Double gzip of message (which seems unnecessary?)
lewisdiamond opened this issue · 1 comment
lewisdiamond commented
"cosign.sigstore.dev/message" annotation is double gzipped:
$ kubectl sigstore sign -f configmap.yaml -k cosign.key
Enter password for private key: INFO[0001] 0D )2kQ????GoJ? ?\-nwY?g(RUsing payload from: /tmp/kubectl-sigstore-temp-dir3932530381/tmp-blob-file
INFO[0001] signed manifest generated at configmap.yaml.signed
$ cat configmap.yaml.signed
apiVersion: v1
data:
  game.properties: "enemy.types=aliens,monsters\nplayer.maximum-lives=5 \n"
  player_initial_lives: "3"
  ui_properties_file_name: user-interface.properties
  user-interface.properties: "color.good=purple\ncolor.bad=yellow\nallow.textmode=true
    \ \n"
kind: ConfigMap
metadata:
  annotations:
    cosign.sigstore.dev/message: H4sIAAAAAAAA/wCoAVf+H4sIAAAAAAAA/+yUT4ucTBDGPfspijm/Oq3t6LyCp1xyCeSU04BUxhop0v/objdjQr57cCbLJoEhy4ZssuDvUlIPWo9FP72N2m2PVjtPIbAZs4g+Gz/VxV5KUe3327d4fk04kA+52B6tOfGo0eUzapU8EnHlVhWiKh+el34pKtEkcH7sgN9hChF9IsRzzPoHKRoYeehqIcpa7AqZFg1MS0M2/5elrGX6tx2u/El+mf+nRf4HllDXVXUz/7uyToqqqKQUshFVIsqiqKsEniWT9/lXduKBUT/1Oz//3AsBHb8jH9iaFu6KdMCIbQowoqbceevIR6bQwoYM6TmPs6PQoWIy4T9tTYjkw8E4hTP5XOOZ9aQzxXcUuh0AwMFsUoCr3rPhyKj6i97CRi7axP3DoP7EinqDmlqYAvmMTSR/wuP3bpaXbmktbI5WWZ+P1g6dm7xTdDDX1nscupmUsh8PBpeSRzpHbQfqop8ovfj95vkDm6GFV5fD/wZdqini/XLQGBsxsjWhhc9fUoCr4WVp2UDarnfmysrKC+BrAAAA//9dtdDzAAwAAAEAAP//Q7giKagBAAA=
    cosign.sigstore.dev/signature: MEQCICkya4hRxbvCucT8qxmB3bW916f8R9ZvSoUPngbflpnaAiAf1qT84B9cov2c6xAtvW649NZ3WcWZrhNnf7PcKOdS2w==
  name: game-demo
$ < configmap.yaml.signed yq -rc '.metadata.annotations."cosign.sigstore.dev/message"' | base64 -d | gunzip -c -
OL=)9:\r T)n7cB{p&&!?lRRZE?mV;O!>^JQx~M893j<qV*~)*$p~a
}"s)yj!Z
LKC6eI~EPUu3NU"?%WvQ?;?
#?tm
0yG
9?b2?mM83\3wlR?F.??zZM$nni-lVYSt0{G:Gm?(W])r5_Rei@?w
k]
$ < configmap.yaml.signed yq -rc '.metadata.annotations."cosign.sigstore.dev/message"' | base64 -d | gunzip -c - | gunzip -c -
/tmp/compressing-tar-gz618330488/PaxHeaders.0/configmap.yaml0000000000000000000000000000004200000000000020407 xustar0017 gid=600260513
17 uid=637922363
/tmp/compressing-tar-gz618330488/configmap.yaml0000644000000000000000000000052614143303704021164 0ustar00user00000000000000apiVersion: v1
data:
  game.properties: "enemy.types=aliens,monsters\nplayer.maximum-lives=5 \n"
  player_initial_lives: "3"
  ui_properties_file_name: user-interface.properties
  user-interface.properties: "color.good=purple\ncolor.bad=yellow\nallow.textmode=true
    \ \n"
kind: ConfigMap
metadata:
  annotations: {}
  name: game-demo
hirokuni-kitahara commented
Hi @lewisdiamond, thank you for checking this.
This message data is not double gzipped, but it is a "gzipped tar.gz binary".
To check the raw message data, you can follow these steps.
# get "message" data and save "message.tar.gz" file by doing base64 decode & gzip decode
$ cat sample-configmap.yaml.signed | yq4 eval '.metadata.annotations."cosign.sigstore.dev/message"' - | base64 -d | gzip -d > ./tmp/message.tar.gz
# decompress .tar.gz file
$ cd tmp
$ tar xzf message.tar.gz
$ ls -l
total 8
-rw-r--r-- 1 hiro staff 283 Nov 15 17:58 message.tar.gz
drwxr-xr-x 3 hiro staff 96 Nov 15 17:59 var
# the original manifest is here as file (the file path can be different depending on signing environment)
$ cat var/folders/6d/qyzngmnn7_905c0_cj01f2qw0000gn/T/compressing-tar-gz022313481/sample-configmap.yaml
apiVersion: v1
data:
  key1: val1
  key4: val4
kind: ConfigMap
metadata:
  name: sample-cm
The reason for creating a .tar.gz is to support signing a directory that contains multiple YAML manifests.
So basically it is working as expected.
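The layout described in this thread (base64 of a gzip stream whose payload is itself a .tar.gz archive holding the manifest) can be reproduced and unpacked in a few lines. The following is an added example written for this page, not code from the k8s-manifest-sigstore project or either commenter; it assumes that layering as described above, and the manifest text and the archive path inside the tarball are constructed sample data, not values taken from a real signed manifest.

```python
"""Build and unpack a sigstore-style "message" annotation value.

Added example, not project code. Assumed layout (from the thread):
    annotation = base64( gzip( tar.gz( manifest files ) ) )
so a single gunzip yields a .tar.gz (still binary), and a second gunzip
yields the raw tar stream with its PaxHeaders and file entries.
"""
import base64
import gzip
import io
import tarfile

GZIP_MAGIC = b"\x1f\x8b"  # every gzip member starts with these two bytes

# Constructed sample data: a minimal ConfigMap and a made-up archive path
# that only mimics the temp-dir naming visible in the thread.
SAMPLE_MANIFEST = """apiVersion: v1
data:
  key1: val1
kind: ConfigMap
metadata:
  name: sample-cm
"""
SAMPLE_ARCHIVE_PATH = "tmp/compressing-tar-gz-EXAMPLE/sample-configmap.yaml"


def build_message(files: dict[str, str]) -> str:
    """Pack files into an in-memory .tar.gz, gzip that archive once more,
    and base64-encode the result (the assumed annotation construction)."""
    tar_buf = io.BytesIO()
    with tarfile.open(fileobj=tar_buf, mode="w:gz") as tar:
        for path, text in files.items():
            data = text.encode()
            info = tarfile.TarInfo(name=path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    outer = gzip.compress(tar_buf.getvalue())
    return base64.b64encode(outer).decode()


def gzip_layers(message: str) -> int:
    """Count how many nested gzip streams the annotation value contains by
    peeling them off while the gzip magic bytes are present."""
    raw = base64.b64decode(message)
    layers = 0
    while raw[:2] == GZIP_MAGIC:
        raw = gzip.decompress(raw)
        layers += 1
    return layers


def unpack_message(message: str) -> dict[str, str]:
    """Reverse build_message: base64-decode, gunzip the outer layer, then
    read every regular file out of the inner .tar.gz."""
    archive = gzip.decompress(base64.b64decode(message))  # the .tar.gz
    files: dict[str, str] = {}
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tar:
        for member in tar.getmembers():
            if member.isfile():
                files[member.name] = tar.extractfile(member).read().decode()
    return files


if __name__ == "__main__":
    msg = build_message({SAMPLE_ARCHIVE_PATH: SAMPLE_MANIFEST})
    print("gzip layers:", gzip_layers(msg))
    for name, text in unpack_message(msg).items():
        print("---", name)
        print(text, end="")
```

Running the script shows two gzip layers, the outer one added on top of the archive and the inner one belonging to the .tar.gz itself, and recovers the manifest text unchanged; `unpack_message` is what a verifier would use to get at the signed payload without shelling out to `gunzip` and `tar`.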