Signing with tlog upload is not idempotent #3356

Closed
reedloden opened this issue Nov 10, 2023 · 2 comments · Fixed by #3371
Labels: bug

@reedloden

Description

We sign our images during the final stage of our release. However, because of the sheer amount of things that happen in that "promotion" stage, it is sometimes necessary to re-run it. cosign 1.x didn't have an issue with this, as signatures were not uploaded automatically to the transparency log. However, with cosign 2.x, we're running into an issue due to a signature already existing:

```text
$ cosign sign --yes --key awskms:///... --recursive public.ecr.aws/foo/bar@sha256:abcdef...

...

Signature already exists. Displaying proof
Error: signing [public.ecr.aws/foo/bar@sha256:abcdef...]: recursively signing: signing digest: unexpected entry returned from rekor server: expected EntryUUID 24296fb24b8ad77aa8f736fc36ff0184b30419c0347d81b22f5d3328592015e2369a8f71bc741bac got UUID 24296fb24b8ad77aa8f736fc36ff0184b30419c0347d81b22f5d3328592015e2369a8f71bc741bac from Tree c0d23d6ad406973f9559f3ba2d1ca01f84147d8ffc5b8445c224f98b9591801d
main.go:74: error during command execution: signing [public.ecr.aws/foo/bar@sha256:abcdef...]: recursively signing: signing digest: unexpected entry returned from rekor server: expected EntryUUID 24296fb24b8ad77aa8f736fc36ff0184b30419c0347d81b22f5d3328592015e2369a8f71bc741bac got UUID 24296fb24b8ad77aa8f736fc36ff0184b30419c0347d81b22f5d3328592015e2369a8f71bc741bac from Tree c0d23d6ad406973f9559f3ba2d1ca01f84147d8ffc5b8445c224f98b9591801d
```

The code in cosign/pkg/cosign/tlog.go (lines 207 to 224 in aaa354d) makes it seem like signing an image multiple times is fine (and it's what I would expect):

```go
// If the entry already exists, we get a specific error.
// Here, we display the proof and succeed.
var existsErr *entries.CreateLogEntryConflict
if errors.As(err, &existsErr) {
	ui.Infof(ctx, "Signature already exists. Displaying proof")
	uriSplit := strings.Split(existsErr.Location.String(), "/")
	uuid := uriSplit[len(uriSplit)-1]
	e, err := GetTlogEntry(ctx, rekorClient, uuid)
	if err != nil {
		return nil, err
	}
	rekorPubsFromAPI, err := rekorPubsFromClient(rekorClient)
	if err != nil {
		return nil, err
	}
	return e, VerifyTLogEntryOffline(ctx, e, rekorPubsFromAPI)
}
return nil, err
```

Version

cosign 2.2.1

@reedloden reedloden added the bug label Nov 10, 2023
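As an added illustration (not cosign's or Rekor's own code), here is a small Go helper for the conflict path quoted in the report: it parses the entry ID out of the Location URI that Rekor returns on a CreateLogEntryConflict using Rekor's entry ID layout (a bare 64-hex-char UUID, or a 16-hex-char tree ID followed by that UUID, as the 80-char value in the error above), and compares identifiers by their UUID part so a tree-prefixed ID and its bare UUID are recognised as the same entry. The Location URL and IDs in it are constructed, not captured from a real log.

```go
package main

import (
	"encoding/hex"
	"fmt"
	"strings"
)

// EntryID is a parsed Rekor entry identifier. Rekor (its sharding package)
// accepts either a bare 64-hex-char UUID, the SHA-256 leaf hash, or an
// 80-hex-char ID made of a 16-hex-char tree ID followed by that UUID.
type EntryID struct {
	TreeID string // empty when the input carried no tree prefix
	UUID   string
}

// ParseEntryID splits an ID into tree ID and UUID; anything else is rejected.
func ParseEntryID(id string) (EntryID, error) {
	if _, err := hex.DecodeString(id); err != nil {
		return EntryID{}, fmt.Errorf("entry ID %q is not hex: %w", id, err)
	}
	switch len(id) {
	case 64:
		return EntryID{UUID: id}, nil
	case 80:
		return EntryID{TreeID: id[:16], UUID: id[16:]}, nil
	}
	return EntryID{}, fmt.Errorf("entry ID %q has unexpected length %d", id, len(id))
}

// EntryIDFromLocation parses the last path element of a CreateLogEntryConflict Location URI.
func EntryIDFromLocation(location string) (EntryID, error) {
	parts := strings.Split(strings.TrimRight(location, "/"), "/")
	return ParseEntryID(parts[len(parts)-1])
}

// SameEntry compares only the UUID part (a tree-prefixed ID matches its bare UUID).
func SameEntry(a, b string) (bool, error) {
	ea, errA := ParseEntryID(a)
	eb, errB := ParseEntryID(b)
	if errA != nil || errB != nil {
		return false, fmt.Errorf("bad entry ID: %v / %v", errA, errB)
	}
	return ea.UUID == eb.UUID, nil
}

func main() { // constructed Location, not one captured from a real Rekor
	loc := "https://rekor.example/api/v1/log/entries/" + strings.Repeat("ab", 8) + strings.Repeat("cd", 32)
	fmt.Println(EntryIDFromLocation(loc))
}
```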
@haydentherapper (Contributor)

Lemme dig in, this is definitely a bug.

@haydentherapper (Contributor)

@reedloden Fixed in #3371
