Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Lowercasing the imageref when signing breaks non-lowercase image *tags* #1568

Closed
funkypenguin opened this issue Mar 9, 2022 · 4 comments · Fixed by #1586
Closed

Lowercasing the imageref when signing breaks non-lowercase image *tags* #1568

funkypenguin opened this issue Mar 9, 2022 · 4 comments · Fixed by #1586
Labels
bug Something isn't working

Comments

@funkypenguin
Copy link

Hey gang!

I've been working on signing valid copies of various images I use, and stashing them in my internal Harbor registry.

I stumbled across an odd behavior with Minio images.. I'd push them into Harbor with something like this:

docker tag minio/minio:RELEASE.2022-03-05T06-32-39Z myregistry/library/minio:RELEASE.2022-03-05T06-32-39Z 
docker push myregistry/library/minio:RELEASE.2022-03-05T06-32-39Z

This works fine, and the image appears in harbor. Then I tried to sign it:

root@cn1:~# cosign sign --key awskms:///${AWS_CMK_ID}  myregistry/library/minio:RELEASE.2022-03-05T06-32-39Z 
Error: signing [myregistry/library/minio:RELEASE.2022-03-05T06-32-39Z ]: accessing entity: entity not found in registry
main.go:46: error during command execution: signing [myregistry/library/minio:RELEASE.2022-03-05T06-32-39Z ]: accessing entity: entity not found in registry

I tracked the problem down to a recent PR, which lowercases the entire image name (including tags) before attempting to sign an image.

As I understand it, the PR was in response to this issue , and intended to improve compatibility with docker push, which (as the issue correctly points out) doesn't support non-lowercase image names:

root@cn1:~# docker tag minio/minio:RELEASE.2022-03-05T06-32-39Z myregistry/library/MiNio:what-about-this
Error parsing reference: "myregistry/library/MiNio:whaht-about-this" is not a valid repository/tag: invalid reference format: repository name must be lowercase
root@cn1:~#

However, docker push is perfectly happy with non-lowercase image tags, as evidenced in my original docker push output above.

For the sake of clarity / user experience, may I suggest that instead of silently transforming the case of the image path, we simply error and fail to sign if the resulting signature artifact will be incompatible with docker push? (I.e., if the repository name, but not the tag, contains non-alpha-lowercase characters)

As a user, I'd rather the command fail entirely outright than try to silently "fix" my error :)

Cheers!
D
@funkypenguin funkypenguin added the bug Something isn't working label Mar 9, 2022
@dlorenc
Copy link
Member

dlorenc commented Mar 9, 2022

cc @mattmoor @jonjohnsonjr @imjasonh

@imjasonh
Copy link
Member

imjasonh commented Mar 9, 2022

Just failing sgtm, it sounds like the docker starter workflow handles lowercasing for us.

@dlorenc
Copy link
Member

dlorenc commented Mar 9, 2022

@bobcallaway - I think you put this in, do you have strong opinions?

@bobcallaway
Copy link
Member

SGTM to change to failure, I didn't consider the difference in behavior around tags so best to be explicit about the issue than being too cute in trying to fix it.

@imjasonh imjasonh mentioned this issue Mar 10, 2022
Merged
@ZachNewbery ZachNewbery mentioned this issue Apr 16, 2022
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Don't lowercase input image refs, just fail imjasonh/cosign
4 participants
@imjasonh @funkypenguin @dlorenc @bobcallaway