cosign complains "no matching signatures" #1170

Closed
yrro opened this issue Apr 4, 2023 · 5 comments
@yrro
Contributor

yrro commented Apr 4, 2023

I've not used cosign before so maybe I'm doing it wrong. I get:

$ COSIGN_REPOSITORY=ghcr.io/bitnami-labs/sealed-secrets-controller/signs ~/go/bin/cosign verify --key cosign.pub ghcr.io/bitnami-labs/sealed-secrets-controller:v0.20.2
Error: no matching signatures:
signature not found in transparency log
 signature not found in transparency log
main.go:69: error during command execution: no matching signatures:
signature not found in transparency log
 signature not found in transparency log

Is this telling me that the image is signed but that I'm using the wrong public key?

$ cat cosign.pub
# Downloaded from <https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.20.2/cosign.pub>
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEseWNtEaI73oDVgjfLzU4eQYHE11i
MzRSNs1TA+cTT/Lw70ckfCC/vHnOXKACF2dnhsZsNNj647p9mAiYNVl9ug==
-----END PUBLIC KEY-----
@yrro yrro added the triage Issues/PRs that need to be reviewed label Apr 4, 2023
@agarcia-oss
Member

Hi @yrro, I can reproduce the error, but only with cosign v2.0; it didn't happen on the previous version of cosign. Just to confirm: you are using cosign 2 locally, right?

@agarcia-oss agarcia-oss added bug and removed triage Issues/PRs that need to be reviewed labels Apr 5, 2023
@yrro
Contributor Author

yrro commented Apr 5, 2023

Yes, cosign version reports GitVersion: v2.0.0

This also happens if I build from their main branch (GitVersion: v2.0.0-75-gc900e9ac)

(I am trying to get stackrox to verify the signature on our mirror of the images, it too is complaining that it can't verify the signature against the public key - but it doesn't give me any more information than that, hence me trying to figure out how to use cosign manually to check if the problem is with the image or with stackrox)

@alemorcuq
Collaborator

alemorcuq commented Apr 12, 2023

Hi, @yrro. Cosign introduced breaking changes in release v2, so it can't verify artifacts that were signed using the previous v1. You are using Cosign correctly, but this image was signed using Cosign v1, thus the error you are getting. You can verify the image using Cosign v1.

@agarcia-oss
Member

We can close the issue since the cosign version we're using for the upcoming release has been upgraded to v2.

@yrro
Contributor Author

yrro commented Apr 18, 2023

Thanks folks. I'm seeing this with 2.0.5:

$ COSIGN_REPOSITORY=ghcr.io/bitnami-labs/sealed-secrets-controller/signs ~/go/bin/cosign verify --key ~/src/phe-openshift/base/sealed-secrets-controller/cosign.pub ghcr.io/bitnami-labs/sealed-secrets-controller:v0.20.5

Verification for ghcr.io/bitnami-labs/sealed-secrets-controller:v0.20.5 --
The following checks were performed on each of these signatures:
  - The cosign claims were validated
  - Existence of the claims in the transparency log was verified offline
  - The signatures were verified against the specified public key


I guess it works! Though I think the cosign output could be much clearer! :)
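An added example, not part of the original thread or of cosign itself: a small Python helper that turns the JSON payload `cosign verify` prints after a successful verification into one readable row per signature (image reference, digest, transparency log index and time, and whether the public key recorded in the log entry is the one you trust). The sample input, the placeholder key and the `registry.example/app` reference are constructed for illustration.

```python
import base64
import json
from datetime import datetime, timezone

# Constructed placeholder, not a real key.
SAMPLE_PEM = "-----BEGIN PUBLIC KEY-----\nQ09OU1RSVUNURUQ=\n-----END PUBLIC KEY-----\n"


def summarize(verify_json, trusted_pem):
    """Return one readable row per signature payload from `cosign verify`."""
    rows = []
    for sig in json.loads(verify_json):
        critical = sig["critical"]
        row = {"reference": critical["identity"]["docker-reference"],
               "digest": critical["image"]["docker-manifest-digest"],
               "log_index": None, "integrated": None, "key_matches": None}
        bundle = (sig.get("optional") or {}).get("Bundle")
        if bundle:  # no Bundle means no transparency log entry was attached
            payload = bundle["Payload"]
            row["log_index"] = payload["logIndex"]
            row["integrated"] = datetime.fromtimestamp(
                payload["integratedTime"], tz=timezone.utc).isoformat()
            # body is a base64 Rekor entry that embeds the signer's public key
            entry = json.loads(base64.b64decode(payload["body"]))
            logged = base64.b64decode(
                entry["spec"]["signature"]["publicKey"]["content"]).decode()
            row["key_matches"] = logged.split() == trusted_pem.split()
        rows.append(row)
    return rows


def make_sample():
    """Build constructed `cosign verify` output: one logged, one unlogged."""
    entry = {"apiVersion": "0.0.1", "kind": "hashedrekord", "spec": {"signature": {
        "publicKey": {"content": base64.b64encode(SAMPLE_PEM.encode()).decode()}}}}
    body = base64.b64encode(json.dumps(entry).encode()).decode()
    critical = {"identity": {"docker-reference": "registry.example/app"},
                "image": {"docker-manifest-digest": "sha256:" + "0" * 64},
                "type": "cosign container image signature"}
    logged = {"critical": critical, "optional": {"Bundle": {"Payload": {
        "body": body, "integratedTime": 1700000000, "logIndex": 42}}}}
    return json.dumps([logged, {"critical": critical, "optional": None}])


if __name__ == "__main__":
    for row in summarize(make_sample(), SAMPLE_PEM):
        print(row)
```

This only reformats what cosign has already verified; it performs no signature or log verification of its own.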
