sigstore/cosign

backward compatibility issue between v2.2.x and v2.[0|1].x

Status: Closed · 1 comment

Description

cosign v2.1.x fails to sign artefacts with a signing key pair generated with cosign v2.2.x, as shown below. Of course, the best practice is to keep cosign up-to-date, but it may be worth having backward compatibility.

$ cosign-2.2.2 version
  ______   ______        _______. __    _______ .__   __.
 /      | /  __  \      /       ||  |  /  _____||  \ |  |
|  ,----'|  |  |  |    |   (----`|  | |  |  __  |   \|  |
|  |     |  |  |  |     \   \    |  | |  | |_ | |  . `  |
|  `----.|  `--'  | .----)   |   |  | |  |__| | |  |\   |
 \______| \______/  |_______/    |__|  \______| |__| \__|
cosign: A tool for Container Signing, Verification and Storage in an OCI registry.

GitVersion:    v2.2.2
GitCommit:     bf6b57bc3edf8deb7e225e4dbd2d26c0d432979b
GitTreeState:  clean
BuildDate:     2023-12-05T18:59:25Z
GoVersion:     go1.21.4
Compiler:      gc
Platform:      linux/amd64

$ cosign-2.2.2 generate-key-pair gitlab://xxxxxxx
Password written to "COSIGN_PASSWORD" variable
Private key written to "COSIGN_PRIVATE_KEY" variable
Public key written to "COSIGN_PUBLIC_KEY" variable
Public key also written to cosign.pub


$ cosign version
  ______   ______        _______. __    _______ .__   __.
 /      | /  __  \      /       ||  |  /  _____||  \ |  |
|  ,----'|  |  |  |    |   (----`|  | |  |  __  |   \|  |
|  |     |  |  |  |     \   \    |  | |  | |_ | |  . `  |
|  `----.|  `--'  | .----)   |   |  | |  |__| | |  |\   |
 \______| \______/  |_______/    |__|  \______| |__| \__|
cosign: A tool for Container Signing, Verification and Storage in an OCI registry.

GitVersion:    v2.1.1
GitCommit:     baf97ccb4926ed09c8f204b537dc0ee77b60d043
GitTreeState:  clean
BuildDate:     2023-06-27T06:57:11Z
GoVersion:     go1.20.5
Compiler:      gc
Platform:      linux/amd64

$ cosign sign --key  gitlab://xxxxx  registry.gitlab.com/bozo/cosign-bug/test:latest
Error: signing [registry.gitlab.com/bozo/cosign-bug/test:latest]: getting signer: reading key: decrypt: encrypted: unexpected kdf parameters
main.go:74: error during command execution: signing [registry.gitlab.com/bozo/cosign-bug/test:latest]: getting signer: reading key: decrypt: encrypted: unexpected kdf parameters

Version

Version 2.2.2 to generate key pair
Version 2.1.1 to sign
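The "unexpected kdf parameters" error in the transcript is raised by the key reader before any decryption happens: the reader only runs scrypt with parameter sets it was built to expect, and a key written by a newer writer carries a set the older reader does not know. The Python below is an added example, not cosign's or go-securesystemslib's code. It assumes the encrypted private key is a JSON envelope whose "kdf" block names scrypt and carries N, r, p and a base64 salt; the two parameter sets, the "strict" and "tolerant" reader policies, the sample password and the salt are constructed for illustration and are not taken from the page. It shows where an old reader fails on a new key, and how an allowlist of known parameter sets gives a reader backward (and forward) compatibility without letting the key file dictate arbitrary scrypt memory and CPU cost.

```python
"""Where "encrypted: unexpected kdf parameters" arises, and a version-tolerant check.

Added example (assumptions): the encrypted key is a JSON envelope with a "kdf"
block {name, params {N, r, p}, salt}. The parameter values below are illustrative.
"""
import base64
import hashlib
import json

# Parameter sets a reader is willing to run. Keeping this an allowlist, instead of
# trusting whatever N/r/p the file claims, bounds the memory and CPU a malformed or
# hostile key file can make the reader spend (scrypt needs roughly 128*N*r bytes).
LEGACY_PARAMS = {"N": 32768, "r": 8, "p": 1}   # assumed "older writer" set
CURRENT_PARAMS = {"N": 65536, "r": 8, "p": 1}  # assumed "newer writer" set

STRICT_READER = (LEGACY_PARAMS,)                    # knows only the set it shipped with
TOLERANT_READER = (LEGACY_PARAMS, CURRENT_PARAMS)   # knows every set a supported writer used


class UnexpectedKDFParameters(ValueError):
    """Raised when the envelope's scrypt parameters are not on the reader's allowlist."""


def derive_key(password: bytes, envelope: str, accepted=TOLERANT_READER) -> bytes:
    """Parse the envelope and run the KDF; this is the step that fails in the report."""
    data = json.loads(envelope)
    kdf = data["kdf"]
    if kdf["name"] != "scrypt":
        raise ValueError(f"unsupported kdf {kdf['name']!r}")
    params = kdf["params"]
    if params not in accepted:  # dict equality against each allowlisted set
        raise UnexpectedKDFParameters("encrypted: unexpected kdf parameters")
    salt = base64.b64decode(kdf["salt"])
    n, r, p = params["N"], params["r"], params["p"]
    # OpenSSL's default scrypt memory cap (32 MiB) is too small for these sets,
    # so state the cap explicitly; the allowlist above is what keeps it bounded.
    return hashlib.scrypt(password, salt=salt, n=n, r=r, p=p, dklen=32,
                          maxmem=256 * 1024 * 1024)


def make_envelope(params: dict, salt: bytes) -> str:
    """Build the kdf half of an envelope as a writer using `params` would (constructed)."""
    kdf = {"name": "scrypt", "params": params, "salt": base64.b64encode(salt).decode()}
    return json.dumps({"kdf": kdf})


# Constructed sample inputs: one key written by an old writer, one by a new writer.
SALT = bytes(range(16))
LEGACY_ENVELOPE = make_envelope(LEGACY_PARAMS, SALT)
CURRENT_ENVELOPE = make_envelope(CURRENT_PARAMS, SALT)


def try_read(envelope: str, accepted) -> str:
    """Return "ok" or the reader's error text, mirroring the CLI's failure mode."""
    try:
        derive_key(b"constructed-sample-password", envelope, accepted)
        return "ok"
    except UnexpectedKDFParameters as exc:
        return str(exc)


if __name__ == "__main__":
    for label, reader in (("strict", STRICT_READER), ("tolerant", TOLERANT_READER)):
        for name, env in (("legacy key", LEGACY_ENVELOPE), ("current key", CURRENT_ENVELOPE)):
            print(f"{label:8s} reader, {name}: {try_read(env, reader)}")
```

The strict reader accepts the legacy key and rejects the current one with exactly the failure mode in the transcript; the tolerant reader accepts both. The derived 32-byte key is what the authenticated cipher stage (NaCl secretbox in cosign's format) would then use; that stage is omitted here because Python's standard library has no secretbox, and it is not where the reported error occurs.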

Yep, this is known - #3128 (comment)