sigstore/cosign

Cosign should check the media type of each layer before downloading the signature

Opened this issue · 0 comments

Description

During signature verification, cosign calculates the signature tag from the artifact digest: ArtifactPath:sha256-<Artifact Digest>.sig
Using this tag, cosign downloads the signature manifest.
Once the signature manifest is downloaded, cosign starts downloading the layers listed in the signature manifest.
There should be a check that the media type of each layer it is about to download matches the expected media type of a signature layer, "application/vnd.dev.cosign.simplesigning.v1+json".

This check is important because if someone applies the signature tag by mistake to an artifact that is not really a signature, cosign will start downloading every layer present in that artifact.
This can amount to a huge download of data into cosign's memory, and eventually cosign will fail verification anyway because the data was not actually a signature.
The proposed enhancement is to check the media type before downloading any layers; this stops the erroneous layer download.
This saves both the wasted data transfer and the memory consumption.
It also makes the system more robust against mistaken changes to signature tags in the registry.
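The check described above, as an added illustration rather than cosign's own code: it derives the signature tag from a digest the way the issue describes, then parses a signature manifest with only the standard library and refuses the whole manifest if any layer descriptor is not a simple-signing payload, so the decision is made on descriptors alone before any blob is fetched. The manifest shape is a minimal subset of an OCI manifest, and the sample manifest in main is constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Media type cosign expects for every layer of a signature manifest.
const SimpleSigningMediaType = "application/vnd.dev.cosign.simplesigning.v1+json"

// Minimal subset of an OCI layer descriptor: only these fields matter here.
type Descriptor struct {
	MediaType string `json:"mediaType"`
	Digest    string `json:"digest"`
	Size      int64  `json:"size"`
}

// SignatureTag derives the tag cosign looks up: "sha256:<hex>" -> "sha256-<hex>.sig".
func SignatureTag(digest string) (string, error) {
	algo, hex, ok := strings.Cut(digest, ":")
	if !ok || algo == "" || hex == "" {
		return "", fmt.Errorf("malformed digest %q", digest)
	}
	return algo + "-" + hex + ".sig", nil
}

// SignatureLayers returns the manifest's layers only if every one is a simple-signing payload, so a mistagged image is rejected before any blob is pulled.
func SignatureLayers(manifestJSON []byte) ([]Descriptor, error) {
	var m struct {
		Layers []Descriptor `json:"layers"`
	}
	if err := json.Unmarshal(manifestJSON, &m); err != nil {
		return nil, fmt.Errorf("parsing signature manifest: %w", err)
	}
	for _, l := range m.Layers {
		if l.MediaType != SimpleSigningMediaType {
			return nil, fmt.Errorf("layer %s (%d bytes) has media type %q, want %q: not downloading",
				l.Digest, l.Size, l.MediaType, SimpleSigningMediaType)
		}
	}
	return m.Layers, nil
}

func main() {
	// Constructed sample: a 100 MiB image layer sitting under a signature tag by mistake.
	mistagged := `{"layers":[{"mediaType":"application/vnd.oci.image.layer.v1.tar+gzip","digest":"sha256:deadbeef","size":104857600}]}`
	_, err := SignatureLayers([]byte(mistagged))
	fmt.Println("rejected:", err)
}
```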