[FEATURE_REQUEST] Create a new release to upload the transparency log to Rekor
itchyny opened this issue · 1 comment
itchyny commented
Description of the problem/feature request
In the latest release of cosign, made on 2023-02-25, the cosign CLI started uploading the transparency log to Rekor on signing and looking up the log on verifying. The latest release of kube-linter is v0.6.0 from 2023-01-19, and it seems that its transparency log entry was not uploaded to Rekor. We're facing a verification error for the kube-linter v0.6.0 executable with cosign v2.0.0, unless we apply the undesirable workaround of adding --insecure-ignore-tlog.
Description of the existing behavior vs. expected behavior
$ KUBE_LINTER_VERSION=0.6.0
$ curl -sSfLO "https://raw.githubusercontent.com/stackrox/kube-linter/${KUBE_LINTER_VERSION}/kubelinter-cosign.pub"
$ curl -sSfLO "https://github.com/stackrox/kube-linter/releases/download/${KUBE_LINTER_VERSION}/kube-linter-linux"
$ KUBE_LINTER_SIG=$(curl -sSfL "https://github.com/stackrox/kube-linter/releases/download/${KUBE_LINTER_VERSION}/kube-linter-linux.sig")
$ cosign verify-blob --key kubelinter-cosign.pub --signature "${KUBE_LINTER_SIG}" kube-linter-linux
Error: verifying blob [kube-linter-linux]: signature not found in transparency log
main.go:74: error during command execution: verifying blob [kube-linter-linux]: signature not found in transparency log
$ cosign verify-blob --insecure-ignore-tlog --key kubelinter-cosign.pub --signature "${KUBE_LINTER_SIG}" kube-linter-linux
Verified OK
$ cosign version
...
GitVersion: 2.0.0
GitCommit: d6b9001f8e6ed745fb845849d623274c897d55f2
I expect verification to succeed without the --insecure-ignore-tlog option in newer releases of kube-linter.