releases/download/v3.5.5/argo-workflows-cli-checksums.sig \
  --key https://github.com/argoproj/argo-workflows/releases/download/v3.5.5/argo-workflows-cosign.pub \
  argo-workflows-cli-checksums.txt
Verified OK
```

But I can't verify it with Cosign v2.2.3:

```console
$ cosign version
cosign: A tool for Container Signing, Verification and Storage in an OCI registry.
GitVersion:    v2.2.3
GitCommit:     493e6e29e2ac830aaf05ec210b36d0a5a60c3b32
GitTreeState:  clean
BuildDate:     2024-01-31T17:54:40Z
GoVersion:     go1.21.6
Compiler:      gc
Platform:      darwin/arm64

$ cosign verify-blob \
  --certificate-identity-regexp "https://github\\.com/argoproj/argo-workflows/\\.github/workflows/release\\.yaml@.*" \
  --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
  --signature https://github.com/argoproj/argo-workflows/releases/download/v3.5.5/argo-workflows-cli-checksums.sig \
  --key https://github.com/argoproj/argo-workflows/releases/download/v3.5.5/argo-workflows-cosign.pub \
  argo-workflows-cli-checksums.txt
Error: signature not found in transparency log
main.go:74: error during command execution: signature not found in transparency log
```

Recently, Sigstore published a new TUF trust root: https://sigstore.slack.com/archives/C01DGF0G8U9/p1710871645742299

The new TUF trust root doesn't support Cosign v1, so we should use Cosign v2 as much as possible. From Cosign v2, some options such as

Or I found an issue regarding the same error message
Replies: 1 comment 6 replies
Welp, apparently we need to update to Cosign v2, which was released ~a year ago.
Should at least update to latest v1.13.x to get the new trust root. @suzuki-shunsuke would you be interested in contributing an update to a new Cosign version and testing it out?
Per istio/istio#44362 (comment), we might need to also use
Thanks for verifying!
To summarize for other readers:
--insecure-ignore-tlog
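The fix the thread converges on, worked into a complete verification script. This is an added example, not the argo-workflows project's own tooling and not code posted in the discussion: it reuses the release asset URLs from the original post, assumes the checksums file is in the `<sha256>  <filename>` layout that `sha256sum` writes, and takes the binary asset name on the command line (the `ALLOW_NO_TLOG` variable, the function names and the `argo-darwin-arm64.gz` sample name are this example's own assumptions). It runs `cosign verify-blob` against the project's public key first and retries with `--insecure-ignore-tlog` only when that fails and the caller has opted in, then compares the downloaded binary's SHA-256 with the signed checksums file, which is the step that actually protects the CLI download.

```shell
#!/usr/bin/env sh
# Added example (not argo-workflows' own script): verify a release's
# checksums file with cosign v2 and the project's public key, then check a
# downloaded CLI binary against that file. Release URLs are from the
# discussion; ALLOW_NO_TLOG and the function names are assumptions.
set -eu

RELEASE="${RELEASE:-v3.5.5}"
BASE="https://github.com/argoproj/argo-workflows/releases/download/${RELEASE}"

# SHA-256 of a file, portable between coreutils (sha256sum) and macOS (shasum).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# Print the expected digest of NAME from a checksums file of "<hex>  <name>"
# lines; return 1 if NAME has no entry.
expected_sha256() { # expected_sha256 CHECKSUMS NAME
  awk -v name="$2" '$2 == name { print $1; found = 1 } END { exit !found }' "$1"
}

# Compare FILE against the (already signature-verified) checksums file.
# Returns 0 on match, 1 on mismatch or missing entry.
verify_file_checksum() { # verify_file_checksum CHECKSUMS FILE
  want="$(expected_sha256 "$1" "$(basename "$2")")" || {
    echo "no checksum entry for $(basename "$2")" >&2
    return 1
  }
  got="$(sha256_of "$2")"
  [ "$want" = "$got" ]
}

# Verify the checksums file's signature with cosign v2. When the signature
# was never uploaded to Rekor, the first call fails with "signature not found
# in transparency log"; only with ALLOW_NO_TLOG=1 do we retry with
# --insecure-ignore-tlog, which trusts the public key alone.
verify_checksums_signature() { # verify_checksums_signature CHECKSUMS SIG PUBKEY
  if cosign verify-blob --key "$3" --signature "$2" "$1"; then
    return 0
  fi
  if [ "${ALLOW_NO_TLOG:-0}" = 1 ]; then
    echo "no Rekor entry; falling back to key-only verification" >&2
    cosign verify-blob --insecure-ignore-tlog --key "$3" --signature "$2" "$1"
  else
    echo "signature not in Rekor and ALLOW_NO_TLOG is not set" >&2
    return 1
  fi
}

# Fetch the checksums file, its signature, the public key and BINARY, then
# verify the signature before trusting any digest in the file.
main() { # main BINARY   e.g. main argo-darwin-arm64.gz (assumed asset name)
  bin="$1"
  curl -fsSLO "${BASE}/argo-workflows-cli-checksums.txt"
  curl -fsSLO "${BASE}/argo-workflows-cli-checksums.sig"
  curl -fsSLO "${BASE}/argo-workflows-cosign.pub"
  curl -fsSLO "${BASE}/${bin}"
  verify_checksums_signature argo-workflows-cli-checksums.txt \
    argo-workflows-cli-checksums.sig argo-workflows-cosign.pub
  verify_file_checksum argo-workflows-cli-checksums.txt "$bin"
  echo "OK: ${bin} matches the signed checksums file"
}

# The network and cosign steps run only when a binary name is given.
if [ $# -gt 0 ]; then main "$@"; fi
```

Run it as `ALLOW_NO_TLOG=1 sh verify-argo-cli.sh argo-darwin-arm64.gz`. Two caveats: with `--key`, the `--certificate-identity-regexp` and `--certificate-oidc-issuer` flags from the original command select a Fulcio certificate identity for keyless verification and play no part in key-based verification, so they are left out here; and the key-only fallback means you trust a public key fetched from the same GitHub release as the artifact it vouches for, so pinning a copy of that key obtained out of band is stronger than downloading it alongside the signature.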