Wrong timestamp inside signature
Closed this issue · 1 comments
Description
Wrong timestamp inside signature.
GitLab shows that the signature is over 23 years old.
Does it only happen on Darwin binaries? No
Last Version, when it worked: Cosign 2.1.1
When I created a signature in version 2.1.1:
./cosign-V2.1.1 sign --key=./cosign.key --tlog-upload=false randomImage
Then I get a Manifest like this:
{
  "schemaVersion": 2,
  "mediaType": "application/vnd.oci.image.manifest.v1+json",
  "config": {
    "mediaType": "application/vnd.oci.image.config.v1+json",
    "size": 245,
    "digest": "sha256:ce8ea8ab655eaeb38cbfd9d224a9ca3400eeecf9cdf187680aa4266294116851"
  },
  "layers": [{
    "mediaType": "application/vnd.dev.cosign.simplesigning.v1+json",
    "size": 263,
    "digest": "sha256:4f755d248f1b7ba040c69ca9a04509a42162ec0f3adf55b0c0d32f7b10b8a6f4",
    "annotations": {
      "dev.cosignproject.cosign/signature": "MEUCIHhv13rSPbq2+qq5ziKQWEQQI6vmcXcEyD19zUTZknoSAiEA0smYpWnFBIR/cgk+JwEPvFYVZW/yYv6DS+tm2TwOsEA="
    }
  }]
}
The timestamp in the sha256:ce8ea8ab655eaeb38cbfd9d224a9ca3400eeecf9cdf187680aa4266294116851 file is correct.
At least one of them.
"created":"2024-04-08T18:08:39.635084+02:00"
{"architecture":"","created":"2024-04-08T18:08:39.635084+02:00","history":[{"created":"0001-01-01T00:00:00Z"}],"os":"","rootfs":{"type":"layers","diff_ids":["sha256:4f755d248f1b7ba040c69ca9a04509a42162ec0f3adf55b0c0d32f7b10b8a6f4"]},"config":{}}
The error has been present since Cosign version 2.2.0.
When I created a signature in version 2.2.0:
./cosign-V2.2.0 sign --key=./cosign.key --tlog-upload=false randomImage
Then I get a Manifest like this:
{
  "schemaVersion": 2,
  "mediaType": "application/vnd.oci.image.manifest.v1+json",
  "config": {
    "mediaType": "application/vnd.oci.image.config.v1+json",
    "size": 233,
    "digest": "sha256:7dd3db0ff29802b62d06d5e07c05a868f42fb7e46d922cfd4fba38f86f3bbfb6"
  },
  "layers": [{
    "mediaType": "application/vnd.dev.cosign.simplesigning.v1+json",
    "size": 263,
    "digest": "sha256:4f755d248f1b7ba040c69ca9a04509a42162ec0f3adf55b0c0d32f7b10b8a6f4",
    "annotations": {
      "dev.cosignproject.cosign/signature": "MEUCIQD2LxlidsEOsqex2NVIwwXzMIo1BbMUPB8mvKaP+LRjFwIgT8l+9eTG+6slCtmc3XQwGt6L0ZmmVTHkYaXIV8QASKY="
    }
  }]
}
The timestamp in the sha256:7dd3db0ff29802b62d06d5e07c05a868f42fb7e46d922cfd4fba38f86f3bbfb6 file is incorrect.
"created":"0001-01-01T00:00:00Z"
{"architecture":"","created":"0001-01-01T00:00:00Z","history":[{"created":"0001-01-01T00:00:00Z"}],"os":"","rootfs":{"type":"layers","diff_ids":["sha256:4f755d248f1b7ba040c69ca9a04509a42162ec0f3adf55b0c0d32f7b10b8a6f4"]},"config":{}}
As you can see, the timestamp changed to a nonsense value.
From 2024-04-08T18:08:39.635084+02:00
to 0001-01-01T00:00:00Z
I hope you can reproduce this issue.
Best wishes
Dup of #3298 - This is working as intended for reproducibility
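
Added example, not part of the issue thread and not cosign's own code: a small Go check that treats the config blob's size and digest as the integrity facts and classifies `created` separately, since `0001-01-01T00:00:00Z` is Go's zero `time.Time` and says nothing about when the signature was made. The names `Descriptor`, `Report`, `Describe` and `AuditConfig` are hypothetical; the two config blobs and the 2.2.0 size and digest are copied from the issue above.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"time"
)

// Config blobs as posted in the issue (cosign 2.1.1 and cosign 2.2.0).
const config211 = `{"architecture":"","created":"2024-04-08T18:08:39.635084+02:00","history":[{"created":"0001-01-01T00:00:00Z"}],"os":"","rootfs":{"type":"layers","diff_ids":["sha256:4f755d248f1b7ba040c69ca9a04509a42162ec0f3adf55b0c0d32f7b10b8a6f4"]},"config":{}}`
const config220 = `{"architecture":"","created":"0001-01-01T00:00:00Z","history":[{"created":"0001-01-01T00:00:00Z"}],"os":"","rootfs":{"type":"layers","diff_ids":["sha256:4f755d248f1b7ba040c69ca9a04509a42162ec0f3adf55b0c0d32f7b10b8a6f4"]},"config":{}}`

// Descriptor is the part of an OCI descriptor checked here (hypothetical type).
type Descriptor struct {
	Size   int64
	Digest string
}

// Report keeps integrity results apart from the unauthenticated "created" metadata.
type Report struct {
	SizeOK, DigestOK, CreatedIsZero bool
	Created                         time.Time
}

// Describe computes the size and sha256 digest a manifest should carry for blob.
func Describe(blob []byte) Descriptor {
	sum := sha256.Sum256(blob)
	return Descriptor{int64(len(blob)), "sha256:" + hex.EncodeToString(sum[:])}
}

// AuditConfig compares blob with desc and classifies the "created" field.
func AuditConfig(desc Descriptor, blob []byte) (Report, error) {
	var cfg struct {
		Created time.Time `json:"created"`
	}
	if err := json.Unmarshal(blob, &cfg); err != nil {
		return Report{}, err
	}
	got := Describe(blob)
	// IsZero is true for 0001-01-01T00:00:00Z and also when the field is absent.
	return Report{got.Size == desc.Size, got.Digest == desc.Digest, cfg.Created.IsZero(), cfg.Created}, nil
}

func main() {
	// Size and digest taken from the 2.2.0 manifest in the issue; the digest is compared at run time.
	desc := Descriptor{233, "sha256:7dd3db0ff29802b62d06d5e07c05a868f42fb7e46d922cfd4fba38f86f3bbfb6"}
	r, err := AuditConfig(desc, []byte(config220))
	fmt.Printf("%+v err=%v\n", r, err)
}
```

A UI or policy that derives "signature age" from this field should branch on `CreatedIsZero` instead of doing date arithmetic on it.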