Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Skopeo sync does not sync Notation signatures #2227

Open
tuminoid opened this issue Feb 13, 2024 · 6 comments
Open

Skopeo sync does not sync Notation signatures #2227

tuminoid opened this issue Feb 13, 2024 · 6 comments
Labels
kind/feature A request for, or a PR adding, new functionality stale-issue

Comments

@tuminoid
Copy link

Skopeo does not sync Notation signatures, despite the skopeo command output is saying it is copying signatures.

Is there a way to get skopeo to sync/copy/export Notation signatures from one registry to another?

Skopeo used:

$ skopeo --version
skopeo version 1.4.1
# source image has been signed
$ notation inspect --insecure-registry 127.0.0.1:5002/busybox@sha256:d319b0e3e1745e504544e931cde012fc5470eba649acc8a7b3607402942e5db7
Inspecting all signatures for signed artifact
127.0.0.1:5002/busybox@sha256:d319b0e3e1745e504544e931cde012fc5470eba649acc8a7b3607402942e5db7
└── application/vnd.cncf.notary.signature
    └── sha256:6c57ac4270780eb18dab9d76da9918f8b21d9b5105e80b5a7110826d304d5483
        ├── media type: application/jose+json
        ├── signature algorithm: RSASSA-PSS-SHA-512
        ├── signed attributes
        │   ├── signingScheme: notary.x509
        │   └── signingTime: Tue Feb 13 10:05:42 2024
        ├── user defined attributes
        │   └── (empty)
        ├── unsigned attributes
        │   └── signingAgent: Notation/1.0.0 external-signer/v0.1.0+unreleased
        ├── certificates
        │   ├── SHA256 fingerprint: 05b4585c5382c5a83479637d59dcdd6ea4020f70c563402c6601715fc66a1c8b
        │   │   ├── issued to: CN=Notation.leaf
        │   │   ├── issued by: CN=Notation Root CA,O=Notation
        │   │   └── expiry: Wed Feb 12 08:05:42 2025
        │   └── SHA256 fingerprint: cfd1ed85f0f40ee9dffd1c8df09e5c4026998791a63847a040728c3837dcbec0
        │       ├── issued to: CN=Notation Root CA,O=Notation
        │       ├── issued by: CN=Notation Root CA,O=Notation
        │       └── expiry: Wed Feb 12 08:05:40 2025
        └── signed artifact
            ├── media type: application/vnd.docker.distribution.manifest.v2+json
            ├── digest: sha256:d319b0e3e1745e504544e931cde012fc5470eba649acc8a7b3607402942e5db7
            └── size: 527

Syncing the image to second registry:

$ skopeo sync --src-tls-verify=false --dest-tls-verify=false --src docker --dest docker 127.0.0.1:5002/busybox@sha256:d319b0e3e1745e504544e931cde012fc5470eba649acc8a7b3607402942e5db7 127.0.0.1:5000
INFO[0000] Tag presence check                            imagename="127.0.0.1:5002/busybox@sha256:d319b0e3e1745e504544e931cde012fc5470eba649acc8a7b3607402942e5db7" tagged=true
INFO[0000] Copying image ref 1/1                         from="docker://127.0.0.1:5002/busybox@sha256:d319b0e3e1745e504544e931cde012fc5470eba649acc8a7b3607402942e5db7" to="docker://127.0.0.1:5000/busybox@sha256:d319b0e3e1745e504544e931cde012fc5470eba649acc8a7b3607402942e5db7"
Getting image source signatures
Copying blob 9ad63333ebc9 done  
Copying config 3f57d9401f done  
Writing manifest to image destination
Storing signatures
INFO[0000] Synced 1 images from 1 sources  

Target image is not signed anymore, even the skopeo sync said it was doing signatures too.

$ notation inspect --insecure-registry 127.0.0.1:5000/busybox@sha256:d319b0e3e1745e504544e931cde012fc5470eba649acc8a7b3607402942e5db7
127.0.0.1:5000/busybox@sha256:d319b0e3e1745e504544e931cde012fc5470eba649acc8a7b3607402942e5db7 has no associated signature
@mtrmac
Copy link
Contributor

mtrmac commented Feb 13, 2024

Thanks for your report.

Notation signatures are OCI artifacts, aren’t they? If so, it should be possible to copy them separately — if you can list their digests (or if they have tags that can be discovered by skopeo sync).

We do want to support automatically copying signatures per referrer links ( containers/image#1848 ), but it does not exist yet.

@mtrmac mtrmac added the kind/feature A request for, or a PR adding, new functionality label Feb 13, 2024
Copy link

A friendly reminder that this issue had no activity for 30 days.

@omkhard
Copy link

omkhard commented Mar 26, 2024

skopeo copy is not attesting the signature in Images signed using notation and transported in other path and trying to attest signature over the same image.
notation ls $IMAGE gives:


root@okhardubuntu:~/.config/notation# notation ls registry.private.com/repo/archlinux2:latest

Warning: Always list the artifact using digest(@sha256:...) rather than a tag(:latest) because resolved digest may not point to the same signed artifact, as tags are mutable. registry.private.com/repo/archlinux2@sha256:85dc960fa1b01560091e6de62b09c4ad99c35cf818f6a7e2b2118a57f712bcb7 has no associated signature

oras copy , does copy and notation ls showing signature associated.

Copy link

A friendly reminder that this issue had no activity for 30 days.

@tuminoid
Copy link
Author

tuminoid commented May 6, 2024

Yeah this is still valid.

A friendly reminder that this issue had no activity for 30 days.

Copy link

github-actions bot commented Jun 6, 2024

A friendly reminder that this issue had no activity for 30 days.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
kind/feature A request for, or a PR adding, new functionality stale-issue
Projects
None yet
Development

No branches or pull requests

3 participants