sigstore/k8s-manifest-sigstore

Double gzip of message (which seems unnecessary?)

lewisdiamond opened this issue · 1 comment

"cosign.sigstore.dev/message" annotation is double gzipped:

$ kubectl sigstore sign -f configmap.yaml -k cosign.key
Enter password for private key: INFO[0001] 0D )2kQ????GoJ? ?\-nwY?g(RUsing payload from: /tmp/kubectl-sigstore-temp-dir3932530381/tmp-blob-file
INFO[0001] signed manifest generated at configmap.yaml.signed


$ cat configmap.yaml.signed
apiVersion: v1
data:
  game.properties: "enemy.types=aliens,monsters\nplayer.maximum-lives=5    \n"
  player_initial_lives: "3"
  ui_properties_file_name: user-interface.properties
  user-interface.properties: "color.good=purple\ncolor.bad=yellow\nallow.textmode=true
    \   \n"
kind: ConfigMap
metadata:
  annotations:
    cosign.sigstore.dev/message: H4sIAAAAAAAA/wCoAVf+H4sIAAAAAAAA/+yUT4ucTBDGPfspijm/Oq3t6LyCp1xyCeSU04BUxhop0v/objdjQr57cCbLJoEhy4ZssuDvUlIPWo9FP72N2m2PVjtPIbAZs4g+Gz/VxV5KUe3327d4fk04kA+52B6tOfG
o0eUzapU8EnHlVhWiKh+el34pKtEkcH7sgN9hChF9IsRzzPoHKRoYeehqIcpa7AqZFg1MS0M2/5elrGX6tx2u/El+mf+nRf4HllDXVXUz/7uyToqqqKQUshFVIsqiqKsEniWT9/lXduKBUT/1Oz//3AsBHb8jH9iaFu6KdMCIbQowoqbceevIR6bQwoYM6TmPs6P
QoWIy4T9tTYjkw8E4hTP5XOOZ9aQzxXcUuh0AwMFsUoCr3rPhyKj6i97CRi7axP3DoP7EinqDmlqYAvmMTSR/wuP3bpaXbmktbI5WWZ+P1g6dm7xTdDDX1nscupmUsh8PBpeSRzpHbQfqop8ovfj95vkDm6GFV5fD/wZdqini/XLQGBsxsjWhhc9fUoCr4WVp2UD
arnfmysrKC+BrAAAA//9dtdDzAAwAAAEAAP//Q7giKagBAAA=
    cosign.sigstore.dev/signature: MEQCICkya4hRxbvCucT8qxmB3bW916f8R9ZvSoUPngbflpnaAiAf1qT84B9cov2c6xAtvW649NZ3WcWZrhNnf7PcKOdS2w==
  name: game-demo


$ < configmap.yaml.signed yq -rc '.metadata.annotations."cosign.sigstore.dev/message"' | base64 -d | gunzip -c -
OL=)9:\r        T)n7cB{p&&!?lRRZE?mV;O!>^JQx~M893j<qV*~)*$p~a
}"s)yj!Z
LKC6eI~EPUu3NU"?%WvQ?;?
                       #?tm
0yG
   9?b2?mM83\3wlR?F.??zZM$nni-lVYSt0{G:Gm?(W])r5_Rei@?w
                                                       k]
                                                         


$ < configmap.yaml.signed yq -rc '.metadata.annotations."cosign.sigstore.dev/message"' | base64 -d | gunzip -c - | gunzip -c -
/tmp/compressing-tar-gz618330488/PaxHeaders.0/configmap.yaml0000000000000000000000000000004200000000000020407 xustar0017 gid=600260513
17 uid=637922363
/tmp/compressing-tar-gz618330488/configmap.yaml0000644000000000000000000000052614143303704021164 0ustar00user00000000000000apiVersion: v1
data:
  game.properties: "enemy.types=aliens,monsters\nplayer.maximum-lives=5    \n"
  player_initial_lives: "3"
  ui_properties_file_name: user-interface.properties
  user-interface.properties: "color.good=purple\ncolor.bad=yellow\nallow.textmode=true
    \   \n"
kind: ConfigMap
metadata:
  annotations: {}
  name: game-demo

Hi @lewisdiamond, thank you for checking this.
This message data is not double gzipped, but it is a "gzipped tar.gz binary".
To check the raw message data, you can follow these steps.

# get "message" data and save "message.tar.gz" file by doing base64 decode & gzip decode
$ cat sample-configmap.yaml.signed | yq4 eval '.metadata.annotations."cosign.sigstore.dev/message"' - | base64 -d | gzip -d > ./tmp/message.tar.gz

# decompress .tar.gz file
$ cd tmp
$ tar xzf message.tar.gz
$ ls -l
total 8
-rw-r--r--  1 hiro  staff  283 Nov 15 17:58 message.tar.gz
drwxr-xr-x  3 hiro  staff   96 Nov 15 17:59 var

# the original manifest is here as file (the file path can be different depending on signing environment)
$ cat var/folders/6d/qyzngmnn7_905c0_cj01f2qw0000gn/T/compressing-tar-gz022313481/sample-configmap.yaml
apiVersion: v1
data:
  key1: val1
  key4: val4
kind: ConfigMap
metadata:
  name: sample-cm

The reason for creating a .tar.gz is to support signing a directory that contains multiple YAML manifests.
So basically it is working as expected.
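The layering described in this thread (base64 over gzip over a .tar.gz archive) can be checked without `tar` and temporary directories. The script below is an added example, not code from the k8s-manifest-sigstore project: it builds a constructed annotation value with the same nesting, then decodes it in memory and reads each archive member, which is why the first `gunzip` looks like "double gzip". The member name `configmap.yaml` is an assumption; the real tool uses an absolute temp path as seen in the issue.

```python
import base64
import gzip
import io
import tarfile

GZIP_MAGIC = b"\x1f\x8b"

# Constructed sample manifest, not the one from the issue.
SAMPLE_MANIFEST = b"apiVersion: v1\nkind: ConfigMap\nmetadata:\n  name: sample-cm\n"


def encode_message(manifest: bytes, member_name: str = "configmap.yaml") -> str:
    """Reproduce the layering seen in the issue: tar.gz the manifest, gzip
    that archive once more, then base64 the result (assumed layering)."""
    tar_buf = io.BytesIO()
    with tarfile.open(fileobj=tar_buf, mode="w:gz") as tar:
        info = tarfile.TarInfo(name=member_name)
        info.size = len(manifest)
        tar.addfile(info, io.BytesIO(manifest))
    return base64.b64encode(gzip.compress(tar_buf.getvalue())).decode("ascii")


def inner_layer_is_gzip(annotation: str) -> bool:
    """After base64 + one gunzip the bytes start with the gzip magic again,
    because what is inside is the .tar.gz archive itself."""
    return gzip.decompress(base64.b64decode(annotation)).startswith(GZIP_MAGIC)


def decode_message(annotation: str) -> dict[str, bytes]:
    """Return {member_name: file_bytes} for every regular file in the message."""
    archive = gzip.decompress(base64.b64decode(annotation))
    if not archive.startswith(GZIP_MAGIC):
        raise ValueError("inner payload is not a gzip stream; expected a .tar.gz")
    files: dict[str, bytes] = {}
    # Read members in memory instead of extracting to disk: member names are
    # absolute temp paths from the signer's machine, as shown in the issue.
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tar:
        for member in tar:
            if member.isfile():
                files[member.name] = tar.extractfile(member).read()
    return files


if __name__ == "__main__":
    msg = encode_message(SAMPLE_MANIFEST)
    print("inner layer is gzip:", inner_layer_is_gzip(msg))
    for name, data in decode_message(msg).items():
        print(f"--- {name} ---\n{data.decode()}")
```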