The verifierReports did not include signature digest

Question

The verifierReports did not include signature digest

yizha1 opened this issue 5 months ago · 2 comments

What would you like to be added?

The current verifierReports did not include the digest for a signature manifest. If an image has multiple signatures, it will be very hard to know which signature failed verification. It's better to show the digest of every OCI artifact that was verified, so that it can be correlated later for different purposes.

An example of current verifierReports in the Ratify logs:

  "verifierReports": [
    {
      "subject": "***.azurecr.io/fromado@sha256:9bd300b50747ff122cf5c2fb47f1e29a162604e85f37659cde09d6358221a1d4",
      "isSuccess": true,
      "name": "verifier-cosign",
      "type": "cosign",
      "message": "cosign verification success. valid signatures found. please refer to extensions field for verifications performed.",
      "extensions": {
        "signatures": [
          {
            "signature": "*****",
            "verifications": [
              {
                "isSuccess": false,
                "bundleVerified": false,
                "error": "crypto/rsa: verification error",
                "keyInformation": {
                  "provider": "keymanagementprovider-akv",
                  "name": "test-cosign",
                  "version": "849bc742cb674e0aa4cc5573e692209a"
                }
              }
            ]
          },
          {
            "signature": "*****",
            "verifications": [
              {
                "isSuccess": true,
                "bundleVerified": false,
                "keyInformation": {
                  "provider": "keymanagementprovider-akv",
                  "name": "test-cosign",
                  "version": "849bc742cb674e0aa4cc5573e692209a"
                }
              }
            ]
          }
        ]
      },
      "artifactType": "application/vnd.dev.cosign.artifact.sig.v1+json"
    }
  ]
} component-type=server go.version=go1.21.9 trace-id=d38178b1-7dd7-46c3-95d7-c3b57236b40d

Anything else you would like to add?

No response

Are you willing to submit PRs to contribute to this feature?

Yes, I am willing to implement it.

Answer 1 · 2024-05-13T18:09:58.000Z

@yizha1 Can you provide an example scenario where each signature will have a different layer digest? From my testing, I notice that the payload that is signed does not change between various signatures. As a result, the signature digest stays the same. Discussion can be found here: #1381 (comment)

Answer 2 · 2024-07-25T04:24:07.000Z

Per discussion in the community meeting, the digest is same across different cosign signatures. But we have unique signature hash in the report. Closing the issue.