CLI can't be verified with Cosign v2

[suzuki-shunsuke]

Hi, I'm trying to verify a checksum file of Argo Workflows CLI with Cosign.

Using Cosign v1.13.2, I could verify the checksum file.

$ cosign version
  ______   ______        _______. __    _______ .__   __.
 /      | /  __  \      /       ||  |  /  _____||  \ |  |
|  ,----'|  |  |  |    |   (----`|  | |  |  __  |   \|  |
|  |     |  |  |  |     \   \    |  | |  | |_ | |  . `  |
|  `----.|  `--'  | .----)   |   |  | |  |__| | |  |\   |
 \______| \______/  |_______/    |__|  \______| |__| \__|
cosign: A tool for Container Signing, Verification and Storage in an OCI registry.

GitVersion:    v1.13.2
GitCommit:     ea92927b70aaf44902190be4516fd00611f1934a
GitTreeState:  clean
BuildDate:     2023-11-15T09:12:26Z
GoVersion:     go1.19.13
Compiler:      gc
Platform:      darwin/arm64

$ cosign verify-blob \
	--signature https://github.com/argoproj/argo-workflows/releases/download/v3.5.5/argo-workflows-cli-checksums.sig \
	--key https://github.com/argoproj/argo-workflows/releases/download/v3.5.5/argo-workflows-cosign.pub \
	argo-workflows-cli-checksums.txt
Verified OK

But I can't verify it with Cosign v2.2.3.

$ cosign version
  ______   ______        _______. __    _______ .__   __.
 /      | /  __  \      /       ||  |  /  _____||  \ |  |
|  ,----'|  |  |  |    |   (----`|  | |  |  __  |   \|  |
|  |     |  |  |  |     \   \    |  | |  | |_ | |  . `  |
|  `----.|  `--'  | .----)   |   |  | |  |__| | |  |\   |
 \______| \______/  |_______/    |__|  \______| |__| \__|
cosign: A tool for Container Signing, Verification and Storage in an OCI registry.

GitVersion:    v2.2.3
GitCommit:     493e6e29e2ac830aaf05ec210b36d0a5a60c3b32
GitTreeState:  clean
BuildDate:     2024-01-31T17:54:40Z
GoVersion:     go1.21.6
Compiler:      gc
Platform:      darwin/arm64

$ cosign verify-blob \
	--certificate-identity-regexp "https://github\\.com/argoproj/argo-workflows/\\.github/workflows/release\\.yaml@.*" \
	--certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
	--signature https://github.com/argoproj/argo-workflows/releases/download/v3.5.5/argo-workflows-cli-checksums.sig \
	--key https://github.com/argoproj/argo-workflows/releases/download/v3.5.5/argo-workflows-cosign.pub \
	argo-workflows-cli-checksums.txt
Error: signature not found in transparency log
main.go:74: error during command execution: signature not found in transparency log

Recently, Sigstore has published a new TUF trust root.

https://sigstore.slack.com/archives/C01DGF0G8U9/p1710871645742299
https://blog.sigstore.dev/tuf-root-update/

A new TUF trust root doesn't support Cosign v1, so we should use Cosign v2 as much as possible.

From Cosign v2, some options such as --certificate-identity-regexp and --certificate-oidc-issuer are required so I'm passing them, but maybe these values are wrong.

Or I found an issue regarding the same error message Error: signature not found in transparency log.

• Verifying signature with Cosign v2 fails due to Transparency Log istio/istio#44362

[agilgur5]

Welp apparently we need to update to Cosign v2 which was released ~a year ago.

Recently, Sigstore has published a new TUF trust root.

https://sigstore.slack.com/archives/C01DGF0G8U9/p1710871645742299 https://blog.sigstore.dev/tuf-root-update/

Should at least update to latest v1.13.x to get the new trust root.

@suzuki-shunsuke would you be interested in contributing an update to a new Cosign version and testing it out?

Or I found an issue regarding the same error message Error: signature not found in transparency log.

• Verifying signature with Cosign v2 fails due to Transparency Log istio/istio#44362

Per istio/istio#44362 (comment), we might need to also use --insecure-ignore-tlog, which may be required similarly to istio/istio#44362 (comment), as it was experimental prior to the v2 release:

The following is the list of breaking changes:

• [...]
• By default, artifact signatures will be uploaded to Rekor, for both key-based and identity-based signing. To not upload to Rekor, include --tlog-upload=false.
  • You must also include --insecure-ignore-tlog=true when verifying an artifact that was not uploaded to Rekor.

[suzuki-shunsuke]

I confirmed I could verify https://github.com/argoproj/argo-workflows/releases/download/v3.5.5/argo-workflows-cli-checksums.txt by Cosign v2.2.3 with --insecure-ignore-tlog.

$ cosign verify-blob \
	--certificate-identity-regexp "https://github\\.com/argoproj/argo-workflows/\\.github/workflows/release\\.yaml@.*" \
	--certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
	--signature https://github.com/argoproj/argo-workflows/releases/download/v3.5.5/argo-workflows-cli-checksums.sig \
	--key https://github.com/argoproj/argo-workflows/releases/download/v3.5.5/argo-workflows-cosign.pub \
	--insecure-ignore-tlog \
	argo-workflows-cli-checksums.txt
WARNING: Skipping tlog verification is an insecure practice that lacks of transparency and auditability verification for the blob.
Verified OK

And since this is merged can you verify a recent commit on main with Cosign v2?

Do you mean to verify a container image?

[suzuki-shunsuke]

$ cosign verify --key cosign.pub quay.io/argoproj/argoexec:latest

Verification for quay.io/argoproj/argoexec:latest --
The following checks were performed on each of these signatures:
  - The cosign claims were validated
  - Existence of the claims in the transparency log was verified offline
  - The signatures were verified against the specified public key

[{"critical":{"identity":{"docker-reference":"quay.io/argoproj/argoexec"},"image":{"docker-manifest-digest":"sha256:9dd47815124b96eea69e9d7f195062cf941d4d0758d67e2d53e086133b198a1f"},"type":"cosign container image signature"},"optional":{"Bundle":{"SignedEntryTimestamp":"MEQCIDVBAfN0Tt48wPcmyGNc2cTV9l1+5u8kERwZ9k2Cp5FYAiA0m4qZEpv9JMbwZbaT3y3J3OXvmjAxJF3h0aeNw85NIg==","Payload":{"body":"eyJhcGlWZXJzaW9uIjoiMC4wLjEiLCJraW5kIjoiaGFzaGVkcmVrb3JkIiwic3BlYyI6eyJkYXRhIjp7Imhhc2giOnsiYWxnb3JpdGhtIjoic2hhMjU2IiwidmFsdWUiOiI1YTg1ZjA2YTAzOTIwZDU3OTg4YzgwMzk3OWFhOTIwMDU4YjgwNzVmZTEwZWU1MDgwZjJlODA0MWJlMDhkYzE4In19LCJzaWduYXR1cmUiOnsiY29udGVudCI6Ik1FWUNJUUQ0YmcyVDBwNk5pQWwxV0thZXJJUExYMzJTMWtQSW0xT3B2VEZsQUVudUt3SWhBTXFYL05aZ0xJeWVzUmhXcjEwa0xJQjc4eUhYdTkvT2J2M2xFWVpqVThVSyIsInB1YmxpY0tleSI6eyJjb250ZW50IjoiTFMwdExTMUNSVWRKVGlCUVZVSk1TVU1nUzBWWkxTMHRMUzBLVFVacmQwVjNXVWhMYjFwSmVtb3dRMEZSV1VsTGIxcEplbW93UkVGUlkwUlJaMEZGUlZKNlprVnBSV1YxWlVKRFltWjVka0l3UnpKWU9VaGxUbXB1ZEFwcFdGRTJjemxrV1VkMVRXa3JVbWRqVnpSdFdDdGpXRlF5VDI5cFFVaERVREl4WVZneVZ6RkxjMk5MUjA1M2NFNXdSMmswTTJob2NERkJQVDBLTFMwdExTMUZUa1FnVUZWQ1RFbERJRXRGV1MwdExTMHRDZz09In19fX0=","integratedTime":1711822801,"logIndex":82254844,"logID":"c0d23d6ad406973f9559f3ba2d1ca01f84147d8ffc5b8445c224f98b9591801d"}}}}]

.image.docker-manifest-digest is sha256:9dd47815124b96eea69e9d7f195062cf941d4d0758d67e2d53e086133b198a1f.

$ docker pull quay.io/argoproj/argoexec:latest
latest: Pulling from argoproj/argoexec
2f137302898f: Pull complete 
fe5ca62666f0: Pull complete 
be1681d2fb7c: Pull complete 
b6824ed73363: Pull complete 
7c12895b777b: Pull complete 
33e068de2649: Pull complete 
5664b15f108b: Pull complete 
27be814a09eb: Pull complete 
4aa0ea1413d3: Pull complete 
9ef7d74bdfdf: Pull complete 
9112d77ee5b1: Pull complete 
c975bf4440c7: Pull complete 
c56454041d92: Pull complete 
720165974601: Pull complete 
91bc55c41ec7: Pull complete 
Digest: sha256:9dd47815124b96eea69e9d7f195062cf941d4d0758d67e2d53e086133b198a1f
Status: Downloaded newer image for quay.io/argoproj/argoexec:latest
quay.io/argoproj/argoexec:latest

The image digest is sha256:9dd47815124b96eea69e9d7f195062cf941d4d0758d67e2d53e086133b198a1f, which is same with .image.docker-manifest-digest.

[suzuki-shunsuke]

I verified an old image quay.io/argoproj/argoexec:v3.5.5.

$ docker pull quay.io/argoproj/argoexec:v3.5.5
v3.5.5: Pulling from argoproj/argoexec
2f137302898f: Already exists 
fe5ca62666f0: Already exists 
be1681d2fb7c: Already exists 
fcb6f6d2c998: Pull complete 
e8c73c638ae9: Pull complete 
1e3d9b7d1452: Pull complete 
4aa0ea1413d3: Pull complete 
7c881f9ab25e: Pull complete 
5627a970d25e: Pull complete 
a86a3c37d8ad: Pull complete 
0b03c553cbb1: Pull complete 
23f12b12d951: Pull complete 
f4aa18bbbe52: Pull complete 
Digest: sha256:32a568bd1ecb2691a61aa4a646d90b08fe5c4606a2d5cbf264565b1ced98f12b
Status: Downloaded newer image for quay.io/argoproj/argoexec:v3.5.5
quay.io/argoproj/argoexec:v3.5.5

The image digest is sha256:32a568bd1ecb2691a61aa4a646d90b08fe5c4606a2d5cbf264565b1ced98f12b.

Without --insecure-ignore-tlog, the verification failed.

$ cosign verify --key cosign.pub quay.io/argoproj/argoexec:v3.5.5                                     
Error: no matching signatures: signature not found in transparency log
main.go:69: error during command execution: no matching signatures: signature not found in transparency log

With --insecure-ignore-tlog, the verification succeeded.

$ cosign verify --insecure-ignore-tlog --key cosign.pub quay.io/argoproj/argoexec:v3.5.5
WARNING: Skipping tlog verification is an insecure practice that lacks of transparency and auditability verification for the signature.

Verification for quay.io/argoproj/argoexec:v3.5.5 --
The following checks were performed on each of these signatures:
  - The cosign claims were validated
  - The signatures were verified against the specified public key

[{"critical":{"identity":{"docker-reference":"quay.io/argoproj/argoexec"},"image":{"docker-manifest-digest":"sha256:32a568bd1ecb2691a61aa4a646d90b08fe5c4606a2d5cbf264565b1ced98f12b"},"type":"cosign container image signature"},"optional":null}]

The image digest is same.

So I couldn't verify the old image without --insecure-ignore-tlog, but I could verify the latest image without --insecure-ignore-tlog. This is the expected result. 👍

[agilgur5]

Thanks for verifying!

To summarize for other readers:

1. To verify Cosign v1 signed images using Cosign v2 CLI, you need to use--insecure-ignore-tlog
   • This is required for Argo <3.5.6, as the feature was experimental in Cosign v1 and not therefore not used by Argo
2. To verify Cosign v2 signed images using Cosign v2 CLI, no extra arguments are needed.
   • This method is valid for Argo >3.5.6, which should now be signed using Cosign v2 thanks to chore(deps): upgrade Cosign to v2.2.3 #12850