Failure When Attempting to Verify Attestation #1370

Closed
spiffcs opened this issue Nov 29, 2022 · 3 comments
Labels: bug (Something isn't working), question (Further information is requested)

Comments

Contributor

spiffcs commented Nov 29, 2022

Please provide a set of steps on how to reproduce the issue

What happened:
Generate an SBOM attestation for an image you have write access to for a given OCI registry:

syft attest -o syft-json caphill4/scratch:latest

Attempt to verify with latest cosign (v1.13.1)

Error: none of the attestations matched the predicate type: custom

What you expected to happen:
Verification to show the attestation was signed correctly by the keyless workflow.

Environment:

  • Output of syft version:
    Application: syft
    Version: 0.62.2
    JsonSchemaVersion: 6.0.0
    BuildDate: 2022-11-28T16:44:33Z
    GitCommit: 0cbd0cc
    GitDescription: v0.62.2
    Platform: darwin/amd64
    GoVersion: go1.18.8
    Compiler: gc
spiffcs added the bug label Nov 29, 2022
spiffcs changed the title from "Attempting to Verify Attestation:" to "Failure When Attempting to Verify Attestation" Nov 29, 2022
kzantow added this to OSS Nov 29, 2022

ep4sh commented Nov 30, 2022

Encountered the same issue:

Application:        syft
Version:            0.62.1
JsonSchemaVersion:  6.0.0
BuildDate:          2022-11-21T14:52:44Z
GitCommit:          098e61dcc81d7a6d666bc62a2166c9b8f32c61bc
GitDescription:     v0.62.1
Platform:           linux/amd64
GoVersion:          go1.18.7
Compiler:           gc

cosign: A tool for Container Signing, Verification and Storage in an OCI registry.
GitVersion:    1.13.1
GitCommit:     d1c6336475b4be26bb7fb52d97f56ea0a1767f9f
GitTreeState:  "clean"
BuildDate:     2022-10-17T18:00:05Z
GoVersion:     go1.19.2
Compiler:      gc
Platform:      darwin/amd64

Contributor Author

spiffcs commented Dec 1, 2022

sigstore/cosign#2494 <-- Filed an upstream issue

spiffcs removed this from OSS Dec 1, 2022
spiffcs added the question label Jan 2, 2023
Contributor Author

spiffcs commented Jan 26, 2023

@ep4sh this should be fixed as of #1442 - If you still have problems let me know and we can readdress the issue.

spiffcs closed this as completed Jan 26, 2023