backward compatibility issue between v2.2.x and v2.[0|1].x
Closed this issue · 1 comments
bouenou commented
Description
cosign v2.1.x fails to sign artefacts with a signing key pair generated with cosign
v2.2.x, as shown below. Of course, the best practice is to keep cosign
up-to-date, but it may be worth having backward compatibility.
$ cosign-2.2.2 version
______ ______ _______. __ _______ .__ __.
/ | / __ \ / || | / _____|| \ | |
| ,----'| | | | | (----`| | | | __ | \| |
| | | | | | \ \ | | | | |_ | | . ` |
| `----.| `--' | .----) | | | | |__| | | |\ |
\______| \______/ |_______/ |__| \______| |__| \__|
cosign: A tool for Container Signing, Verification and Storage in an OCI registry.
GitVersion: v2.2.2
GitCommit: bf6b57bc3edf8deb7e225e4dbd2d26c0d432979b
GitTreeState: clean
BuildDate: 2023-12-05T18:59:25Z
GoVersion: go1.21.4
Compiler: gc
Platform: linux/amd64
$ cosign-2.2.2 generate-key-pair gitlab://xxxxxxx
Password written to "COSIGN_PASSWORD" variable
Private key written to "COSIGN_PRIVATE_KEY" variable
Public key written to "COSIGN_PUBLIC_KEY" variable
Public key also written to cosign.pub
$ cosign version
______ ______ _______. __ _______ .__ __.
/ | / __ \ / || | / _____|| \ | |
| ,----'| | | | | (----`| | | | __ | \| |
| | | | | | \ \ | | | | |_ | | . ` |
| `----.| `--' | .----) | | | | |__| | | |\ |
\______| \______/ |_______/ |__| \______| |__| \__|
cosign: A tool for Container Signing, Verification and Storage in an OCI registry.
GitVersion: v2.1.1
GitCommit: baf97ccb4926ed09c8f204b537dc0ee77b60d043
GitTreeState: clean
BuildDate: 2023-06-27T06:57:11Z
GoVersion: go1.20.5
Compiler: gc
Platform: linux/amd64
$ cosign sign --key gitlab://xxxxx registry.gitlab.com/bozo/cosign-bug/test:latest
Error: signing [registry.gitlab.com/bozo/cosign-bug/test:latest]: getting signer: reading key: decrypt: encrypted: unexpected kdf parameters
main.go:74: error during command execution: signing [registry.gitlab.com/bozo/cosign-bug/test:latest]: getting signer: reading key: decrypt: encrypted: unexpected kdf parameters
Version
Version 2.2.2 to generate key pair
Version 2.1.1 to sign
haydentherapper commented
Yep, this is known - #3128 (comment)
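Added example, not part of the original thread and not cosign's own code: a check that reads the KDF parameters recorded in an encrypted key without needing the password, so a key that an older client would reject with "unexpected kdf parameters" can be spotted before it reaches a signing job. It assumes the key is a PEM block whose body is a JSON envelope with a `kdf` object holding `name` and `params`; the function names, the sample key and the parameter values in it are constructed for illustration.

```python
import base64
import json
import re

PEM_RE = re.compile(
    r"-----BEGIN (?P<label>[A-Z ]+)-----\s+(?P<body>.*?)\s*-----END (?P=label)-----",
    re.DOTALL,
)


def kdf_info(pem_text):
    """Return (pem_label, kdf_name, params); the password is not needed."""
    m = PEM_RE.search(pem_text)
    if m is None:
        raise ValueError("no PEM block found")
    raw = base64.b64decode("".join(m.group("body").split()))
    try:
        kdf = json.loads(raw)["kdf"]
        return m.group("label"), kdf["name"], dict(kdf["params"])
    except (ValueError, KeyError, TypeError) as exc:
        raise ValueError("PEM body is not the assumed JSON envelope") from exc


def readable_by(pem_text, accepted_params):
    """True if the key's KDF parameters are among those a client accepts."""
    return kdf_info(pem_text)[2] in accepted_params


def make_sample_key(n):
    """Constructed envelope with dummy salt, nonce and ciphertext (demo only)."""
    envelope = {
        "kdf": {"name": "scrypt", "params": {"N": n, "r": 8, "p": 1}, "salt": "AAAA"},
        "cipher": {"name": "nacl/secretbox", "nonce": "AAAA"},
        "ciphertext": "AAAA",
    }
    b64 = base64.b64encode(json.dumps(envelope).encode()).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    label = "ENCRYPTED SIGSTORE PRIVATE KEY"
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


if __name__ == "__main__":
    # Assumption for the demo: the older client accepts exactly one parameter set.
    old_client = [{"N": 32768, "r": 8, "p": 1}]
    for n in (32768, 65536):
        key = make_sample_key(n)
        print(kdf_info(key), "readable by old client:", readable_by(key, old_client))
```

Run against the stored private key value, this shows which parameter set the generating version wrote, which tells you whether every client that has to use the key must be upgraded first.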