Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

COSIGN_OCI_EXPERIMENTAL still uses old cosign tag #2854

Closed
itaysk opened this issue Mar 31, 2023 · 3 comments
Closed

COSIGN_OCI_EXPERIMENTAL still uses old cosign tag #2854

itaysk opened this issue Mar 31, 2023 · 3 comments
Labels
question Further information is requested

Comments

@itaysk
Copy link

itaysk commented Mar 31, 2023

I'm playing around with cosign with the latest OCI 1.1 with Referrers support. For the test I'm running a local zot registry.
It keeps using the old cosign tag instead of the new OCI tag (or no tag in case of zot?)

COSIGN_OCI_EXPERIMENTAL=1 cosign sign $myimage
...
tlog entry created with index: 16776742
Pushing signature to: localhost:5001/zot

regctl tag list $myimage
latest
sha256-501e08f696ad6fb26680a6f0d3f0471a40da05f20fc64654118c3474c4a64c70.sig

COSIGN_OCI_EXPERIMENTAL=1 cosign attach sbom --sbom ./spdx.json --type spdx $myimage
...
Uploading SBOM file for [localhost:5001/zot:latest] to [localhost:5001/zot:sha256-501e08f696ad6fb26680a6f0d3f0471a40da05f20fc64654118c3474c4a64c70.sbom] with mediaType [text/spdx+json].

regctl tag list $myimage
latest
sha256-501e08f696ad6fb26680a6f0d3f0471a40da05f20fc64654118c3474c4a64c70.sbom

I've also tried to export COSIGN_OCI_EXPERIMENTAL=1 just in case.

cosign version                                                
  ______   ______        _______. __    _______ .__   __.
 /      | /  __  \      /       ||  |  /  _____||  \ |  |
|  ,----'|  |  |  |    |   (----`|  | |  |  __  |   \|  |
|  |     |  |  |  |     \   \    |  | |  | |_ | |  . `  |
|  `----.|  `--'  | .----)   |   |  | |  |__| | |  |\   |
 \______| \______/  |_______/    |__|  \______| |__| \__|
cosign: A tool for Container Signing, Verification and Storage in an OCI registry.

GitVersion:    v2.0.0
GitCommit:     d6b9001f8e6ed745fb845849d623274c897d55f2
GitTreeState:  clean
BuildDate:     2023-02-23T19:26:35Z
GoVersion:     go1.20.1
Compiler:      gc
Platform:      darwin/amd64

Any tips?
@itaysk itaysk added the question Further information is requested label Mar 31, 2023
@znewman01
Copy link
Contributor

CC @jdolitsky; see #2684

I think you need to use --registry-referrers-mode oci-1-1. This will get less awkward over time, promise 🙂

@jdolitsky
Copy link
Contributor

Hey Itay!

I think you need to use --registry-referrers-mode oci-1-1

Yes, thats it.

Wrote a bit more about this here: https://www.chainguard.dev/unchained/building-towards-oci-v1-1-support-in-cosign

@itaysk
Copy link
Author

itaysk commented Apr 3, 2023

Hi Josh! 🤗

Thanks both. works great

@itaysk itaysk closed this as completed Apr 3, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
question Further information is requested
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@jdolitsky @znewman01 @itaysk