Signing images by digest that don't exist yet #1905

@imjasonh

Description

It should be possible to sign an image specified by digest that doesn't (yet) exist in the registry, so long as the user has permission to push to the repository. As an example, I should be able to cosign sign registry.biz/myuser/image@sha256:abcdef even if no image with that digest exists yet.

Signing registry.biz/myuser/image:tag should still require that that tag exists, because cosign needs to be able to look up the digest the tag points to. The registry.biz/myuser repository also must exist, and be accessible to the user, because that's where we'll push the signature.

Pre-signing images is useful because an image build tool can write a signature to the repository before the image being signed is pushed, for example if I enforce a policy that only signed images can exist in my registry. Signing after pushing introduces a race condition, especially if signing fails for some reason (e.g., I close the OIDC browser tab and walk away), leading to unsigned images.

This used to work in a previous version of cosign, but seems to have regressed (possibly #1616 @puerco?). If we decide to fix this, we should introduce a test that guards against future regressions. Re #1616 we should also make sure that you can sign the same non-existent digest multiple times successfully.

Currently:

$ COSIGN_EXPERIMENTAL=1 cosign sign gcr.io/imjasonh/blah@sha256:$(head -n 10 /dev/urandom | sha256sum | cut -d' ' -f1)
Generating ephemeral keys...
Retrieving signed certificate...
Your browser will now be opened to:
https://oauth2.sigstore.dev/auth/auth?access_type=online&client_id=sigstore&code_challenge=REDACTED&code_challenge_method=S256&nonce=REDACTED&redirect_uri=http%3A%2F%2Flocalhost%3A58857%2Fauth%2Fcallback&response_type=code&scope=openid+email&state=REDACTED
Successfully verified SCT...
Error: signing [gcr.io/imjasonh/blah@sha256:7145ec233c4ebd21780be57aef96e3e18894d92a00755c3fd8974f5e82c244c8]: accessing image: entity not found in registry
main.go:52: error during command execution: signing [gcr.io/imjasonh/blah@sha256:7145ec233c4ebd21780be57aef96e3e18894d92a00755c3fd8974f5e82c244c8]: accessing image: entity not found in registry
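The decision the issue asks for (a tag reference must be resolved against the registry, a digest reference needs no read at all and only push access to the repository for the signature) can be shown in a few dozen lines. The following Go program is an added example, not cosign's own code; ParseRef, ResolveForSigning, SignatureTag and TagResolver are names chosen here, and the in-memory "registry" map is constructed for the demo. The one thing taken from cosign itself is the location of the signature, the tag sha256-<hex>.sig in the same repository, which depends only on the digest and so can be written before the image exists.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// RefKind says whether the user supplied a tag or a digest.
type RefKind int

const (
	RefTag RefKind = iota
	RefDigest
)

// ParsedRef is a hypothetical split of an OCI reference (not cosign's own type).
type ParsedRef struct {
	Repository string // e.g. registry.biz/myuser/image
	Tag        string // set when Kind == RefTag
	Digest     string // "sha256:<64 hex>" when Kind == RefDigest
	Kind       RefKind
}

var sha256Digest = regexp.MustCompile(`^sha256:[0-9a-f]{64}$`)

// ParseRef splits "repo@sha256:..." or "repo:tag" (a bare "repo" means the
// "latest" tag). Only sha256 digests are accepted, as in the issue's example.
func ParseRef(ref string) (ParsedRef, error) {
	if at := strings.Index(ref, "@"); at >= 0 {
		repo, dgst := ref[:at], ref[at+1:]
		if repo == "" {
			return ParsedRef{}, errors.New("empty repository")
		}
		if !sha256Digest.MatchString(dgst) {
			return ParsedRef{}, fmt.Errorf("malformed digest %q", dgst)
		}
		return ParsedRef{Repository: repo, Digest: dgst, Kind: RefDigest}, nil
	}
	// A ':' after the last '/' is the tag separator; an earlier one is a
	// registry port (localhost:5000/repo) and must be left alone.
	slash := strings.LastIndex(ref, "/")
	colon := strings.LastIndex(ref, ":")
	if colon > slash {
		repo, tag := ref[:colon], ref[colon+1:]
		if repo == "" || tag == "" {
			return ParsedRef{}, fmt.Errorf("malformed tag reference %q", ref)
		}
		return ParsedRef{Repository: repo, Tag: tag, Kind: RefTag}, nil
	}
	if ref == "" {
		return ParsedRef{}, errors.New("empty reference")
	}
	return ParsedRef{Repository: ref, Tag: "latest", Kind: RefTag}, nil
}

// NeedsManifestLookup reports whether the signer must read the registry to
// learn the digest: true for a tag, false when the digest was given directly.
func (p ParsedRef) NeedsManifestLookup() bool { return p.Kind == RefTag }

// SignatureTag is where cosign stores the signature: <repo>:sha256-<hex>.sig.
// It depends only on the digest, so it can be pushed before the image exists.
func (p ParsedRef) SignatureTag() (string, error) {
	if p.Kind != RefDigest {
		return "", errors.New("resolve the tag to a digest first")
	}
	return p.Repository + ":sha256-" + strings.TrimPrefix(p.Digest, "sha256:") + ".sig", nil
}

// TagResolver stands in for the registry round trip that maps a tag to a
// digest (a manifest HEAD request in a real implementation).
type TagResolver func(repo, tag string) (string, error)

// ResolveForSigning applies the rule from the issue: a digest reference is
// accepted as-is with no registry read, a tag reference must resolve.
func ResolveForSigning(ref string, resolve TagResolver) (ParsedRef, error) {
	p, err := ParseRef(ref)
	if err != nil {
		return ParsedRef{}, err
	}
	if !p.NeedsManifestLookup() {
		return p, nil
	}
	dgst, err := resolve(p.Repository, p.Tag)
	if err != nil {
		return ParsedRef{}, fmt.Errorf("resolving %s:%s: %w", p.Repository, p.Tag, err)
	}
	if !sha256Digest.MatchString(dgst) {
		return ParsedRef{}, fmt.Errorf("registry returned malformed digest %q", dgst)
	}
	return ParsedRef{Repository: p.Repository, Digest: dgst, Kind: RefDigest}, nil
}

func main() {
	// Constructed in-memory "registry": only one tag is known.
	known := map[string]string{"registry.biz/myuser/image:v1": "sha256:" + strings.Repeat("ab", 32)}
	resolve := func(repo, tag string) (string, error) {
		if d, ok := known[repo+":"+tag]; ok {
			return d, nil
		}
		return "", errors.New("entity not found in registry")
	}
	for _, ref := range []string{
		"registry.biz/myuser/image@sha256:" + strings.Repeat("cd", 32), // not pushed yet: fine
		"registry.biz/myuser/image:v1",                                  // tag exists: resolved
		"registry.biz/myuser/image:v2",                                  // tag missing: error
	} {
		p, err := ResolveForSigning(ref, resolve)
		if err != nil {
			fmt.Println(ref, "->", err)
			continue
		}
		sig, _ := p.SignatureTag()
		fmt.Println(ref, "-> signature goes to", sig)
	}
}
```

The regression described in the issue corresponds to calling the resolver (or otherwise fetching the image) unconditionally; the guard in ResolveForSigning is the branch a test should pin down, and because SignatureTag is a pure function of the digest, signing the same not-yet-pushed digest twice computes the same destination each time.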

Metadata

Assignees

No one assigned

Labels

enhancement (New feature or request), good first issue (Good for newcomers), oci (Integration between Sigstore and OCI registries/images)
