sigstore/cosign

Wrong timestamp inside signature

Closed this issue · 1 comment

Description


Wrong timestamp inside signature.

GitLab shows that the signature is over 23 years old.

Does it only happen on Darwin binaries? No


Last Version, when it worked: Cosign 2.1.1

When I created a signature in version 2.1.1

./cosign-V2.1.1 sign --key=./cosign.key --tlog-upload=false randomImage

Then I get a Manifest like this:

{
    "schemaVersion": 2,
    "mediaType": "application/vnd.oci.image.manifest.v1+json",
    "config": {
        "mediaType": "application/vnd.oci.image.config.v1+json",
        "size": 245,
        "digest": "sha256:ce8ea8ab655eaeb38cbfd9d224a9ca3400eeecf9cdf187680aa4266294116851"
    },
    "layers": [{
        "mediaType": "application/vnd.dev.cosign.simplesigning.v1+json",
        "size": 263,
        "digest": "sha256:4f755d248f1b7ba040c69ca9a04509a42162ec0f3adf55b0c0d32f7b10b8a6f4",
        "annotations": {
            "dev.cosignproject.cosign/signature": "MEUCIHhv13rSPbq2+qq5ziKQWEQQI6vmcXcEyD19zUTZknoSAiEA0smYpWnFBIR/cgk+JwEPvFYVZW/yYv6DS+tm2TwOsEA="
        }
    }]
}

The timestamp in the sha256:ce8ea8ab655eaeb38cbfd9d224a9ca3400eeecf9cdf187680aa4266294116851 file is correct.
At least one of them is.

"created":"2024-04-08T18:08:39.635084+02:00"

{"architecture":"","created":"2024-04-08T18:08:39.635084+02:00","history":[{"created":"0001-01-01T00:00:00Z"}],"os":"","rootfs":{"type":"layers","diff_ids":["sha256:4f755d248f1b7ba040c69ca9a04509a42162ec0f3adf55b0c0d32f7b10b8a6f4"]},"config":{}}

The error has existed since Cosign version 2.2.0.

When I created a signature in version 2.2.0

./cosign-V2.2.0 sign --key=./cosign.key --tlog-upload=false randomImage

Then I get a Manifest like this:

{
    "schemaVersion": 2,
    "mediaType": "application/vnd.oci.image.manifest.v1+json",
    "config": {
        "mediaType": "application/vnd.oci.image.config.v1+json",
        "size": 233,
        "digest": "sha256:7dd3db0ff29802b62d06d5e07c05a868f42fb7e46d922cfd4fba38f86f3bbfb6"
    },
    "layers": [{
        "mediaType": "application/vnd.dev.cosign.simplesigning.v1+json",
        "size": 263,
        "digest": "sha256:4f755d248f1b7ba040c69ca9a04509a42162ec0f3adf55b0c0d32f7b10b8a6f4",
        "annotations": {
            "dev.cosignproject.cosign/signature": "MEUCIQD2LxlidsEOsqex2NVIwwXzMIo1BbMUPB8mvKaP+LRjFwIgT8l+9eTG+6slCtmc3XQwGt6L0ZmmVTHkYaXIV8QASKY="
        }
    }]
}

The timestamp in the sha256:7dd3db0ff29802b62d06d5e07c05a868f42fb7e46d922cfd4fba38f86f3bbfb6 file is incorrect.

"created":"0001-01-01T00:00:00Z"

{"architecture":"","created":"0001-01-01T00:00:00Z","history":[{"created":"0001-01-01T00:00:00Z"}],"os":"","rootfs":{"type":"layers","diff_ids":["sha256:4f755d248f1b7ba040c69ca9a04509a42162ec0f3adf55b0c0d32f7b10b8a6f4"]},"config":{}}

As you can see, the timestamp changed to a nonsense value.

From 2024-04-08T18:08:39.635084+02:00 to 0001-01-01T00:00:00Z

I hope you can reproduce this issue.

Best wishes

Dup of #3298 - This is working as intended for reproducibility
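An added illustration of the point the thread ends on, written for this page and not taken from the reporter or from the cosign project: since cosign 2.2.0 the `created` field of the signature image's config blob is Go's zero time (`0001-01-01T00:00:00Z`) so that the signature image is reproducible, which means a UI or audit script must treat that value as a placeholder rather than as a signing time. The Python below reads the two config blobs and the 2.2.0 manifest quoted in the issue (copied verbatim), classifies the `created` value, pairs the manifest's simplesigning layer with the `diff_ids` the config lists, and renders the signing time the way a registry front end should. The function names and the report layout are this example's own; only the blobs, media types and annotation key come from the page.

```python
import json
from datetime import datetime, timezone

# Signature-image config blobs copied from the issue above. The cosign 2.1.1 one
# carries the wall-clock signing time; the cosign 2.2.0 one carries Go's zero
# time, which cosign writes deliberately so signature images are reproducible.
CONFIG_V211 = (
    '{"architecture":"","created":"2024-04-08T18:08:39.635084+02:00",'
    '"history":[{"created":"0001-01-01T00:00:00Z"}],"os":"",'
    '"rootfs":{"type":"layers","diff_ids":'
    '["sha256:4f755d248f1b7ba040c69ca9a04509a42162ec0f3adf55b0c0d32f7b10b8a6f4"]},'
    '"config":{}}'
)
CONFIG_V220 = (
    '{"architecture":"","created":"0001-01-01T00:00:00Z",'
    '"history":[{"created":"0001-01-01T00:00:00Z"}],"os":"",'
    '"rootfs":{"type":"layers","diff_ids":'
    '["sha256:4f755d248f1b7ba040c69ca9a04509a42162ec0f3adf55b0c0d32f7b10b8a6f4"]},'
    '"config":{}}'
)
# Manifest written by cosign 2.2.0, also copied from the issue.
MANIFEST_V220 = """{
    "schemaVersion": 2,
    "mediaType": "application/vnd.oci.image.manifest.v1+json",
    "config": {
        "mediaType": "application/vnd.oci.image.config.v1+json",
        "size": 233,
        "digest": "sha256:7dd3db0ff29802b62d06d5e07c05a868f42fb7e46d922cfd4fba38f86f3bbfb6"
    },
    "layers": [{
        "mediaType": "application/vnd.dev.cosign.simplesigning.v1+json",
        "size": 263,
        "digest": "sha256:4f755d248f1b7ba040c69ca9a04509a42162ec0f3adf55b0c0d32f7b10b8a6f4",
        "annotations": {
            "dev.cosignproject.cosign/signature": "MEUCIQD2LxlidsEOsqex2NVIwwXzMIo1BbMUPB8mvKaP+LRjFwIgT8l+9eTG+6slCtmc3XQwGt6L0ZmmVTHkYaXIV8QASKY="
        }
    }]
}"""

SIMPLESIGNING = "application/vnd.dev.cosign.simplesigning.v1+json"
SIGNATURE_ANNOTATION = "dev.cosignproject.cosign/signature"
ZERO_TIME = datetime(1, 1, 1, tzinfo=timezone.utc)  # Go's time.Time{} zero value


def parse_oci_time(value):
    """Parse an RFC 3339 timestamp as Go writes it. datetime.fromisoformat()
    only accepts a trailing 'Z' from Python 3.11 on, so normalise it first."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    return datetime.fromisoformat(value)


def inspect_signature_config(config_json):
    """Report what the config blob says about when the signature was made."""
    cfg = json.loads(config_json)
    created = parse_oci_time(cfg["created"])
    history = [parse_oci_time(h["created"]) for h in cfg.get("history", [])]
    return {
        "created": created,
        "created_is_zero_time": created == ZERO_TIME,
        "history_is_zero_time": all(t == ZERO_TIME for t in history),
        "diff_ids": list(cfg["rootfs"]["diff_ids"]),
    }


def signature_layers(manifest_json):
    """Return (layer digest, base64 signature) for every cosign simplesigning
    layer that actually carries a signature annotation."""
    manifest = json.loads(manifest_json)
    return [
        (layer["digest"], layer["annotations"][SIGNATURE_ANNOTATION])
        for layer in manifest["layers"]
        if layer["mediaType"] == SIMPLESIGNING
        and SIGNATURE_ANNOTATION in layer.get("annotations", {})
    ]


def config_matches_manifest(config_json, manifest_json):
    """In both manifests on the page rootfs.diff_ids lists exactly the
    signature layer digests; a mismatch means the two blobs were not
    produced together and the pair should not be trusted as one artifact."""
    diff_ids = inspect_signature_config(config_json)["diff_ids"]
    layer_digests = [digest for digest, _ in signature_layers(manifest_json)]
    return diff_ids == layer_digests


def display_signing_time(config_json):
    """What a UI should render. Once 'created' is the zero value it is a
    placeholder, not a timestamp: show that instead of an absurd age. A
    trustworthy signing time has to come from elsewhere (a Rekor entry or an
    RFC 3161 timestamp), and a signature made with --tlog-upload=false and no
    timestamp authority simply has none."""
    report = inspect_signature_config(config_json)
    if report["created_is_zero_time"]:
        return "no signing time recorded in config (reproducible signature image)"
    return report["created"].isoformat()


if __name__ == "__main__":
    for label, cfg in (("cosign 2.1.1", CONFIG_V211), ("cosign 2.2.0", CONFIG_V220)):
        print(label, "->", display_signing_time(cfg))
    print("config/manifest consistent:", config_matches_manifest(CONFIG_V220, MANIFEST_V220))
```

The `history[].created` field is the zero time in both versions, so anything that reads the signing time out of `history` was already broken before 2.2.0; only the top-level `created` changed, and after 2.2.0 neither field says when the signature was made.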