Replies: 1 comment
It works with this:

1) Save Rekor's log public key to a file

```shell
curl -ks "${REKOR_URL}/api/v1/log/publicKey" -o /ca/rekor-log-public.pem
```

2) Tell cosign where that file is (path, not contents)

```shell
export SIGSTORE_REKOR_PUBLIC_KEY="/ca/rekor-log-public.pem"
```

3) Verify

```shell
COSIGN_EXPERIMENTAL=1
```

But I now have to test keyless...
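A quick way to confirm, before re-running `cosign verify`, that the key you fetched really is the key of the Rekor instance that integrated the signature. This is an added example, not code from the cosign or Rekor projects. It assumes the cosign bundle layout stored in the OCI annotation `dev.sigstore.cosign/bundle`, where `Payload.logID` is the Rekor log ID, and that the log ID is the hex SHA-256 of the DER-encoded public key (the bytes inside the PEM block). `SAMPLE_PEM`, `FAKE_DER` and `sample_bundle` are constructed stand-ins, not a real key or a real bundle. A mismatch between the bundle's `logID` and the key's log ID is what surfaces as "rekor log public key not found for payload"; the `env_points_to_key` check catches the other trap in the answer above, setting `SIGSTORE_REKOR_PUBLIC_KEY` to the PEM contents instead of a path.

```python
"""Diagnose 'rekor log public key not found for payload' for a private Rekor.

Added example (not cosign/rekor project code). Assumptions:
  * bundle JSON as stored in the dev.sigstore.cosign/bundle annotation,
    with Payload.logID holding the Rekor log ID;
  * Rekor log ID == hex(SHA-256(DER SubjectPublicKeyInfo)), and the PEM body
    is the base64 of exactly that DER, so no ASN.1 parsing is needed.
"""
import base64
import hashlib
import json
import os
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN PUBLIC KEY-----(.*?)-----END PUBLIC KEY-----", re.S)

# Constructed stand-in bytes (91 bytes, the size of a P-256 SPKI); NOT a real key.
FAKE_DER = bytes(range(0x30, 0x30 + 91))
SAMPLE_PEM = ("-----BEGIN PUBLIC KEY-----\n"
              + base64.encodebytes(FAKE_DER).decode()
              + "-----END PUBLIC KEY-----\n")


def rekor_log_id(pem_text: str) -> str:
    """Derive the Rekor log ID from a PEM public key as served by
    GET /api/v1/log/publicKey: SHA-256 over the DER bytes, hex-encoded."""
    m = PEM_BLOCK.search(pem_text)
    if not m:
        raise ValueError("not a PEM PUBLIC KEY block")
    der = base64.b64decode("".join(m.group(1).split()))
    return hashlib.sha256(der).hexdigest()


def check_bundle(bundle_json: str, pem_text: str) -> tuple:
    """Return (ok, reason). ok only when the bundle's Payload.logID equals the
    log ID derived from the Rekor public key you intend to give cosign."""
    payload = json.loads(bundle_json).get("Payload", {})
    want = payload.get("logID")
    if not want:
        return False, "bundle has no Payload.logID; was the entry uploaded to Rekor?"
    have = rekor_log_id(pem_text)
    if have != want:
        return False, (f"bundle logID {want} != key logID {have}: "
                       "this key is not from the Rekor that integrated the entry "
                       "(public Sigstore key vs private instance?)")
    return True, f"bundle logID matches key {have}"


def env_points_to_key(env: dict) -> tuple:
    """cosign reads SIGSTORE_REKOR_PUBLIC_KEY as a file path. Flag the common
    mistakes: unset, PEM contents pasted into the variable, missing file."""
    val = env.get("SIGSTORE_REKOR_PUBLIC_KEY")
    if not val:
        return False, "SIGSTORE_REKOR_PUBLIC_KEY is unset"
    if val.lstrip().startswith("-----BEGIN"):
        return False, "SIGSTORE_REKOR_PUBLIC_KEY holds PEM contents; it must be a file path"
    if not os.path.isfile(val):
        return False, f"{val} does not exist"
    return True, val


def sample_bundle(log_id: str) -> str:
    """Constructed bundle in the annotation's shape; body/SET are placeholders."""
    return json.dumps({
        "SignedEntryTimestamp": "constructed-placeholder",
        "Payload": {"body": "constructed-placeholder",
                    "integratedTime": 1757381430,
                    "logIndex": 3,
                    "logID": log_id},
    })


if __name__ == "__main__":
    good = sample_bundle(rekor_log_id(SAMPLE_PEM))
    print(check_bundle(good, SAMPLE_PEM))
    wrong = sample_bundle("00" * 32)           # some other log's ID
    print(check_bundle(wrong, SAMPLE_PEM))
    print(env_points_to_key({"SIGSTORE_REKOR_PUBLIC_KEY": SAMPLE_PEM}))
```

In practice you would pull the bundle with `cosign download signature <image>` (or `cosign triangulate` plus `crane manifest`) and pass the annotation value to `check_bundle` together with the PEM written by the `curl` step above.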
Hi,
I run fulcio service and rekor service locally, we are not allowed to open ports for services like this.
I put below my rekor parameters and run as docker-compose,
```shell
'rekor-server' 'serve' '--trillian_log_server.address=trillian-log-server' '--trillian_log_server.port=8090' '--rekor_server.address=0.0.0.0' '--rekor_server.signer=/signer/rekor_signer.key' '--enable_attestation_storage' '--attestation_storage_bucket=file:///var/run/attestations' '--search_index.storage_provider=mysql' '--search_index.mysql.dsn=test:zaphod@tcp(mysql:3306)/test' '--log_type=prod'
```
I used ECDSA for faster signing,
```shell
openssl ecparam -genkey -name prime256v1 -noout -out rekor_signer.key
```
I run my fulcio docker as,
```shell
docker run -d \
  -p 5555:5555 \
  -v $(pwd)/:/ca \
  docker.io/my-user/fulcio:latest \
  serve \
  --ca fileca \
  --fileca-key /ca/fulcio.key \
  --fileca-cert /ca/fulcio.crt \
  --fileca-key-passwd changeit
```
I created the fulcio.* as,
```shell
openssl genrsa -aes256 -passout pass:changeit -out fulcio.key 4096
openssl req -new -key fulcio.key -passin pass:changeit -out fulcio.csr -subj "/C=CA/ST=Semwa/L=Blha/O=My Company/OU=DevOps/CN=fulcio.sigstore.domain.com"
openssl req -x509 -new -nodes -key fulcio.key -passin pass:changeit -sha256 -days 3650 -out fulcio.crt -subj "/C=CA/ST=Semwa/L=Blha/O=My Company/OU=DevOps/CN=fulcio.sigstore.domain.com"
```
My cosign regenerate-key-pair=changeit
I tested with my docker.io/my-user with cosign sign and verify with key, no problem, all signed.
But when I test with my nexus-server with self-signed certs, there is no problem with cosign sign, but cosign verify has a problem.
Here's my run on the cli,
```shell
export COSIGN_INSECURE_ALLOW_HTTP=1
export NEXUS_USER="nexus-user"
export NEXUS_PASSWD="xxxxxxxxxxxxxxxxxxxxx"
IMAGE="hello-world"
TAG="latest"
NEXUS_REGISTRY="nexus-server:5555"
DIGEST=$(curl -ksI -u "$NEXUS_USER:$NEXUS_PASSWD" -H "Accept: application/vnd.docker.distribution.manifest.v2+json" https://$NEXUS_REGISTRY/v2/$IMAGE/manifests/$TAG | grep -i Docker-Content-Digest | awk '{print $2}' | tr -d $'\r')

COSIGN_EXPERIMENTAL=1 COSIGN_PASSWORD='changeit' cosign sign \
  --key cosign.key \
  --yes \
  --fulcio-url=http://docker.domain.com:49174 \
  --rekor-url=http://docker.domain.com:49176 \
  --registry-username=$NEXUS_USER \
  --registry-password=$NEXUS_PASSWD \
  --allow-insecure-registry \
  $NEXUS_REGISTRY/$IMAGE@$DIGEST

COSIGN_EXPERIMENTAL=1 COSIGN_PASSWORD='changeit' cosign verify \
  --key cosign.pub \
  --registry-username=$NEXUS_USER \
  --registry-password=$NEXUS_PASSWD \
  --rekor-url=http://docker.domain.com:49176 \
  --allow-insecure-registry \
  --registry-cacert='/ca/nexus.pem' \
  $NEXUS_REGISTRY/$IMAGE@$DIGEST
```
The log of rekor will only generate when doing cosign sign,
```json
{"severity":"INFO","time":"2025-09-09T01:30:30.843928648Z","caller":"/opt/app-root/src/pkg/generated/restapi/configure_rekor_server.go:239","message":"completed request","operation":{"id":"2232c1486ded/LLJTSFGFqs-000003"},"httpRequest":{"requestMethod":"POST","requestUrl":"http://docker.domain.com:49176/api/v1/log/entries","requestSize":"558","status":201,"responseSize":"1519","userAgent":"cosign/v2.5.3 (linux; amd64)","remoteIp":"10.201.21.1:59604","latency":"0.170491789s","protocol":"HTTP/1.1"}}
```
No log with fulcio, just about 21 lines of logs when it starts.
The cosign verify against rekor gives this error, and no log appears on the rekor/fulcio server:
```text
...
setting TUF refresh period to 24h0m0s
Error: no matching signatures: error verifying bundle: verifying bundle with trusted root: rekor log public key not found for payload
error verifying bundle: verifying bundle with trusted root: rekor log public key not found for payload
error verifying bundle: verifying bundle with trusted root: rekor log public key not found for payload
error verifying bundle: verifying bundle with trusted root: rekor log public key not found for payload
error verifying bundle: verifying bundle with trusted root: rekor log public key not found for payload
error verifying bundle: verifying bundle with trusted root: rekor log public key not found for payload
error verifying bundle: verifying bundle with trusted root: rekor log public key not found for payload
error verifying bundle: verifying bundle with trusted root: rekor log public key not found for payload
error verifying bundle: verifying bundle with trusted root: rekor log public key not found for payload
error verifying bundle: verifying bundle with trusted root: rekor log public key not found for payload
error during command execution: no matching signatures: error verifying bundle: verifying bundle with trusted root: rekor log public key not found for payload
error verifying bundle: verifying bundle with trusted root: rekor log public key not found for payload
error verifying bundle: verifying bundle with trusted root: rekor log public key not found for payload
error verifying bundle: verifying bundle with trusted root: rekor log public key not found for payload
error verifying bundle: verifying bundle with trusted root: rekor log public key not found for payload
```
Please help, I have no way of fixing this with nexus-server with self-signed certs.
But here's the verbose output of cosign verify:
```text
bash-5.2# COSIGN_EXPERIMENTAL=1 COSIGN_PASSWORD='changeit' cosign verify --key cosign.pub --registry-username=$NEXUS_USER --registry-password=$NEXUS_PASSWD --rekor-url=http://docker.domain.com:49176 --allow-insecure-registry --registry-cacert='/ca/nexus.pem' $NEXUS_REGISTRY/$IMAGE@$DIGEST --verbose
setting TUF refresh period to 24h0m0s
2025/09/08 21:52:03 --> GET https://nexus-server.domain.com:5555/v2/
2025/09/08 21:52:03 GET /v2/ HTTP/1.1
Host: nexus-server.domain.com:5555
User-Agent: cosign/v2.5.3 (linux; amd64) go-containerregistry/v0.20.6
Accept-Encoding: gzip
2025/09/08 21:52:03 <-- 401 https://nexus-server.domain.com:5555/v2/ (18.023317ms)
2025/09/08 21:52:03 HTTP/1.1 401 Unauthorized
Content-Length: 113
Content-Security-Policy: sandbox allow-forms allow-modals allow-popups allow-presentation allow-scripts allow-top-navigation
Content-Type: application/json
Date: Tue, 09 Sep 2025 01:52:03 GMT
Docker-Distribution-Api-Version: registry/2.0
Server: Nexus/3.80.0-06 (COMMUNITY)
Strict-Transport-Security: max-age=31536000; includeSubDomains;
Www-Authenticate: Bearer realm="https://nexus-server.domain.com:5555/v2/token",service="https://nexus-server.domain.com:5555/v2/token"
X-Content-Type-Options: nosniff
X-Xss-Protection: 1; mode=block
{"errors":[{"code":"UNAUTHORIZED","message":"access to the requested resource is not authorized","detail":null}]}
2025/09/08 21:52:03 --> GET https://nexus-server.domain.com:5555/v2/token?scope=repository%3Apipeline%2Fgitops-notification%3Apull&service=https%3A%2F%2Fnexus-server.domain.com%3A5555%2Fv2%2Ftoken [body redacted: basic token response contains credentials]
2025/09/08 21:52:03 GET /v2/token?scope=repository%3Apipeline%2Fgitops-notification%3Apull&service=https%3A%2F%2Fnexus-server.domain.com%3A5555%2Fv2%2Ftoken HTTP/1.1
Host: nexus-server.domain.com:5555
User-Agent: cosign/v2.5.3 (linux; amd64) go-containerregistry/v0.20.6
Authorization:
Accept-Encoding: gzip
...
```
All OK, no error after this; I removed it, it is very long...
```text
...
Error: no matching signatures: error verifying bundle: verifying bundle with trusted root: rekor log public key not found for payload
error verifying bundle: verifying bundle with trusted root: rekor log public key not found for payload
error verifying bundle: verifying bundle with trusted root: rekor log public key not found for payload
error verifying bundle: verifying bundle with trusted root: rekor log public key not found for payload
error verifying bundle: verifying bundle with trusted root: rekor log public key not found for payload
error verifying bundle: verifying bundle with trusted root: rekor log public key not found for payload
error verifying bundle: verifying bundle with trusted root: rekor log public key not found for payload
error verifying bundle: verifying bundle with trusted root: rekor log public key not found for payload
error verifying bundle: verifying bundle with trusted root: rekor log public key not found for payload
error verifying bundle: verifying bundle with trusted root: rekor log public key not found for payload
error during command execution: no matching signatures: error verifying bundle: verifying bundle with trusted root: rekor log public key not found for payload
error verifying bundle: verifying bundle with trusted root: rekor log public key not found for payload
error verifying bundle: verifying bundle with trusted root: rekor log public key not found for payload
error verifying bundle: verifying bundle with trusted root: rekor log public key not found for payload
error verifying bundle: verifying bundle with trusted root: rekor log public key not found for payload
error verifying bundle: verifying bundle with trusted root: rekor log public key not found for payload
error verifying bundle: verifying bundle with trusted root: rekor log public key not found for payload
error verifying bundle: verifying bundle with trusted root: rekor log public key not found for payload
error verifying bundle: verifying bundle with trusted root: rekor log public key not found for payload
error verifying bundle: verifying bundle with trusted root: rekor log public key not found for payload
bash-5.2#
```
One more thing: `--registry-cacert='/ca/nexus.pem'` is the nexus-server crt cert; I just tried it to see if it helps.