Newline in cosign generate payload results in differing sha256sum #3392

Closed
lkatalin opened this issue Nov 27, 2023 · 1 comment · Fixed by #3393
Labels: bug (Something isn't working)

lkatalin (Contributor):
Description

The newline appended to the end of the payload with `cosign generate` results in a sha256sum that differs from the sha produced by `cosign sign --output-payload ...` and the sha that is embedded in a hashedrekord object's `hashedrekordobj.data.hash.value` field. These should be consistent as they aid in verification and in understanding the relationships between the image and its uploaded metadata.

Steps to reproduce:

```
[lily@fedora cosign-test]$ cosign sign --key cosign.key $IMAGE --output-payload output_payload
...

[lily@fedora cosign-test]$ cosign generate $IMAGE > generated_payload

[lily@fedora cosign-test]$ sha256sum generated_payload
53efe87cd7478cd38f72e2ec1425a418072f99f8bf0d45d5f9439396dd32f7f8  generated_payload

[lily@fedora cosign-test]$ sha256sum output_payload
148f96e56b2e0b613eb37c95ac68ee0792281c2f889e652bf4ce0aa4eaa080f6  output_payload

$ diff generated_payload output_payload
1c1
< {"critical":{"identity":{"docker-reference":"ghcr.io/lkatalin/sigstore-keyless-demo"},"image":{"docker-manifest-digest":"sha256:3e8292e4fefe7488936fffb8771492964995fb872504e48f4e63aff7963a1d7d"},"type":"cosign container image signature"},"optional":null}
---
> {"critical":{"identity":{"docker-reference":"ghcr.io/lkatalin/sigstore-keyless-demo"},"image":{"docker-manifest-digest":"sha256:3e8292e4fefe7488936fffb8771492964995fb872504e48f4e63aff7963a1d7d"},"type":"cosign container image signature"},"optional":null}
\ No newline at end of file
```

Note that after signing the image with tlog upload enabled, the hash in the `hashedrekordobj.data.hash.value` field matches the hash of the `output_payload`. Even though including the newline in the `generated_payload` looks cleaner, I think it should be removed in order to match what is visible in the rekor object.

Version

This uses cosign version 2.2.1 (it should be reproducible with any version 2.0.2 or higher).

@lkatalin lkatalin added the bug Something isn't working label Nov 27, 2023
lkatalin (Contributor, Author):

Update: this behavior also happens when using `cosign generate $IMAGE --output-file generated_payload`
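The mismatch described in this issue is easy to reproduce without cosign at all, and the same logic is what a verifier should do when comparing a payload file against the `data.hash.value` of a hashedrekord entry. The following script is an added example written for this page, not code from the cosign project; it rebuilds the simple-signing payload shown in the diff above, hashes it with and without a trailing newline, and offers a check that reports whether a payload file matches a Rekor hash exactly, matches only once a trailing newline is stripped (the symptom reported here), or does not match at all. It assumes that Python's compact `json.dumps` produces the same bytes as the payload shown in the diff (key order is preserved and no characters in this payload need escaping); the Rekor hash values used in the test are computed locally, not taken from a real log entry.

```python
import hashlib
import json

# Payload content copied from the diff in issue #3392 (a constructed
# reproduction of the cosign simple-signing payload, not a live artifact).
PAYLOAD = {
    "critical": {
        "identity": {"docker-reference": "ghcr.io/lkatalin/sigstore-keyless-demo"},
        "image": {
            "docker-manifest-digest": "sha256:3e8292e4fefe7488936fffb8771492964995fb872504e48f4e63aff7963a1d7d"
        },
        "type": "cosign container image signature",
    },
    "optional": None,
}


def canonical_payload_bytes(payload: dict) -> bytes:
    """Compact JSON with no trailing newline: the bytes that are signed and
    that `cosign sign --output-payload` writes to disk (assumption: json.dumps
    with compact separators reproduces the bytes shown in the issue's diff)."""
    return json.dumps(payload, separators=(",", ":")).encode()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hashes_with_and_without_newline(payload: dict) -> tuple[str, str]:
    """Return (digest of the exact payload, digest of payload + '\\n').
    A single appended newline changes every bit of the digest, which is why
    `generated_payload` and `output_payload` disagree in the issue."""
    raw = canonical_payload_bytes(payload)
    return sha256_hex(raw), sha256_hex(raw + b"\n")


def check_payload_against_rekor(payload_file_bytes: bytes, rekor_hash_hex: str) -> str:
    """Compare a payload file's bytes against hashedrekordobj.data.hash.value.

    Returns one of:
      "match"                        - file hashes to the Rekor value as-is
      "match-after-stripping-newline" - only a trailing newline differs
      "mismatch"                      - content genuinely differs
    A verifier should treat only "match" as success; the middle result is the
    diagnostic for the bug this issue describes.
    """
    if sha256_hex(payload_file_bytes) == rekor_hash_hex:
        return "match"
    stripped = payload_file_bytes.rstrip(b"\n")
    if stripped != payload_file_bytes and sha256_hex(stripped) == rekor_hash_hex:
        return "match-after-stripping-newline"
    return "mismatch"


if __name__ == "__main__":
    exact, with_newline = hashes_with_and_without_newline(PAYLOAD)
    print("sha256(payload)       =", exact)
    print("sha256(payload + \\n)  =", with_newline)
    raw = canonical_payload_bytes(PAYLOAD)
    print("generated_payload vs rekor:", check_payload_against_rekor(raw + b"\n", exact))
    print("output_payload vs rekor:   ", check_payload_against_rekor(raw, exact))
```

Run it as a script to see both digests side by side. The three-way result from `check_payload_against_rekor` is deliberate: a verifier that silently strips whitespace would hide the inconsistency, while one that only reports "mismatch" gives no hint that the content is actually identical, so surfacing the newline case separately is the useful middle ground when diagnosing a signature that will not verify.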
