Why does calling the v2 referrers API include all signature layers in the new signature manifest?
MinerYang opened this issue · 3 comments
MinerYang commented
Question
Step 1: sign the image with regular cosign.
Step 2: sign the image with COSIGN_EXPERIMENTAL=1 and --registry-referrers-mode oci-1-1.
Step 3: get the new signature manifest; it includes all preceding signature layers:
/data/registry/docker/registry/v2/blobs/sha256$ cat eb/ebc4372c9fe2bff1a0ba3c15857cab9ba97174c8ca64a8168a4b2f85cbc6700d/data | jq .
{
  "schemaVersion": 2,
  "mediaType": "application/vnd.oci.image.manifest.v1+json",
  "config": {
    "mediaType": "application/vnd.dev.cosign.artifact.sig.v1+json",
    "size": 451,
    "digest": "sha256:24e41e6b63095501c8c9d0b7021b79fcf23ffdb295fba17af443f95205448939"
  },
  "layers": [
    {
      "mediaType": "application/vnd.dev.cosign.simplesigning.v1+json",
      "size": 250,
      "digest": "sha256:53627750525c032c04693ffac1c2a910350d0f6ac36402f0b3a4d1e4f3876819",
      "annotations": {
        "dev.cosignproject.cosign/signature": "MEQCIHqac+pViFr85AikUF78koAK5ELvZ9zpSYie+i8XiRD/AiAdOXycSHfAujPel3QH9GnnNfLSyygglSzpyUJwMuuTaw==",
        "dev.sigstore.cosign/bundle": "{\"SignedEntryTimestamp\":\"MEUCIQDf4eY/DVX21rZIZJUWrpk7MQAcNNwRZuMlnWFdd/pfegIgLR3Z3EF2ohSCC0lIFINcdiyLO1AJJGeCr33qYt+73A8=\",\"Payload\":{\"body\":\"eyJhcGlWZXJzaW9uIjoiMC4wLjEiLCJraW5kIjoiaGFzaGVkcmVrb3JkIiwic3BlYyI6eyJkYXRhIjp7Imhhc2giOnsiYWxnb3JpdGhtIjoic2hhMjU2IiwidmFsdWUiOiI1MzYyNzc1MDUyNWMwMzJjMDQ2OTNmZmFjMWMyYTkxMDM1MGQwZjZhYzM2NDAyZjBiM2E0ZDFlNGYzODc2ODE5In19LCJzaWduYXR1cmUiOnsiY29udGVudCI6Ik1FUUNJSHFhYytwVmlGcjg1QWlrVUY3OGtvQUs1RUx2Wjl6cFNZaWUraThYaVJEL0FpQWRPWHljU0hmQXVqUGVsM1FIOUdubk5mTFN5eWdnbFN6cHlVSndNdXVUYXc9PSIsInB1YmxpY0tleSI6eyJjb250ZW50IjoiTFMwdExTMUNSVWRKVGlCUVZVSk1TVU1nUzBWWkxTMHRMUzBLVFVacmQwVjNXVWhMYjFwSmVtb3dRMEZSV1VsTGIxcEplbW93UkVGUlkwUlJaMEZGWVVoSk1DOTZiWEpIYW1VNE9FeFVTM0ZDU2tvNWJXZDNhWEprWkFwaVJrZGpNQzlRYWtWUUwxbFJNelJwZFZweWJGVnRhMGx3ZDBocFdVTmxSV3M0YWpoWE5rSnBaV3BxTHk5WmVVRnZZaXN5VTFCTGRqUkJQVDBLTFMwdExTMUZUa1FnVUZWQ1RFbERJRXRGV1MwdExTMHRDZz09In19fX0=\",\"integratedTime\":1712641884,\"logIndex\":84292486,\"logID\":\"c0d23d6ad406973f9559f3ba2d1ca01f84147d8ffc5b8445c224f98b9591801d\"}}"
      }
    },
    {
      "mediaType": "application/vnd.dev.cosign.simplesigning.v1+json",
      "size": 250,
      "digest": "sha256:53627750525c032c04693ffac1c2a910350d0f6ac36402f0b3a4d1e4f3876819",
      "annotations": {
        "dev.cosignproject.cosign/signature": "MEQCIF9XqjuO8dMIqQTg6gomrYoGp5ukVN1T9UC8sc4noOfgAiADfrki8OBV36KjckR2X75LWCDrCRLH4NIXy1aWI4+kXg==",
        "dev.sigstore.cosign/bundle": "{\"SignedEntryTimestamp\":\"MEYCIQD9FvimCVi5KMkjYkkLIFC7ISTr86rxqcxSJYUN2ix4RAIhAL4s62geCxqHF0NOmE30J3UsfCtNDzzd+/fTVSfwtusQ\",\"Payload\":{\"body\":\"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\",\"integratedTime\":1712649737,\"logIndex\":84307241,\"logID\":\"c0d23d6ad406973f9559f3ba2d1ca01f84147d8ffc5b8445c224f98b9591801d\"}}"
      }
    },
    {
      "mediaType": "application/vnd.dev.cosign.simplesigning.v1+json",
      "size": 250,
      "digest": "sha256:53627750525c032c04693ffac1c2a910350d0f6ac36402f0b3a4d1e4f3876819",
      "annotations": {
        "dev.cosignproject.cosign/signature": "MEUCIC4OJ4fcPET7AxS3ZMNeYtxDdSXY1jqVY30KQcqS73sCAiEAkK+R2/cQlYexmq7/avRXLTZ1/SRlaAomfVGwuG+fat0=",
        "dev.sigstore.cosign/bundle": "{\"SignedEntryTimestamp\":\"MEYCIQD9ImUx+SrChaql3SKKJeWOeDYEUetHfIwUcECUc94ZmgIhAMEA2ZCbqT1MT5MO9K40LlZKmrhSXYutnpw+wxJwXxgT\",\"Payload\":{\"body\":\"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\",\"integratedTime\":1712649852,\"logIndex\":84307411,\"logID\":\"c0d23d6ad406973f9559f3ba2d1ca01f84147d8ffc5b8445c224f98b9591801d\"}}"
      }
    }
  ],
  "subject": {
    "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
    "size": 524,
    "digest": "sha256:d37ada95d47ad12224c205a938129df7a3e52345828b4fa27b03a98825d1e2e7"
  }
}
bobcallaway commented
I'm not following your question. Can you please clarify?
MinerYang commented
Hi @bobcallaway ,
What I'm wondering about is why all the signature layers are included in the new signature manifest when I sign an image using --registry-referrers-mode oci-1-1.
If I sign an image, what we expect for the layers of the signature manifest is just this signature itself.
However, signing in this experimental mode includes all the old signatures that reference this image, e.g. there are 3 descriptors in the manifest layers above.
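The behaviour described in this thread can be checked from the manifest alone. The following added example (not cosign's code and not part of the issue) parses a referrers-mode signature manifest, enumerates its simplesigning layers with their Rekor logIndex and integratedTime, reports how many distinct payload digests they cover, and checks that the subject digest is the image you expect; the sample manifest is constructed to mirror the one quoted above, with the digests and log indexes taken from it and the signature and bundle body values replaced by placeholders.

```python
import json
from collections import Counter

SIMPLE_SIGNING = "application/vnd.dev.cosign.simplesigning.v1+json"
OCI_MANIFEST = "application/vnd.oci.image.manifest.v1+json"

def _layer(payload_digest, sig, log_index, integrated_time):
    # One cosign signature layer shaped like those in the quoted manifest (placeholder values)
    bundle = {"SignedEntryTimestamp": "SET-placeholder",
              "Payload": {"body": "BODY-placeholder", "integratedTime": integrated_time,
                          "logIndex": log_index, "logID": "LOGID-placeholder"}}
    return {"mediaType": SIMPLE_SIGNING, "size": 250, "digest": payload_digest,
            "annotations": {"dev.cosignproject.cosign/signature": sig,
                            "dev.sigstore.cosign/bundle": json.dumps(bundle)}}

# Constructed sample modelled on the issue's manifest: three signature layers
# (one per signing run) over the same payload digest, all attached to one subject.
PAYLOAD = "sha256:53627750525c032c04693ffac1c2a910350d0f6ac36402f0b3a4d1e4f3876819"
SUBJECT = "sha256:d37ada95d47ad12224c205a938129df7a3e52345828b4fa27b03a98825d1e2e7"
SAMPLE_MANIFEST = json.dumps({
    "schemaVersion": 2, "mediaType": OCI_MANIFEST,
    "config": {"mediaType": "application/vnd.dev.cosign.artifact.sig.v1+json",
               "size": 451, "digest": "sha256:" + "0" * 64},  # placeholder config digest
    "layers": [_layer(PAYLOAD, "SIG-1", 84292486, 1712641884),
               _layer(PAYLOAD, "SIG-2", 84307241, 1712649737),
               _layer(PAYLOAD, "SIG-3", 84307411, 1712649852)],
    "subject": {"mediaType": "application/vnd.docker.distribution.manifest.v2+json",
                "size": 524, "digest": SUBJECT}})

def summarize_signature_manifest(manifest_json, expected_subject=None):
    """Summarize a referrers-mode cosign manifest: subject digest (and whether it
    matches expected_subject), signature count, distinct payloads, per-layer Rekor info."""
    m = json.loads(manifest_json)
    if m.get("mediaType") != OCI_MANIFEST or "subject" not in m:
        raise ValueError("not an OCI 1.1 image manifest with a subject")
    entries = []
    for layer in m.get("layers", []):
        if layer.get("mediaType") != SIMPLE_SIGNING:
            continue  # ignore non-signature layers
        ann = layer.get("annotations", {})
        rekor = (json.loads(ann.get("dev.sigstore.cosign/bundle", "null")) or {}).get("Payload", {})
        entries.append({"payload_digest": layer["digest"],
                        "signature": ann.get("dev.cosignproject.cosign/signature"),
                        "log_index": rekor.get("logIndex"),
                        "integrated_time": rekor.get("integratedTime")})
    subject = m["subject"]["digest"]
    return {"subject": subject,
            "subject_ok": expected_subject is None or subject == expected_subject,
            "signature_count": len(entries),
            "distinct_payloads": len(Counter(e["payload_digest"] for e in entries)),
            "entries": entries}
```

Run against a real manifest fetched with `jq .` as above, `signature_count` greater than `distinct_payloads` shows that several signing runs over the same payload were accumulated into one manifest, which is exactly the 3-descriptor case the issue reports.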